simp-pki

Table of Contents

1. Description
   • This is a SIMP module
2. Setup - The basics of getting started with simp-pki
   • What simp-pki affects
   • Setup requirements
   • Beginning with simp-pki
3. Usage - Configuration options and additional functionality
4. Reference - An under-the-hood peek at what the module is doing and how
5. Limitations - OS compatibility, etc.
6. Development - Guide for contributing to the module

Description

This module provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server.

The keydist directory must have the following structure:

  Under `${codedir}/${environment}/modules/#{module_name}/files/keydist/`:
  - cacerts
    - Any X.509 PEM formatted CA certificates that you want to serve to your
      clients. Do NOT hash these certificates. This will be done on the client
      side.
  - <fqdn>
    - cacerts
      - Any X.509 PEM formatted CA certificates that you want to serve to your
        clients. Do NOT hash these certificates. This will be done on the
        client side.
    - <fqdn>.pem -> Client Private Key
    - <fqdn>.pub -> Client Public Key

If $pki is set to 'simp', the keydist directory will have the same structure, however it will be located in a separate module path so keys don't get clobbered when using r10k:

• /var/simp/environments/${environment}/site_files/pki_files/files/keydist

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Setup

What simp-pki affects

This module both adds your client X.509 PKI keys to the system at /etc/pki/simp/x509/{cacerts,private,public} and provides the ability to copy those certificates (or other certificates in the same directory format) into application spaces.

Setup Requirements

The main functionality of this module is supported by the use of a Puppet Server. However, the pki::copy functionality may be used without connectivity to the Puppet Server.

To use the server side functionality, you must have a special keydist Puppet share.

The following is the recommended addition to auth.conf for realizing this share:

# Everyone gets access to the cacerts
path ~ ^/file_(metadata|content)/modules/pki/keydist/cacerts
allow *


# Allow access to the keydist space for only the nodes that match via
# certificate name
path ~ ^/file_(metadata|content)/modules/pki/keydist/([^/]+)
allow $2

Beginning with simp-pki

Usage

To sync certificates to your system, simply include the pki class.

include '::pki'

To copy the certificates into your application space, use the pki::copy define. By default, the cert source is set to /etc/pki/simp. Three basic use-cases are described below.

If $pki is true or simp:

• The simp-pki class will be included
• Certificates will be centrally managed, in /etc/pki/simp_apps

For example:

pki::copy { 'httpd': }

This will result in the directory /etc/pki/simp_apps/httpd/x509 being created with the cacerts, public, and private subdirectories as specified in the keydist directory.

If $pki is false:

• The simp-pki class will not be included
• Certificates will not be centrally managed, and you must specify a $destination
• You must ensure the parent directories of $destination exist

For example:

pki::copy { 'httpd':
  $pki         => false,
  $destination => '/foo/bar'
}

This will result in the directory /foo/bar/pki being created with the cacerts, public, and private subdirectories as specified in the /etc/pki/simp/x509 directory.

To change the source of certificates to be distributed, use the global pki::source catalyst.

• You must ensure the source directory contains the proper cacerts, public, and private subdirectories, in the correct format. Nothing else will get copied.

In some_hieradata.yaml

simp_options::pki::source: /some/other/certs

In a manifest

pki::copy { 'httpd': }

This will result in the directory /etc/pki/simp_apps/httpd/x509 being created with the cacerts, public, and private subdirectories as specified in the /some/other/certs directory.

Reference

Please refer to the REFERENCE.md, generated by Puppet strings.

Development

Please read our Contribution Guide.

Reference

Table of Contents

Classes

• pki: This class provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server. The keydist directory must have the f
• pki::copy::apps_dir: NOTE: THIS IS A PRIVATE CLASS This class configures the top-level appl

Defined types

• pki::copy: This Defined Type provides a useful copy function for properly copying the entire set of SIMP-based PKI certificates as deployed by the PKI m

Resource types

• pki_cert_sync: A puppet type for merging the contents of one directory full of X.509 PKI certificates into another while hashing the certificates in a manne

Classes

pki

This class provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server.

The keydist directory must have the following structure:

• ${codedir}/${environment}/modules/#{module_name}/files/keydist/
  • cacerts
    • Any X.509 PEM formatted CA certificates that you want to serve to your clients.
  • <fqdn>
    • cacerts
      • Any X.509 PEM formatted CA certificates that you want to serve to this particular client.
    • <fqdn>.pem -> Host Private Key
    • <fqdn>.pub -> Host Public Key

If $pki is set to 'simp', the keydist directory will have the same structure, however it will be located in a separate module path so keys don't get clobbered when using r10k:

• /var/simp/environments/${environment}/site_files/pki_files/files/keydist

Parameters

The following parameters are available in the pki class:

• pki
• base
• certname
• private_key_source
• public_key_source
• auditd
• sync_purge
• cacerts_sources

pki

Data type: Variant[Boolean,Enum['simp']]

• If 'simp', certs will be copied from puppet:///modules/pki_files/keydist

• If true or false, certs will be copied from puppet:///modules/${module_name}/keydist

Default value: simplib::lookup('simp_options::pki', { 'default_value' => 'simp' })

base

Data type: Stdlib::Absolutepath

The directory to which certs will be copied.

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

certname

Data type: String

The name of the cert to be used on this host

Defaults to the Puppet certname.

Default value: pick($trusted['certname'], $facts['networking']['fqdn'])

private_key_source

Data type: String

The source of the private key content

• This parameter accepts the same values as the file type's source parameter

Default value: "puppet:///modules/${module_name}/keydist/${certname}/${certname}.pem"

public_key_source

Data type: String

The source of the private key content

• This parameter accepts the same values as the file type's source parameter

Default value: "puppet:///modules/${module_name}/keydist/${certname}/${certname}.pub"

auditd

Data type: Boolean

Whether or not to enable auditing of the system keys

Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})

sync_purge

Data type: Boolean

Whether or not the PKI sync type should purge the destination directory

• If set to true (the default), the /etc/pki/cacerts directory will have any non-recognized certificates removed.

Default value: true

cacerts_sources

Data type: Array[String]

Modulepath to look in for the CA certs. Normally this is a special modulepath outside of the normal $codedir. The full path can be found in the environment.conf or through puppet config print modulepath

Default value:

[
    "puppet:///modules/${module_name}/keydist/cacerts",
    "puppet:///modules/${module_name}/keydist/cacerts/${certname}/cacerts"
  ]

pki::copy::apps_dir

NOTE: THIS IS A PRIVATE CLASS

This class configures the top-level application directory where application-level copies of PKI keys will be housed

Parameters

The following parameters are available in the pki::copy::apps_dir class:

• target
• purge

target

Data type: Stdlib::Absolutepath

The name of the destination directory

Default value: '/etc/pki/simp_apps'

purge

Data type: Boolean

Whether or not to purge unmanaged keys from the directory

• NOTE: It is highly recommended that you purge unmanaged keys for security reasons

Default value: true

Defined types

pki::copy

This Defined Type provides a useful copy function for properly copying the entire set of SIMP-based PKI certificates as deployed by the PKI module to a different location.

This is particularly important when dealing with SELinux enabled services since they tend to react poorly to symlinks.

Parameters

The following parameters are available in the pki::copy defined type:

• pki
• name
• source
• destination
• owner
• group

pki

Data type: Variant[Boolean,Enum['simp']]

• If set to simp or true

  • Certificates will be centralized in /etc/pki/simp_apps/, and copied to /etc/pki/simp_apps/$name/x509.

• If set to simp

  • Include the pki class

• If set to false

  • Certificates will not be centralized, and you must provide a $destination

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false})

name

Data type: Variant[String,Stdlib::Absolutepath]

• If $pki = true or $pki = 'simp' this parameter will be used to namespace certificates in /etc/pki/simp_apps/$name/x509.

• If $pki = false, this variable has no effect.

source

Data type: String

Where to find the certificates. This value could be one of a few types:

• Absolute path
• A file URL in the form of (https|puppet):///file/path. See the file resource documentation for details on the format of this URL
• An NSS database. This must be managed by something else, like IPA.

If the setting is a path (file or URL), the locations referenced must have the following structure:

• <path>/cacerts

• <path>/private

• <path>/public

• NOTE: No other directories will be copied!

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

destination

Data type: Optional[Stdlib::Absolutepath]

Optional. The destination that PKI certs get copied to.

• If $pki = false:

  • You must specify $destination.
  • You will need to ensure that all parent directories have been properly created.
  • A 'pki' directory will be created under this space
    • For example, if you set this to /foo/bar then /foo/bar/pki will be created

• If $pki = true or $pki = 'simp':

  • This variable has no effect.

Default value: undef

owner

Data type: String

The owner of the directories/files that get copied

Default value: 'root'

group

Data type: String

The group of the directories/files that get copied

Default value: 'root'

Resource types

pki_cert_sync

A puppet type for merging the contents of one directory full of X.509 PKI certificates into another while hashing the certificates in a manner appropriate for use by most Linux applications (Apache, OpenLDAP, etc...).

Usage:

pki_cert_sync { '<target_dir>': source => '<source_dir>' }

Both directories must exist on the local operating system, remote file syncing is not supported. File attributes will all be copied from the source directory.

Any SELinux contexts will be preserved on existing files and copied from the source files if the destination file does not exist.

Properties

The following properties are available in the pki_cert_sync type.

source

The directory from which to copy all materials.

Parameters

The following parameters are available in the pki_cert_sync type.

• generate_pem_hash_links
• name
• provider
• purge

generate_pem_hash_links

Valid values: true, false, yes, no

Whether to generate the PEM file hash links in the target directory (:name). Should only be disabled if the application using the target directory generates those links itself.

Default value: true

name

namevar

The target directory into which to place and hash the X.509 certificates.

This directory will be left as it was found at the end of the sync just in case it is the destination of a recursive file copy with purge enabled.

provider

The specific backend to use for this pki_cert_sync resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

purge

Valid values: true, false, yes, no

Whether to purge the target directory (:name). In general, you will want to do this to ensure that systems do not get inappropriate CAs added locally.

Default value: true

• Wed Jul 10 2024 Steven Pritchard steve@sicura.us - 6.7.1

• Fix call to FileUtils.cp to work on Ruby 3

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 6.7.0

• [puppetsync] Add EL9 support

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.6.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 6.5.0

• Add AlmaLinux 8 support

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.0

• Add RockyLinux 8 support

• Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.3.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 6.2.1

• Removed EL6 support

• Tue Dec 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0

• Add EL8 support

• Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.2.0-0

• Drop Puppet 4 support
• Add Puppet 6 support
• Add puppetlabs-stdlib 6 support

• Fri Jan 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0

• Moved temporary aggregate CA certs reference files used by pki_cert_sync out of the target directory. These temporary files were being erroneously processed by the gitlab application.

• Fri Jan 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0

• pki_cert_sync type now generates an aggregate CA certificates with X.509 certificate headers removed, cacerts_no_headers.pem, in addition to the existing aggregate CA certificates file, cacerts.pem. This new CA certificates file is useful for application that cannot handle certificate headers.
• Add a pki_cert_sync option, generate_pem_hash_links, which controls whether pki_cert_sync should generate and maintain the PEM file hash links in the target directory. Disabling automatic PEM hash link generation is useful if an application is managing those links in the target directory, itself.
• Update the upper bound of stdlib to < 6.0.0
• Update a URL in the README.md

• Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0

• Drop Hiera 4 support
• Update badges and contribution guide URL in README.md

• Wed Jul 18 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.4-0

• Add support for OEL and Puppet 5

• Mon Apr 16 2018 Nick Miller nick.miller@onyxpoint.com - 6.0.3-0

• pki::copy's source parameter now accepts any string to allow for use of NSS and remote file sources.
• Cleanup unneeded fixtures
• Update version range of auditd dependency in metadata.json

• Mon Dec 11 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.2-0

• Ensure that /etc/pki/simp_apps is recursively purged so that old certificates are not left on the system
• Adds a new param, $certname, that controls the name of the certs in keydist that will be copied over. This used to be set to $facts['fqdn'] without an option to change it, now it will default to $trusted['certname']

• Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.1-0

• Update puppet dependency and remove OBE pe dependency in metadata.json

• Wed Jan 11 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• SIMP certs are now managed in /etc/pki/simp/x509, and application certs in /etc/pki/simp_apps/<app_name>/x509.

• Tue Jan 10 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0

• Changed default location of keydist certs from the files directory of the pki module unless $pki is set to 'simp', when it will pull from pki_files in a different module path instead.

• Mon Jan 09 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Set perms on simp_apps to 644/755; apps were being denied access to their own certs because they could not access /etc/pki/simp_apps.
• We have made the decision to centralize application certificates when simp is managing pki (simp_options::pki => true or 'simp'). This update re-tools pki::copy to better handle managing certs in /etc/pki/simp_apps.

• Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

• Changed pki::pki_dir parameter to pki::base_dir
• Updated acceptance tests
• Fixed bugs in ordering

• Tue Dec 13 2016 Jeanne Greulich jgreulich.greulich@onyxpoint.com - 6.0.0-0

• Global catalyst updates
• Strong Type updates
• Changed default for pki directory to /etc/pki/simp from /etc/pki

• Wed Nov 23 2016 Jeanne Greulich jgreulich.greulich@onyxpoint.com - 5.0.0-0

• update requirement versions

• Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0

• Updated to compliance_markup version 2

• Fri Sep 30 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.4-0

• Fixed dependencies in metadata.json prior to a Forge push.

• Wed Jul 06 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.3-0

• Fixed a permissions flapping issue between a file resource and the 'sync' provider.

• Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 4.2.2-0

• Removed custom type deprecation warning

• Mon Mar 28 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0

• Removed extraneous cacerts keys
• Updated the README
• Fixed code comments

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0

• Added the ability to copy from arbitrary OS locations for pki::copy. This was mainly to support stunnel.

• Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-9

• Added compliance function support

• Mon Jan 18 2016 Carl Caum carl@puppetlabs.com - 4.1.0-8

• Allow PKI file content source to be modified.

• Mon Dec 14 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Remove erroneous test5.simp.vm key from the keydist directory

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-6

• Migration to simplib and simpcat (lib/ only)

• Tue Oct 13 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-5

• If a directory is placed in keydist/cacerts, the directory structure is copied to pki/cacerts, and all certs in subdirectories are appended to cacerts.pem.
• If a directory is removed from keydist/cacerts, it is now forcibly removed from .cacerts_ingress.

• Thu Feb 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

• Moved things to the new 'simp' environment
• Ensure the requirements on packages are appropriately defined

• Mon Feb 09 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-3

• A public RSA key is now generated off off the system private key, and placed in /etc/pki/public/fqdn_rsa.pem

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

• Removed MD5 file checksums for FIPS compliance.

• Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Modified code in the pki_cert_sync provider for Ruby 2 compatibility.

• Thu May 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1

• Updated pki_cert_sync to (re)build a concatenated cacerts.pem file which is a bundled file of all valid CA certs in /etc/pki/cacerts.

• Tue Apr 08 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0

• Updated manifests for puppet 3 and hiera compatibility.
• Refactored manifests to pass all lint tests.
• Removed the pki::pre class as all functionality now exists in the pki class.
• Added spec tests.

• Mon Mar 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0

• Added a pki::copy define for properly copying the entire PKI set to an alternate location on the system with proper ordering.
• Rolled the pki::pre class into the main pki class.

• Mon Feb 17 2014 Kendall Moore kmoore@keywcorp.com - 2.0.0-6

• Added autorequire to pki_cert_sync for file destination.

• Fri May 31 2013 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-5

• Created a native type to replace the hack set of execs for CA certificate synchronization. This is not perfect but it is far faster and better. Ideally, the type would be able to pull the files from the Puppet server itself. Also, the file resource for '/etc/pki/cacerts' was preserved for legacy code notification compatibility.

• Wed Apr 11 2012 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-4

• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3

• Improved test stubs.

• Wed Dec 14 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2

• Added an initial suite of tests
• Fixed the creation of certificate hashes and now hash on 'subject' not 'issuer'.
• Updated the spec file to not require a separate file list.
• The certificate hash script had errors with cert hashes beginning with a '0' as well as hashing on the issuer not the subject. Also, cleaned up the way the intermediate directory cleanup is handled.

• Thu Oct 27 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1

• Updated the PKI module to create a two-step certificate placement so that the certificate hashes can be generated on the client. This is done due to RHEL6 using a different hashing algorithm than RHEL5

• Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2

• Converting all spec files to check for directories prior to copy.

• Thu Jun 10 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1

• No templates to copy in caused an RPM build failure.

• Mon May 24 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0

• Code refactor and doc updates.