Register the VOBOX#

An AliEn VOBOX has first to be registered to the AliEn LDAP. AliEn administrators can do that with two pieces of information:

A site certificate and an associated private key will be created.

Store credentials in Vault#

First create a policy:

echo 'path "secret/alienvoboxes/mysitevobox/*" { policy = "read" }' | ./vault policy-write mysitevobox -

This policy allows reading the content of all secrets under secret/alienvoboxes/mysitevobox. Now we create a token valid one week:

vault token-create -policy mysitevobox -ttl 168h

The token can be renewed using the vault token-renew command.

When obtaining the certificate and key in PKCS12 format, export it in two PEM files. Certificate:

openssl pkcs12 -clcerts -nokeys -in ~/mysitevobox.p12 -out usercert.pem

Password-protected key:

openssl pkcs12 -nocerts -in ~/mysitevobox.p12 -out userkey_enc.pem

Now unprotect the key:

openssl rsa -in userkey_enc.pem -out userkey.pem

Save the certificate in Vault. We will use the following keys:

We can use the following command (and then paste the secret to stdin):

vault write secret/mysitevobox/host_cert value="`cat`"

Alternatively we can read it from a file:

vault write secret/mysitevobox/host_cert value=@usercert.pem

Our configuration is stored on Ansible. To run it, by limiting the run only to the AliEn VOBOXes, do - from the private configuration folder:

ansible-playbook site.yml -i inventory/ -e vault_token=<valid_vault_token> -l alienvoboxes

A valid Vault token must be provided: secrets are stored there and not in the configuration repository.