On Mon, Dec 12, 2011 at 18:47, Steve Shipway <s.shipway@auckland.ac.nz> wrote:
G'day Steve.
> I've done some more development on my Puppet module that handles password
> integration with Secret Server from Thycotic, and now it handles
> certificates as well.
That is pretty darn awesome - lots of people out there want some sort
of solution to this, and when I looked the Thycotic solution seemed
pretty solid. Does this work with the hosted service as well as the
in-house service?
(Not that I can imagine ever using the hosted service, but it might
make sense in some folks' threat models. ;)
> This allows you to have a 'password' define that ensures the password is
> stored in SecretServer, and changes it on a regular basis:
>
> password { 'root': maxage=>60; }
> password { 'oracle': }
>
> Also now you can manage certificates, and it will install and update them:
>
> ssl::cert { $fqdn: }
> ssl::cert { 'foo.company.com': key=>'/usr/local/ssl/foo.key',
> crt=>'/usr/local/ssl/foo.crt'; }
>
> The module will retrieve the certificate and key from SecretServer, then
> optionally restart Apache after installing them. You can override this
> behaviour, or specify a different location for the files than the default of
> /etc/httpd/conf.
> It can also work from files instead of secretserver if necessary.
That looks pretty reasonable, but there are a couple of points that I
wondered at - and so, I wanted to take a look at the code and help
this be absolutely awesome!
> If anyone would like a copy, let me know.
Do you have the code in GitHub or somewhere like that, where I can have a look?
Is this the best email address to send any suggestions about improvements?
Would you accept pull requests or whatever?
Again, this looks absolutely awesome, and I would love to make it
something that everyone wanted to use.
Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons