Hi All,

I am working on integrating Barbican with an HSM HA setup. I have configured slot 1 and slot 2 to be in HA on a Luna SA setup. Slot 6 is a virtual slot on the client side which acts as the proxy for slots 1 and 2. Hence on the Barbican side, I specified slot number 6 and its password, which is identical to the passwords of slot 1 and slot 2, in the barbican.conf file.
Please find the contents of the file:

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6

I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM when we ran the pkcs11-key-generation script for slot 6, which should be the expected behaviour.

[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#

Please find the HSM commands and responses showing the details of the partitions and the partition contents:

[root@HSM-Client bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot    Serial #        Label
====    ========        =====
1       489361010       barbican2
2       489361011       barbican3

[HSMtestLuna1] lunash:> partition showcontents -partition barbican2

Please enter the user password for the partition:
> ********

Partition Name:        barbican2
Partition SN:          489361010
Storage (Bytes):       Total=1046420, Used=256, Free=1046164
Number objects:        2

Object Label:          ha_mkek
Object Type:           Symmetric Key

Object Label:          ha_hmac
Object Type:           Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash:> partition showcontents -partition barbican3

Please enter the user password for the partition:
> ********

Partition Name:        barbican3
Partition SN:          489361011
Storage (Bytes):       Total=1046420, Used=256, Free=1046164
Number objects:        2

Object Label:          ha_mkek
Object Type:           Symmetric Key

Object Label:          ha_hmac
Object Type:           Symmetric Key

[root@HSM-Client bin]# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.

Available HSM's:

Slot Id ->              1
HSM Label ->            barbican2
HSM Serial Number ->    489361010
HSM Model ->            LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK

Slot Id ->              2
HSM Label ->            barbican3
HSM Serial Number ->    489361011
HSM Model ->            LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK

Slot Id ->              6
HSM Label ->            barbican_ha
HSM Serial Number ->    1489361010
HSM Model ->            LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Virtual HSM (PW) Signing With Cloning Mode
HSM Status ->           N/A - HA Group

Current Slot Id: 1

I tried creating a secret using the command below:

[root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-

Please find the logs below:

2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required

I would like to know whether Barbican supports a virtual slot configuration, since I have specified slot # 6 in the barbican.conf file, and whether anyone has tested an HSM HA setup with Barbican.

Any help would be highly appreciated!

--
Thanks and Regards,
Asha Seshagiri
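One thing worth ruling out before going further, as an added check that is not part of the original post: the traceback ends with C_VerifyInit receiving an hmac_key that is not an integer, which is what you would see if the label lookup in the configured slot returned no object handle at all. The script below is my own diagnostic, not Barbican's code. It uses only ctypes and the vendor library, opens a session on the slot from barbican.conf, logs in with the partition password, and reports whether each label (ha_mkek, ha_hmac) resolves to exactly one object handle in that slot. It assumes a PKCS#11 v2.x library that exports the C_* entry points directly (as the PKCS#11 spec requires); the script name check_p11_labels.py and the function names are mine, and the constants are the standard PKCS#11 header values.

```python
"""Check that Barbican's mkek_label / hmac_label resolve to exactly one object
handle in the configured PKCS#11 slot, using only ctypes and the vendor library.

Added diagnostic, not part of the original post or of Barbican. It assumes a
PKCS#11 v2.x library that exports the C_* entry points directly; the library
path, slot id, PIN and labels are taken from the barbican.conf in the post and
are supplied on the command line. Constant values are from the PKCS#11 header.
"""
import ctypes
import sys

CKR_OK = 0x00000000
CKF_SERIAL_SESSION = 0x00000004
CKU_USER = 1
CKA_LABEL = 0x00000003
MAX_HANDLES = 8


class CK_ATTRIBUTE(ctypes.Structure):
    """CK_ATTRIBUTE { CK_ATTRIBUTE_TYPE type; CK_VOID_PTR pValue; CK_ULONG ulValueLen; }"""
    _fields_ = [("type", ctypes.c_ulong),
                ("pValue", ctypes.c_void_p),
                ("ulValueLen", ctypes.c_ulong)]


def label_template(label):
    """Build a one-attribute CKA_LABEL search template.

    CKA_LABEL is matched on exactly ulValueLen bytes, so the trailing NUL that
    create_string_buffer adds is deliberately excluded from the length. The
    buffer is returned alongside the template so the caller keeps it alive."""
    raw = label.encode("utf-8")
    buf = ctypes.create_string_buffer(raw)
    template = (CK_ATTRIBUTE * 1)()
    template[0].type = CKA_LABEL
    template[0].pValue = ctypes.cast(buf, ctypes.c_void_p)
    template[0].ulValueLen = len(raw)
    return template, buf


def interpret_find(handles, count):
    """Turn a C_FindObjects result into (handle, verdict).

    As the traceback shows, Barbican's p11 plugin passes the looked-up handle
    straight to calls such as C_VerifyInit, so anything other than exactly one
    non-zero integer handle is a configuration problem rather than an HSM fault."""
    if count == 0:
        return None, "no object with this label is visible in this slot"
    if count > 1:
        return None, "%d objects share this label; labels must be unique" % count
    handle = int(handles[0])
    if handle == 0:
        return None, "library returned an invalid (zero) object handle"
    return handle, "ok"


def bind(lib):
    """Declare argument/return types so 64-bit CK_ULONG values are passed intact."""
    ul = ctypes.c_ulong
    sigs = {
        "C_Initialize": [ctypes.c_void_p],
        "C_Finalize": [ctypes.c_void_p],
        "C_OpenSession": [ul, ul, ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(ul)],
        "C_CloseSession": [ul],
        "C_Login": [ul, ul, ctypes.c_char_p, ul],
        "C_Logout": [ul],
        "C_FindObjectsInit": [ul, ctypes.POINTER(CK_ATTRIBUTE), ul],
        "C_FindObjects": [ul, ctypes.POINTER(ul), ul, ctypes.POINTER(ul)],
        "C_FindObjectsFinal": [ul],
    }
    for name, argtypes in sigs.items():
        fn = getattr(lib, name)
        fn.argtypes, fn.restype = argtypes, ul


def check(rv, call):
    """Raise with the CKR_* return code if a PKCS#11 call did not succeed."""
    if rv != CKR_OK:
        raise RuntimeError("%s failed with CKR 0x%08x" % (call, rv))


def find_key_handle(lib, session, label):
    """C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal for one label."""
    template, keepalive = label_template(label)  # keepalive must outlive the search
    check(lib.C_FindObjectsInit(session, template, 1), "C_FindObjectsInit")
    handles = (ctypes.c_ulong * MAX_HANDLES)()
    count = ctypes.c_ulong(0)
    rv = lib.C_FindObjects(session, handles, MAX_HANDLES, ctypes.byref(count))
    lib.C_FindObjectsFinal(session)
    check(rv, "C_FindObjects")
    return interpret_find(handles, count.value)


def main(argv):
    library_path, slot_id, pin = argv[1], int(argv[2]), argv[3].encode("utf-8")
    labels = argv[4:]
    lib = ctypes.CDLL(library_path)
    bind(lib)
    check(lib.C_Initialize(None), "C_Initialize")
    session = ctypes.c_ulong()
    ok = True
    try:
        check(lib.C_OpenSession(slot_id, CKF_SERIAL_SESSION, None, None,
                                ctypes.byref(session)), "C_OpenSession")
        check(lib.C_Login(session.value, CKU_USER, pin, len(pin)), "C_Login")
        for label in labels:
            handle, verdict = find_key_handle(lib, session.value, label)
            print("slot %d label %-10s -> handle %s (%s)" % (slot_id, label, handle, verdict))
            ok = ok and handle is not None
        lib.C_Logout(session.value)
        lib.C_CloseSession(session.value)
    finally:
        lib.C_Finalize(None)
    return 0 if ok else 1


if __name__ == "__main__":
    # Matching the post's barbican.conf (hypothetical script name):
    #   python check_p11_labels.py /usr/lib/libCryptoki2_64.so 6 test5678 ha_mkek ha_hmac
    sys.exit(main(sys.argv))
```

If both labels come back with "ok" from slot 6, the lookup is not the problem and the next place to look is the plugin's own session and handle types; if either comes back with "no object with this label is visible in this slot", the HA virtual slot is not exposing the keys that lunash shows in the member partitions, and that is what to chase with the HSM vendor documentation before changing anything in Barbican.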
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev