Asha,

I've used the SafeNet HSM "HA" virtual slot setup and it does work. However, 
the setup is very interesting because you need to generate the MKEK and HMAC on 
a single HSM and then replicate them to the other HSMs out of band of anything we 
have in Barbican. If I recall correctly, the SafeNet Luna docs mention how to 
replicate keys or partitions between HSMs.


John Vrbanac
________________________________
From: Asha Seshagiri <[email protected]>
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
Subject: Barbican : Unable to create the secret after Integrating Barbican with 
HSM HA

Hi All,

I am working on integrating Barbican with an HSM HA setup.
I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6 is a 
virtual slot on the client side which acts as the proxy for slots 1 and 2. 
Hence on the Barbican side, I mentioned slot number 6 and its password, 
which is identical to the passwords of slot 1 and slot 2, in the 
barbican.conf file.

Please find the contents of the file:

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6

Was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM 
when we ran the pkcs11-key-generation script for slot 6, which should be the 
expected behaviour.

[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#

Please find the HSM commands and responses showing the details of the 
partitions and their contents:

[root@HSM-Client bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot    Serial #     Label
====    ========     =====
1       489361010    barbican2
2       489361011    barbican3

[HSMtestLuna1] lunash:> partition showcontents -partition barbican2

Please enter the user password for the partition:
> ********

Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash:> partition showcontents -partition barbican3

Please enter the user password for the partition:
> ********

Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key


[root@HSM-Client bin]# ./lunacm

LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.

Available HSM's:

Slot Id ->              1
HSM Label ->            barbican2
HSM Serial Number ->    489361010
HSM Model ->            LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK

Slot Id ->              2
HSM Label ->            barbican3
HSM Serial Number ->    489361011
HSM Model ->            LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK

Slot Id ->              6
HSM Label ->            barbican_ha
HSM Serial Number ->    1489361010
HSM Model ->            LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Virtual HSM (PW) Signing With Cloning Mode
HSM Status ->           N/A - HA Group

Current Slot Id: 1

Tried creating the secrets using the command below:

[root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-

Please find the logs below:

2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required

Would like to know whether Barbican supports the virtual slot configuration, since 
I have mentioned slot # 6 in the barbican.conf file, and whether anyone has tested 
an HSM HA setup with Barbican.

Any help would highly be appreciated!
--
Thanks and Regards,
Asha Seshagiri
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
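Added note for this page (example code, not Barbican's own code and not from either message above). In the traceback, unwrap_key is given meta['mkek_label'] and meta['hmac_label'] and then fails inside C_VerifyInit with "TypeError: an integer is required". That is the error a cffi or ctypes binding raises when it is handed None where a CK_OBJECT_HANDLE integer is expected, so one plausible reading, an inference rather than anything stated in the thread, is that the HMAC key lookup by label returned no object through the session Barbican opened on slot 6, even though lunash lists both labels in both member partitions. The script below checks that directly with ctypes and the standard PKCS#11 v2.20 entry points: it opens a session on the given slot, logs in as the partition user and reports whether each label resolves to a secret-key object, naming the missing label instead of surfacing a None handle later. The library path, slot id, passphrase and labels are the ones from the barbican.conf above; the file name p11_preflight.py is made up for this example.

```python
"""Pre-flight check for a Barbican [p11_crypto_plugin] slot (added example, not
Barbican's code): resolve the MKEK and HMAC labels through the configured slot
with standard PKCS#11 v2.20 calls via ctypes, and name any label not found."""
import ctypes
import sys

# PKCS#11 constants (pkcs11t.h)
CKR_OK = 0
CKF_RW_SESSION = 0x02
CKF_SERIAL_SESSION = 0x04
CKU_USER = 1
CKA_CLASS = 0x0000
CKA_LABEL = 0x0003
CKO_SECRET_KEY = 0x0004
CK_ULONG = ctypes.c_ulong

class CK_ATTRIBUTE(ctypes.Structure):
    _fields_ = [("type", CK_ULONG), ("pValue", ctypes.c_void_p), ("ulValueLen", CK_ULONG)]

def load_cryptoki(path):
    """Load the vendor library; declare argtypes so CK_ULONG handles are never
    truncated to C int, and restype so CK_RV is read as an unsigned long."""
    lib = ctypes.CDLL(path)
    sigs = {
        "C_Initialize": [ctypes.c_void_p],
        "C_Finalize": [ctypes.c_void_p],
        "C_OpenSession": [CK_ULONG, CK_ULONG, ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(CK_ULONG)],
        "C_CloseSession": [CK_ULONG],
        "C_Login": [CK_ULONG, CK_ULONG, ctypes.c_char_p, CK_ULONG],
        "C_Logout": [CK_ULONG],
        "C_FindObjectsInit": [CK_ULONG, ctypes.POINTER(CK_ATTRIBUTE), CK_ULONG],
        "C_FindObjects": [CK_ULONG, ctypes.POINTER(CK_ULONG), CK_ULONG, ctypes.POINTER(CK_ULONG)],
        "C_FindObjectsFinal": [CK_ULONG],
    }
    for name, argtypes in sigs.items():
        fn = getattr(lib, name)
        fn.argtypes, fn.restype = argtypes, CK_ULONG
    return lib

def check_rv(rv, call):
    """Turn a non-CKR_OK return value into an exception naming the call."""
    if rv != CKR_OK:
        raise RuntimeError("%s failed: CKR 0x%08x" % (call, rv))

def secret_key_template(label):
    """{CKA_CLASS=CKO_SECRET_KEY, CKA_LABEL=label} for C_FindObjectsInit.
    Returns (template, keepalive); keepalive owns the buffers the template
    points at and must outlive the C call."""
    raw = label.encode("utf-8")
    cls = CK_ULONG(CKO_SECRET_KEY)
    buf = ctypes.create_string_buffer(raw, len(raw))  # CKA_LABEL has no NUL terminator
    tmpl = (CK_ATTRIBUTE * 2)()
    tmpl[0] = CK_ATTRIBUTE(CKA_CLASS, ctypes.addressof(cls), ctypes.sizeof(cls))
    tmpl[1] = CK_ATTRIBUTE(CKA_LABEL, ctypes.addressof(buf), len(raw))
    return tmpl, (cls, buf)

def find_key_handle(lib, session, label):
    """Handle of the secret key with this label, or None when the slot shows no
    such object. None is the case to catch: passed on as a key handle it is what
    a cffi/ctypes binding rejects with "an integer is required"."""
    tmpl, _keep = secret_key_template(label)
    check_rv(lib.C_FindObjectsInit(session, tmpl, 2), "C_FindObjectsInit")
    handle, count = CK_ULONG(), CK_ULONG()
    check_rv(lib.C_FindObjects(session, ctypes.byref(handle), 1, ctypes.byref(count)), "C_FindObjects")
    check_rv(lib.C_FindObjectsFinal(session), "C_FindObjectsFinal")
    return handle.value if count.value == 1 else None

def missing_labels(handles):
    """Labels whose lookup returned no object."""
    return [label for label, handle in handles.items() if handle is None]

def preflight(library_path, slot_id, passphrase, mkek_label, hmac_label):
    """Return {label: handle-or-None} for both keys as seen through slot_id."""
    lib = load_cryptoki(library_path)
    check_rv(lib.C_Initialize(None), "C_Initialize")
    try:
        session = CK_ULONG()
        check_rv(lib.C_OpenSession(slot_id, CKF_SERIAL_SESSION | CKF_RW_SESSION, None, None,
                                   ctypes.byref(session)), "C_OpenSession")
        try:
            pin = passphrase.encode("utf-8")
            check_rv(lib.C_Login(session.value, CKU_USER, pin, len(pin)), "C_Login")
            return {lbl: find_key_handle(lib, session.value, lbl) for lbl in (mkek_label, hmac_label)}
        finally:
            lib.C_Logout(session.value)
            lib.C_CloseSession(session.value)
    finally:
        lib.C_Finalize(None)

if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: p11_preflight.py LIBRARY SLOT_ID PASSPHRASE MKEK_LABEL HMAC_LABEL")
    found = preflight(sys.argv[1], int(sys.argv[2]), *sys.argv[3:6])
    for label, handle in found.items():
        print("%-10s %s" % (label, "NOT FOUND" if handle is None else "handle %d" % handle))
    sys.exit(1 if missing_labels(found) else 0)
```

Run it on the Luna client as python p11_preflight.py /usr/lib/libCryptoki2_64.so 6 test5678 ha_mkek ha_hmac; a zero exit status means both labels resolve through slot 6 in a fresh session, which is the precondition for Barbican's verify_hmac call. If a label comes back NOT FOUND here while partition showcontents lists it on the member partitions, the object exists but is not reachable through the virtual slot, and the key replication between HA members that John's reply mentions is the place to look before pointing Barbican at that slot.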
