Hi John,

Thanks a lot for providing me the response :) I followed the link [1] for configuring the HA setup.

[1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html

The final step in the above link is the haAdmin command, which is run on the client side (on Barbican). Slot 6 is the virtual slot (only on the client side and not visible on the Luna SA), and 1 and 2 are actual slots on the Luna SA HSM. Please find the response below:

[root@HSM-Client bin]# ./vtl haAdmin show

================ HA Global Configuration Settings ===============
HA Proxy:                       disabled
HA Auto Recovery:               disabled
Maximum Auto Recovery Retry:    0
Auto Recovery Poll Interval:    60 seconds
HA Logging:                     disabled
Only Show HA Slots:             no

================ HA Group and Member Information ================
HA Group Label:       barbican_ha
HA Group Number:      1489361010
HA Group Slot #:      6
Synchronization:      enabled
Group Members:        489361010, 489361011
Standby members:      <none>

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive

After finding out the virtual HA slot number, I ran pkcs11-key-generation with slot number 6, which did create the mkek and hmac in slots/partitions 1 and 2 automatically. I am not sure why we have to replicate the keys between partitions.

I configured slot 6 in barbican.conf as mentioned in my first email. I am not sure what the issue might be, and it would be great if you could tell me the steps or where I might have gone wrong.

Thanks and Regards,
Asha Seshagiri

On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac <[email protected]> wrote:

> Asha,
>
> I've used the Safenet HSM "HA" virtual slot setup and it does work.
> However, the setup is very interesting because you need to generate the
> MKEK and HMAC on a single HSM and then replicate it to the other HSMs out
> of band of anything we have in Barbican. If I recall correctly, the Safenet
> Luna docs mention how to replicate keys or partitions between HSMs.
>
> John Vrbanac
> ------------------------------
> From: Asha Seshagiri <[email protected]>
> Sent: Monday, July 27, 2015 2:00 PM
> To: openstack-dev
> Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
> Subject: Barbican : Unable to create the secret after Integrating Barbican with HSM HA
>
> Hi All,
>
> I am working on integrating Barbican with an HSM HA setup.
> I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6 is a
> virtual slot on the client side which acts as the proxy for slots 1 and 2. Hence on
> the Barbican side I mentioned slot number 6 and its password, which is identical to
> the passwords of slot 1 and slot 2, in the barbican.conf file.
>
> Please find the contents of the file:
>
> # ================= Secret Store Plugin ===================
> [secretstore]
> namespace = barbican.secretstore.plugin
> enabled_secretstore_plugins = store_crypto
>
> # ================= Crypto plugin ===================
> [crypto]
> namespace = barbican.crypto.plugin
> enabled_crypto_plugins = p11_crypto
>
> [simple_crypto_plugin]
> # the kek should be a 32-byte value which is base64 encoded
> kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
>
> [dogtag_plugin]
> pem_path = '/etc/barbican/kra_admin_cert.pem'
> dogtag_host = localhost
> dogtag_port = 8443
> nss_db_path = '/etc/barbican/alias'
> nss_db_path_ca = '/etc/barbican/alias-ca'
> nss_password = 'password123'
> simple_cmc_profile = 'caOtherCert'
>
> [p11_crypto_plugin]
> # Path to vendor PKCS11 library
> library_path = '/usr/lib/libCryptoki2_64.so'
> # Password to login to PKCS11 session
> login = 'test5678'
> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
> mkek_label = 'ha_mkek'
> # Length in bytes of master KEK
> mkek_length = 32
> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
> hmac_label = 'ha_hmac'
> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
> slot_id = 6
>
> I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM
> when running the pkcs11-key-generation script for slot 6, which should be the
> expected behaviour.
>
> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
> Verified label !
> MKEK successfully generated!
> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
> HMAC successfully generated!
> [root@HSM-Client bin]#
>
> Please find the HSM commands and responses showing the details of the partitions
> and their contents:
>
> [root@HSM-Client bin]# ./vtl verify
>
> The following Luna SA Slots/Partitions were found:
>
> Slot    Serial #     Label
> ====    ========     =====
> 1       489361010    barbican2
> 2       489361011    barbican3
>
> [HSMtestLuna1] lunash:> partition showcontents -partition barbican2
>
> Please enter the user password for the partition:
> ********
>
> Partition Name:     barbican2
> Partition SN:       489361010
> Storage (Bytes):    Total=1046420, Used=256, Free=1046164
> Number objects:     2
>
> Object Label:       ha_mkek
> Object Type:        Symmetric Key
>
> Object Label:       ha_hmac
> Object Type:        Symmetric Key
>
> Command Result : 0 (Success)
>
> [HSMtestLuna1] lunash:> partition showcontents -partition barbican3
>
> Please enter the user password for the partition:
> ********
>
> Partition Name:     barbican3
> Partition SN:       489361011
> Storage (Bytes):    Total=1046420, Used=256, Free=1046164
> Number objects:     2
>
> Object Label:       ha_mkek
> Object Type:        Symmetric Key
>
> Object Label:       ha_hmac
> Object Type:        Symmetric Key
>
> [root@HSM-Client bin]# ./lunacm
>
> LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
>
> Available HSM's:
>
> Slot Id ->               1
> HSM Label ->             barbican2
> HSM Serial Number ->     489361010
> HSM Model ->             LunaSA
> HSM Firmware Version ->  6.2.1
> HSM Configuration ->     Luna SA Slot (PW) Signing With Cloning Mode
> HSM Status ->            OK
>
> Slot Id ->               2
> HSM Label ->             barbican3
> HSM Serial Number ->     489361011
> HSM Model ->             LunaSA
> HSM Firmware Version ->  6.2.1
> HSM Configuration ->     Luna SA Slot (PW) Signing With Cloning Mode
> HSM Status ->            OK
>
> Slot Id ->               6
> HSM Label ->             barbican_ha
> HSM Serial Number ->     1489361010
> HSM Model ->             LunaVirtual
> HSM Firmware Version ->  6.2.1
> HSM Configuration ->     Virtual HSM (PW) Signing With Cloning Mode
> HSM Status ->            N/A - HA Group
>
> Current Slot Id: 1
>
> Tried creating the secrets using the below command:
>
> [root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
> {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}
> [root@HSM-
>
> Please find the logs below:
>
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required
>
> I would like to know whether Barbican supports the virtual slot configuration,
> since I have mentioned slot # 6 in the barbican.conf file, and whether anyone
> has tested an HSM HA setup with Barbican.
> Any help would be highly appreciated!
> --
> Thanks and Regards,
> Asha Seshagiri

--
Thanks and Regards,
Asha Seshagiri
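Before chasing the traceback, the first thing to check in a setup like the one described in this thread is that what Barbican was told in barbican.conf actually agrees with what the Luna client reports for the HA group. The script below is an added example (my code, not Barbican's, SafeNet's, or anything posted in the thread) that parses the `vtl haAdmin show` output in the format quoted above together with the [p11_crypto_plugin] section and flags the mismatches a reviewer would look for first: slot_id pointing at a physical member instead of the HA virtual slot, synchronization off, a member not alive, and HA Auto Recovery disabled. It assumes the haAdmin field names and table layout are exactly as shown in the thread; both sample strings are constructed from that output and from the quoted config.

```python
"""Cross-check Barbican's [p11_crypto_plugin] section against `vtl haAdmin show`.

Added example for the thread above, not Barbican or SafeNet code. The parser is
keyed to the field names visible in the quoted haAdmin output (an assumption);
the two sample texts are constructed from that output and from barbican.conf.
"""
import configparser
import re

# Constructed sample, abridged from the `vtl haAdmin show` output in the thread.
SAMPLE_HA_SHOW = """\
================ HA Global Configuration Settings ===============
HA Proxy:                       disabled
HA Auto Recovery:               disabled
HA Logging:                     disabled

================ HA Group and Member Information ================
HA Group Label:       barbican_ha
HA Group Slot #:      6
Synchronization:      enabled
Group Members:        489361010, 489361011

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive
"""

# Constructed sample from the [p11_crypto_plugin] section in the thread.
SAMPLE_CONF = """\
[p11_crypto_plugin]
mkek_label = 'ha_mkek'
hmac_label = 'ha_hmac'
slot_id = 6
"""

_KV = re.compile(r"^\s*([A-Za-z #]+?):\s*(.*?)\s*$")            # "Name:   value"
_MEMBER = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")  # slot serial label status


def parse_ha_show(text):
    """Return (settings, members): the 'Name:' fields as a dict and the
    member table as a list of dicts with slot/serial/label/status."""
    settings, members, in_table = {}, [], False
    for line in text.splitlines():
        if line.startswith("Slot #"):          # header row of the member table
            in_table = True
            continue
        if in_table:
            m = _MEMBER.match(line)            # the ===== underline row is skipped
            if m:
                members.append({"slot": int(m.group(1)), "serial": m.group(2),
                                "label": m.group(3), "status": m.group(4)})
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2)
    return settings, members


def check_ha_config(conf_text, ha_show_text):
    """Return a list of findings; an empty list means the two agree."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["p11_crypto_plugin"]
    slot_id = int(sec["slot_id"])
    settings, members = parse_ha_show(ha_show_text)
    findings = []

    # Barbican must open the HA virtual slot, not one physical member: objects
    # created through a member slot alone are not synchronised to the others.
    ha_slot = int(settings.get("HA Group Slot #", -1))
    if slot_id != ha_slot:
        findings.append(f"slot_id={slot_id} in barbican.conf but the HA group "
                        f"virtual slot is {ha_slot}")
    if settings.get("Synchronization") != "enabled":
        findings.append("HA group synchronization is not enabled; objects created "
                        "through the virtual slot will not be replicated")
    if len(members) < 2:
        findings.append(f"HA group has {len(members)} member(s); fewer than 2 "
                        "gives no failover")
    for m in members:
        if m["status"] != "alive":
            findings.append(f"member {m['label']} (S/N {m['serial']}) is {m['status']}")
    if settings.get("HA Auto Recovery") != "enabled":
        findings.append("HA Auto Recovery is disabled; a member that drops out "
                        "stays out until re-added by hand")
    if sec["mkek_label"] == sec["hmac_label"]:
        findings.append("mkek_label and hmac_label must differ")
    return findings


if __name__ == "__main__":
    for msg in check_ha_config(SAMPLE_CONF, SAMPLE_HA_SHOW) or ["OK: barbican.conf matches the HA group"]:
        print(msg)
```

Run against the output quoted in the thread, the only finding is that HA Auto Recovery is disabled, which is a resilience concern rather than the cause of the 500: both members are alive, synchronization is on, and slot_id is the virtual slot. The remaining lead is the traceback itself. `TypeError: an integer is required` raised from `self.lib.C_VerifyInit(session, mech, hmac_key)` is the message cffi produces when a Python None is handed to a C parameter of integer type such as a CK_OBJECT_HANDLE, so the next thing to confirm on the client is that a C_FindObjects for the configured hmac_label through slot 6 returns exactly one handle. That is a general observation about cffi argument conversion, not a diagnosis the thread establishes.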
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
