Hi John,
Any help would be highly appreciated.

Thanks and Regards,
Asha Seshagiri

On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri <asha.seshag...@gmail.com> wrote:
> Hi John,
>
> Thanks a lot for providing me the response :)
> I followed the link [1] for configuring the HA setup.
> [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html
>
> The final step in the above link is the haAdmin command, which is run on the
> client side (on Barbican).
> Slot 6 is the virtual slot (only on the client side and not visible on the
> Luna SA) and 1 and 2 are actual slots on the Luna SA HSM.
>
> Please find the response below:
>
> [root@HSM-Client bin]# ./vtl haAdmin show
>
> ================ HA Global Configuration Settings ===============
>
> HA Proxy: disabled
> HA Auto Recovery: disabled
> Maximum Auto Recovery Retry: 0
> Auto Recovery Poll Interval: 60 seconds
> HA Logging: disabled
> Only Show HA Slots: no
>
> ================ HA Group and Member Information ================
>
> HA Group Label: barbican_ha
> HA Group Number: 1489361010
> HA Group Slot #: 6
> Synchronization: enabled
> Group Members: 489361010, 489361011
> Standby members: <none>
>
> Slot #  Member S/N  Member Label  Status
> ======  ==========  ============  ======
> 1       489361010   barbican2     alive
> 2       489361011   barbican3     alive
>
> After knowing the virtual HA slot number, I ran pkcs11-key-generation
> with slot number 6, which did create the MKEK and HMAC in slots/partitions 1 and 2
> automatically. I am not sure why we have to replicate the keys between
> partitions. I configured slot 6 in barbican.conf as mentioned in my
> first email.
>
> Not sure what might be the issue, and it would be great if you could tell me
> the steps or where I would have gone wrong.
>
> Thanks and Regards,
>
> Asha Seshagiri
>
> On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac <john.vrba...@rackspace.com> wrote:
>
>> Asha,
>>
>> I've used the Safenet HSM "HA" virtual slot setup and it does work.
>> However, the setup is very interesting because you need to generate the
>> MKEK and HMAC on a single HSM and then replicate it to the other HSMs out
>> of band of anything we have in Barbican. If I recall correctly, the Safenet
>> Luna docs mention how to replicate keys or partitions between HSMs.
>>
>> John Vrbanac
>> ------------------------------
>> From: Asha Seshagiri <asha.seshag...@gmail.com>
>> Sent: Monday, July 27, 2015 2:00 PM
>> To: openstack-dev
>> Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
>> Subject: Barbican : Unable to create the secret after Integrating Barbican with HSM HA
>>
>> Hi All,
>>
>> I am working on integrating Barbican with an HSM HA setup.
>> I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot
>> 6 is a virtual slot on the client side which acts as the proxy for slots
>> 1 and 2. Hence on the Barbican side I mentioned slot number 6 and its
>> password, which is identical to the passwords of slot 1 and slot 2, in the
>> barbican.conf file.
>>
>> Please find the contents of the file:
>>
>> # ================= Secret Store Plugin ===================
>> [secretstore]
>> namespace = barbican.secretstore.plugin
>> enabled_secretstore_plugins = store_crypto
>>
>> # ================= Crypto plugin ===================
>> [crypto]
>> namespace = barbican.crypto.plugin
>> enabled_crypto_plugins = p11_crypto
>>
>> [simple_crypto_plugin]
>> # the kek should be a 32-byte value which is base64 encoded
>> kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
>>
>> [dogtag_plugin]
>> pem_path = '/etc/barbican/kra_admin_cert.pem'
>> dogtag_host = localhost
>> dogtag_port = 8443
>> nss_db_path = '/etc/barbican/alias'
>> nss_db_path_ca = '/etc/barbican/alias-ca'
>> nss_password = 'password123'
>> simple_cmc_profile = 'caOtherCert'
>>
>> [p11_crypto_plugin]
>> # Path to vendor PKCS11 library
>> library_path = '/usr/lib/libCryptoki2_64.so'
>> # Password to login to PKCS11 session
>> login = 'test5678'
>> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
>> mkek_label = 'ha_mkek'
>> # Length in bytes of master KEK
>> mkek_length = 32
>> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
>> hmac_label = 'ha_hmac'
>> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
>> slot_id = 6
>>
>> I was able to create the MKEK and HMAC successfully for slots 1 and 2 on
>> the HSM when running the pkcs11-key-generation script for slot 6, which
>> should be the expected behaviour.
>>
>> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
>> Verified label !
>> MKEK successfully generated!
>> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
>> HMAC successfully generated!
>> [root@HSM-Client bin]#
>>
>> Please find the HSM commands and responses to show the details of the
>> partitions and partition contents:
>>
>> [root@HSM-Client bin]# ./vtl verify
>>
>> The following Luna SA Slots/Partitions were found:
>>
>> Slot  Serial #   Label
>> ====  ========   =====
>> 1     489361010  barbican2
>> 2     489361011  barbican3
>>
>> [HSMtestLuna1] lunash:> partition showcontents -partition barbican2
>>
>> Please enter the user password for the partition:
>> > ********
>>
>> Partition Name: barbican2
>> Partition SN: 489361010
>> Storage (Bytes): Total=1046420, Used=256, Free=1046164
>> Number objects: 2
>>
>> Object Label: ha_mkek
>> Object Type: Symmetric Key
>>
>> Object Label: ha_hmac
>> Object Type: Symmetric Key
>>
>> Command Result : 0 (Success)
>>
>> [HSMtestLuna1] lunash:> partition showcontents -partition barbican3
>>
>> Please enter the user password for the partition:
>> > ********
>>
>> Partition Name: barbican3
>> Partition SN: 489361011
>> Storage (Bytes): Total=1046420, Used=256, Free=1046164
>> Number objects: 2
>>
>> Object Label: ha_mkek
>> Object Type: Symmetric Key
>>
>> Object Label: ha_hmac
>> Object Type: Symmetric Key
>>
>> [root@HSM-Client bin]# ./lunacm
>>
>> LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
>>
>> Available HSM's:
>>
>> Slot Id -> 1
>> HSM Label -> barbican2
>> HSM Serial Number -> 489361010
>> HSM Model -> LunaSA
>> HSM Firmware Version -> 6.2.1
>> HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
>> HSM Status -> OK
>>
>> Slot Id -> 2
>> HSM Label -> barbican3
>> HSM Serial Number -> 489361011
>> HSM Model -> LunaSA
>> HSM Firmware Version -> 6.2.1
>> HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
>> HSM Status -> OK
>>
>> Slot Id -> 6
>> HSM Label -> barbican_ha
>> HSM Serial Number -> 1489361010
>> HSM Model -> LunaVirtual
>> HSM Firmware Version -> 6.2.1
>> HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode
>> HSM Status -> N/A - HA Group
>>
>> Current Slot Id: 1
>>
>> Tried creating the secrets using the below command:
>>
>> [root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>> {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-
>>
>> Please find the logs below:
>>
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required
>>
>> I would like to know whether Barbican supports virtual slot configuration,
>> since I have mentioned slot # 6 in the barbican.conf file, and whether
>> anyone has tested an HSM HA setup with Barbican.
>> Any help would be highly appreciated!
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>>
>
> --
> Thanks and Regards,
> Asha Seshagiri

--
Thanks and Regards,
Asha Seshagiri
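A preflight check for the setup discussed in this thread, added here as an example and not code from the thread or from Barbican itself: it parses the `vtl haAdmin show` output and the [p11_crypto_plugin] section of barbican.conf, then confirms that slot_id is the HA virtual slot, that the MKEK and HMAC labels differ, and that every group member is alive. The sample output and config fragment are constructed from the values posted above.

```python
import configparser
import re

# Constructed sample of `vtl haAdmin show` output, trimmed to the fields checked here.
HA_ADMIN_SHOW = """\
HA Group Slot #: 6
Slot #  Member S/N  Member Label  Status
======  ==========  ============  ======
1       489361010   barbican2     alive
2       489361011   barbican3     alive
"""

# Constructed barbican.conf fragment with the values used in the thread.
BARBICAN_CONF = """\
[p11_crypto_plugin]
mkek_label = 'ha_mkek'
hmac_label = 'ha_hmac'
slot_id = 6
"""

def parse_ha_show(text):
    """Return (virtual slot number, {member serial: (label, status)})."""
    slot, members = None, {}
    for line in text.splitlines():
        if line.startswith("HA Group Slot #:"):
            slot = int(line.split(":", 1)[1])
        # Member rows look like: "1  489361010  barbican2  alive"
        m = re.match(r"^\s*\d+\s+(\d+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            members[m.group(1)] = (m.group(2), m.group(3))
    return slot, members

def preflight(conf_text, ha_text):
    """Return a list of problems; empty means the config matches the HA group."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["p11_crypto_plugin"]
    unquote = lambda v: v.strip("'\"")  # barbican.conf values are quoted
    slot, members = parse_ha_show(ha_text)
    if slot is None or not members:
        return ["no HA group found in haAdmin output"]
    problems = []
    slot_id = int(unquote(sec["slot_id"]))
    if slot_id != slot:  # plugin must use the virtual slot, not a single member
        problems.append("slot_id %d is not the HA virtual slot %d" % (slot_id, slot))
    if unquote(sec["mkek_label"]) == unquote(sec["hmac_label"]):
        problems.append("mkek_label and hmac_label must differ")
    problems += ["HA member %s (%s) is %s" % (s, lbl, st)
                 for s, (lbl, st) in sorted(members.items()) if st != "alive"]
    return problems
```

Run it against the real `vtl haAdmin show` output and barbican.conf before restarting the Barbican API; an empty list means the plugin is at least pointed at the HA group the client sees.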
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev