Asha,

I'm not sure what went wrong. Something must have happened during your HA 
setup. You might check a couple of different things. First, you might check out 
your HA policies and HA group setup. The other thing you might make sure of is 
that you only generate one mkek and hmac on one HSM (I use the direct slot and 
not the HA virtual slot for this) and then replicate (vtl haAdmin -synchronize). 
If the HA group is set up properly it should replicate your mkek and hmac across 
the other HSMs in the HA group. As a side note, the pkcs11 plugin in Barbican 
currently retrieves the mkek and hmac by label, so make sure you don't have 
multiple keys in the HSM with the same label.


John Vrbanac
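As an added example (not code from this thread and not part of Barbican), the script below checks offline the two things the reply above asks for: that the HA group is actually replicating (synchronization enabled, every member alive and listed) and that each key label resolves to exactly one object on every member, since the p11 plugin looks the mkek and hmac up by label. It parses the text that `vtl haAdmin show` and `partition showcontents` print; the only assumption is the output layout shown in the thread, and the sample transcripts embedded in it are constructed (the second partition is deliberately given a duplicate `ha_mkek` object).

```python
"""Offline sanity checks for a Luna SA HA group used with Barbican's p11 plugin."""
import re
from collections import Counter

# Constructed sample shaped like `vtl haAdmin show`: a healthy two-member group.
HA_ADMIN_SHOW = """\
================ HA Group and Member Information ================
HA Group Label: barbican_ha
HA Group Number: 1489361010
HA Group Slot #: 6
Synchronization: enabled
Group Members: 489361010, 489361011
Standby members: <none>

Slot # Member S/N Member Label Status
====== ========== ============ ======
1 489361010 barbican2 alive
2 489361011 barbican3 alive
"""

# Constructed samples shaped like `partition showcontents`; barbican3 carries
# two objects labelled ha_mkek, the duplicate-label condition a lookup by
# label cannot disambiguate.
PARTITION_CONTENTS = {
    "barbican2": """\
Partition Name: barbican2
Partition SN: 489361010
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key
""",
    "barbican3": """\
Partition Name: barbican3
Partition SN: 489361011
Number objects: 3

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key
""",
}


def parse_ha_group(text):
    """Extract group settings and the per-member status table from haAdmin output."""
    info = {}
    for key in ("HA Group Label", "HA Group Slot #", "Synchronization",
                "Group Members", "Standby members"):
        m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        info[key] = m.group(1) if m else None
    members = {}
    # Status rows look like: "<slot> <serial> <label> <status>"
    for m in re.finditer(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$", text, re.M):
        slot, serial, label, status = m.groups()
        members[serial] = {"slot": int(slot), "label": label, "status": status}
    info["members"] = members
    return info


def parse_partition(text):
    """Extract partition name, declared object count and object labels."""
    name = re.search(r"^Partition Name:\s*(\S+)", text, re.M)
    count = re.search(r"^Number objects:\s*(\d+)", text, re.M)
    return {
        "name": name.group(1) if name else None,
        "declared": int(count.group(1)) if count else None,
        "labels": re.findall(r"^Object Label:\s*(.+?)\s*$", text, re.M),
    }


def check_ha_group(info):
    """Return problems that would stop the HA group from replicating keys."""
    problems = []
    if info["Synchronization"] != "enabled":
        problems.append("synchronization is not enabled")
    declared = {s.strip() for s in (info["Group Members"] or "").split(",") if s.strip()}
    seen = set(info["members"])
    if declared != seen:
        problems.append(f"member list {sorted(declared)} does not match status table {sorted(seen)}")
    for serial, m in info["members"].items():
        if m["status"] != "alive":
            problems.append(f"member {serial} ({m['label']}) is {m['status']}")
    return problems


def check_key_labels(partitions, mkek_label, hmac_label):
    """Return problems with the MKEK/HMAC objects across the HA members.

    Each configured label must match exactly one object on every member, and
    the two labels must differ, for a lookup by label to be unambiguous.
    """
    problems = []
    if mkek_label == hmac_label:
        problems.append("mkek_label and hmac_label must differ")
    for key, text in partitions.items():
        part = parse_partition(text)
        name = part["name"] or key
        if part["declared"] is not None and part["declared"] != len(part["labels"]):
            problems.append(f"{name}: declared {part['declared']} objects but listed {len(part['labels'])}")
        counts = Counter(part["labels"])
        for label in (mkek_label, hmac_label):
            n = counts.get(label, 0)
            if n == 0:
                problems.append(f"{name}: no object labelled {label!r}")
            elif n > 1:
                problems.append(f"{name}: {n} objects labelled {label!r} (lookup by label is ambiguous)")
    return problems


if __name__ == "__main__":
    findings = check_ha_group(parse_ha_group(HA_ADMIN_SHOW))
    findings += check_key_labels(PARTITION_CONTENTS, "ha_mkek", "ha_hmac")
    for finding in findings or ["no problems found"]:
        print(finding)
```

Run it with the real transcripts pasted in place of the constructed ones; a duplicate label on any member is reported per partition, which is the condition to clear before re-running the key generation on a single direct slot and synchronizing.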
________________________________
From: Asha Seshagiri <asha.seshag...@gmail.com>
Sent: Tuesday, July 28, 2015 9:22 AM
To: John Vrbanac
Cc: openstack-dev; John Wood; Douglas Mendizabal; Reller, Nathan S.
Subject: Re: Barbican : Unable to create the secret after Integrating Barbican 
with HSM HA

Hi John,

Any help would highly be appreciated.

Thanks and Regards,
Asha Seshagiri

On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri 
<asha.seshag...@gmail.com<mailto:asha.seshag...@gmail.com>> wrote:
Hi John,

Thanks a lot for providing me the response :)
I followed the link [1] for configuring the HA setup.
[1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html

The final step in the above link is the haAdmin command, which is run on the 
client side (on Barbican).
Slot 6 is the virtual slot (only on the client side and not visible on the Luna 
SA), and 1 and 2 are actual slots on the Luna SA HSM.

Please find the response below :

[root@HSM-Client bin]# ./vtl haAdmin show

================ HA Global Configuration Settings ===============

HA Proxy: disabled
HA Auto Recovery: disabled
Maximum Auto Recovery Retry: 0
Auto Recovery Poll Interval: 60 seconds
HA Logging: disabled
Only Show HA Slots: no

================ HA Group and Member Information ================

HA Group Label: barbican_ha
HA Group Number: 1489361010
HA Group Slot #: 6
Synchronization: enabled
Group Members: 489361010, 489361011
Standby members: <none>

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive

After finding the virtual HA slot number, I ran pkcs11-key-generation with 
slot number 6, which did create the mkek and hmac in slots/partitions 1 and 2 
automatically. I am not sure why we have to replicate the keys between 
partitions. I configured slot 6 in barbican.conf as mentioned in my first 
email.

Not sure what might be the issue, and it would be great if you could tell me 
the steps or where I would have gone wrong.

Thanks and Regards,

Asha Seshagiri

On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac 
<john.vrba...@rackspace.com<mailto:john.vrba...@rackspace.com>> wrote:

Asha,

I've used the Safenet HSM "HA" virtual slot setup and it does work. However, 
the setup is very interesting because you need to generate the MKEK and HMAC on 
a single HSM and then replicate it to the other HSMs out of band of anything we 
have in Barbican. If I recall correctly, the Safenet Luna docs mention how to 
replicate keys or partitions between HSMs.


John Vrbanac
________________________________
From: Asha Seshagiri <asha.seshag...@gmail.com<mailto:asha.seshag...@gmail.com>>
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
Subject: Barbican : Unable to create the secret after Integrating Barbican with 
HSM HA

Hi All,

I am working on integrating Barbican with an HSM HA setup.
I have configured slot 1 and slot 2 to be in HA on the Luna SA. Slot 6 is a 
virtual slot on the client side which acts as the proxy for slots 1 and 2. 
Hence on the Barbican side, I mentioned slot number 6 and its password, 
which is identical to the passwords of slot 1 and slot 2, in the 
barbican.conf file.

Please find the contents of the file:

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6

I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the 
HSM when running the pkcs11-key-generation script for slot 6, which should be 
the expected behaviour.

[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
'/usr/lib/libCryptoki2_64.so'  --passphrase 'test5678' --slot-id 6 mkek --label 
'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 
'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#

Please find the HSM commands and responses showing the details of the 
partitions and the partition contents:

root@HSM-Client bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot   Serial #    Label
====   ========    =====
1      489361010   barbican2
2      489361011   barbican3

[HSMtestLuna1] lunash:> partition showcontents -partition barbican2

Please enter the user password for the partition:
> ********

Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash:> partition showcontents -partition barbican3

Please enter the user password for the partition:
> ********

Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

[root@HSM-Client bin]# ./lunacm

LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.

Available HSM's:

Slot Id ->              1
HSM Label ->            barbican2
HSM Serial Number ->    489361010
HSM Model ->            LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK

Slot Id ->              2
HSM Label ->            barbican3
HSM Serial Number ->    489361011
HSM Model ->            LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
HSM Status ->           OK

Slot Id ->              6
HSM Label ->            barbican_ha
HSM Serial Number ->    1489361010
HSM Model ->            LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration ->    Virtual HSM (PW) Signing With Cloning Mode
HSM Status ->           N/A - HA Group

Current Slot Id: 1

I tried creating a secret using the command below:

root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 
'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": 
"text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact 
site administrator.", "title": "Internal Server Error"}[root@HSM-

Please find the logs below:

2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required

I would like to know whether Barbican supports a virtual slot configuration, 
since I have mentioned slot #6 in the barbican.conf file, and whether anyone 
has tested an HSM HA setup with Barbican.

Any help would highly be appreciated!
--
Thanks and Regards,
Asha Seshagiri
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev