Asha,

It looks like you don't have your mkek label correctly configured. Make sure that the mkek_label and hmac_label values in your config correctly reflect the keys that you've generated on your HSM.
The plugin will cache the key handle to the mkek and hmac when the plugin starts, so if it cannot find them, it'll fail to load the plugin altogether.

If you need help generating your mkek and hmac, refer to http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html for instructions on how to create them using a script.

As far as who uses HSMs, I know we (Rackspace) use them with Barbican.

John Vrbanac

________________________________
From: Asha Seshagiri <[email protected]>
Sent: Saturday, July 18, 2015 8:47 PM
To: openstack-dev
Cc: Reller, Nathan S.
Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Hi All,

I have configured Barbican to integrate with SafeNet HSM. Installed safenet client libraries, registered the barbican machine to point to HSM server and also assigned HSM partition.

The following were the changes done in barbican.conf file:

    # ================= Secret Store Plugin ===================
    [secretstore]
    namespace = barbican.secretstore.plugin
    enabled_secretstore_plugins = store_crypto

    # ================= Crypto plugin ===================
    [crypto]
    namespace = barbican.crypto.plugin
    enabled_crypto_plugins = p11_crypto

    [p11_crypto_plugin]
    # Path to vendor PKCS11 library
    library_path = '/usr/lib/libCryptoki2_64.so'
    # Password to login to PKCS11 session
    login = 'test123'
    # Label to identify master KEK in the HSM (must not be the same as HMAC label)
    mkek_label = 'an_mkek'
    # Length in bytes of master KEK
    mkek_length = 32
    # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
    hmac_label = 'my_hmac_label'
    # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
    slot_id = 1

Unable to store the secret when Barbican was integrated with HSM.

    [root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
    {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}
    [root@HSM-Client crypto]#

Please find the logs below:

    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils conf.p11_crypto_plugin.hmac_label)
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils self.get_mkek(self.current_mkek_label, session)
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils raise P11CryptoKeyHandleException()
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found
    2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.

(I am not sure why we are getting CryptoPluginNotFound: Crypto plugin not found. Exception since the changes is able to hit the p11_crypto.py code)

    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id'))
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_model, project_model)
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers crypto.PluginSupportTypes.ENCRYPT_DECRYPT
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers raise crypto.CryptoPluginNotFound()
    2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found.

Had a chance to go through the code as to why we are getting the exception: P11CryptoKeyHandleException: No key handle was found. It is because returned_count[0] == 0. It needs to be 0 in order for the mkek to be created. From what I understand, by default all the ffi variables would have the value 0. I am not sure why the check returned_count[0] == 1: has been put.

    if returned_count[0] == 1:
        key = object_handle_ptr[0]
    rv = self.lib.C_FindObjectsFinal(session)
    self.check_error(rv)
    if returned_count[0] == 1:
        return key
    elif returned_count[0] == 0:
        return None

Need help. Any help would be highly appreciated. It is very critical for us to integrate with Barbican.

Also would like to know if anyone has integrated Barbican with HSM.

--
Thanks and Regards,
Asha Seshagiri
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
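
The failure chain in the two tracebacks above, as an added example that is not Barbican's code and not part of either message: a simplified Python model in which a label lookup that finds no key aborts plugin creation at start-up, so the later request fails with CryptoPluginNotFound. The exception names, config keys and labels come from the thread; the token contents, handle numbers, quote stripping and function bodies are assumptions.

```python
# Simplified model (added example, not Barbican source) of the chain in the
# thread's logs: label lookup -> plugin start-up -> plugin manager.
import configparser

# Constructed excerpt of the [p11_crypto_plugin] section quoted in the thread.
CONF = """[p11_crypto_plugin]
mkek_label = 'an_mkek'
hmac_label = 'my_hmac_label'
"""
# Constructed token inventory: object handle -> label (handles are made up).
PROVISIONED = {1001: "an_mkek", 1002: "my_hmac_label"}

class P11CryptoKeyHandleException(Exception):
    pass

class CryptoPluginNotFound(Exception):
    pass

def labels_from_conf(text):
    # Assumption: surrounding quotes are not part of the label itself.
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["p11_crypto_plugin"]
    return {k: sec[k].strip("'\"") for k in ("mkek_label", "hmac_label")}

def find_key(token, label):
    """Lookup by label: a handle only when exactly one object matches."""
    matches = [h for h, lbl in token.items() if lbl == label]
    return matches[0] if len(matches) == 1 else None

def missing_labels(token, labels):
    """Preflight check: configured labels with no matching key on the token."""
    return sorted(lbl for lbl in labels.values() if find_key(token, lbl) is None)

class P11Plugin:
    def __init__(self, token, labels):
        # Key handles are cached once at start-up; a missing key aborts creation.
        missing = missing_labels(token, labels)
        if missing:
            raise P11CryptoKeyHandleException("No key handle was found: %s" % missing)
        self.handles = {n: find_key(token, lbl) for n, lbl in labels.items()}

def instantiate_plugins(token, labels):
    try:
        return [P11Plugin(token, labels)]
    except P11CryptoKeyHandleException:
        return []  # the start-up error is only logged; no plugin is registered

def store_secret(plugins):
    if not plugins:
        raise CryptoPluginNotFound("Crypto plugin not found.")
    return "stored"
```

Running `missing_labels` against the real token inventory before starting the service shows which of the two keys still has to be generated.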
