Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA

2015-07-28 Thread John Vrbanac
Asha,

I'm not sure what went wrong. Something must have happened during your HA 
setup. You might check a couple different things, first you might check out 
your HA policies and HA group setup. The other thing you might make sure is 
that you only generate one mkek and hmac on one hsm (I use direct slot and not 
the HA virtual slot for this) and then replicate (vtl haAdmin -synchronize). If 
the HA group is setup properly it should replicate your mkek and hmac across 
the other HSMs in the HA group. As a side note, the pkcs11 plugin in Barbican 
currently retrieves the mkek and hmac by label, so make sure you don't have 
multiple keys in the HSM with the same label.


John Vrbanac

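John's point above, that the pkcs11 plugin looks the MKEK and HMAC up by label and that each label must therefore exist exactly once on every HA member, can be checked from the `partition showcontents` output quoted later in this thread. The following is an added example (not Barbican code and not from the thread): it parses constructed lunash output in that format and reports missing or duplicated labels; the function names are this example's own.

```python
"""HA key-material consistency check for Barbican's pkcs11 plugin (added example)."""
import re
from collections import Counter

# Constructed sample in `lunash:> partition showcontents` format, using the
# partition names and labels from this thread.  barbican3 deliberately
# carries a second object labelled ha_mkek, as a second key-generation run
# against the HA slot would leave behind.
SAMPLE_SHOWCONTENTS = """\
Partition Name: barbican2
Partition SN: 489361010
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)

Partition Name: barbican3
Partition SN: 489361011
Number objects: 3

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)
"""


def parse_showcontents(text):
    """Return {partition_name: [(label, object_type), ...]} from lunash output."""
    partitions = {}
    current = None
    pending_label = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Partition Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            partitions[current] = []
            pending_label = None
            continue
        m = re.match(r"Object Label:\s*(.+)", line)
        if m and current is not None:
            pending_label = m.group(1).strip()
            continue
        m = re.match(r"Object Type:\s*(.+)", line)
        if m and current is not None and pending_label is not None:
            partitions[current].append((pending_label, m.group(1).strip()))
            pending_label = None
    return partitions


def check_ha_key_material(partitions, mkek_label, hmac_label):
    """Return sorted (partition, label, problem) findings; empty means healthy.

    'missing'       -> the plugin's startup lookup would raise
                       P11CryptoKeyHandleException ('No key handle was found')
    'duplicate'     -> lookup by label is ambiguous (John's warning)
    'not_symmetric' -> an object under that label is not a symmetric key
    """
    if mkek_label == hmac_label:
        raise ValueError("mkek_label and hmac_label must differ")
    findings = []
    for name, objects in sorted(partitions.items()):
        counts = Counter(label for label, _ in objects)
        for label in (mkek_label, hmac_label):
            n = counts.get(label, 0)
            if n == 0:
                findings.append((name, label, "missing"))
            elif n > 1:
                findings.append((name, label, "duplicate"))
            if any(l == label and t != "Symmetric Key" for l, t in objects):
                findings.append((name, label, "not_symmetric"))
    return findings


if __name__ == "__main__":
    parts = parse_showcontents(SAMPLE_SHOWCONTENTS)
    for finding in check_ha_key_material(parts, "ha_mkek", "ha_hmac"):
        print("%s: label %r is %s" % finding)
```

Run it against the real output of each member partition after `vtl haAdmin -synchronize`; any finding means the plugin's label lookup will either fail or be ambiguous.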
From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Tuesday, July 28, 2015 9:22 AM
To: John Vrbanac
Cc: openstack-dev; John Wood; Douglas Mendizabal; Reller, Nathan S.
Subject: Re: Barbican : Unable to create the secret after Integrating Barbican 
with HSM HA

Hi John ,

Any help would highly be appreciated.

Thanks and Regards,
Asha Seshagiri

On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri asha.seshag...@gmail.com wrote:
Hi John,

Thanks a lot for providing me the response :)
I followed the link [1] for configuring the HA setup.
[1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html

The final step in the above link is the haAdmin command, which is run on the client 
side (on Barbican).
Slot 6 is the virtual slot (only on the client side and not visible on the LUNA 
SA) and 1 and 2 are actual slots on the LUNA SA HSM.

Please find the response below:

[root@HSM-Client bin]# ./vtl haAdmin show

=== HA Global Configuration Settings ===

HA Proxy: disabled
HA Auto Recovery: disabled
Maximum Auto Recovery Retry: 0
Auto Recovery Poll Interval: 60 seconds
HA Logging: disabled
Only Show HA Slots: no

=== HA Group and Member Information ===

HA Group Label: barbican_ha
HA Group Number: 1489361010
HA Group Slot #: 6
Synchronization: enabled
Group Members: 489361010, 489361011
Standby members: none

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive

After finding the virtual HA slot number, I ran pkcs11-key-generation with 
slot number 6, which did create the mkek and hmac in slots/partitions 1 and 2 
automatically. I am not sure why we have to replicate the keys between 
partitions? I configured slot 6 in barbican.conf as mentioned in my first 
email.

Not sure what might be the issue.

It would be great if you could tell me the steps or where I might have gone 
wrong.

Thanks and Regards,

Asha Seshagiri

Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA

2015-07-27 Thread John Vrbanac
Asha,

I've used the Safenet HSM HA virtual slot setup and it does work. However, 
the setup is very interesting because you need to generate the MKEK and HMAC on 
a single HSM and then replicate it to the other HSMs out of band of anything we 
have in Barbican. If I recall correctly, the Safenet Luna docs mention how to 
replicate keys or partitions between HSMs.


John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
Subject: Barbican : Unable to create the secret after Integrating Barbican with 
HSM HA

Hi All,

I am working on integrating Barbican with an HSM HA setup.
I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6 is a 
virtual slot on the client side which acts as the proxy for slots 1 and 2. 
Hence on the Barbican side I specified slot number 6 and its password, 
which is identical to the passwords of slot 1 and slot 2, in the 
barbican.conf file.

Please find the contents of the file:

# === Secret Store Plugin ===
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# === Crypto plugin ===
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6

I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM 
when running the pkcs11-key-generation script for slot 6, which should be the 
expected behaviour.

[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
'/usr/lib/libCryptoki2_64.so'  --passphrase 'test5678' --slot-id 6 mkek --label 
'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 
'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#

Please find the HSM commands and responses showing the details of the 
partitions and partition contents:

[root@HSM-Client bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot    Serial #      Label
====    ==========    =========
1       489361010     barbican2
2       489361011     barbican3

[HSMtestLuna1] lunash: partition showcontents -partition barbican2

Please enter the user password for the partition:

Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash: partition showcontents -partition barbican3

Please enter the user password for the partition:

Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

[root@HSM-Client bin]# ./lunacm

LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.

Available HSM's:

Slot Id - 1
HSM Label - barbican2
HSM Serial Number - 489361010
HSM Model - LunaSA
HSM Firmware Version - 6.2.1
HSM Configuration - Luna SA Slot (PW) Signing With Cloning Mode
HSM Status - OK

Slot Id - 2
HSM Label - barbican3
HSM Serial Number - 489361011
HSM Model - LunaSA
HSM Firmware Version - 6.2.1
HSM Configuration - Luna SA Slot (PW) Signing With Cloning Mode
HSM Status - OK

Slot Id - 6
HSM Label - barbican_ha
HSM Serial Number - 1489361010
HSM Model - LunaVirtual
HSM Firmware Version - 6.2.1
HSM Configuration - Virtual HSM (PW) Signing With Cloning Mode
HSM Status - N/A - HA Group

Current Slot Id: 1

Tried creating the secrets using the below command:

[root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 
'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": 
"text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact

Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

2015-07-20 Thread John Vrbanac
Hmm... This error is usually because one of the parameters is an incorrect 
type. I'm wondering if the length is coming through as a string instead of an 
integer. As the length defaults to 32, try not specifying the length parameter. 
If that works, we need to report a defect to make sure that it's properly 
converted to an integer.


John Vrbanac

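John's diagnosis above (a parameter such as --length reaching the HSM as a string rather than an integer) and his earlier note that the curly braces in the docs are placeholders are both argument-handling problems that can be caught before any PKCS#11 call is made. The following added example is not the project's pkcs11-key-generation script; it is a stand-in argument parser whose function names, accepted AES key lengths and attribute template are this example's own assumptions.

```python
"""Argument hardening for a PKCS#11 key-generation CLI (added example)."""
import argparse

# Assumption of this example: MKEK/HMAC are AES-sized secret keys.
VALID_KEY_LENGTHS = (16, 24, 32)


def key_length(value):
    """argparse type: coerce --length to int and restrict it to AES sizes.

    Without a type= callback argparse hands the string '32' through; a
    CK_ULONG attribute built from a str is the kind of malformed template
    an HSM reports as CKR_ATTRIBUTE_VALUE_INVALID.
    """
    try:
        n = int(value)
    except ValueError:
        raise argparse.ArgumentTypeError("length must be an integer, got %r" % (value,))
    if n not in VALID_KEY_LENGTHS:
        raise argparse.ArgumentTypeError("length must be one of %s" % (VALID_KEY_LENGTHS,))
    return n


def no_placeholder(value):
    """argparse type: reject values still wrapped in documentation braces."""
    if value.startswith("{") and value.endswith("}"):
        raise argparse.ArgumentTypeError(
            "%r looks like a documentation placeholder; drop the curly braces" % (value,))
    return value


def build_parser():
    """CLI shaped like the thread's invocation: global options, then mkek|hmac."""
    p = argparse.ArgumentParser(prog="keygen-example")
    p.add_argument("--library-path", type=no_placeholder, required=True)
    p.add_argument("--passphrase", type=no_placeholder, required=True)
    p.add_argument("--slot-id", type=int, default=1)
    sub = p.add_subparsers(dest="command", required=True)
    for name in ("mkek", "hmac"):
        sp = sub.add_parser(name)
        sp.add_argument("--label", type=no_placeholder, required=True)
        sp.add_argument("--length", type=key_length, default=32)
    return p


def build_secret_key_template(label, length):
    """Return a C_GenerateKey attribute template as (CKA_name, value) pairs.

    Strictly typed: CKA_VALUE_LEN must be an int (bool is rejected too).
    Usage flags (CKA_WRAP for the MKEK, CKA_SIGN for the HMAC key) are left
    out here; they depend on the key's purpose.
    """
    if type(length) is not int:
        raise TypeError("CKA_VALUE_LEN must be int, got %s" % type(length).__name__)
    if not label or label != label.strip():
        raise ValueError("CKA_LABEL must be non-empty with no surrounding whitespace")
    return [
        ("CKA_CLASS", "CKO_SECRET_KEY"),
        ("CKA_KEY_TYPE", "CKK_AES"),
        ("CKA_LABEL", label),
        ("CKA_VALUE_LEN", length),
        ("CKA_TOKEN", True),
        ("CKA_PRIVATE", True),
        ("CKA_SENSITIVE", True),
        ("CKA_EXTRACTABLE", False),
    ]


def parse_and_template(argv):
    """Parse argv and return (args, template); argparse exits on bad input."""
    args = build_parser().parse_args(argv)
    return args, build_secret_key_template(args.label, args.length)


def rejects(argv):
    """True if argv is refused by the parser (argparse raises SystemExit)."""
    try:
        parse_and_template(argv)
    except SystemExit:
        return True
    return False
```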
From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Monday, July 20, 2015 10:30 AM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.
Subject: Re: [openstack-dev] Barbican : Unable to store the secret when 
Barbican was Integrated with SafeNet HSM

Hi John,

Thanks a lot John for your response.
I tried executing the script with the following options before, but it 
seems it did not work. Hence I tried with the curly braces.

Please find the other options below:

[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
'/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --length 
32 --label 'an_mkek'
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
/usr/lib/libCryptoki2_64.so  --passphrase test123  --slot-id 1  mkek --length 
32 --label an_mkek
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID


It would be of great help if I could get the syntax for running the script.

Thanks and Regards,
Asha  Seshagiri


Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

2015-07-19 Thread John Vrbanac
Don't include the curly brackets on the script arguments. The documentation is 
just using them to indicate that those are placeholders for real values.


John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Sunday, July 19, 2015 2:15 PM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.
Subject: Re: [openstack-dev] Barbican : Unable to store the secret when 
Barbican was Integrated with SafeNet HSM

Hi John,

Thanks for pointing me to the right script.
I appreciate your help.

I tried running the script with the following command:

[root@HSM-Client bin]# python pkcs11-key-generation --library-path 
{/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1  mkek --length 
32 --label 'an_mkek'
Traceback (most recent call last):
  File "pkcs11-key-generation", line 120, in <module>
    main()
  File "pkcs11-key-generation", line 115, in main
    kg = KeyGenerator()
  File "pkcs11-key-generation", line 38, in __init__
    ffi=ffi
  File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__
    self.lib = self.ffi.dlopen(library_path)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen
    lib, function_cache = _make_ffi_library(self, name, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library
    backendlib = _load_backend_lib(backend, libname, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib
    return backend.load_library(name, flags)
OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory

Unable to run the script since the library libCryptoki2_64.so cannot be opened.

Tried the following solution:

  * vi /etc/ld.so.conf
  * Added both paths, obtained from the command find / -name libCryptoki2_64.so, 
    to the /etc/ld.so.conf file:
      * /usr/safenet/lunaclient/lib/libCryptoki2_64.so
      * /usr/lib/libCryptoki2_64.so
  * sudo ldconfig
  * ldconfig -p

But the above solution failed and I am getting the same error.

Any help would be highly appreciated.
Thanks in advance!

Thanks and Regards,
Asha Seshagiri


Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

2015-07-18 Thread John Vrbanac
Asha,

It looks like you don't have your mkek label correctly configured. Make sure 
that the mkek_label and hmac_label values in your config correctly reflect the 
keys that you've generated on your HSM.

The plugin will cache the key handle to the mkek and hmac when the plugin 
starts, so if it cannot find them, it'll fail to load the plugin altogether.


If you need help generating your mkek and hmac, refer to 
http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
 for instructions on how to create them using a script.


As far as who uses HSMs, I know we (Rackspace) use them with Barbican.


John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Saturday, July 18, 2015 8:47 PM
To: openstack-dev
Cc: Reller, Nathan S.
Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican 
was Integrated with SafeNet HSM

Hi All,

I have configured Barbican to integrate with a SafeNet HSM.
I installed the SafeNet client libraries, registered the Barbican machine to point 
to the HSM server and also assigned an HSM partition.

The following were the changes made in the barbican.conf file:


# === Secret Store Plugin ===
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# === Crypto plugin ===
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test123'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 1

Unable to store the secret when Barbican was integrated with the HSM.

[root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 
'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": 
"text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact 
site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]#


Please find the logs below :

2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     conf.p11_crypto_plugin.hmac_label)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     self.get_mkek(self.current_mkek_label, session)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise P11CryptoKeyHandleException()
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.


(I am not sure why we are getting the CryptoPluginNotFound: Crypto plugin not found 
exception, since the changes are able to hit the p11_crypto.py code.)

2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-18 17:15:32.643 29838

Re: [openstack-dev] Barbican : Regarding the API support for Order and Consumer Resource

2015-06-01 Thread John Vrbanac
Asha,

We haven't removed anything. Unfortunately, no one has had the chance to port 
those resources over from the old github wiki page and into the new sphinx 
format yet. Also, yes they are still supported.


John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Monday, June 1, 2015 2:38 AM
To: openstack-dev
Subject: Re: [openstack-dev] Barbican : Regarding the API support for Order and 
Consumer Resource

Editing the subject

On Mon, Jun 1, 2015 at 2:35 AM, Asha Seshagiri asha.seshag...@gmail.com wrote:
Hi All ,

Would like to know why we have removed the API details for the Order and Consumer 
resources in the following updated link for the API documentation of Barbican:

http://docs.openstack.org/developer/barbican/api/index.html


Does Barbican support the order and consumer resources now?

Any help would be highly appreciated.
Thanks in Advance
--
Thanks and Regards,
Asha Seshagiri



--
Thanks and Regards,
Asha Seshagiri
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-20 Thread John Vrbanac
+1

John Vrbanac


From: Douglas Mendizábal douglas.mendiza...@rackspace.com
Sent: Tuesday, May 19, 2015 7:09 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

Hi All,

I would like to nominate Kaitlin Farr for barbican-core.

Kaitlin has been contributing to the project for a long time, both by
contributing code to Barbican, python-barbicanclient and Castellan,
and also by providing valuable reviews. [1]

As a reminder to the rest of the core team, we use the process
outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add
members to the barbican-core team.

Thanks,
Douglas Mendizábal

[1] http://stackalytics.com/report/contribution/barbican-group/90



Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-18 Thread John Vrbanac
+1


John Vrbanac

From: Chad Lung chad.l...@gmail.com
Sent: Sunday, May 17, 2015 6:34 PM
To: openstack-dev@lists.openstack.org
Subject: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

Hi all,

I'd like to nominate Chelsea Winfree for the Barbican core review team.

Chelsea has been active in Barbican as a regular contributor of code and by 
helping with the always-needed documentation. 
http://stackalytics.com/?user_id=chelsea-winfree&release=all

As a reminder to barbican-core members we use the voting process outlined
in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to our
team.

Thanks,

Chad Lung
EMC Cloud Services




Re: [openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.

2015-05-15 Thread John Vrbanac
Asha,
We landed the fix in: https://review.openstack.org/#/c/183391/
Hopefully, that should address the problem you've been seeing.

Thanks!

John Vrbanac


On Thu, 2015-05-14 at 18:14 -0500, Douglas Mendizábal wrote:
 Hi Asha,
 
 The reason we support an Unauthenticated Context in Barbican is purely
 for development purposes.  We recommend that all production Barbican
 deployments use Keystone or an alternative AuthN/AuthZ service in
 front of Barbican.
 
 Setting up a working Keystone environment just to hack on Barbican is
 a steep requirement, which is why we need the Unauthenticated Context
 to work.
 
 - Douglas Mendizabal
 
 On 5/14/15 6:07 PM, Asha Seshagiri wrote:
  Thanks a lot John for your response. But I would like to know why
  we would have to fix the issue of creating the secret for the
  unauthenticated context in Barbican, since it would be good to have
  an access control mechanism enforced to access secrets, orders and
  other entities from Barbican.
  
  This should be the expected behavior from a security perspective. And
  also we are able to access secrets by providing the right token
  from the Identity service (Keystone). Looking forward to your
  response.
  
  Thanks and Regards, Asha Seshagiri
  
  On Thu, May 14, 2015 at 4:43 PM, John Vrbanac john.vrba...@rackspace.com
  wrote:
  
  Asha, I spent some time looking into this. It looks to be a
  regression that occurred a few days ago when a CR was merged that
  moved us over to oslo_context. I have reported the issue here: 
  https://bugs.launchpad.net/barbican/+bug/1455247
  
  I have a couple of ideas on how to fix it, so keep your eyes out for
  a CR to resolve the issue.
  
  John Vrbanac
  
  
  
  On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:
  Hi all,
  
  
  We are able to execute the curl commands on the new Barbican code 
  provided we integrate it with Keystone. I ran into this issue
  because I was trying to configure localhost to the actual IP on a
  plain Barbican server so that I would get the response and
  request objects with the actual IP rather than localhost. 
  This configuration was required for setting up HA proxy for
  Barbican.
  
  And then I thought of integrating with Keystone and
  configuring the Barbican server for https.
  
  *It's good to learn that the latest code drop of
  Barbican enforces the authentication mechanism with Keystone,
  which would not allow us to execute the curl command without
  providing the token of the Identity service (Keystone) in the
  request, unlike the previous Barbican versions.*
  
  Please find the curl command requests and responses for 
  uploading/retrieving the secrets on the Barbican server:
  
  [root@Clientfor-HAProxy barbican]# curl -X POST -H 
  'content-type:application/json' -H 'X-Project-Id:12345' \
  -H X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2 -d
  '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
  -k https://localhost:9311/v1/secrets
  {"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35"}[root@Clientfor-HAProxy barbican]#
  
  [root@Clientfor-HAProxy barbican]# curl -H 'Accept: 
  application/json' -H 'X-Project-Id:12345' \
  -H X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2 -k
  https://localhost:9311/v1/secrets {secrets: [{status:
  ACTIVE, secret_type: opaque, updated:
  2015-05-14T16:35:44.109536, name: null, algorithm: null,
   created: 2015-05-14T16:35:44.103982, secret_ref: 
   https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35,
   content_types: {default: text/plain}, creator_id:
   cedd848a8a9e410196793c601c03b99a, mode: null, bit_length: 
   null, expiration: null}], total: 1}[root@Clientfor-HAProxy 
   barbican]#
  
  Thanks and Regards, Asha Seshagiri
  
  On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri 
  asha.seshag...@gmail.com mailto:asha.seshag...@gmail.com
  wrote:
  
  Hi all ,
  
  
  
   When I started debugging, we found that the default group is not 
   used; instead oslo_policy would be used.
   
   Please find the logs below:
   
   
   2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option
   policy_default_rule from group DEFAULT is deprecated. Use
   option policy_default_rule from group oslo_policy. 
   2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option
   policy_file from group DEFAULT is deprecated. Use option
   policy_file from group oslo_policy. 2015-05-13 15:59:34.395
  13210 DEBUG oslo_policy.openstack.common.fileutils 
  [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] 
   Reloading cached file /etc/barbican/policy.json read_cached_file 
   /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
   2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy
  [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded
  policy file: /etc/barbican/policy.json _load_policy_file 
  /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424 
  2015

Re: [openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.

2015-05-14 Thread John Vrbanac
Asha,
I spent some time looking into this. It looks to be a regression that occurred 
a few days ago when a CR was merged that moved us over to oslo_context.
I have reported the issue here: https://bugs.launchpad.net/barbican/+bug/1455247

I have a couple ideas on how to fix it, so keep your eyes out for a CR to 
resolve the issue.

John Vrbanac


On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:
Hi all ,


We are able to execute the curl commands on the new Barbican code provided we 
integrated it with Keystone.
I ran into this issue because I was trying to configure localhost to the actual IP 
on a plain Barbican server so that I would get the response and request objects 
with the actual IP rather than the localhost.
This configuration was required for setting up HA proxy for Barbican.

And then I thought of integrating with Keystone and configuring the Barbican 
server to https.

It's a good learning to know that the latest code drop of Barbican enforces the 
authentication mechanism with Keystone, which would not allow us to execute 
the curl command without providing the token of the Identity service (Keystone) in 
the request, unlike the previous Barbican versions.

Please find the curl command request and responses for uploading/retrieving the 
secrets on the Barbican server:

root@Clientfor-HAProxy barbican]# curl -X POST -H 
'content-type:application/json' -H 'X-Project-Id:12345' \
 -H X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2 -d '{payload: 
 my-secret-here,payload_content_type: text/plain}' \
 -k https://localhost:9311/v1/secrets
{secret_ref: 
https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35}[root@Clientfor-HAProxy
 barbican]#

[root@Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H 
'X-Project-Id:12345' \
 -H X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2 -k 
 https://localhost:9311/v1/secrets
{secrets: [{status: ACTIVE, secret_type: opaque, updated: 
2015-05-14T16:35:44.109536, name: null, algorithm: null, created: 
2015-05-14T16:35:44.103982, secret_ref: 
https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35, 
content_types: {default: text/plain}, creator_id: 
cedd848a8a9e410196793c601c03b99a, mode: null, bit_length: null, 
expiration: null}], total: 1}[root@Clientfor-HAProxy barbican]#

Thanks and Regards,
Asha Seshagiri

On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri 
asha.seshag...@gmail.commailto:asha.seshag...@gmail.com wrote:
Hi all ,



When I started debugging, we found that the default group is not used; instead 
oslo_policy would be used.

Please find the logs below:


2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option 
policy_default_rule from group DEFAULT is deprecated. Use option 
policy_default_rule from group oslo_policy.
2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option policy_file 
from group DEFAULT is deprecated. Use option policy_file from group 
oslo_policy.
2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file 
/etc/barbican/policy.json read_cached_file 
/usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: 
/etc/barbican/policy.json _load_policy_file 
/usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation 
attempt not allowed - please review your user/project privileges
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback (most 
recent call last):
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
/root/barbican/barbican/api/controllers/__init__.py, line 104, in handler
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers return 
fn(inst, *args, **kwargs)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
/root/barbican/barbican/api/controllers/__init__.py, line 85, in enforcer
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers 
_do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
/root/barbican/barbican/api/controllers/__init__.py, line 68, in 
_do_enforce_rbac
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers credentials, 
do_raise=True)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
/usr/lib/python2.7/site-packages/oslo_policy/policy.py, line 493, in enforce
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers raise 
PolicyNotAuthorized(rule, target, creds)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers 
PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', 
u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 
'roles': []} disallowed
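The last line of the trace is the one that matters: oslo_policy evaluated secrets:post against credentials of {'project': '12345', 'user': None, 'roles': []}, a request context that carries no user and no roles, so any rule that requires a role fails even though a valid Keystone token was sent. The block below is an added example, not Barbican's or oslo_policy's code; it re-implements just enough of the policy language to reproduce that check offline. The rule table is an assumed, simplified subset of Barbican's default /etc/barbican/policy.json, and the credential dicts are constructed from the values in the trace.

```python
"""Toy re-implementation of the RBAC check behind the PolicyNotAuthorized
trace above.  Added example, not Barbican or oslo_policy code.  POLICY is
an ASSUMED, simplified subset of Barbican's default policy.json."""


class PolicyNotAuthorized(Exception):
    """Raised when a rule evaluates to False and do_raise is set."""


# Assumed rule table (constructed for this example): a secret may be
# created by anyone holding the admin or creator role in the project.
POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "admin_or_creator": "rule:admin or rule:creator",
    "secrets:post": "rule:admin_or_creator",
}


def _check_atom(atom, creds, rules):
    """Evaluate one 'kind:value' check against the request credentials."""
    if atom == "@":          # always allowed
        return True
    if atom == "!":          # never allowed
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        # creds['roles'] is [] for the broken context in the trace,
        # so every role check fails and the request is refused.
        return value in (creds.get("roles") or [])
    if kind == "rule":
        return _eval(rules[value], creds, rules)
    raise ValueError("unsupported check: %r" % atom)


def _eval(expr, creds, rules):
    """'or' binds loosest, 'and' tighter; the rules above need no
    parentheses, so they are not supported here."""
    return any(
        all(_check_atom(a.strip(), creds, rules) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(action, creds, rules=POLICY, do_raise=True):
    """Mirror of the enforce(rule, target, creds, do_raise=True) call in
    the trace: return True when allowed, otherwise raise or return False."""
    allowed = _eval(rules[action], creds, rules)
    if not allowed and do_raise:
        raise PolicyNotAuthorized("%s by %r disallowed" % (action, creds))
    return allowed


def is_denied(action, creds, rules=POLICY):
    """True when enforce() would raise for these credentials."""
    try:
        enforce(action, creds, rules)
    except PolicyNotAuthorized:
        return True
    return False


if __name__ == "__main__":
    # Exactly the credentials oslo_policy was handed in the trace: the
    # context lost user and roles, so secrets:post is refused.
    broken_ctx = {"project": "12345", "user": None, "roles": []}
    # A context populated from the Keystone token (user id taken from the
    # creator_id in the GET response above; role is assumed).
    good_ctx = {"project": "12345",
                "user": "cedd848a8a9e410196793c601c03b99a",
                "roles": ["creator"]}
    print("broken context denied:", is_denied("secrets:post", broken_ctx))
    print("creator context allowed:", enforce("secrets:post", good_ctx))
```

The point to take from it: the policy file and the token were fine; the controller's enforcer was handed a context with no user and no roles, which is the oslo_context regression John filed. Any fix has to make the request context carry the user, project and roles from the validated Keystone token before _do_enforce_rbac runs.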

Re: [openstack-dev] [barbican] Nominating Ade Lee for barbican-core

2014-07-10 Thread John Vrbanac
+1

John Vrbanac

From: Douglas Mendizabal [douglas.mendiza...@rackspace.com]
Sent: Thursday, July 10, 2014 11:55 AM
To: OpenStack Development Mailing List (not for usage questions); 
a...@redhat.com
Subject: [openstack-dev] [barbican] Nominating Ade Lee for barbican-core

Hi Everyone,

I would like to nominate Ade Lee for the barbican-core team.

Ade has been involved in the development of Barbican since January of this 
year, and he’s been driving the work to enable DogTag to be used as a back end 
for Barbican.  Ade’s input to the design of barbican has been invaluable, and 
his reviews are always helpful, which has earned him the respect of the 
existing barbican-core team.

As a reminder to barbican-core members, we use the voting process outlined in 
https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to our team.

Thanks,
Doug


Douglas Mendizábal
IRC: redrobot
PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [barbican] Nominating Nathan Reller for barbican-core

2014-07-10 Thread John Vrbanac
+1

John Vrbanac

From: Douglas Mendizabal [douglas.mendiza...@rackspace.com]
Sent: Thursday, July 10, 2014 12:11 PM
To: OpenStack Development Mailing List (not for usage questions); Nathan Reller
Subject: [openstack-dev] [barbican] Nominating Nathan Reller for barbican-core

Hi Everyone,

I would also like to nominate Nathan Reller for the barbican-core team.

Nathan has been involved with the Key Management effort since early 2013.  
Recently, Nate has been driving the development of a KMIP backend for Barbican, 
which will enable Barbican to be used with KMIP devices.  Nate’s input to the 
design of the plug-in mechanisms in Barbican has been extremely helpful, as 
well as his feedback in CR reviews.

As a reminder to barbican-core members, we use the voting process outlined in 
https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to our team.

Thanks,
Doug


Douglas Mendizábal
IRC: redrobot
PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C