Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Thanks John for your response :) I am currently working on the reconfiguring the HSM in different way. Shall let you know once my stuff is working. Thanks and Regards, Asha Seshagiri On Tue, Jul 28, 2015 at 11:31 AM, John Vrbanac wrote: > Asha, > > I'm not sure what went wrong. Something must have happened during your HA > setup. You might check a couple different things, first you might check out > your HA policies and HA group setup. The other thing you might make sure is > that you only generate one mkek and hmac on one hsm (I use direct slot and > not the HA virtual slot for this) and then replicate (vtl haAdmin > -synchronize). If the HA group is setup properly it should replicate your > mkek and hmac across the other HSMs in the HA group. As a side note, the > pkcs11 plugin in Barbican currently retrieves the mkek and hmac by label, > so make sure you don't have multiple keys in the HSM with the same label. > > > John Vrbanac > -- > *From:* Asha Seshagiri > *Sent:* Tuesday, July 28, 2015 9:22 AM > *To:* John Vrbanac > *Cc:* openstack-dev; John Wood; Douglas Mendizabal; Reller, Nathan S. > *Subject:* Re: Barbican : Unable to create the secret after Integrating > Barbican with HSM HA > >Hi John , > > Any help would highly be appreciated. > > Thanks and Regards, > Asha Seshagiri > > On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri > wrote: > >> Hi John , >> >> Thanks a lot for providing me the response:) >> I followed the link[1] for configuring the HA SETUP >> [1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html >> >> the final step in the above link is haAdmin command which is run on the >> client side(on Barbican) . >> The slot 6 is the virtual slot(only on the client side and not visible on >> LUNA SA ) and 1 and 2 are actual slots on LUNA SA HSM >> >> Please find the response below : >> >> [root@HSM-Client bin]# ./vtl haAdmin show >> >> >> >> HA Global Configuration Settings === >> >> >> HA Proxy: disabled >> >> HA Auto Recovery: disabled >> >> Maximum Auto Recovery Retry: 0 >> >> Auto Recovery Poll Interval: 60 seconds >> >> HA Logging: disabled >> >> Only Show HA Slots: no >> >> >> >> HA Group and Member Information >> >> >> HA Group Label: barbican_ha >> >> HA Group Number: 1489361010 >> >> HA Group Slot #: 6 >> >> Synchronization: enabled >> >> Group Members: 489361010, 489361011 >> >> Standby members: >> >> >> Slot # Member S/N Member Label Status >> >> == == == >> >> 1 489361010 barbican2 alive >> >> 2 489361011 barbican3 alive >> >> After knowing the virtual slot HA number , I ran the >> pkcs11-key-generation with slot number 6 which did create mkek and hmac in >> slot/partition 1 and 2 automatically . I am not sure why do we have to >> replicate the keys between partitions? Configured the slot 6 on the >> barbican.conf as mentioned in my first email >> >> Not sure what might be the issue and >> >> It would be great if you could tell me the steps or where I would have >> gone wrong. >> >> Thanks and Regards, >> >> Asha Seshagiri >> >> On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac > > wrote: >> >>> Asha, >>> >>> I've used the Safenet HSM "HA" virtual slot setup and it does work. >>> However, the setup is very interesting because you need to generate the >>> MKEK and HMAC on a single HSM and then replicate it to the other HSMs out >>> of band of anything we have in Barbican. If I recall correctly, the Safenet >>> Luna docs mention how to replicate keys or partitions between HSMs. >>> >>> >>> John Vrbanac >>> -- >>> *From:* Asha Seshagiri >>> *Sent:* Monday, July 27, 2015 2:00 PM >>> *To:* openstack-dev >>> *Cc:* John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S. >>> *Subject:* Barbican : Unable to create the secret after Integrating >>> Barbican with HSM HA >>> >>> Hi All , >>> >>> I am working on Integrating Barbican with HSM HA set up. >>> I have configured slot 1 and slot 2 to be on HA on Luna SA set up . >>> Slot 6 is a virtual slot on the client side which acts as the proxy for the >>> slot 1 and 2. Hence on the Barbican side , I mentioned the slot number 6 >>> and its password which is identical to that of the passwords of slot1 and >>> slot 2 in barbican.conf file. >>> >>> Please find the contents of the file : >>> >>> # = Secret Store Plugin === >>> [secretstore] >>> namespace = barbican.secretstore.plugin >>> enabled_secretstore_plugins = store_crypto >>> >>> # = Crypto plugin === >>> [crypto] >>> namespace = barbican.crypto.plugin >>> enabled_crypto_plugins = p11_crypto >>> >>> [simple_crypto_plugin] >>> # the kek should be a 32-byte value which is base64 encoded >>> kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' >>> >>> [dogtag_plugin] >>> pem_path = '/etc/barbican/kra_admin_cert.p
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Asha, I'm not sure what went wrong. Something must have happened during your HA setup. You might check a couple different things, first you might check out your HA policies and HA group setup. The other thing you might make sure is that you only generate one mkek and hmac on one hsm (I use direct slot and not the HA virtual slot for this) and then replicate (vtl haAdmin -synchronize). If the HA group is setup properly it should replicate your mkek and hmac across the other HSMs in the HA group. As a side note, the pkcs11 plugin in Barbican currently retrieves the mkek and hmac by label, so make sure you don't have multiple keys in the HSM with the same label. John Vrbanac From: Asha Seshagiri Sent: Tuesday, July 28, 2015 9:22 AM To: John Vrbanac Cc: openstack-dev; John Wood; Douglas Mendizabal; Reller, Nathan S. Subject: Re: Barbican : Unable to create the secret after Integrating Barbican with HSM HA Hi John , Any help would highly be appreciated. Thanks and Regards, Asha Seshagiri On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri mailto:asha.seshag...@gmail.com>> wrote: Hi John , Thanks a lot for providing me the response:) I followed the link[1] for configuring the HA SETUP [1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html the final step in the above link is haAdmin command which is run on the client side(on Barbican) . The slot 6 is the virtual slot(only on the client side and not visible on LUNA SA ) and 1 and 2 are actual slots on LUNA SA HSM Please find the response below : [root@HSM-Client bin]# ./vtl haAdmin show HA Global Configuration Settings === HA Proxy: disabled HA Auto Recovery: disabled Maximum Auto Recovery Retry: 0 Auto Recovery Poll Interval: 60 seconds HA Logging: disabled Only Show HA Slots: no HA Group and Member Information HA Group Label: barbican_ha HA Group Number: 1489361010 HA Group Slot #: 6 Synchronization: enabled Group Members: 489361010, 489361011 Standby members: Slot # Member S/N Member Label Status == == == 1 489361010 barbican2 alive 2 489361011 barbican3 alive After knowing the virtual slot HA number , I ran the pkcs11-key-generation with slot number 6 which did create mkek and hmac in slot/partition 1 and 2 automatically . I am not sure why do we have to replicate the keys between partitions? Configured the slot 6 on the barbican.conf as mentioned in my first email Not sure what might be the issue and It would be great if you could tell me the steps or where I would have gone wrong. Thanks and Regards, Asha Seshagiri On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac mailto:john.vrba...@rackspace.com>> wrote: Asha, I've used the Safenet HSM "HA" virtual slot setup and it does work. However, the setup is very interesting because you need to generate the MKEK and HMAC on a single HSM and then replicate it to the other HSMs out of band of anything we have in Barbican. If I recall correctly, the Safenet Luna docs mention how to replicate keys or partitions between HSMs. John Vrbanac From: Asha Seshagiri mailto:asha.seshag...@gmail.com>> Sent: Monday, July 27, 2015 2:00 PM To: openstack-dev Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S. Subject: Barbican : Unable to create the secret after Integrating Barbican with HSM HA Hi All , I am working on Integrating Barbican with HSM HA set up. I have configured slot 1 and slot 2 to be on HA on Luna SA set up . Slot 6 is a virtual slot on the client side which acts as the proxy for the slot 1 and 2. Hence on the Barbican side , I mentioned the slot number 6 and its password which is identical to that of the passwords of slot1 and slot 2 in barbican.conf file. Please find the contents of the file : # = Secret Store Plugin === [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = store_crypto # = Crypto plugin === [crypto] namespace = barbican.crypto.plugin enabled_crypto_plugins = p11_crypto [simple_crypto_plugin] # the kek should be a 32-byte value which is base64 encoded kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' [dogtag_plugin] pem_path = '/etc/barbican/kra_admin_cert.pem' dogtag_host = localhost dogtag_port = 8443 nss_db_path = '/etc/barbican/alias' nss_db_path_ca = '/etc/barbican/alias-ca' nss_password = 'password123' simple_cmc_profile = 'caOtherCert' [p11_crypto_plugin] # Path to vendor PKCS11 library library_path = '/usr/lib/libCryptoki2_64.so' # Password to login to PKCS11 session login = 'test5678' # Label to identify master KEK in the HSM (must not be the same as HMAC label) mkek_label = 'ha_mkek' # Length in bytes of master KEK mkek_length = 32 # Label to identify HMAC key in the HSM (must not be the same as MKEK label) hmac_label = 'ha_hmac
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Hi John , Any help would highly be appreciated. Thanks and Regards, Asha Seshagiri On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri wrote: > Hi John , > > Thanks a lot for providing me the response:) > I followed the link[1] for configuring the HA SETUP > [1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html > > the final step in the above link is haAdmin command which is run on the > client side(on Barbican) . > The slot 6 is the virtual slot(only on the client side and not visible on > LUNA SA ) and 1 and 2 are actual slots on LUNA SA HSM > > Please find the response below : > > [root@HSM-Client bin]# ./vtl haAdmin show > > > > HA Global Configuration Settings === > > > HA Proxy: disabled > > HA Auto Recovery: disabled > > Maximum Auto Recovery Retry: 0 > > Auto Recovery Poll Interval: 60 seconds > > HA Logging: disabled > > Only Show HA Slots: no > > > > HA Group and Member Information > > > HA Group Label: barbican_ha > > HA Group Number: 1489361010 > > HA Group Slot #: 6 > > Synchronization: enabled > > Group Members: 489361010, 489361011 > > Standby members: > > > Slot # Member S/N Member Label Status > > == == == > > 1 489361010 barbican2 alive > > 2 489361011 barbican3 alive > > After knowing the virtual slot HA number , I ran the pkcs11-key-generation > with slot number 6 which did create mkek and hmac in slot/partition 1 and 2 > automatically . I am not sure why do we have to replicate the keys between > partitions? Configured the slot 6 on the barbican.conf as mentioned in my > first email > > Not sure what might be the issue and > > It would be great if you could tell me the steps or where I would have > gone wrong. > > Thanks and Regards, > > Asha Seshagiri > > On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac > wrote: > >> Asha, >> >> I've used the Safenet HSM "HA" virtual slot setup and it does work. >> However, the setup is very interesting because you need to generate the >> MKEK and HMAC on a single HSM and then replicate it to the other HSMs out >> of band of anything we have in Barbican. If I recall correctly, the Safenet >> Luna docs mention how to replicate keys or partitions between HSMs. >> >> >> John Vrbanac >> -- >> *From:* Asha Seshagiri >> *Sent:* Monday, July 27, 2015 2:00 PM >> *To:* openstack-dev >> *Cc:* John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S. >> *Subject:* Barbican : Unable to create the secret after Integrating >> Barbican with HSM HA >> >>Hi All , >> >> I am working on Integrating Barbican with HSM HA set up. >> I have configured slot 1 and slot 2 to be on HA on Luna SA set up . Slot >> 6 is a virtual slot on the client side which acts as the proxy for the slot >> 1 and 2. Hence on the Barbican side , I mentioned the slot number 6 and its >> password which is identical to that of the passwords of slot1 and slot 2 in >> barbican.conf file. >> >> Please find the contents of the file : >> >> # = Secret Store Plugin === >> [secretstore] >> namespace = barbican.secretstore.plugin >> enabled_secretstore_plugins = store_crypto >> >> # = Crypto plugin === >> [crypto] >> namespace = barbican.crypto.plugin >> enabled_crypto_plugins = p11_crypto >> >> [simple_crypto_plugin] >> # the kek should be a 32-byte value which is base64 encoded >> kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' >> >> [dogtag_plugin] >> pem_path = '/etc/barbican/kra_admin_cert.pem' >> dogtag_host = localhost >> dogtag_port = 8443 >> nss_db_path = '/etc/barbican/alias' >> nss_db_path_ca = '/etc/barbican/alias-ca' >> nss_password = 'password123' >> simple_cmc_profile = 'caOtherCert' >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> *[p11_crypto_plugin] # Path to vendor PKCS11 library library_path = >> '/usr/lib/libCryptoki2_64.so' # Password to login to PKCS11 session login = >> 'test5678' # Label to identify master KEK in the HSM (must not be the same >> as HMAC label) mkek_label = 'ha_mkek' # Length in bytes of master KEK >> mkek_length = 32 # Label to identify HMAC key in the HSM (must not be the >> same as MKEK label) hmac_label = 'ha_hmac' # HSM Slot id (Should correspond >> to a configured PKCS11 slot). Default: 1 slot_id = 6 * >> *Was able to create MKEK and HMAC successfully for the slots 1 and 2 on >> the HSM when we run the * >> *pkcs11-key-generation script for slot 6 which should be the expected >> behaviour. * >> >> [root@HSM-Client bin]# python pkcs11-key-generation --library-path >> '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek >> --label 'ha_mkek' >> Verified label ! >> MKEK successfully generated! >> [root@HSM-Client bin]# python pkcs11-key-generation --library-path >> '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac >> --label 'ha_hmac' >> HMAC successfully generated! >> [root@HSM-Client bin]#
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Hi John , Thanks a lot for providing me the response:) I followed the link[1] for configuring the HA SETUP [1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html the final step in the above link is haAdmin command which is run on the client side(on Barbican) . The slot 6 is the virtual slot(only on the client side and not visible on LUNA SA ) and 1 and 2 are actual slots on LUNA SA HSM Please find the response below : [root@HSM-Client bin]# ./vtl haAdmin show HA Global Configuration Settings === HA Proxy: disabled HA Auto Recovery: disabled Maximum Auto Recovery Retry: 0 Auto Recovery Poll Interval: 60 seconds HA Logging: disabled Only Show HA Slots: no HA Group and Member Information HA Group Label: barbican_ha HA Group Number: 1489361010 HA Group Slot #: 6 Synchronization: enabled Group Members: 489361010, 489361011 Standby members: Slot # Member S/N Member Label Status == == == 1 489361010 barbican2 alive 2 489361011 barbican3 alive After knowing the virtual slot HA number , I ran the pkcs11-key-generation with slot number 6 which did create mkek and hmac in slot/partition 1 and 2 automatically . I am not sure why do we have to replicate the keys between partitions? Configured the slot 6 on the barbican.conf as mentioned in my first email Not sure what might be the issue and It would be great if you could tell me the steps or where I would have gone wrong. Thanks and Regards, Asha Seshagiri On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac wrote: > Asha, > > I've used the Safenet HSM "HA" virtual slot setup and it does work. > However, the setup is very interesting because you need to generate the > MKEK and HMAC on a single HSM and then replicate it to the other HSMs out > of band of anything we have in Barbican. If I recall correctly, the Safenet > Luna docs mention how to replicate keys or partitions between HSMs. > > > John Vrbanac > -- > *From:* Asha Seshagiri > *Sent:* Monday, July 27, 2015 2:00 PM > *To:* openstack-dev > *Cc:* John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S. > *Subject:* Barbican : Unable to create the secret after Integrating > Barbican with HSM HA > >Hi All , > > I am working on Integrating Barbican with HSM HA set up. > I have configured slot 1 and slot 2 to be on HA on Luna SA set up . Slot > 6 is a virtual slot on the client side which acts as the proxy for the slot > 1 and 2. Hence on the Barbican side , I mentioned the slot number 6 and its > password which is identical to that of the passwords of slot1 and slot 2 in > barbican.conf file. > > Please find the contents of the file : > > # = Secret Store Plugin === > [secretstore] > namespace = barbican.secretstore.plugin > enabled_secretstore_plugins = store_crypto > > # = Crypto plugin === > [crypto] > namespace = barbican.crypto.plugin > enabled_crypto_plugins = p11_crypto > > [simple_crypto_plugin] > # the kek should be a 32-byte value which is base64 encoded > kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' > > [dogtag_plugin] > pem_path = '/etc/barbican/kra_admin_cert.pem' > dogtag_host = localhost > dogtag_port = 8443 > nss_db_path = '/etc/barbican/alias' > nss_db_path_ca = '/etc/barbican/alias-ca' > nss_password = 'password123' > simple_cmc_profile = 'caOtherCert' > > > > > > > > > > > > > > > > *[p11_crypto_plugin] # Path to vendor PKCS11 library library_path = > '/usr/lib/libCryptoki2_64.so' # Password to login to PKCS11 session login = > 'test5678' # Label to identify master KEK in the HSM (must not be the same > as HMAC label) mkek_label = 'ha_mkek' # Length in bytes of master KEK > mkek_length = 32 # Label to identify HMAC key in the HSM (must not be the > same as MKEK label) hmac_label = 'ha_hmac' # HSM Slot id (Should correspond > to a configured PKCS11 slot). Default: 1 slot_id = 6 * > *Was able to create MKEK and HMAC successfully for the slots 1 and 2 on > the HSM when we run the * > *pkcs11-key-generation script for slot 6 which should be the expected > behaviour. * > > [root@HSM-Client bin]# python pkcs11-key-generation --library-path > '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek > --label 'ha_mkek' > Verified label ! > MKEK successfully generated! > [root@HSM-Client bin]# python pkcs11-key-generation --library-path > '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac > --label 'ha_hmac' > HMAC successfully generated! > [root@HSM-Client bin]# > > Please find the HSM commands and responses to show the details of the > partitions and partitions contents : > > root@HSM-Client bin]# ./vtl verify > > > The following Luna SA Slots/Partitions were found: > > > Slot Serial # Label > > = > > 1 489361010 barbican2 > > 2 489361011 barbican3 > > > [HSMtestLuna1] lunash:> pa
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Asha,
I've used the Safenet HSM "HA" virtual slot setup and it does work. However,
the setup is very interesting because you need to generate the MKEK and HMAC on
a single HSM and then replicate it to the other HSMs out of band of anything we
have in Barbican. If I recall correctly, the Safenet Luna docs mention how to
replicate keys or partitions between HSMs.
John Vrbanac
From: Asha Seshagiri
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
Subject: Barbican : Unable to create the secret after Integrating Barbican with
HSM HA
Hi All ,
I am working on Integrating Barbican with HSM HA set up.
I have configured slot 1 and slot 2 to be on HA on Luna SA set up . Slot 6 is a
virtual slot on the client side which acts as the proxy for the slot 1 and 2.
Hence on the Barbican side , I mentioned the slot number 6 and its password
which is identical to that of the passwords of slot1 and slot 2 in
barbican.conf file.
Please find the contents of the file :
# = Secret Store Plugin ===
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# = Crypto plugin ===
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6
Was able to create MKEK and HMAC successfully for the slots 1 and 2 on the HSM
when we run the pkcs11-key-generation script for slot 6 which should be the
expected behaviour.
[root@HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label
'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label
'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#
Please find the HSM commands and responses to show the details of the
partitions and partitions contents :
root@HSM-Client bin]# ./vtl verify
The following Luna SA Slots/Partitions were found:
Slot Serial # Label
=
1 489361010 barbican2
2 489361011 barbican3
[HSMtestLuna1] lunash:> partition showcontents -partition barbican2
Please enter the user password for the partition:
>
Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2
Object Label: ha_mkek
Object Type: Symmetric Key
Object Label: ha_hmac
Object Type: Symmetric Key
Command Result : 0 (Success)
[HSMtestLuna1] lunash:> partition showcontents -partition barbican3
Please enter the user password for the partition:
>
Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2
Object Label: ha_mkek
Object Type: Symmetric Key
Object Label: ha_hmac
Object Type: Symmetric Key
[root@HSM-Client bin]# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> barbican2
HSM Serial Number -> 489361010
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> barbican3
HSM Serial Number -> 489361011
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 6
HSM Label -> barbican_ha
HSM Serial Number -> 1489361010
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode
HSM Status -> N/A - HA Group
Current Slot Id: 1
Tried creating the secrets using the below command :
root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H
'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type":
"text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - ple
[openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Hi All ,
I am working on Integrating Barbican with HSM HA set up.
I have configured slot 1 and slot 2 to be on HA on Luna SA set up . Slot 6
is a virtual slot on the client side which acts as the proxy for the slot 1
and 2. Hence on the Barbican side , I mentioned the slot number 6 and its
password which is identical to that of the passwords of slot1 and slot 2 in
barbican.conf file.
Please find the contents of the file :
# = Secret Store Plugin ===
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# = Crypto plugin ===
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'
*[p11_crypto_plugin]# Path to vendor PKCS11 librarylibrary_path =
'/usr/lib/libCryptoki2_64.so'# Password to login to PKCS11 sessionlogin =
'test5678'# Label to identify master KEK in the HSM (must not be the same
as HMAC label)mkek_label = 'ha_mkek'# Length in bytes of master
KEKmkek_length = 32# Label to identify HMAC key in the HSM (must not be the
same as MKEK label)hmac_label = 'ha_hmac'# HSM Slot id (Should correspond
to a configured PKCS11 slot). Default: 1slot_id = 6*
*Was able to create MKEK and HMAC successfully for the slots 1 and 2 on the
HSM when we run the *
*pkcs11-key-generation script for slot 6 which should be the expected
behaviour.*
[root@HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek
--label 'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac
--label 'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#
Please find the HSM commands and responses to show the details of the
partitions and partitions contents :
root@HSM-Client bin]# ./vtl verify
The following Luna SA Slots/Partitions were found:
Slot Serial # Label
=
1 489361010 barbican2
2 489361011 barbican3
[HSMtestLuna1] lunash:> partition showcontents -partition barbican2
Please enter the user password for the partition:
>
Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2
Object Label: ha_mkek
Object Type: Symmetric Key
Object Label: ha_hmac
Object Type: Symmetric Key
Command Result : 0 (Success)
[HSMtestLuna1] lunash:> partition showcontents -partition barbican3
Please enter the user password for the partition:
>
Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2
Object Label: ha_mkek
Object Type: Symmetric Key
Object Label: ha_hmac
Object Type: Symmetric Key
[root@HSM-Client bin]# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> barbican2
HSM Serial Number -> 489361010
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> barbican3
HSM Serial Number -> 489361011
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 6
HSM Label -> barbican_ha
HSM Serial Number -> 1489361010
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode
HSM Status -> N/A - HA Group
Current Slot Id: 1
*Tried creating the secrets using the below command :*
root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json'
-H 'X-Project-Id:12345' -d '{"payload": "my-secret-here",
"payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact
site administrator.", "title": "Internal Server Error"}[root@HSM-
*Please find the logs below :*
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback
(most recent call last):
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File
"/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return
fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File
"/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-27 11:57:07.586 16362 ERROR barbi
