Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
From: Asha Seshagiri
In reply to: John Vrbanac, Tue, Jul 28, 2015 at 11:31 AM

Thanks John for your response :) I am currently working on reconfiguring the HSM in a different way. Shall let you know once my stuff is working.

Thanks and Regards,
Asha Seshagiri
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
From: John Vrbanac
Sent: Tuesday, July 28, 2015 11:31 AM
In reply to: Asha Seshagiri, Tuesday, July 28, 2015 9:22 AM

Asha,

I'm not sure what went wrong. Something must have happened during your HA setup. You might check a couple of different things. First, check your HA policies and HA group setup. The other thing to make sure of is that you only generate one mkek and hmac on one HSM (I use a direct slot and not the HA virtual slot for this) and then replicate (vtl haAdmin -synchronize). If the HA group is set up properly it should replicate your mkek and hmac across the other HSMs in the HA group.

As a side note, the pkcs11 plugin in Barbican currently retrieves the mkek and hmac by label, so make sure you don't have multiple keys in the HSM with the same label.

John Vrbanac
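The side note above is the one Barbican-side invariant that can be verified before touching the HA group at all: lookup by label only works when each configured label names exactly one object in every partition a request can land on. The following is an added example written for this page, not code from the thread or from Barbican. It parses the listing that `partition showcontents` prints on the Luna shell (in the form Asha pasted it) and flags any configured label that is missing or duplicated in a partition; `check_live_slot` runs the same check against a live slot through PyKCS11, whose use here is an assumption and not something the thread's pkcs11-key-generation tool does. The listing embedded in the block is constructed: barbican3 has been given a second ha_mkek to show the failure mode.

```python
"""Pre-flight check for Barbican's p11_crypto_plugin lookup-by-label.

Added editorial example, not from the thread or from Barbican.  It checks
that exactly one key object carries mkek_label and exactly one carries
hmac_label in every partition listed, which is what a lookup by label
depends on.  Any HA member can serve the virtual slot, so every member
partition has to pass.
"""
import re
from collections import Counter

# Constructed sample in the `partition showcontents` format from the thread.
# barbican2 is healthy; barbican3 carries two objects labelled ha_mkek.
SAMPLE_SHOWCONTENTS = """\
[HSMtestLuna1] lunash:> partition showcontents -partition barbican2
Partition Name:    barbican2
Partition SN:      489361010
Number objects:    2

Object Label:  ha_mkek
Object Type:   Symmetric Key

Object Label:  ha_hmac
Object Type:   Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash:> partition showcontents -partition barbican3
Partition Name:    barbican3
Partition SN:      489361011
Number objects:    3

Object Label:  ha_mkek
Object Type:   Symmetric Key

Object Label:  ha_mkek
Object Type:   Symmetric Key

Object Label:  ha_hmac
Object Type:   Symmetric Key

Command Result : 0 (Success)
"""

_PARTITION_RE = re.compile(r"^Partition Name:\s*(\S+)")
_LABEL_RE = re.compile(r"^Object Label:\s*(.+?)\s*$")


def parse_showcontents(text):
    """Map partition name -> list of object labels, in listing order."""
    partitions = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _PARTITION_RE.match(line)
        if m:
            current = m.group(1)
            partitions.setdefault(current, [])
            continue
        m = _LABEL_RE.match(line)
        if m and current is not None:
            partitions[current].append(m.group(1))
    return partitions


def check_labels(partitions, mkek_label, hmac_label):
    """Return a list of problems; an empty list means lookup-by-label is safe.

    A missing label means the plugin cannot find its key; a label present
    more than once makes the lookup ambiguous.
    """
    problems = []
    if mkek_label == hmac_label:
        problems.append("mkek_label and hmac_label must differ")
    for name, labels in sorted(partitions.items()):
        counts = Counter(labels)
        for want in (mkek_label, hmac_label):
            n = counts.get(want, 0)
            if n == 0:
                problems.append("%s: no object labelled %r" % (name, want))
            elif n > 1:
                problems.append("%s: %d objects labelled %r" % (name, n, want))
    return problems


def check_live_slot(library_path, slot_id, pin, mkek_label, hmac_label):
    """Same check against a live PKCS#11 slot (assumes `pip install pykcs11`).

    Through the HA virtual slot the answer reflects the member the Luna
    client services the call on; the lunash listing is the per-partition view.
    """
    import PyKCS11  # imported lazily so the parser above runs without it

    lib = PyKCS11.PyKCS11Lib()
    lib.load(library_path)
    session = lib.openSession(slot_id, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    try:
        labels = []
        template = [(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY)]
        for handle in session.findObjects(template):
            (label,) = session.getAttributeValue(handle, [PyKCS11.CKA_LABEL])
            labels.append(label)
    finally:
        session.logout()
        session.closeSession()
    return check_labels({"slot %d" % slot_id: labels}, mkek_label, hmac_label)


if __name__ == "__main__":
    found = parse_showcontents(SAMPLE_SHOWCONTENTS)
    for problem in check_labels(found, "ha_mkek", "ha_hmac"):
        print(problem)
```

Run it with the real lunash output pasted into SAMPLE_SHOWCONTENTS, or call check_live_slot with the library_path, slot_id and login from barbican.conf; an empty result means the labels are usable, anything else is the condition the side note warns about.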
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
From: Asha Seshagiri
Sent: Tuesday, July 28, 2015 9:22 AM
To: John Vrbanac
Cc: openstack-dev; John Wood; Douglas Mendizabal; Reller, Nathan S.
In reply to: Asha Seshagiri, Mon, Jul 27, 2015 at 3:10 PM

Hi John,

Any help would be highly appreciated.

Thanks and Regards,
Asha Seshagiri
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
From: Asha Seshagiri
Sent: Monday, July 27, 2015 3:10 PM
In reply to: John Vrbanac, Mon, Jul 27, 2015 at 2:36 PM

Hi John,

Thanks a lot for providing me the response :)
I followed the link [1] for configuring the HA setup.
[1] http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html

The final step in the above link is the haAdmin command, which is run on the client side (on Barbican). Slot 6 is the virtual slot (only on the client side and not visible on the Luna SA) and 1 and 2 are actual slots on the Luna SA HSM.

Please find the response below:

    [root@HSM-Client bin]# ./vtl haAdmin show

    HA Global Configuration Settings
    ================================

    HA Proxy:                    disabled
    HA Auto Recovery:            disabled
    Maximum Auto Recovery Retry: 0
    Auto Recovery Poll Interval: 60 seconds
    HA Logging:                  disabled
    Only Show HA Slots:          no

    HA Group and Member Information
    ===============================

    HA Group Label:   barbican_ha
    HA Group Number:  1489361010
    HA Group Slot #:  6
    Synchronization:  enabled
    Group Members:    489361010, 489361011
    Standby members:

    Slot #   Member S/N   Member Label   Status
    ======   ==========   ============   ======
    1        489361010    barbican2      alive
    2        489361011    barbican3      alive

After knowing the virtual HA slot number, I ran pkcs11-key-generation with slot number 6, which did create the mkek and hmac in slot/partition 1 and 2 automatically. I am not sure why we have to replicate the keys between partitions. I configured slot 6 in barbican.conf as mentioned in my first email.

Not sure what might be the issue. It would be great if you could tell me the steps or where I would have gone wrong.

Thanks and Regards,
Asha Seshagiri
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
From: John Vrbanac
Sent: Monday, July 27, 2015 2:36 PM
In reply to: Asha Seshagiri, Monday, July 27, 2015 2:00 PM

Asha,

I've used the SafeNet HSM "HA" virtual slot setup and it does work. However, the setup is very interesting because you need to generate the MKEK and HMAC on a single HSM and then replicate it to the other HSMs, out of band of anything we have in Barbican. If I recall correctly, the SafeNet Luna docs mention how to replicate keys or partitions between HSMs.

John Vrbanac
[openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
From: Asha Seshagiri
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.

Hi All,

I am working on integrating Barbican with an HSM HA setup.
I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6 is a virtual slot on the client side which acts as the proxy for slots 1 and 2. Hence on the Barbican side, I put slot number 6 and its password, which is identical to the passwords of slot 1 and slot 2, in the barbican.conf file.

Please find the contents of the file:

    # ================= Secret Store Plugin =================
    [secretstore]
    namespace = barbican.secretstore.plugin
    enabled_secretstore_plugins = store_crypto

    # ================= Crypto plugin =================
    [crypto]
    namespace = barbican.crypto.plugin
    enabled_crypto_plugins = p11_crypto

    [simple_crypto_plugin]
    # the kek should be a 32-byte value which is base64 encoded
    kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

    [dogtag_plugin]
    pem_path = '/etc/barbican/kra_admin_cert.pem'
    dogtag_host = localhost
    dogtag_port = 8443
    nss_db_path = '/etc/barbican/alias'
    nss_db_path_ca = '/etc/barbican/alias-ca'
    nss_password = 'password123'
    simple_cmc_profile = 'caOtherCert'

    [p11_crypto_plugin]
    # Path to vendor PKCS11 library
    library_path = '/usr/lib/libCryptoki2_64.so'
    # Password to login to PKCS11 session
    login = 'test5678'
    # Label to identify master KEK in the HSM (must not be the same as HMAC label)
    mkek_label = 'ha_mkek'
    # Length in bytes of master KEK
    mkek_length = 32
    # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
    hmac_label = 'ha_hmac'
    # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
    slot_id = 6

I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM when running the pkcs11-key-generation script for slot 6, which should be the expected behaviour.

    [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
    Verified label !
    MKEK successfully generated!
    [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
    HMAC successfully generated!
    [root@HSM-Client bin]#

Please find the HSM commands and responses showing the details of the partitions and their contents:

    [root@HSM-Client bin]# ./vtl verify

    The following Luna SA Slots/Partitions were found:

    Slot    Serial #     Label
    ====    ========     =====
    1       489361010    barbican2
    2       489361011    barbican3

    [HSMtestLuna1] lunash:> partition showcontents -partition barbican2
    Please enter the user password for the partition:
    >

    Partition Name:    barbican2
    Partition SN:      489361010
    Storage (Bytes):   Total=1046420, Used=256, Free=1046164
    Number objects:    2

    Object Label:  ha_mkek
    Object Type:   Symmetric Key

    Object Label:  ha_hmac
    Object Type:   Symmetric Key

    Command Result : 0 (Success)

    [HSMtestLuna1] lunash:> partition showcontents -partition barbican3
    Please enter the user password for the partition:
    >

    Partition Name:    barbican3
    Partition SN:      489361011
    Storage (Bytes):   Total=1046420, Used=256, Free=1046164
    Number objects:    2

    Object Label:  ha_mkek
    Object Type:   Symmetric Key

    Object Label:  ha_hmac
    Object Type:   Symmetric Key

    [root@HSM-Client bin]# ./lunacm
    LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.

    Available HSM's:

    Slot Id ->              1
    HSM Label ->            barbican2
    HSM Serial Number ->    489361010
    HSM Model ->            LunaSA
    HSM Firmware Version -> 6.2.1
    HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
    HSM Status ->           OK

    Slot Id ->              2
    HSM Label ->            barbican3
    HSM Serial Number ->    489361011
    HSM Model ->            LunaSA
    HSM Firmware Version -> 6.2.1
    HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
    HSM Status ->           OK

    Slot Id ->              6
    HSM Label ->            barbican_ha
    HSM Serial Number ->    1489361010
    HSM Model ->            LunaVirtual
    HSM Firmware Version -> 6.2.1
    HSM Configuration ->    Virtual HSM (PW) Signing With Cloning Mode
    HSM Status ->           N/A - HA Group

    Current Slot Id: 1

Tried creating a secret using the below command:

    [root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
    {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}

Please find the logs below:

    2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
    2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
    2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
    2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
    2015-07-27 11:57:07.586 16362 ERROR barbi
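The two artefacts that matter for this report are the [p11_crypto_plugin] section above and the `vtl haAdmin show` output posted later in the thread. As an added example (not code from the thread or from Barbican), the following cross-checks them: the slot Barbican opens must be the HA group's virtual slot, synchronization must be enabled and every group member must have a status row reading alive, so that a 500 at secret-creation time can be attributed to key material rather than to the HA group itself. Both inputs are constructed from the values posted; stripping the single quotes around config values is done here to match what oslo.config does when Barbican loads barbican.conf, and is this reader's own handling rather than Barbican's loader.

```python
"""Cross-check barbican.conf [p11_crypto_plugin] against `vtl haAdmin show`.

Added editorial example, not from the thread or from Barbican.
"""
import configparser
import re

# Constructed from the [p11_crypto_plugin] section posted in the thread.
SAMPLE_CONF = """\
[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'test5678'
mkek_label = 'ha_mkek'
mkek_length = 32
hmac_label = 'ha_hmac'
slot_id = 6
"""

# Constructed from the `vtl haAdmin show` output posted in the thread.
SAMPLE_HAADMIN = """\
HA Group and Member Information
HA Group Label:   barbican_ha
HA Group Number:  1489361010
HA Group Slot #:  6
Synchronization:  enabled
Group Members:    489361010, 489361011
Standby members:

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive
"""


def read_p11_config(text):
    """Return [p11_crypto_plugin] values with the surrounding quotes removed
    (oslo.config strips them; configparser keeps them)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {k: v.strip().strip("'\"") for k, v in cp["p11_crypto_plugin"].items()}


# One member row: slot number, serial, label, status.
_MEMBER_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_haadmin_show(text):
    """Extract the group slot, sync flag, member serials and per-member status."""
    info = {"members": [], "status": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("HA Group Slot #:"):
            info["slot"] = int(line.split(":", 1)[1])
        elif line.startswith("Synchronization:"):
            info["sync"] = line.split(":", 1)[1].strip() == "enabled"
        elif line.startswith("Group Members:"):
            members = line.split(":", 1)[1].split(",")
            info["members"] = [s.strip() for s in members if s.strip()]
        else:
            m = _MEMBER_ROW.match(line)
            if m:
                slot, serial, label, status = m.groups()
                info["status"][serial] = (int(slot), label, status)
    return info


def check_ha_against_conf(conf, ha):
    """Return a list of problems; empty means the HA group and config agree."""
    problems = []
    if int(conf["slot_id"]) != ha.get("slot"):
        problems.append("slot_id %s is not the HA group slot %s"
                        % (conf["slot_id"], ha.get("slot")))
    if not ha.get("sync"):
        problems.append("HA synchronization is not enabled")
    if not ha["members"]:
        problems.append("HA group has no members")
    for serial in ha["members"]:
        st = ha["status"].get(serial)
        if st is None:
            problems.append("member %s listed but has no status row" % serial)
        elif st[2] != "alive":
            problems.append("member %s (%s) is %s" % (serial, st[1], st[2]))
    return problems


if __name__ == "__main__":
    conf = read_p11_config(SAMPLE_CONF)
    ha = parse_haadmin_show(SAMPLE_HAADMIN)
    print(check_ha_against_conf(conf, ha) or ["HA group and slot_id agree"])
```

With the thread's values the check passes, which is consistent with the report: the HA group itself looks healthy and the failure has to be sought in the key objects or in how they were generated and replicated.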