[openstack-dev] Barbican : Need help as to how to test the integration of Barbican with the HSM

Asha Seshagiri asha.seshagiri at gmail.com
Thu Jul 16 17:39:29 UTC 2015 

Hi All ,

I would need help to test the integration of Barbican with HSM.
Have configured the Barbican client to connect to HSM server by registering
barbican IP to the HSM server and have assigned the partition. Have
modified the barbican.conf file with the following changes  :

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test123'
# Label to identify master KEK in the HSM (must not be the same as HMAC
label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1

Would need help as to how to test whether the Integration of Barbican with
HSM is successful.
Where are the encypted KEK stored and how do we know the KEK is generated
on the HSM side and the same KEK is used for encryption/decryption of
secrets in barbarian.
Would also like to know if I have done the right changes required for
Integration with HSM

I was able to generate and retrieve the secret .

*root at HSM-Client ~]# curl -X POST -H 'content-type:application/json' -H
'X-Project-Id: 12345' -d '{"secret": {"name":"secretname", "algorithm":
"aes", "bit_length": 256, "mode": "cbc"}}'
http://184.172.96.189:9311/v1/secrets
<http://184.172.96.189:9311/v1/secrets>*

*{"secret_ref":
"http://184.172.96.189:9311/v1/secrets/275b99ad-71f5-4e4c-8bda-5c2b011c265b
<http://184.172.96.189:9311/v1/secrets/275b99ad-71f5-4e4c-8bda-5c2b011c265b>"}[root at HSM-Client
~]#*

Any help would highly be appreciated.
-- 
*Thanks and Regards,*
*Asha Seshagiri*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150716/a0d3bc1f/attachment.html>

More information about the OpenStack-dev mailing list