[openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Asha Seshagiri asha.seshagiri at gmail.com
Sun Jul 19 19:15:13 UTC 2015


Hi John,

Thanks for pointing me to the right script.
I appreciate your help.

I tried running the script with the following command:

[root at HSM-Client bin]# python pkcs11-key-generation --library-path
{/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1  mkek
--length 32 --label 'an_mkek'
Traceback (most recent call last):
  File "pkcs11-key-generation", line 120, in <module>
    main()
  File "pkcs11-key-generation", line 115, in main
    kg = KeyGenerator()
  File "pkcs11-key-generation", line 38, in __init__
    ffi=ffi
  File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in
__init__
    self.lib = self.ffi.dlopen(library_path)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen
    lib, function_cache = _make_ffi_library(self, name, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in
_make_ffi_library
    backendlib = _load_backend_lib(backend, libname, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in
_load_backend_lib
    return backend.load_library(name, flags)
*OSError: cannot load library {/usr/lib/libCryptoki2_64.so}:
{/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file
or directory*

*Unable to run the script since the library libCryptoki2_64.so cannot be
opened.*

Tried the following solution  :

   - vi /etc/ld.so.conf
   - Added both paths got from the command find / -name libCryptoki2_64.so
     to the /etc/ld.so.conf file:
       - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
       - /usr/lib/libCryptoki2_64.so
   - sudo ldconfig
   - ldconfig -p

But the above solution failed and I am getting the same error.

Any help would be highly appreciated.
Thanks in advance!

Thanks and Regards,
Asha Seshagiri

On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <john.vrbanac at rackspace.com>
wrote:

>  Asha,
>
> It looks like you don't have your mkek label correctly configured. Make
> sure that the mkek_label and hmac_label values in your config correctly
> reflect the keys that you've generated on your HSM.
>
> The plugin will cache the key handle to the mkek and hmac when the plugin
> starts, so if it cannot find them, it'll fail to load the plugin altogether.
>
>
>  If you need help generating your mkek and hmac, refer to
> http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
> for instructions on how to create them using a script.
>
>
>  As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>
>
>     John Vrbanac
>      ------------------------------
> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
> *Sent:* Saturday, July 18, 2015 8:47 PM
> *To:* openstack-dev
> *Cc:* Reller, Nathan S.
> *Subject:* [openstack-dev] Barbican : Unable to store the secret when
> Barbican was Integrated with SafeNet HSM
>
>  Hi All,
>
>  I have configured Barbican to integrate with SafeNet HSM.
> Installed SafeNet client libraries, registered the Barbican machine to
> point to the HSM server and also assigned an HSM partition.
>
>  The following were the changes done in the barbican.conf file:
>
>
>  # ================= Secret Store Plugin ===================
> [secretstore]
> namespace = barbican.secretstore.plugin
> enabled_secretstore_plugins = store_crypto
>
> # ================= Crypto plugin ===================
> [crypto]
> namespace = barbican.crypto.plugin
> enabled_crypto_plugins = p11_crypto
>
> [p11_crypto_plugin]
> # Path to vendor PKCS11 library
> library_path = '/usr/lib/libCryptoki2_64.so'
> # Password to login to PKCS11 session
> login = 'test123'
> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
> mkek_label = 'an_mkek'
> # Length in bytes of master KEK
> mkek_length = 32
> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
> hmac_label = 'my_hmac_label'
> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
> slot_id = 1
>
>  Unable to store the secret when Barbican was integrated with HSM.
>
>  [root at HSM-Client crypto]# curl -X POST -H
> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
> "my-secret-here", "payload_content_type": "text/plain"}'
> http://localhost:9311/v1/secrets
> *{"code": 500, "description": "Secret creation failure seen - please
> contact site administrator.", "title": "Internal Server
> Error"}[root at HSM-Client crypto]#*
>
>
> Please find the logs below :
>
>  2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen
> creating plugin: 'p11_crypto'
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback
> (most recent call last):
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
> "/root/barbican/barbican/plugin/util/utils.py", line 42, in
> instantiate_plugins
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
> plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
> "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
> conf.p11_crypto_plugin.hmac_label)
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in
> cache_mkek_and_hmac
>  2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
> self.get_mkek(self.current_mkek_label, session)
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise
> P11CryptoKeyHandleException()
> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
> P11CryptoKeyHandleException: No key handle was found*
> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils*
> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation
> failure seen - please contact site administrator.*
>
>
>  (I am not sure why we are getting the CryptoPluginNotFound: Crypto plugin not
> found. exception, since the changes are able to hit the p11_crypto.py code)
>
>  2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback
> (most recent call last):
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/__init__.py", line 146, in
> content_types_enforcer
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
> transport_key_id=data.get('transport_key_id'))
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
> secret_model, project_model)
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/plugin/resources.py", line 267, in
> _store_secret_using_plugin
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
> secret_metadata = store_plugin.store_secret(secret_dto, context)
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
> crypto.PluginSupportTypes.ENCRYPT_DECRYPT
> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
> "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in
> get_plugin_store_generate*
> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise
> crypto.CryptoPluginNotFound()*
> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
> CryptoPluginNotFound: Crypto plugin not found.*
>
>  Had a chance to go through the code as to why we are getting the exception *P11CryptoKeyHandleException:
> No key handle was found.*
> *It is because* returned_count[0] == 0. It needs to be 0 in order for the
> mkek to be created. From what I understand, by default all the ffi
> variables would have the value 0. I am not sure why the check
> returned_count[0] == 1: has been put.
>
>    if returned_count[0] == 1:
>        key = object_handle_ptr[0]
>    rv = self.lib.C_FindObjectsFinal(session)
>    self.check_error(rv)
>    if returned_count[0] == 1:
>        return key
>    elif returned_count[0] == 0:
>        return None
> *Need help. Any help would be highly appreciated. It is very critical for
> us to integrate with Barbican.*
> *Also would like to know if any one has integrated Barbican with HSM.*
>
>  --
>  *Thanks and Regards,*
> *Asha Seshagiri*
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
*Thanks and Regards,*
*Asha Seshagiri*
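As an added illustration (not Barbican's code and not from the thread), the block below models the label lookup quoted above against a constructed in-memory token: returned_count is the number of objects matching the label template, so 0 means no key with that label exists on the HSM, and a start-up preflight over mkek_label and hmac_label fails closed exactly as the plugin does. FakeToken, find_key_handle and preflight are hypothetical names, and the handle values are made up.

```python
# Added example, not Barbican's code: a constructed in-memory stand-in for a
# Cryptoki library, walking through the C_FindObjectsInit/C_FindObjects/
# C_FindObjectsFinal lookup the p11_crypto plugin runs at start-up.
CKR_OK = 0        # PKCS#11 "success" return value
CKA_LABEL = 0x03  # attribute type the search template matches on

class KeyHandleNotFound(Exception):
    """No object on the token carries the requested label."""

class FakeToken:
    """Maps label -> object handle; handles are constructed sample values."""

    def __init__(self, labels):
        self._handles = {label: 100 + i for i, label in enumerate(labels)}
        self._pending = []

    def C_FindObjectsInit(self, session, template):
        wanted = dict(template)[CKA_LABEL]
        self._pending = [h for lbl, h in self._handles.items() if lbl == wanted]
        return CKR_OK

    def C_FindObjects(self, session, max_count):
        # len(found) plays the role of returned_count[0] in the real plugin
        found, self._pending = self._pending[:max_count], self._pending[max_count:]
        return CKR_OK, found

    def C_FindObjectsFinal(self, session):
        return CKR_OK

def find_key_handle(lib, session, label):
    """Handle of the key labelled `label`, or None when the token has none."""
    if lib.C_FindObjectsInit(session, [(CKA_LABEL, label)]) != CKR_OK:
        raise RuntimeError("C_FindObjectsInit failed")
    rv, found = lib.C_FindObjects(session, 1)
    if rv != CKR_OK or lib.C_FindObjectsFinal(session) != CKR_OK:
        raise RuntimeError("C_FindObjects/C_FindObjectsFinal failed")
    returned_count = len(found)  # 1: key present, 0: no key with that label
    return found[0] if returned_count == 1 else None

def preflight(lib, session, mkek_label, hmac_label):
    """Resolve both labels up front; a miss fails closed like the plugin."""
    if mkek_label == hmac_label:
        raise ValueError("mkek_label and hmac_label must differ")
    handles = {}
    for name, label in (("mkek", mkek_label), ("hmac", hmac_label)):
        handle = find_key_handle(lib, session, label)
        if handle is None:
            raise KeyHandleNotFound("%s label %r not on token" % (name, label))
        handles[name] = handle
    return handles
```

Running preflight with the labels from the barbican.conf above against a token that only holds 'an_mkek' raises KeyHandleNotFound for the hmac label, which is the same fail-closed outcome the plugin reports as "No key handle was found".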