[openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA

Asha Seshagiri asha.seshagiri at gmail.com
Mon Jul 27 19:00:52 UTC 2015


Hi All,

I am working on integrating Barbican with an HSM HA setup.
I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6
is a virtual slot on the client side which acts as the proxy for slots 1
and 2. Hence on the Barbican side, I mentioned slot number 6 and its
password, which is identical to the passwords of slot 1 and slot 2, in the
barbican.conf file.

Please find the contents of the file:

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6

Was able to create the MKEK and HMAC successfully for slots 1 and 2 on the
HSM when we ran the pkcs11-key-generation script for slot 6, which should be
the expected behaviour.

[root at HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so'  --passphrase 'test5678' --slot-id 6 mkek
--label 'ha_mkek'
Verified label !
MKEK successfully generated!
[root at HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac
--label 'ha_hmac'
HMAC successfully generated!
[root at HSM-Client bin]#

Please find the HSM commands and responses to show the details of the
partitions and partition contents:

[root at HSM-Client bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot    Serial #        Label
====    ========        =====
1       489361010       barbican2
2       489361011       barbican3

[HSMtestLuna1] lunash:> partition showcontents -partition barbican2

Please enter the user password for the partition:
> ********

Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash:> partition showcontents -partition barbican3

Please enter the user password for the partition:
> ********

Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

[root at HSM-Client bin]# ./lunacm

LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.

Available HSM's:

Slot Id -> 1
HSM Label -> barbican2
HSM Serial Number -> 489361010
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 2
HSM Label -> barbican3
HSM Serial Number -> 489361011
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 6
HSM Label -> barbican_ha
HSM Serial Number -> 1489361010
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode
HSM Status -> N/A - HA Group

Current Slot Id: 1

Tried creating the secrets using the below command:

[root at HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root at HSM-

Please find the logs below:

2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required


Would like to know whether Barbican supports a virtual slot configuration,
since I have mentioned slot # 6 in the barbican.conf file, and whether
anyone has tested an HSM HA setup with Barbican.
Any help would be highly appreciated!
-- 
Thanks and Regards,
Asha Seshagiri
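An added example, not Barbican's or SafeNet's code, illustrating the failure shape in the traceback above. The last frames show `C_VerifyInit` being handed `hmac_key` and the ctypes layer answering "an integer is required"; one way that happens is when the by-label lookup that should produce the HMAC key's object handle returns nothing for the slot the plugin opened, so `None` reaches the library call. Whether that is what happened with slot 6 here is an assumption made for the example; the stub library, the `FakeCryptokiLib` class, the slot/label table and the helper names (`find_key_handle`, `verify_hmac_guarded`, `preflight_missing_labels`) are all constructed for illustration and do not describe how a Luna HA virtual slot actually presents objects.

```python
# Added example (not Barbican's or SafeNet's code). It models, with a stubbed
# PKCS#11 library, one way the posted traceback arises: a by-label key lookup
# that finds no handle in the slot the plugin opened, so C_VerifyInit is given
# None and the ctypes argument conversion reports "an integer is required".
# It then shows the early, descriptive failure a preflight check gives instead.

CKM_SHA256_HMAC = 0x251  # mechanism number from the PKCS#11 specification

# Constructed token view: (slot_id, label) -> object handle. Slots 1 and 2 hold
# the generated keys; virtual slot 6 is ASSUMED, for this example only, to
# expose nothing under those labels. This is not a statement about Luna HA.
FAKE_TOKEN_OBJECTS = {
    (1, 'ha_mkek'): 17, (1, 'ha_hmac'): 18,
    (2, 'ha_mkek'): 21, (2, 'ha_hmac'): 22,
}


def find_key_handle(slot_id, label):
    """Stand-in for a C_FindObjects-by-label search: the handle, or None."""
    return FAKE_TOKEN_OBJECTS.get((slot_id, label))


class FakeCryptokiLib(object):
    """Stub of the only vendor-library entry point this example touches.
    The real library is loaded through ctypes, whose integer argument
    conversion rejects a None handle with the TypeError text seen in the log."""

    def C_VerifyInit(self, session, mech, key_handle):
        if not isinstance(key_handle, int):
            raise TypeError("an integer is required")
        return 0  # CKR_OK


def verify_hmac_unguarded(lib, session, slot_id, hmac_label):
    """Passes whatever the lookup returned straight to the library; with a
    missing label this fails inside C_VerifyInit like the traceback does."""
    hmac_key = find_key_handle(slot_id, hmac_label)
    return lib.C_VerifyInit(session, CKM_SHA256_HMAC, hmac_key)


def verify_hmac_guarded(lib, session, slot_id, hmac_label):
    """Same call, but a missing handle is reported with slot and label so the
    operator sees a configuration problem rather than a generic HTTP 500."""
    hmac_key = find_key_handle(slot_id, hmac_label)
    if hmac_key is None:
        raise LookupError(
            "no object labelled {0!r} is visible in slot {1}; check slot_id and "
            "that the keys were generated in the slot Barbican opens".format(
                hmac_label, slot_id))
    return lib.C_VerifyInit(session, CKM_SHA256_HMAC, hmac_key)


def preflight_missing_labels(slot_id, labels):
    """Startup check: the configured labels that have no handle in slot_id.
    An empty list means every key the plugin needs is reachable there."""
    return [label for label in labels if find_key_handle(slot_id, label) is None]


def error_message(fn, *args):
    """Run fn(*args); return 'ExcType: message' on failure, None on success.
    Lets the two code paths be compared without a test framework."""
    try:
        fn(*args)
    except Exception as exc:  # deliberately broad: this is a diagnostic helper
        return "{0}: {1}".format(type(exc).__name__, exc)
    return None


if __name__ == '__main__':
    lib = FakeCryptokiLib()
    session = 1  # constructed session handle
    print(error_message(verify_hmac_unguarded, lib, session, 6, 'ha_hmac'))
    print(error_message(verify_hmac_guarded, lib, session, 6, 'ha_hmac'))
    print(preflight_missing_labels(6, ['ha_mkek', 'ha_hmac']))
```

The point of `preflight_missing_labels` is that a key-handle lookup is cheap and can run when the plugin initialises, against the same `slot_id` and labels from `[p11_crypto_plugin]`; a mismatch between the slot the keys were generated in and the slot the service opens then surfaces in the log with the label and slot number, before any secret is accepted.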