[openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA

Asha Seshagiri asha.seshagiri at gmail.com
Mon Jul 27 20:10:17 UTC 2015


Hi John ,

Thanks a lot for providing me the response :)
I followed the link [1] for configuring the HA setup.
[1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html

The final step in the above link is the haAdmin command, which is run on the
client side (on Barbican).
Slot 6 is the virtual slot (only on the client side and not visible on
Luna SA) and 1 and 2 are actual slots on the Luna SA HSM.

Please find the response below:

[root at HSM-Client bin]# ./vtl haAdmin show

================ HA Global Configuration Settings ===============

HA Proxy: disabled
HA Auto Recovery: disabled
Maximum Auto Recovery Retry: 0
Auto Recovery Poll Interval: 60 seconds
HA Logging: disabled
Only Show HA Slots: no

================ HA Group and Member Information ================

HA Group Label: barbican_ha
HA Group Number: 1489361010
HA Group Slot #: 6
Synchronization: enabled
Group Members: 489361010, 489361011
Standby members: <none>

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive

After knowing the virtual HA slot number, I ran the pkcs11-key-generation
with slot number 6, which did create mkek and hmac in slot/partition 1 and 2
automatically. I am not sure why we have to replicate the keys between
partitions? Configured slot 6 in barbican.conf as mentioned in my
first email.

Not sure what might be the issue.

It would be great if you could tell me the steps or where I would have gone
wrong.

Thanks and Regards,

Asha Seshagiri

On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac <john.vrbanac at rackspace.com>
wrote:

>  Asha,
>
> I've used the Safenet HSM "HA" virtual slot setup and it does work.
> However, the setup is very interesting because you need to generate the
> MKEK and HMAC on a single HSM and then replicate it to the other HSMs out
> of band of anything we have in Barbican. If I recall correctly, the Safenet
> Luna docs mention how to replicate keys or partitions between HSMs.
>
>
>     John Vrbanac
>      ------------------------------
> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
> *Sent:* Monday, July 27, 2015 2:00 PM
> *To:* openstack-dev
> *Cc:* John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
> *Subject:* Barbican : Unable to create the secret after Integrating
> Barbican with HSM HA
>
>    Hi All,
>
>  I am working on integrating Barbican with an HSM HA setup.
>  I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot
> 6 is a virtual slot on the client side which acts as the proxy for slots
> 1 and 2. Hence on the Barbican side, I mentioned slot number 6 and its
> password, which is identical to the passwords of slot 1 and slot 2, in the
> barbican.conf file.
>
>  Please find the contents of the file:
>
> # ================= Secret Store Plugin ===================
> [secretstore]
> namespace = barbican.secretstore.plugin
> enabled_secretstore_plugins = store_crypto
>
> # ================= Crypto plugin ===================
> [crypto]
> namespace = barbican.crypto.plugin
> enabled_crypto_plugins = p11_crypto
>
> [simple_crypto_plugin]
> # the kek should be a 32-byte value which is base64 encoded
> kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
>
> [dogtag_plugin]
> pem_path = '/etc/barbican/kra_admin_cert.pem'
> dogtag_host = localhost
> dogtag_port = 8443
> nss_db_path = '/etc/barbican/alias'
> nss_db_path_ca = '/etc/barbican/alias-ca'
> nss_password = 'password123'
> simple_cmc_profile = 'caOtherCert'
>
> [p11_crypto_plugin]
> # Path to vendor PKCS11 library
> library_path = '/usr/lib/libCryptoki2_64.so'
> # Password to login to PKCS11 session
> login = 'test5678'
> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
> mkek_label = 'ha_mkek'
> # Length in bytes of master KEK
> mkek_length = 32
> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
> hmac_label = 'ha_hmac'
> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
> slot_id = 6
>
> Was able to create MKEK and HMAC successfully for the slots 1 and 2 on
> the HSM when we run the pkcs11-key-generation script for slot 6, which
> should be the expected behaviour.
>
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> '/usr/lib/libCryptoki2_64.so'  --passphrase 'test5678' --slot-id 6 mkek
> --label 'ha_mkek'
> Verified label !
> MKEK successfully generated!
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac
> --label 'ha_hmac'
> HMAC successfully generated!
> [root at HSM-Client bin]#
>
> Please find the HSM commands and responses to show the details of the
> partitions and partition contents:
>
> root at HSM-Client bin]# ./vtl verify
>
> The following Luna SA Slots/Partitions were found:
>
> Slot   Serial #    Label
> ====   ========    =====
> 1      489361010   barbican2
> 2      489361011   barbican3
>
> [HSMtestLuna1] lunash:> partition showcontents -partition barbican2
>
> Please enter the user password for the partition:
> > ********
>
> Partition Name: barbican2
> Partition SN: 489361010
> Storage (Bytes): Total=1046420, Used=256, Free=1046164
> Number objects: 2
>
> Object Label: ha_mkek
> Object Type: Symmetric Key
>
> Object Label: ha_hmac
> Object Type: Symmetric Key
>
> Command Result : 0 (Success)
>
> [HSMtestLuna1] lunash:> partition showcontents -partition barbican3
>
> Please enter the user password for the partition:
> > ********
>
> Partition Name: barbican3
> Partition SN: 489361011
> Storage (Bytes): Total=1046420, Used=256, Free=1046164
> Number objects: 2
>
> Object Label: ha_mkek
> Object Type: Symmetric Key
>
> Object Label: ha_hmac
> Object Type: Symmetric Key
>
> [root at HSM-Client bin]# ./lunacm
>
> LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
>
> Available HSM's:
>
> Slot Id -> 1
> HSM Label -> barbican2
> HSM Serial Number -> 489361010
> HSM Model -> LunaSA
> HSM Firmware Version -> 6.2.1
> HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
> HSM Status -> OK
>
> Slot Id -> 2
> HSM Label -> barbican3
> HSM Serial Number -> 489361011
> HSM Model -> LunaSA
> HSM Firmware Version -> 6.2.1
> HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
> HSM Status -> OK
>
> Slot Id -> 6
> HSM Label -> barbican_ha
> HSM Serial Number -> 1489361010
> HSM Model -> LunaVirtual
> HSM Firmware Version -> 6.2.1
> HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode
> HSM Status -> N/A - HA Group
>
> Current Slot Id: 1
>
> Tried creating the secrets using the below command:
>
> root at HSM-Client barbican]# curl -X POST -H
> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
> "my-secret-here", "payload_content_type": "text/plain"}'
> http://localhost:9311/v1/secrets
> {"code": 500, "description": "Secret creation failure seen - please
> contact site administrator.", "title": "Internal Server Error"}[root at HSM-
>
> Please find the logs below:
>
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required
>
>
> Would like to know whether Barbican supports virtual slot configuration,
> since I have mentioned slot #6 in the barbican.conf file, and whether
> anyone has tested an HSM HA setup with Barbican.
> Any help would highly be appreciated!
>    --
>  *Thanks and Regards,*
> *Asha Seshagiri*
>



-- 
*Thanks and Regards,*
*Asha Seshagiri*
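Added example (my own code, not from this thread or from Barbican): a pre-flight check that parses the `vtl haAdmin show` output quoted above and confirms that the `slot_id` in barbican.conf is the HA group's virtual slot, that every HA member is alive with synchronization enabled, and that the MKEK and HMAC labels differ, before Barbican is pointed at the slot. Function names are mine; the sample output and config fragment are constructed from the values in the thread.

```python
import configparser
import re

# `vtl haAdmin show` output, constructed from the values quoted in the thread.
HA_SHOW = """\
HA Group Slot #: 6
Synchronization: enabled
Slot # Member S/N Member Label Status
1 489361010 barbican2 alive
2 489361011 barbican3 alive
"""
# [p11_crypto_plugin] section as posted in the thread (login line omitted).
BARBICAN_CONF = """\
[p11_crypto_plugin]
mkek_label = 'ha_mkek'
hmac_label = 'ha_hmac'
slot_id = 6
"""
MEMBER_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\w+)\s*$")  # slot, S/N, label, status

def parse_ha_show(text):
    """Return the HA virtual slot, sync state and (slot, serial, label, status) rows."""
    info = {"slot": None, "sync": None, "members": []}
    for line in text.splitlines():
        if line.startswith("HA Group Slot #:"):
            info["slot"] = int(line.split(":")[1])
        elif line.startswith("Synchronization:"):
            info["sync"] = line.split(":")[1].strip()
        elif MEMBER_ROW.match(line):
            slot, serial, label, status = MEMBER_ROW.match(line).groups()
            info["members"].append((int(slot), serial, label, status))
    return info

def check_ha_config(conf_text, ha_text):
    """List mismatches between barbican.conf and the HA group; empty list means consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["p11_crypto_plugin"]
    ha = parse_ha_show(ha_text)
    problems = []
    if int(sec["slot_id"]) != ha["slot"]:
        problems.append("slot_id %s is not the HA virtual slot %s" % (sec["slot_id"], ha["slot"]))
    if ha["sync"] != "enabled":
        problems.append("HA synchronization is not enabled")
    for slot, serial, label, status in ha["members"]:
        if status != "alive":
            problems.append("member %s (slot %d, S/N %s) is %s" % (label, slot, serial, status))
    if sec["mkek_label"] == sec["hmac_label"]:
        problems.append("mkek_label and hmac_label must differ")
    return problems
```

Run `check_ha_config(BARBICAN_CONF, HA_SHOW)` with the real files' contents; an empty list means the configuration is consistent with the HA group.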