<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

<meta name="Generator" content="Microsoft Word 15 (filtered medium)">

<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}

o\:* {behavior:url(#default#VML);}

w\:* {behavior:url(#default#VML);}

.shape {behavior:url(#default#VML);}

</style><![endif]--><style><!--

/* Font Definitions */

@font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p

        {mso-style-priority:99;

        mso-margin-top-alt:auto;

        margin-right:0in;

        mso-margin-bottom-alt:auto;

        margin-left:0in;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

tt

        {mso-style-priority:99;

        font-family:"Courier New";}

p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph

        {mso-style-priority:34;

        margin-top:0in;

        margin-right:0in;

        margin-bottom:0in;

        margin-left:.5in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

span.EmailStyle19

        {mso-style-type:personal;

        font-family:"Calibri",sans-serif;

        color:#1F497D;}

span.EmailStyle20

        {mso-style-type:personal-compose;

        font-family:"Calibri",sans-serif;

        color:windowtext;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.WordSection1

        {page:WordSection1;}

/* List Definitions */

@list l0

        {mso-list-id:1642806610;

        mso-list-type:hybrid;

        mso-list-template-ids:-1249711388 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}

@list l0:level1

        {mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level2

        {mso-level-number-format:alpha-lower;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level3

        {mso-level-number-format:roman-lower;

        mso-level-tab-stop:none;

        mso-level-number-position:right;

        text-indent:-9.0pt;}

@list l0:level4

        {mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level5

        {mso-level-number-format:alpha-lower;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level6

        {mso-level-number-format:roman-lower;

        mso-level-tab-stop:none;

        mso-level-number-position:right;

        text-indent:-9.0pt;}

@list l0:level7

        {mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level8

        {mso-level-number-format:alpha-lower;

        mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level9

        {mso-level-number-format:roman-lower;

        mso-level-tab-stop:none;

        mso-level-number-position:right;

        text-indent:-9.0pt;}

ol

        {margin-bottom:0in;}

ul

        {margin-bottom:0in;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body lang="EN-US" link="blue" vlink="purple">

<div class="WordSection1">

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">However, I cannot not make a request to the kmip plugin because of an ssl error:</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The keyfile, certfile, and ca_certs are passed directly to ssl.wrap_socket. Debugging any SSL errors isn’t easy – Google is generally the best resource to identify

 and resolve issues based on the error codes returned by OpenSSL. :-(<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">What exactly is each variable suppose to contain?<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">See the ssl.wrap_socket documentation for more details.<br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif">I have keyfile and certfile being a self signed certificate and 2048 bit RSA key respectively for barbican to use and ca_certs is the kmip_plugins' certificate for barbican to trust. Does

 this setup sound right?<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In the sentence, you swap the key and certificate (i.e., the RSA key should be the keyfile and the self-signed certificate should be the certfile), but that’s

 probably not the real issue. :-)<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If credentials (i.e., a key and certificate) weren’t provided to you for the KMIP appliance, you’ll probably need to have the KMIP appliance sign your self-signed

 certificate so it knows that it’s valid. The procedure differs by appliance but loosely resembles the following:<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">      

</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Generate key and certificate on local machine using OpenSSL<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">      

</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Upload certificate to KMIP appliance<o:p></o:p></span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">      

</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Sign the certificate using the KMIP appliance’s server certificate<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Alternatively, a key and certificate could be provided for the KMIP appliance; you would use those files rather than generating them locally.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hope that information is helpful.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Joel<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>

<div>

<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> John Wood [mailto:john.wood@RACKSPACE.COM]

<br>

<b>Sent:</b> Wednesday, April 15, 2015 9:19 AM<br>

<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>

<b>Cc:</b> Reller, Nathan S.; Farr, Kaitlin M.<br>

<b>Subject:</b> Re: [openstack-dev] [barbican] Utilizing the KMIP plugin<o:p></o:p></span></p>

</div>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">Hello Christopher,<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">I’m glad you are making progress. I’m including two folks that worked on the KMIP plugin to see if they can help with your error diagnosis.<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">Thanks,<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">John<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p> </o:p></span></p>

</div>

<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:

</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Christopher N Solis <<a href="mailto:cnsolis@us.ibm.com">cnsolis@us.ibm.com</a>><br>

<b>Reply-To: </b>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>

<b>Date: </b>Tuesday, April 14, 2015 at 10:21 AM<br>

<b>To: </b>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>

<b>Subject: </b>Re: [openstack-dev] [barbican] Utilizing the KMIP plugin<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p> </o:p></span></p>

</div>

<div>

<div>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Hey John.

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Thanks!</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">You were right. It was reading the config from the /root directory because I switched to the root user.

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">After switching back to the normal user it is reading the correct config file again.

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">It is trying to use the kmip plugin now.

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">However, I cannot not make a request to the kmip plugin because of an ssl error:</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error opening or writing to client</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Traceback (most recent call last):</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">  File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line 167, in generate_symmetric_key</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">    self.client.open()</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">  File "/home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py", line 86, in open</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">    self.socket.connect((self.host, self.port))</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">  File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 333, in connect</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">    self._real_connect(addr, False)</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">  File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 314, in _real_connect</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">    self.ca_certs, self.ciphers)</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">SSLError: [Errno 0] _ssl.c:343: error:00000000:lib(0):func(0):reason(0)</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">I believe there is a problem in the KMIP plugin part of the barbican-api.conf file:

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">keyfile = '/path/to/certs/cert.key'</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">certfile = '/path/to/certs/cert.crt'</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">ca_certs = '/path/to/certs/LocalCA.crt'</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">What exactly is each variable suppose to contain?

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">I have keyfile and certfile being a self signed certificate and 2048 bit RSA key respectively for barbican to use and

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">ca_certs is the kmip_plugins' certificate for barbican to trust. Does this setup sound right?</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Regards,

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Christopher Solis</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<img border="0" width="16" height="16" id="_x0000_i1025" src="cid:image001.gif@01D0785F.05711E30" alt="Inactive hide details for John Wood ---04/10/2015 07:24:59 PM---Hello Christopher, It does seem that configs are being read for"></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#424282">John

 Wood ---04/10/2015 07:24:59 PM---Hello Christopher, It does seem that configs are being read for another location. Try to remove that</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">From:

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">John Wood <<a href="mailto:john.wood@RACKSPACE.COM">john.wood@RACKSPACE.COM</a>></span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">To:

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>></span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">Date:

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">04/10/2015 07:24 PM</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">Subject:

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">Re: [openstack-dev] [barbican] Utilizing the KMIP plugin</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p></o:p></span></p>

<div class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">

<hr size="2" width="100%" noshade="" style="color:#8091A5" align="left">

</span></div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<br>

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">Hello Christopher,</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">It does seem that configs are being read for another location. Try to remove that copy in you home directory (so just keep the /etc location). If you see the same issue, try to

 rename your /etc/barbican/barbican-api.conf file to something else. Barbican should crash, probably with a No SQL connection error.</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and try running ‘pip install -e .’ again in your virtual environment.</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">FWIW, this CR adds better logging of plugin errors once the loading problem you have is figured out:

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="https://review.openstack.org/#/c/171868/"><span style="font-size:7.5pt">https://review.openstack.org/#/c/171868/</span></a><br>

<br>

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">Thanks,</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">John</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<br>

</span><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">From:

</span></b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">Christopher N Solis <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:cnsolis@us.ibm.com"><span style="font-size:10.0pt">cnsolis@us.ibm.com</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Reply-To: </b>"OpenStack Development Mailing List (not for usage questions)" <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Date: </b>Thursday, April 9, 2015 at 1:55 PM<b><br>

To: </b>"OpenStack Development Mailing List (not for usage questions)" <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Subject: </b>Re: [openstack-dev] [barbican] Utilizing the KMIP plugin</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p></o:p></span></p>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Hey John.

<br>

Thanks for letting me know about the error. But I think my configuration is not seeing the kmip_plugin selection.<br>

In my barbican-api.conf file in /etc/barbican I have set enabled_secretstore_plugins = kmip_plugin</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue"><br>

However, I don't think it is creating a KMIPSecretStore instance. <br>

I edited the code in kmip_secret_store.py and put a breakpoint at the very beginning of the init function.<br>

When I make a barbican request to put a secret in there, it did not stop at the breakpoint at all.

<br>

I put another breakpoint in the store_crypto.py file inside the init function for the StoreCryptoAdapterPlugin and I

<br>

was able to enter the code at that breakpoint. </span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue"><br>

So even though in my barbican-api.conf file I specified kmip_plugin it seems to be using the store_crypto plugin instead.

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue"><br>

Is there something that might cause this to happen? <br>

I also want to note that my code has the most up to date pull from the community code.

</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue"><br>

Here's what my /etc/barbican/barbican-api.conf file has in it: </span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue"><br>

# ================= Secret Store Plugin ===================<br>

[secretstore]<br>

namespace = barbican.secretstore.plugin<br>

enabled_secretstore_plugins = kmip_plugin<br>

...<br>

...<br>

...<br>

# ================== KMIP plugin =====================<br>

[kmip_plugin]<br>

username = '******'<br>

password = '******'<br>

host = 10.0.2.15<br>

port = 5696<br>

keyfile = '/etc/barbican/rootCA.key'<br>

certfile = '/etc/barbican/rootCA.pem'<br>

ca_certs = '/etc/barbican/rootCA.pem'</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue"><br>

Regards, <br>

Christopher Solis</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<br>

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><img border="0" width="16" height="16" id="_x0000_i1027" src="cid:image001.gif@01D0785F.05711E30" alt="Inactive hide details for John Wood ---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is indeed seeing the "></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#424282">John

 Wood ---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when steve</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

From: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">John Wood <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:john.wood@RACKSPACE.COM"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">john.wood@RACKSPACE.COM</span></a></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

To: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">"OpenStack Development Mailing List (not for usage questions)" <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

Date: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">04/08/2015 03:16 PM</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

Subject: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">Re: [openstack-dev] [barbican] Utilizing the KMIP plugin</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p></o:p></span></p>

<div class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">

<hr size="2" width="100%" noshade="" style="color:gray" align="left">

</span></div>

<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<br>

Hello Christopher, <br>

<br>

My local configuration is indeed seeing the kmip_plugin selection, but when stevedore tries to load the KMIP plugin it crashes because required files are missing in my local environment (see

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131" target="_blank"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1D40FF">https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131</span></a></span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue">)

 for example.<br>

<br>

Stevedore logs the exception but then doesn’t load this module, so when Barbican asks for an available plugin it doesn’t see it and crashes as you see. So the root exception from stevedore isn’t showing up in my logs for some reason, and probably not in yours

 as well. We’ll try to put up a CR to at least expose this exception in logs. In the mean time, make sure the KMIP values checked via that link above are configured on your machine.<br>

<br>

Sorry for the inconvenience,<br>

John<br>

<br>

</span><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue"><br>

From: </span></b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">Christopher N Solis <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:cnsolis@us.ibm.com"><span style="font-size:10.0pt">cnsolis@us.ibm.com</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Reply-To: </b>"OpenStack Development Mailing List (not for usage questions)" <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Date: </b>Wednesday, April 8, 2015 at 11:27 AM<b><br>

To: </b>"OpenStack Development Mailing List (not for usage questions)" <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Subject: </b>Re: [openstack-dev] [barbican] Utilizing the KMIP plugin</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">

<o:p></o:p></span></p>

<span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Hey John.

<br>

I do have the barbican-api.conf file located in the /etc/barbican folder. But that does not seem to be the one that barbican

<br>

reads from. It seems to be reading from the barbican-api.conf file locate in my home directory.

<br>

Either way, both have the exact same configurations. <br>

<br>

I also checked the setup.cfg file and it does have the line for kmip_plugin . </span>

<span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue"><br>

<br>

Regards,<br>

</span><b><span style="font-family:"Arial",sans-serif;color:blue"><br>

CHRIS SOLIS</span></b><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><img border="0" width="16" height="16" id="_x0000_i1029" src="cid:image001.gif@01D0785F.05711E30" alt="Inactive hide details for John Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.conf"></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#424282">John

 Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system's</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

<br>

From: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">John Wood <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:john.wood@RACKSPACE.COM"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">john.wood@RACKSPACE.COM</span></a></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

To: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">"</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">"

 <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">></span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

Date: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">04/07/2015 10:39 AM</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#5F5F5F"><br>

Subject: </span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:blue">Re: [openstack-dev] [barbican] Utilizing the KMIP plugin</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p></o:p></span></p>

<div class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">

<hr size="2" width="100%" noshade="" style="color:gray" align="left">

</span></div>

<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

<br>

Hello Christopher,<br>

<br>

Just checking, but is that barbican-api.conf file located in your local system’s /etc/barbican folder? If not that is the preferred place for local development. Modifying the copy that is in your local git repository will have no effect.<br>

<br>

Also, please double check that your local git repository’s setup.cfg has a line like this in there (at/around #35):<br>

<br>

  kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore<br>

<br>

Thanks,<br>

John<br>

<br>

<br>

</span><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue"><br>

<br>

From: </span></b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">Christopher N Solis <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:cnsolis@us.ibm.com"><span style="font-size:10.0pt">cnsolis@us.ibm.com</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Reply-To: </b>"</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">"

 <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Date: </b>Monday, April 6, 2015 at 10:25 AM<b><br>

To: </b>"</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">"

 <</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:openstack-dev@lists.openstack.org"><span style="font-size:10.0pt">openstack-dev@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">><b><br>

Subject: </b>[openstack-dev] [barbican] Utilizing the KMIP plugin</span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"> </span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue">

<o:p></o:p></span></p>

<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Hello!<br>

<br>

Sorry to Kaitlin Farr for not responding directly to your e-mail. <br>

My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list.

<br>

Thanks for looking into the issue. <br>

<br>

I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file

<br>

and they are set to 400. <br>

<br>

I would also like to note that I do not think the code ever actually entered the __init__ function<br>

of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open.

<br>

The error occurs and returns without ever seeming to enter the init function. <br>

<br>

Here are the parts of the barbican-api.conf file that concern the kmip_plugin: <br>

.....................<br>

[secretstore]<br>

namespace = barbican.secretstore.plugin<br>

enabled_secretstore_plugins = kmip_plugin<br>

.....................<br>

[kmip_plugin]<br>

username = '**********'<br>

password = '**********'<br>

host = ********<br>

port = ********<br>

keyfile = '/etc/barbican/rootCA.key'<br>

certfile = '/etc/barbican/rootCA.pem'<br>

ca_certs = '/etc/barbican/rootCA.pem'<br>

.......................<br>

<br>

Thank You!!<br>

<br>

Regards, <br>

Christopher Solis</span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">__________________________________________________________________________<br>

OpenStack Development Mailing List (not for usage questions)<br>

Unsubscribe: </span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:OpenStack-dev-request@lists.openstack.org"><span style="font-size:10.0pt">OpenStack-dev-request@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">?subject:unsubscribe</span><u><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span></u><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><span style="font-size:10.0pt">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">__________________________________________________________________________<br>

OpenStack Development Mailing List (not for usage questions)<br>

Unsubscribe: </span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="mailto:OpenStack-dev-request@lists.openstack.org"><span style="font-size:10.0pt">OpenStack-dev-request@lists.openstack.org</span></a></span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:blue">?subject:unsubscribe<u><br>

</u></span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><span style="font-size:10.0pt">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></a></span><span style="font-size:7.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue"><br>

[attachment "graycol.gif" deleted by Christopher N Solis/Austin/IBM] </span><tt><span style="font-size:10.0pt;color:blue">__________________________________________________________________________</span></tt><span style="font-size:10.0pt;font-family:"Courier New";color:blue"><br>

<tt>OpenStack Development Mailing List (not for usage questions)</tt><br>

<tt>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe</tt><br>

<tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></tt><br>

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><br>

</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">[attachment "graycol.gif" deleted by Christopher N Solis/Austin/IBM]

</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:blue"><o:p></o:p></span></p>

</div>

</div>

</div>

</body>

</html>