<div dir="ltr"><div><div><div><div><div>Hi All,<br><br></div>I would need help to test the integration of Barbican with an HSM.<br></div>I have configured the Barbican client to connect to the HSM server by registering the Barbican IP with the HSM server and have assigned the partition. I have modified the barbican.conf file with the following changes:<br><br># ================= Secret Store Plugin ===================<br>[secretstore]<br>namespace = barbican.secretstore.plugin<br>enabled_secretstore_plugins = store_crypto<br><br># ================= Crypto plugin ===================<br>[crypto]<br>namespace = barbican.crypto.plugin<br>enabled_crypto_plugins = p11_crypto<br><br>[simple_crypto_plugin]<br># the kek should be a 32-byte value which is base64 encoded<br>kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='<br><br>[dogtag_plugin]<br>pem_path = '/etc/barbican/kra_admin_cert.pem'<br>dogtag_host = localhost<br>dogtag_port = 8443<br>nss_db_path = '/etc/barbican/alias'<br>nss_db_path_ca = '/etc/barbican/alias-ca'<br>nss_password = 'password123'<br>simple_cmc_profile = 'caOtherCert'<br><br>[p11_crypto_plugin]<br># Path to vendor PKCS11 library<br>library_path = '/usr/lib/libCryptoki2_64.so'<br># Password to login to PKCS11 session<br>login = 'test123'<br># Label to identify master KEK in the HSM (must not be the same as HMAC label)<br>mkek_label = 'an_mkek'<br># Length in bytes of master KEK<br>mkek_length = 32<br># Label to identify HMAC key in the HSM (must not be the same as MKEK label)<br>hmac_label = 'my_hmac_label'<br># HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1<br># slot_id = 1<br><br></div>I would need help as to how to test whether the integration of Barbican with the HSM is successful.<br></div>Where is the encrypted KEK stored, and how do we know the KEK is generated on the HSM side and that the same KEK is used for encryption/decryption of secrets in Barbican?<br>I would also like to know if I have made the right changes required for integration with the HSM.<br><br>I was able to generate and retrieve the secret.<br><br>
<p style="margin-bottom:0in"><b><font color="#000000" size="4"><font face="Tahoma">[root@HSM-Client ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{"secret": {"name":"secretname", "algorithm": "aes", "bit_length": 256, "mode": "cbc"}}' <a href="http://184.172.96.189:9311/v1/secrets">http://184.172.96.189:9311/v1/secrets</a></font></font></b></p>
<p style="margin-bottom:0in"><b><font color="#000000" size="4"><font face="Tahoma">{"secret_ref": "<a href="http://184.172.96.189:9311/v1/secrets/275b99ad-71f5-4e4c-8bda-5c2b011c265b">http://184.172.96.189:9311/v1/secrets/275b99ad-71f5-4e4c-8bda-5c2b011c265b</a>"}[root@HSM-Client ~]#</font></font></b></p>
<br></div>Any help would be highly appreciated.<br><div><div><div><div><div><div><div>-- <br><div class="gmail_signature"><div><i>Thanks and Regards,</i></div>
<div><i>Asha Seshagiri</i></div></div>
</div></div></div></div></div></div></div></div>
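<p>The mail asks how to tell whether the p11_crypto_plugin settings are consistent and whether the MKEK and HMAC key really live on the HSM. The following is an added example written for this page; it is not code from the mail or from the Barbican project. It parses a barbican.conf fragment built from the labels and library path given above (the PIN is a constructed placeholder), flags the misconfigurations the comments in the file warn about, and, only where the vendor PKCS#11 library is present, looks the two labels up on the partition with the third-party PyKCS11 module and checks that each is a persistent, sensitive, non-extractable token key. The attribute names (CKA_TOKEN, CKA_SENSITIVE, CKA_EXTRACTABLE) are standard PKCS#11; the function and variable names are this example's own.</p>

```python
"""Added example, not from the original mail or from Barbican itself.

Two offline checks for the [p11_crypto_plugin] settings shown above plus an
optional live check against the HSM partition via PKCS#11 (PyKCS11, third-party).
Labels and paths are taken from the mail; the PIN is a constructed placeholder.
"""
import configparser
import os

# Constructed sample mirroring the mail's [p11_crypto_plugin] section.
SAMPLE_CONF = """
[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'PLACEHOLDER_PIN'
mkek_label = 'an_mkek'
mkek_length = 32
hmac_label = 'my_hmac_label'
# slot_id = 1
"""

# A key generated inside the HSM should be a persistent token object that is
# sensitive and non-extractable; anything else means the key material could
# have left (or could leave) the device.
EXPECTED_KEY_ATTRS = {"CKA_TOKEN": True, "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False}


def _unquote(value):
    # barbican.conf values in the mail are wrapped in single quotes.
    return value.strip().strip("'\"")


def load_p11_section(conf_text):
    """Parse the [p11_crypto_plugin] section into a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {k: _unquote(v) for k, v in parser["p11_crypto_plugin"].items()}


def validate_p11_config(cfg, check_library_exists=False):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    if not cfg.get("library_path"):
        problems.append("library_path is not set")
    elif check_library_exists and not os.path.exists(cfg["library_path"]):
        problems.append("library_path not found on this host: " + cfg["library_path"])
    if not cfg.get("login"):
        problems.append("login (PKCS#11 user PIN) is not set")
    if cfg.get("mkek_label") and cfg.get("mkek_label") == cfg.get("hmac_label"):
        problems.append("mkek_label and hmac_label must differ")
    try:
        length = int(cfg.get("mkek_length", "32"))
    except ValueError:
        problems.append("mkek_length is not an integer")
    else:
        if length not in (16, 24, 32):
            problems.append("mkek_length %d is not a valid AES key size in bytes" % length)
    if not cfg.get("slot_id", "1").isdigit():
        problems.append("slot_id must be a non-negative integer")
    return problems


def assess_key_attributes(attrs):
    """Given attribute name -> value read from an HSM key object, return the
    names whose values deviate from EXPECTED_KEY_ATTRS."""
    return [name for name, want in EXPECTED_KEY_ATTRS.items() if attrs.get(name) != want]


def query_hsm_key(library_path, slot_id, pin, label):
    """Live check: find a secret-key object by label and read its attributes.
    Needs the vendor library and a reachable partition; returns None if absent."""
    import PyKCS11  # third-party, only needed for the live check

    lib = PyKCS11.PyKCS11Lib()
    lib.load(library_path)
    session = lib.openSession(slot_id, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    try:
        objs = session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY),
                                    (PyKCS11.CKA_LABEL, label)])
        if not objs:
            return None
        names = list(EXPECTED_KEY_ATTRS)
        values = session.getAttributeValue(objs[0], [getattr(PyKCS11, n) for n in names])
        return dict(zip(names, (bool(v) for v in values)))
    finally:
        session.logout()
        session.closeSession()


if __name__ == "__main__":
    cfg = load_p11_section(SAMPLE_CONF)
    for problem in validate_p11_config(cfg, check_library_exists=True):
        print("config:", problem)
    if os.path.exists(cfg["library_path"]):
        slot = int(cfg.get("slot_id", "1"))
        for label in (cfg["mkek_label"], cfg["hmac_label"]):
            attrs = query_hsm_key(cfg["library_path"], slot, cfg["login"], label)
            if attrs is None:
                print(label, "not found on the partition")
            else:
                bad = assess_key_attributes(attrs)
                print(label, "OK" if not bad else "unexpected attributes: %s" % bad)
```

<p>Finding both labels on the partition as token objects with CKA_SENSITIVE true and CKA_EXTRACTABLE false is the evidence that the key material was generated on, and never leaves, the HSM. With the p11 plugin, only the MKEK and HMAC key live on the device; the per-project KEKs that actually encrypt secrets are kept in Barbican's own database wrapped under the MKEK, so a secret stored through the REST call above can only be decrypted while the HSM is reachable and the MKEK label resolves.</p>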