<div dir="ltr">Hi All,<div><br></div><div>I have configured Barbican to integrate with a SafeNet HSM.</div><div>Installed the SafeNet client libraries, registered the Barbican machine to point to the HSM server and also assigned an HSM partition.</div><div><br></div><div>The following were the changes done in the barbican.conf file:</div><div><br></div><div><br></div><div># ================= Secret Store Plugin ===================<div>[secretstore]</div><div>namespace = barbican.secretstore.plugin</div><div>enabled_secretstore_plugins = store_crypto</div><div><br></div><div># ================= Crypto plugin ===================</div><div>[crypto]</div><div>namespace = barbican.crypto.plugin</div><div>enabled_crypto_plugins = p11_crypto</div><div><br></div><div><div>[p11_crypto_plugin]</div><div># Path to vendor PKCS11 library</div><div>library_path = '/usr/lib/libCryptoki2_64.so'</div><div># Password to login to PKCS11 session</div><div>login = 'test123'</div><div># Label to identify master KEK in the HSM (must not be the same as HMAC label)</div><div>mkek_label = 'an_mkek'</div><div># Length in bytes of master KEK</div><div>mkek_length = 32</div><div># Label to identify HMAC key in the HSM (must not be the same as MKEK label)</div><div>hmac_label = 'my_hmac_label'</div></div><div><div># HSM Slot id (Should correspond to a configured PKCS11 slot). 
Default: 1</div><div>slot_id = 1</div></div><div><br></div><div>Unable to store the secret when Barbican was integrated with HSM.</div><div><br></div><div><div>[root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' <a href="http://localhost:9311/v1/secrets">http://localhost:9311/v1/secrets</a></div><div><b>{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]#</b></div></div><div><br></div><div><br><div>Please find the logs below :</div><div><br></div><div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils conf.p11_crypto_plugin.hmac_label)</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils self.get_mkek(self.current_mkek_label, session)</div><div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek</div><div>2015-07-18 17:15:32.642 29838 ERROR 
barbican.plugin.util.utils raise P11CryptoKeyHandleException()</div><div><b>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found</b></div><div><b>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils</b></div><div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.</b></div><div><br></div><div><br></div><div>(I am not sure why we are getting the <code>CryptoPluginNotFound: Crypto plugin not found.</code> exception, since the changes are able to hit the p11_crypto.py code)</div><div><br></div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id'))</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 104, in 
store_secret</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_model, project_model)</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret</div><div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers crypto.PluginSupportTypes.ENCRYPT_DECRYPT</div><div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate</b></div><div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers raise crypto.CryptoPluginNotFound()</b></div><div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found.</b></div><div><br></div><div>Had a chance to go through the code as to why we are getting the exception: <b>P11CryptoKeyHandleException: No key handle was found.</b></div><div><b>It is because</b> <code>returned_count[0] == 0</code>. It needs to be 0 in order for the mkek to be created. From what I understand, by default all the ffi variables would have the value 0. I am not sure why the check <code>returned_count[0] == 1:</code> has been put.</div><div><br></div><div><pre>        if returned_count[0] == 1:
            key = object_handle_ptr[0]
        rv = self.lib.C_FindObjectsFinal(session)
        self.check_error(rv)
        if returned_count[0] == 1:
            return key
        elif returned_count[0] == 0:
            return None  # no object matched the label; get_mkek then raises P11CryptoKeyHandleException
</pre></div><div><b>Need help. Any help would be highly appreciated. It is very critical for us to integrate with Barbican.</b></div><div><b>Also would like to know if anyone has integrated Barbican with HSM.</b><br><br></div>-- <br><div class="gmail_signature"><div><em>Thanks and Regards,</em></div>
<div><em>Asha Seshagiri</em></div></div>
</div></div></div></div>
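A pre-flight check for the situation described in the message, added here as an example (it is not Barbican's or SafeNet's code): it reads the [p11_crypto_plugin] section of barbican.conf, opens the configured slot with PyKCS11 (assumed installed) and looks for secret-key objects carrying mkek_label and hmac_label, the same lookup the pasted snippet performs; a label that yields no handle is exactly the case that makes get_mkek raise P11CryptoKeyHandleException. The search template (object class plus label), the PyKCS11 session handling and the sample config values in the test are assumptions.

```python
import configparser
# PKCS#11 attribute and class constants from the spec (same values PyKCS11 exposes).
CKA_CLASS, CKA_LABEL, CKO_SECRET_KEY = 0x0000, 0x0003, 0x0004

def unquote(v):
    """oslo.config strips matching surrounding quotes from values; do the same."""
    v = v.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "'\"" else v

def load_p11_config(text):
    """Read the [p11_crypto_plugin] section of barbican.conf into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["p11_crypto_plugin"]
    conf = {k: unquote(sec[k]) for k in ("library_path", "login", "mkek_label", "hmac_label")}
    conf["slot_id"] = int(unquote(sec.get("slot_id", "1")))
    return conf

def find_key_handle(session, label):
    """Same outcome as the pasted snippet: one match -> its handle, no match -> None."""
    # Assumed search template; Barbican's own may also constrain the key type.
    handles = session.findObjects([(CKA_CLASS, CKO_SECRET_KEY), (CKA_LABEL, label)])
    if len(handles) == 1:
        return handles[0]
    if not handles:
        return None  # the case that ends in P11CryptoKeyHandleException
    raise ValueError("%d objects carry label %r; labels must be unique" % (len(handles), label))

def check_labels(session, conf):
    """Return {label: handle or None} for the configured MKEK and HMAC labels."""
    if conf["mkek_label"] == conf["hmac_label"]:
        raise ValueError("mkek_label and hmac_label must differ")
    return {lbl: find_key_handle(session, lbl) for lbl in (conf["mkek_label"], conf["hmac_label"])}

def main(conf_path="/etc/barbican/barbican.conf"):
    import PyKCS11  # only needed against a live HSM; assumed installed
    conf = load_p11_config(open(conf_path).read())
    lib = PyKCS11.PyKCS11Lib()
    lib.load(conf["library_path"])
    session = lib.openSession(conf["slot_id"], PyKCS11.CKF_SERIAL_SESSION)
    session.login(conf["login"])
    try:
        for label, handle in check_labels(session, conf).items():
            print(label, "found" if handle is not None else "MISSING: generate it before starting Barbican")
    finally:
        session.logout()
        session.closeSession()
```

Run it as root on the Barbican host with the path to barbican.conf; a MISSING line for either label reproduces the failure without going through the API.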