<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:'Times New Roman',Times,serif;">
<p>Don't include the curly brackets on the script arguments. The documentation is just using them to indicate that those are placeholders for real values.<br>
</p>
<p><br>
</p>
<div id="Signature">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div>
<div class="BodyFragment"><font face="Arial">
<div class="PlainText"><font face="Times New Roman" size="3">John Vrbanac</font><br>
</div>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Asha Seshagiri <asha.seshagiri@gmail.com><br>
<b>Sent:</b> Sunday, July 19, 2015 2:15 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Cc:</b> Reller, Nathan S.<br>
<b>Subject:</b> Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Hi John,</div>
<div><br>
</div>
Thanks for pointing me to the right script.
<div>I appreciate your help.</div>
<div><br>
</div>
<div>I tried running the script with the following command:</div>
<div><br>
</div>
<div>
<div>[root@HSM-Client bin]# python pkcs11-key-generation --library-path {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek --length 32 --label 'an_mkek' </div>
<div>Traceback (most recent call last):</div>
<div> File "pkcs11-key-generation", line 120, in <module></div>
<div> main()</div>
<div> File "pkcs11-key-generation", line 115, in main</div>
<div> kg = KeyGenerator()</div>
<div> File "pkcs11-key-generation", line 38, in __init__</div>
<div> ffi=ffi</div>
<div> File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__</div>
<div> self.lib = self.ffi.dlopen(library_path)</div>
<div> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen</div>
<div> lib, function_cache = _make_ffi_library(self, name, flags)</div>
<div> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library</div>
<div> backendlib = _load_backend_lib(backend, libname, flags)</div>
<div> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib</div>
<div> return backend.load_library(name, flags)</div>
<div><b>OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory</b></div>
</div>
<div> </div>
<div><b>Unable to run the script since the library libCryptoki2_64.so cannot be opened.</b></div>
<div><br>
</div>
<div>Tried the following solution:</div>
<div>
<ul>
<li>vi /etc/ld.so.conf</li>
<li>Added both library paths, found with the command find / -name libCryptoki2_64.so, to the /etc/ld.so.conf file:
<ul>
<li>/usr/safenet/lunaclient/lib/libCryptoki2_64.so</li><li>/usr/lib/libCryptoki2_64.so</li></ul>
</li><li>sudo ldconfig</li><li>ldconfig -p</li></ul>
<div>But the above solution failed and I am getting the same error.</div>
</div>
<div><br>
</div>
<div>Any help would be highly appreciated.</div>
<div>Thanks in advance!</div>
<div><br>
</div>
<div>Thanks and Regards,</div>
<div>Asha Seshagiri</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <span dir="ltr">
<<a href="mailto:john.vrbanac@rackspace.com" target="_blank">john.vrbanac@rackspace.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr" style="font-size:12pt; color:#000000; background-color:#ffffff; font-family:'Times New Roman',Times,serif">
<p>Asha,<br>
</p>
<p>It looks like you don't have your mkek label correctly configured. Make sure that the mkek_label and hmac_label values in your config correctly reflect the keys that you've generated on your HSM.<br>
</p>
<p>The plugin will cache the key handle to the mkek and hmac when the plugin starts, so if it cannot find them, it'll fail to load the plugin altogether.<br>
</p>
<p><br>
</p>
<p>If you need help generating your mkek and hmac, refer to <a href="http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html" target="_blank">http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html</a>
for instructions on how to create them using a script.<br>
</p>
<p><br>
</p>
<p>As far as who uses HSMs, I know we (Rackspace) use them with Barbican.<span class="HOEnZb"><font color="#888888"><br>
</font></span></p>
<span class="HOEnZb"><font color="#888888">
<p><br>
</p>
<div>
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div>
<div><font face="Arial">
<div><font face="Times New Roman" size="3">John Vrbanac</font><br>
</div>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</font></span>
<div style="color:rgb(33,33,33)"><span class="HOEnZb"><font color="#888888">
<hr style="display:inline-block; width:98%">
<div dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Asha Seshagiri <<a href="mailto:asha.seshagiri@gmail.com" target="_blank">asha.seshagiri@gmail.com</a>><br>
<b>Sent:</b> Saturday, July 18, 2015 8:47 PM<br>
<b>To:</b> openstack-dev<br>
<b>Cc:</b> Reller, Nathan S.<br>
<b>Subject:</b> [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM</font>
<div> </div>
</div>
</font></span>
<div>
<div class="h5">
<div>
<div dir="ltr">Hi All,
<div><br>
</div>
<div>I have configured Barbican to integrate with SafeNet HSM.</div>
<div>Installed the SafeNet client libraries, registered the Barbican machine to point to the HSM server, and also assigned an HSM partition.</div>
<div><br>
</div>
<div>The following were the changes made in the barbican.conf file:</div>
<div><br>
</div>
<div><br>
</div>
<div>
<pre>
# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test123'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 1
</pre>
<div><br>
</div>
<div>Unable to store the secret when Barbican was integrated with HSM.</div>
<div><br>
</div>
<div>
<div>[root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}'
<a href="http://localhost:9311/v1/secrets" target="_blank">http://localhost:9311/v1/secrets</a></div>
<div><b>{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]#</b></div>
</div>
<div><br>
</div>
<div><br>
<div>Please find the logs below:</div>
<div><br>
</div>
<div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils conf.p11_crypto_plugin.hmac_label)</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac<br>
</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils self.get_mkek(self.current_mkek_label, session)</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek</div>
<div>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils raise P11CryptoKeyHandleException()</div>
<div><b>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found</b></div>
<div><b>2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils</b></div>
<div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.</b></div>
<div><br>
</div>
<div><br>
</div>
<div>(I am not sure why we are getting the CryptoPluginNotFound: Crypto plugin not found. exception, since the changes are able to hit the p11_crypto.py code.)</div>
<div><br>
</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id'))</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_model, project_model)</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret</div>
<div>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers crypto.PluginSupportTypes.ENCRYPT_DECRYPT</div>
<div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate</b></div>
<div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers raise crypto.CryptoPluginNotFound()</b></div>
<div><b>2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found.</b></div>
<div><br>
</div>
<div>Had a chance to go through the code to see why we are getting the exception: <b>P11CryptoKeyHandleException: No key handle was found.</b></div>
<div><b>It is because </b><code>returned_count[0] == 0</code>. It needs to be 0 in order for the mkek to be created. From what I understand, by default all the ffi variables would have the value 0. I am not sure why the check <code>returned_count[0] == 1:</code> has been put.</div>
<div><b><br>
</b></div>
<div>
<pre>
if returned_count[0] == 1:
    key = object_handle_ptr[0]
rv = self.lib.C_FindObjectsFinal(session)
self.check_error(rv)
if returned_count[0] == 1:
    return key
elif returned_count[0] == 0:
    return None
</pre>
</div>
<div><b>Need help. Any help would be highly appreciated. It is very critical for us to integrate with Barbican.</b></div>
<div><b>Also, I would like to know if anyone has integrated Barbican with an HSM.</b><br>
<br>
</div>
-- <br>
<div>
<div><em>Thanks and Regards,</em></div>
<div><em>Asha Seshagiri</em></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div><em>Thanks and Regards,</em></div>
<div><em>Asha Seshagiri</em></div>
</div>
</div>
</div>
</div>
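<p>The returned_count[0] == 1 check that Asha asks about, illustrated with an added example that is not Barbican's code: a constructed stand-in for the PKCS#11 C_FindObjects calls as cffi exposes them, and a lookup that treats a count of 0 as "the key was never generated on the HSM" (the case get_mkek reports as P11CryptoKeyHandleException: No key handle was found) and a count above 1 as an ambiguous label. FakeCryptoki, AmbiguousLabelError, lookup_status and the HSM contents are assumptions made for this example.</p>

```python
class P11CryptoKeyHandleException(Exception):
    """Barbican's error when no object with the requested label exists."""

class AmbiguousLabelError(Exception):
    """Hypothetical error, added here, for a label shared by several objects."""

class FakeCryptoki:
    """Stand-in for the vendor libCryptoki2 library as seen through cffi (constructed
    for this example). C_FindObjects copies up to max_count handles into the caller's
    buffer and sets returned_count[0] to the number copied, like the real C API."""
    CKR_OK = 0

    def __init__(self, objects):
        self._objects = objects          # list of (handle, label) tuples
        self._matches = []

    def C_FindObjectsInit(self, session, label):
        self._matches = [h for h, l in self._objects if l == label]
        return self.CKR_OK

    def C_FindObjects(self, session, handle_buf, max_count, returned_count):
        found = self._matches[:max_count]
        handle_buf[:len(found)] = found
        returned_count[0] = len(found)
        return self.CKR_OK

    def C_FindObjectsFinal(self, session):
        self._matches = []
        return self.CKR_OK

def check_error(rv):
    if rv != FakeCryptoki.CKR_OK:
        raise RuntimeError("PKCS#11 call failed, rv=0x%x" % rv)

def find_key_handle(lib, session, label):
    """Resolve a label to exactly one key handle. returned_count[0] == 0 means the
    key was never generated on the HSM, so nothing can be cached; > 1 means the
    label is ambiguous and the plugin could wrap secrets under the wrong KEK."""
    handle_buf = [0, 0]      # object_handle_ptr, sized 2 so a duplicate label shows up
    returned_count = [0]     # cffi 'unsigned long *'; zero until C_FindObjects sets it
    check_error(lib.C_FindObjectsInit(session, label))
    check_error(lib.C_FindObjects(session, handle_buf, 2, returned_count))
    key = handle_buf[0] if returned_count[0] >= 1 else None
    check_error(lib.C_FindObjectsFinal(session))   # always close the search first
    if returned_count[0] == 0:
        raise P11CryptoKeyHandleException("No key handle was found for %r" % label)
    if returned_count[0] > 1:
        raise AmbiguousLabelError("%d objects carry label %r" % (returned_count[0], label))
    return key

def lookup_status(lib, session, label):
    """Non-raising wrapper for a preflight script run before starting Barbican."""
    try:
        return "found", find_key_handle(lib, session, label)
    except P11CryptoKeyHandleException:
        return "missing", None
    except AmbiguousLabelError:
        return "ambiguous", None

# Constructed HSM contents: 'an_mkek' exists, 'my_hmac_label' was never generated, 'dup' is shared.
HSM = FakeCryptoki([(11, "an_mkek"), (12, "dup"), (13, "dup")])
```

<p>Running lookup_status for both configured labels before starting the service shows whether the MKEK and HMAC keys the plugin caches at start-up actually exist on the HSM, which is what the pkcs11-key-generation script (run without the curly brackets) creates.</p>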
</body>
</html>