<div dir="ltr"><div><div><div><div>Hi All,<br><br></div>I am working on integrating Barbican with an HSM HA setup.<br></div>I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6 is a virtual slot on the client side which acts as the proxy for slots 1 and 2. Hence, on the Barbican side, I mentioned slot number 6 and its password, which is identical to the passwords of slot 1 and slot 2, in the barbican.conf file.<br><br></div>Please find the contents of the file:<br><br># ================= Secret Store Plugin ===================<br>[secretstore]<br>namespace = barbican.secretstore.plugin<br>enabled_secretstore_plugins = store_crypto<br><br># ================= Crypto plugin ===================<br>[crypto]<br>namespace = barbican.crypto.plugin<br>enabled_crypto_plugins = p11_crypto<br><br>[simple_crypto_plugin]<br># the kek should be a 32-byte value which is base64 encoded<br>kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='<br><br>[dogtag_plugin]<br>pem_path = '/etc/barbican/kra_admin_cert.pem'<br>dogtag_host = localhost<br>dogtag_port = 8443<br>nss_db_path = '/etc/barbican/alias'<br>nss_db_path_ca = '/etc/barbican/alias-ca'<br>nss_password = 'password123'<br>simple_cmc_profile = 'caOtherCert'<br><br><b>[p11_crypto_plugin]<br># Path to vendor PKCS11 library<br>library_path = '/usr/lib/libCryptoki2_64.so'<br># Password to login to PKCS11 session<br>login = 'test5678'<br># Label to identify master KEK in the HSM (must not be the same as HMAC label)<br>mkek_label = 'ha_mkek'<br># Length in bytes of master KEK<br>mkek_length = 32<br># Label to identify HMAC key in the HSM (must not be the same as MKEK label)<br>hmac_label = 'ha_hmac'<br># HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1<br>slot_id = 6<br><br></b></div><b>I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM when we ran the pkcs11-key-generation script for slot 6, which should be the expected behaviour.<br></b><div><br>[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'<br>Verified label !<br>MKEK successfully generated!<br>[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'<br>HMAC successfully generated!<br>[root@HSM-Client bin]#<br><br><div>Please find the HSM commands and responses showing the details of the partitions and their contents:<br></div><div>
<p style="margin-bottom:0in">root@HSM-Client bin]# ./vtl verify</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">The following Luna SA Slots/Partitions were found:</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Slot Serial # Label</p>
<p style="margin-bottom:0in">==== ======== =====</p>
<p style="margin-bottom:0in">1 489361010 barbican2</p>
<p style="margin-bottom:0in">2 489361011 barbican3</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">[HSMtestLuna1] lunash:> partition showcontents -partition barbican2</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Please enter the user password for the partition:</p>
<p style="margin-bottom:0in">> ********</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Partition Name: barbican2</p>
<p style="margin-bottom:0in">Partition SN: 489361010</p>
<p style="margin-bottom:0in">Storage (Bytes): Total=1046420, Used=256, Free=1046164</p>
<p style="margin-bottom:0in">Number objects: 2</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Object Label: ha_mkek</p>
<p style="margin-bottom:0in">Object Type: Symmetric Key</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Object Label: ha_hmac</p>
<p style="margin-bottom:0in">Object Type: Symmetric Key</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Command Result : 0 (Success)</p>
<p style="margin-bottom:0in">[HSMtestLuna1] lunash:> partition showcontents -partition barbican3</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Please enter the user password for the partition:</p>
<p style="margin-bottom:0in">> ********</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Partition Name: barbican3</p>
<p style="margin-bottom:0in">Partition SN: 489361011</p>
<p style="margin-bottom:0in">Storage (Bytes): Total=1046420, Used=256, Free=1046164</p>
<p style="margin-bottom:0in">Number objects: 2</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Object Label: ha_mkek</p>
<p style="margin-bottom:0in">Object Type: Symmetric Key</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Object Label: ha_hmac</p>
<p style="margin-bottom:0in">Object Type: Symmetric Key</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">[root@HSM-Client bin]# ./lunacm</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Available HSM's:</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Slot Id -> 1</p>
<p style="margin-bottom:0in">HSM Label -> barbican2</p>
<p style="margin-bottom:0in">HSM Serial Number -> 489361010</p>
<p style="margin-bottom:0in">HSM Model -> LunaSA</p>
<p style="margin-bottom:0in">HSM Firmware Version -> 6.2.1</p>
<p style="margin-bottom:0in">HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode</p>
<p style="margin-bottom:0in">HSM Status -> OK</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Slot Id -> 2</p>
<p style="margin-bottom:0in">HSM Label -> barbican3</p>
<p style="margin-bottom:0in">HSM Serial Number -> 489361011</p>
<p style="margin-bottom:0in">HSM Model -> LunaSA</p>
<p style="margin-bottom:0in">HSM Firmware Version -> 6.2.1</p>
<p style="margin-bottom:0in">HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode</p>
<p style="margin-bottom:0in">HSM Status -> OK</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Slot Id -> 6</p>
<p style="margin-bottom:0in">HSM Label -> barbican_ha</p>
<p style="margin-bottom:0in">HSM Serial Number -> 1489361010</p>
<p style="margin-bottom:0in">HSM Model -> LunaVirtual</p>
<p style="margin-bottom:0in">HSM Firmware Version -> 6.2.1</p>
<p style="margin-bottom:0in">HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode</p>
<p style="margin-bottom:0in">HSM Status -> N/A - HA Group</p>
<p style="margin-bottom:0in"><br></p>
<p style="margin-bottom:0in">Current Slot Id: 1</p>
<p style="margin-bottom:0in"><b>Tried creating the secrets using the below command:</b></p><p style="margin-bottom:0in">root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' <a href="http://localhost:9311/v1/secrets">http://localhost:9311/v1/secrets</a><br>{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-</p><p style="margin-bottom:0in"><b>Please find the logs below:</b><br></p><p style="margin-bottom:0in">2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id'))<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers secret_model, project_model)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers encrypt_dto, kek_meta_dto, context.project_model.external_id<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers meta['mkek_label'], meta['hmac_label'], session<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers self.verify_hmac(hmac_key, hmac, wrapped_key, session)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac<br><b>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers rv = self.lib.C_VerifyInit(session, mech, hmac_key)<br>2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required<br></b></p><p style="margin-bottom:0in"><b>I would like to know whether Barbican supports a virtual slot configuration, since I have mentioned slot # 6 in the barbican.conf file, and whether anyone has tested an HSM HA setup with Barbican.<br>
</b></p>
Any help would be highly appreciated!<br></div><div><div><div><div><div>-- <br><div class="gmail_signature"><div><i>Thanks and Regards,</i></div>
<div><i>Asha Seshagiri</i></div></div>
</div></div></div></div></div></div></div>
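As an added example, not code from the mail above or from Barbican itself: a small Python sanity check that parses the lunacm slot listing shown in the mail together with the [p11_crypto_plugin] section of barbican.conf, and reports whether the configured slot_id exists in the listing, whether it is the LunaVirtual HA slot, and whether the MKEK and HMAC labels collide (the conf comments require them to differ). The conf and lunacm text are embedded as constructed samples built from the values quoted in the mail.

```python
import configparser
import re

# Constructed sample input: the [p11_crypto_plugin] keys quoted in the mail.
BARBICAN_CONF = """[p11_crypto_plugin]
mkek_label = 'ha_mkek'
hmac_label = 'ha_hmac'
slot_id = 6
"""
# Constructed sample input: the relevant lines of the lunacm listing in the mail.
LUNACM_OUTPUT = """Slot Id -> 1
HSM Label -> barbican2
HSM Model -> LunaSA
Slot Id -> 2
HSM Label -> barbican3
HSM Model -> LunaSA
Slot Id -> 6
HSM Label -> barbican_ha
HSM Model -> LunaVirtual
HSM Status -> N/A - HA Group
"""

def parse_lunacm_slots(text):
    """Return {slot_id: {field: value}} from lunacm's 'Field -> Value' lines."""
    slots, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*->\s*(.+?)\s*$", line)
        if not m:
            continue
        if m.group(1) == "Slot Id":
            current = slots.setdefault(int(m.group(2)), {})
        elif current is not None:
            current[m.group(1)] = m.group(2)
    return slots

def check_p11_config(conf_text, lunacm_text):
    """Return findings; an empty list means the slot and labels look consistent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    sec = cfg["p11_crypto_plugin"]
    # barbican.conf quotes the labels; strip the quotes before comparing them.
    mkek, hmac = sec["mkek_label"].strip("'\""), sec["hmac_label"].strip("'\"")
    slot_id, slots, findings = int(sec["slot_id"]), parse_lunacm_slots(lunacm_text), []
    if mkek == hmac:
        findings.append("mkek_label and hmac_label must not be the same")
    if slot_id not in slots:
        findings.append("slot_id %d not present in lunacm listing" % slot_id)
    elif slots[slot_id].get("HSM Model") == "LunaVirtual":
        findings.append("info: slot_id %d is HA virtual slot '%s' (HSM Status: %s)" % (
            slot_id, slots[slot_id]["HSM Label"], slots[slot_id].get("HSM Status", "?")))
    return findings
```

Run it against the real barbican.conf and a fresh `lunacm` capture to confirm the slot Barbican is pointed at is the one the HA group actually exposes.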