[openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
Asha Seshagiri
asha.seshagiri at gmail.com
Mon Jul 20 15:30:04 UTC 2015
Hi John,
Thanks a lot John for your response.
I tried executing the script with the following options before, but it
seems it did not work. Hence I tried with the curly braces.
Please find the other options below:
[root at HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek
--length 32 --label 'an_mkek'
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
[root at HSM-Client bin]# python pkcs11-key-generation --library-path
/usr/lib/libCryptoki2_64.so --passphrase test123 --slot-id 1 mkek
--length 32 --label an_mkek
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
It would be of great help if I could get the syntax for running the script.
Thanks and Regards,
Asha Seshagiri
On Sun, Jul 19, 2015 at 6:25 PM, John Vrbanac <john.vrbanac at rackspace.com> wrote:
> Don't include the curly brackets on the script arguments. The
> documentation is just using them to indicate that those are placeholders
> for real values.
>
>
> John Vrbanac
> ------------------------------
> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
> *Sent:* Sunday, July 19, 2015 2:15 PM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Cc:* Reller, Nathan S.
> *Subject:* Re: [openstack-dev] Barbican : Unable to store the secret when
> Barbican was Integrated with SafeNet HSM
>
> Hi John,
>
> Thanks for pointing me to the right script.
> I appreciate your help.
>
> I tried running the script with the following command:
>
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek
> --length 32 --label 'an_mkek'
> Traceback (most recent call last):
> File "pkcs11-key-generation", line 120, in <module>
> main()
> File "pkcs11-key-generation", line 115, in main
> kg = KeyGenerator()
> File "pkcs11-key-generation", line 38, in __init__
> ffi=ffi
> File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in
> __init__
> self.lib = self.ffi.dlopen(library_path)
> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in
> dlopen
> lib, function_cache = _make_ffi_library(self, name, flags)
> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in
> _make_ffi_library
> backendlib = _load_backend_lib(backend, libname, flags)
> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in
> _load_backend_lib
> return backend.load_library(name, flags)
> OSError: cannot load library {/usr/lib/libCryptoki2_64.so}:
> {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file
> or directory
>
> Unable to run the script since the library libCryptoki2_64.so cannot be
> opened.
>
> Tried the following solution:
>
> - vi /etc/ld.so.conf
> - Added to /etc/ld.so.conf both of the paths obtained from the command
> find / -name libCryptoki2_64.so:
> - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
> - /usr/lib/libCryptoki2_64.so
> - sudo ldconfig
> - ldconfig -p
>
> But the above solution failed and I am getting the same error.
>
> Any help would be highly appreciated.
> Thanks in advance!
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <john.vrbanac at rackspace.com> wrote:
>
>> Asha,
>>
>> It looks like you don't have your mkek label correctly configured. Make
>> sure that the mkek_label and hmac_label values in your config correctly
>> reflect the keys that you've generated on your HSM.
>>
>> The plugin will cache the key handle to the mkek and hmac when the plugin
>> starts, so if it cannot find them, it'll fail to load the plugin altogether.
>>
>>
>> If you need help generating your mkek and hmac, refer to
>> http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
>> for instructions on how to create them using a script.
>>
>>
>> As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>>
>>
>> John Vrbanac
>> ------------------------------
>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>> *Sent:* Saturday, July 18, 2015 8:47 PM
>> *To:* openstack-dev
>> *Cc:* Reller, Nathan S.
>> *Subject:* [openstack-dev] Barbican : Unable to store the secret when
>> Barbican was Integrated with SafeNet HSM
>>
>> Hi All,
>>
>> I have configured Barbican to integrate with SafeNet HSM.
>> Installed the SafeNet client libraries, registered the Barbican machine to
>> point to the HSM server and also assigned an HSM partition.
>>
>> The following were the changes done in the barbican.conf file:
>>
>>
>> # ================= Secret Store Plugin ===================
>> [secretstore]
>> namespace = barbican.secretstore.plugin
>> enabled_secretstore_plugins = store_crypto
>>
>> # ================= Crypto plugin ===================
>> [crypto]
>> namespace = barbican.crypto.plugin
>> enabled_crypto_plugins = p11_crypto
>>
>> [p11_crypto_plugin]
>> # Path to vendor PKCS11 library
>> library_path = '/usr/lib/libCryptoki2_64.so'
>> # Password to login to PKCS11 session
>> login = 'test123'
>> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
>> mkek_label = 'an_mkek'
>> # Length in bytes of master KEK
>> mkek_length = 32
>> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
>> hmac_label = 'my_hmac_label'
>> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
>> slot_id = 1
>>
>> Unable to store the secret when Barbican was integrated with the HSM.
>>
>> [root at HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>> {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root at HSM-Client crypto]#
>>
>>
>> Please find the logs below:
>>
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen
>> creating plugin: 'p11_crypto'
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback
>> (most recent call last):
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>> "/root/barbican/barbican/plugin/util/utils.py", line 42, in
>> instantiate_plugins
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>> "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> conf.p11_crypto_plugin.hmac_label)
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in
>> cache_mkek_and_hmac
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> self.get_mkek(self.current_mkek_label, session)
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils raise
>> P11CryptoKeyHandleException()
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> P11CryptoKeyHandleException: No key handle was found
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation
>> failure seen - please contact site administrator.
>>
>>
>> (I am not sure why we are getting the "CryptoPluginNotFound: Crypto plugin
>> not found." exception, since the change is able to hit the p11_crypto.py
>> code.)
>>
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback
>> (most recent call last):
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return
>> fn(inst, *args, **kwargs)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return
>> fn(inst, *args, **kwargs)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/api/controllers/__init__.py", line 146, in
>> content_types_enforcer
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return
>> fn(inst, *args, **kwargs)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> transport_key_id=data.get('transport_key_id'))
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> secret_model, project_model)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/plugin/resources.py", line 267, in
>> _store_secret_using_plugin
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> secret_metadata = store_plugin.store_secret(secret_dto, context)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> crypto.PluginSupportTypes.ENCRYPT_DECRYPT
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>> "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in
>> get_plugin_store_generate
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers raise
>> crypto.CryptoPluginNotFound()
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> CryptoPluginNotFound: Crypto plugin not found.
>>
>> Had a chance to go through the code as to why we are getting the exception
>> P11CryptoKeyHandleException: No key handle was found.
>> It is because returned_count[0] == 0. It needs to be 0 in order for
>> the mkek to be created. From what I understand, by default all the
>> ffi variables would have the value 0. I am not sure why the check
>> returned_count[0] == 1: has been put.
>>
>> if returned_count[0] == 1:
>>     key = object_handle_ptr[0]
>> rv = self.lib.C_FindObjectsFinal(session)
>> self.check_error(rv)
>> if returned_count[0] == 1:
>>     return key
>> elif returned_count[0] == 0:
>>     return None
>>
>> Need help. Any help would be highly appreciated. It is very critical for
>> us to integrate with Barbican.
>> Also I would like to know if anyone has integrated Barbican with an HSM.
>>
>> --
>> *Thanks and Regards,*
>> *Asha Seshagiri*
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> *Thanks and Regards,*
> *Asha Seshagiri*
>
>
--
*Thanks and Regards,*
*Asha Seshagiri*
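The thread turns on two start-up conditions of the p11_crypto plugin: the vendor PKCS#11 library must be loadable from library_path, and each configured label (mkek_label, hmac_label) must resolve to exactly one key object on the token, which is what the returned_count[0] == 1 check in the quoted pkcs11.py excerpt enforces (zero matches raises "No key handle was found"; anything other than one match falls through and yields no handle). The following pre-flight checker is an added example, not code from this thread or from the Barbican project: it reads a [p11_crypto_plugin] section, strips the surrounding quotes the way an ini-style parser would, tries to dlopen the library, and compares the configured labels against a list of token object labels that the caller supplies (an HSM is not available offline, so the sample config and the token label lists here are constructed). The function names (preflight, resolve_label, check_library) and the one-pair quote stripping are assumptions of this example.

```python
"""Pre-flight checks for a Barbican [p11_crypto_plugin] section.

Added example (not Barbican code). It reproduces, outside the service, the
conditions the plugin checks when it starts: the PKCS#11 library must be
loadable, and each configured label must match exactly one key object on
the token. Token contents are passed in by the caller as a list of labels
because no HSM is reachable offline.
"""
import configparser
import ctypes
import os
from collections import Counter

# Constructed sample config mirroring the barbican.conf excerpt in the thread.
SAMPLE_CONF = """
[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'test123'
mkek_label = 'an_mkek'
mkek_length = 32
hmac_label = 'my_hmac_label'
slot_id = 1
"""


def strip_quotes(value):
    """Drop one matching pair of surrounding quotes (assumed ini-parser behaviour)."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in ("'", '"'):
        return v[1:-1]
    return v


def load_p11_section(conf_text):
    """Parse the [p11_crypto_plugin] section into a plain dict of unquoted strings."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    section = parser["p11_crypto_plugin"]
    return {key: strip_quotes(val) for key, val in section.items()}


def check_library(path):
    """Return None if the PKCS#11 library can be dlopen'ed, else a problem string.

    This is the same failure the cffi dlopen() in the quoted traceback reports
    when the path is wrong (for example, still wrapped in curly braces).
    """
    if not os.path.isfile(path):
        return "library_path %r does not exist" % path
    try:
        ctypes.CDLL(path)
    except OSError as exc:
        return "library_path %r cannot be loaded: %s" % (path, exc)
    return None


def resolve_label(label, token_labels):
    """Mirror the find-by-label outcome of the quoted pkcs11.py excerpt.

    Exactly one object with this label is usable ("ok"); zero objects is the
    "No key handle was found" case ("missing"); more than one is ambiguous and
    also yields no handle, since duplicates cannot be told apart by label.
    """
    count = Counter(token_labels)[label]
    if count == 1:
        return "ok"
    if count == 0:
        return "missing"
    return "ambiguous"


def preflight(conf_text, token_labels):
    """Return (parsed section, list of problems) for a config and a token's labels."""
    cfg = load_p11_section(conf_text)
    problems = []

    lib_problem = check_library(cfg["library_path"])
    if lib_problem:
        problems.append(lib_problem)

    # The config comments require the two labels to differ.
    if cfg["mkek_label"] == cfg["hmac_label"]:
        problems.append("mkek_label and hmac_label must differ")

    # Each configured label must match exactly one object on the token.
    for opt in ("mkek_label", "hmac_label"):
        state = resolve_label(cfg[opt], token_labels)
        if state != "ok":
            problems.append("%s=%r is %s on the token" % (opt, cfg[opt], state))

    try:
        int(cfg["slot_id"])
    except ValueError:
        problems.append("slot_id %r is not an integer" % cfg["slot_id"])

    return cfg, problems


if __name__ == "__main__":
    # Constructed token contents: the MKEK was generated, the HMAC key was not.
    cfg, problems = preflight(SAMPLE_CONF, ["an_mkek"])
    for problem in problems:
        print("PROBLEM:", problem)
```

Run against the thread's configuration with a token that only holds "an_mkek", the checker reports the missing hmac_label before Barbican is ever started; with duplicate labels it reports them as ambiguous, which is the same outcome the plugin's exact-one-match check produces. The library check is only meaningful on the HSM client host where the vendor library is installed.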