[openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Asha Seshagiri asha.seshagiri at gmail.com
Mon Jul 20 15:30:04 UTC 2015


Hi  John ,

Thanks a lot John for your response.
I tried   executing the script with the following options  before , but it
seems it did not work .Hence tried with the curly baraces .

Please find other options below :

[root at HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek
--length 32 --label 'an_mkek'
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
[root at HSM-Client bin]# python pkcs11-key-generation --library-path
/usr/lib/libCryptoki2_64.so  --passphrase test123  --slot-id 1  mkek
--length 32 --label an_mkek
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID


Would be of great help if l could the syntax for running the script

Thanks and Regards,
Asha  Seshagiri

On Sun, Jul 19, 2015 at 6:25 PM, John Vrbanac <john.vrbanac at rackspace.com>
wrote:

>  Don't include the curly brackets on the script arguments. The
> documentation is just using them to indicate that those are placeholders
> for real values.
>
>
>     John Vrbanac
>      ------------------------------
> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
> *Sent:* Sunday, July 19, 2015 2:15 PM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Cc:* Reller, Nathan S.
> *Subject:* Re: [openstack-dev] Barbican : Unable to store the secret when
> Barbican was Integrated with SafeNet HSM
>
>   Hi John ,
>
>  Thanks  for pointing me to the right script.
> I appreciate your help .
>
>  I tried running the script with the following command :
>
>  [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1  mkek
> --length 32 --label 'an_mkek'
> Traceback (most recent call last):
>   File "pkcs11-key-generation", line 120, in <module>
>     main()
>   File "pkcs11-key-generation", line 115, in main
>     kg = KeyGenerator()
>   File "pkcs11-key-generation", line 38, in __init__
>     ffi=ffi
>   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in
> __init__
>     self.lib = self.ffi.dlopen(library_path)
>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in
> dlopen
>     lib, function_cache = _make_ffi_library(self, name, flags)
>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in
> _make_ffi_library
>     backendlib = _load_backend_lib(backend, libname, flags)
>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in
> _load_backend_lib
>     return backend.load_library(name, flags)
> *OSError: cannot load library {/usr/lib/libCryptoki2_64.so}:
> {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file
> or directory*
>
> *Unable to run the script since the library libCryptoki2_64.so cannot be
> opened.*
>
>  Tried the following solution  :
>
>    -  vi /etc/ld.so.conf
>    - Added both the paths of ld.so.conf in the  /etc/ld.so.conf file got
>     from the command find / -name libCryptoki2_64.so
>     - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>       - /usr/lib/libCryptoki2_64.so
>    - sudo ldconfig
>    - ldconfig -p
>
> But the above solution failed and am geting the same error.
>
>  Any help would highly be apprecited.
> Thanks in advance!
>
>  Thanks and Regards,
> Asha Seshagiri
>
> On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <john.vrbanac at rackspace.com
> > wrote:
>
>>  Asha,
>>
>> It looks like you don't have your mkek label correctly configured. Make
>> sure that the mkek_label and hmac_label values in your config correctly
>> reflect the keys that you've generated on your HSM.
>>
>> The plugin will cache the key handle to the mkek and hmac when the plugin
>> starts, so if it cannot find them, it'll fail to load the plugin altogether.
>>
>>
>>  If you need help generating your mkek and hmac, refer to
>> http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
>> for instructions on how to create them using a script.
>>
>>
>>  As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>>
>>
>>     John Vrbanac
>>      ------------------------------
>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>> *Sent:* Saturday, July 18, 2015 8:47 PM
>> *To:* openstack-dev
>> *Cc:* Reller, Nathan S.
>> *Subject:* [openstack-dev] Barbican : Unable to store the secret when
>> Barbican was Integrated with SafeNet HSM
>>
>>    Hi All ,
>>
>>  I have configured Barbican to integrate with SafeNet  HSM.
>> Installed safenet client libraries , registered the barbican machine to
>> point to HSM server  and also assigned HSM partition.
>>
>>  The following were the changes done in barbican.conf file
>>
>>
>>  # ================= Secret Store Plugin ===================
>> [secretstore]
>> namespace = barbican.secretstore.plugin
>> enabled_secretstore_plugins = store_crypto
>>
>>  # ================= Crypto plugin ===================
>> [crypto]
>> namespace = barbican.crypto.plugin
>> enabled_crypto_plugins = p11_crypto
>>
>>  [p11_crypto_plugin]
>> # Path to vendor PKCS11 library
>> library_path = '/usr/lib/libCryptoki2_64.so'
>> # Password to login to PKCS11 session
>> login = 'test123'
>> # Label to identify master KEK in the HSM (must not be the same as HMAC
>> label)
>> mkek_label = 'an_mkek'
>> # Length in bytes of master KEK
>>  mkek_length = 32
>> # Label to identify HMAC key in the HSM (must not be the same as MKEK
>> label)
>> hmac_label = 'my_hmac_label'
>>   # HSM Slot id (Should correspond to a configured PKCS11 slot).
>> Default: 1
>> slot_id = 1
>>
>>  Unable to store the secret when Barbican was integrated with HSM.
>>
>>  [root at HSM-Client crypto]# curl -X POST -H
>> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
>> "my-secret-here", "payload_content_type": "text/plain"}'
>> http://localhost:9311/v1/secrets
>> *{"code": 500, "description": "Secret creation failure seen - please
>> contact site administrator.", "title": "Internal Server
>> Error"}[root at HSM-Client crypto]#*
>>
>>
>> Please find the logs below :
>>
>>  2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen
>> creating plugin: 'p11_crypto'
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback
>> (most recent call last):
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>> "/root/barbican/barbican/plugin/util/utils.py", line 42, in
>> instantiate_plugins
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>> "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> conf.p11_crypto_plugin.hmac_label)
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in
>> cache_mkek_and_hmac
>>  2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> self.get_mkek(self.current_mkek_label, session)
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise
>> P11CryptoKeyHandleException()
>> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>> P11CryptoKeyHandleException: No key handle was found*
>> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils*
>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation
>> failure seen - please contact site administrator.*
>>
>>
>>  (I am not sure why we are geting CryptoPluginNotFound: Crypto plugin
>> not found. Exception since the changes is able to hit the p11_crypto.py
>> code)
>>
>>  2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback
>> (most recent call last):
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
>> fn(inst, *args, **kwargs)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
>> fn(inst, *args, **kwargs)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/api/controllers/__init__.py", line 146, in
>> content_types_enforcer
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
>> fn(inst, *args, **kwargs)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> transport_key_id=data.get('transport_key_id'))
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> secret_model, project_model)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/plugin/resources.py", line 267, in
>> _store_secret_using_plugin
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> secret_metadata = store_plugin.store_secret(secret_dto, context)
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> crypto.PluginSupportTypes.ENCRYPT_DECRYPT
>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>> "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in
>> get_plugin_store_generate*
>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise
>> crypto.CryptoPluginNotFound()*
>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>> CryptoPluginNotFound: Crypto plugin not found.*
>>
>>  Had chance to go though the code as to why are we geting the exception
>> : *P11CryptoKeyHandleException: No key handle was found .*
>> *It is because *returned_count[0] == 0 .It needs to be 0 in order for
>> the mkek to be created .From what I understand is that by default all the
>> ffi variables would have the value 0 . I am not sure why the check
>> returned_count[0] == 1: has been put .
>>
>>    if returned_count[0] == 1:
>>    key = object_handle_ptr[0]   rv = self.lib.C_FindObjectsFinal(session)
>> self.check_error(rv)   if returned_count[0] == 1:
>>    return key   elif returned_count[0] == 0:   return None
>> *Need Help .Any help would highly be appreciated .It is very critical for
>> us to integrate with Barbican*
>> *Also would like to know if any one has integrated Barbican with HSM.*
>>
>>  --
>>  *Thanks and Regards,*
>> *Asha Seshagiri*
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>  --
>  *Thanks and Regards,*
> *Asha Seshagiri*
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
*Thanks and Regards,*
*Asha Seshagiri*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150720/34cac8c1/attachment.html>


More information about the OpenStack-dev mailing list