[openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
John Vrbanac
john.vrbanac at RACKSPACE.COM
Mon Jul 27 19:36:30 UTC 2015
Asha,
I've used the Safenet HSM "HA" virtual slot setup and it does work. However, the setup is very interesting because you need to generate the MKEK and HMAC on a single HSM and then replicate it to the other HSMs out of band of anything we have in Barbican. If I recall correctly, the Safenet Luna docs mention how to replicate keys or partitions between HSMs.
John Vrbanac
________________________________
From: Asha Seshagiri <asha.seshagiri at gmail.com>
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
Subject: Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Hi All,
I am working on Integrating Barbican with HSM HA set up.
I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot 6 is a virtual slot on the client side which acts as the proxy for slots 1 and 2. Hence on the Barbican side, I mentioned slot number 6 and its password, which is identical to the passwords of slot 1 and slot 2, in the barbican.conf file.
Please find the contents of the file :
# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6
I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM when running the pkcs11-key-generation script for slot 6, which should be the expected behaviour.
[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#
Please find the HSM commands and responses showing the details of the partitions and their contents:
[root@HSM-Client bin]# ./vtl verify
The following Luna SA Slots/Partitions were found:
Slot    Serial #    Label
====    ========    =====
1       489361010   barbican2
2       489361011   barbican3
[HSMtestLuna1] lunash:> partition showcontents -partition barbican2
Please enter the user password for the partition:
> ********
Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2
Object Label: ha_mkek
Object Type: Symmetric Key
Object Label: ha_hmac
Object Type: Symmetric Key
Command Result : 0 (Success)
[HSMtestLuna1] lunash:> partition showcontents -partition barbican3
Please enter the user password for the partition:
> ********
Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2
Object Label: ha_mkek
Object Type: Symmetric Key
Object Label: ha_hmac
Object Type: Symmetric Key
[root@HSM-Client bin]# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
HSM Label -> barbican2
HSM Serial Number -> 489361010
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> barbican3
HSM Serial Number -> 489361011
HSM Model -> LunaSA
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna SA Slot (PW) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 6
HSM Label -> barbican_ha
HSM Serial Number -> 1489361010
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.2.1
HSM Configuration -> Virtual HSM (PW) Signing With Cloning Mode
HSM Status -> N/A - HA Group
Current Slot Id: 1
I tried creating a secret using the command below:
[root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}
Please find the logs below:
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id'))
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers secret_model, project_model)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers encrypt_dto, kek_meta_dto, context.project_model.external_id
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers meta['mkek_label'], meta['hmac_label'], session
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers self.verify_hmac(hmac_key, hmac, wrapped_key, session)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers rv = self.lib.C_VerifyInit(session, mech, hmac_key)
2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required
I would like to know whether Barbican supports a virtual slot configuration, since I have mentioned slot #6 in the barbican.conf file, and whether anyone has tested an HSM HA setup with Barbican.
Any help would be highly appreciated!
--
Thanks and Regards,
Asha Seshagiri
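The traceback in the message above ends in C_VerifyInit being handed a key handle that is not an integer: the p11 plugin looks the HMAC key up by label in the logged-in session, and a label that resolves to no object leaves it with no usable handle, which surfaces as that TypeError rather than as a clear configuration error. The script below is an added example for this thread, not Barbican's code and not from either post. It parses the posted [p11_crypto_plugin] section the way oslo.config would (stripping the quotes) and, when the PyKCS11 library (assumed installed) is available, opens the configured slot, logs in with the configured password, and checks that mkek_label and hmac_label each resolve to exactly one secret-key object before Barbican is started. The config path, the PyKCS11 dependency, and the fake lookup in the sample are assumptions of the example.

```python
"""Pre-flight check for Barbican's [p11_crypto_plugin] settings.

Added example; not Barbican's code.  Parses the plugin section of
barbican.conf and, with PyKCS11 (assumed installed), verifies that the
MKEK and HMAC labels each resolve to exactly one key in the configured slot.
"""
import configparser
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample: the section as posted in the thread.
SAMPLE_CONF = """\
[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'test5678'
mkek_label = 'ha_mkek'
mkek_length = 32
hmac_label = 'ha_hmac'
slot_id = 6
"""


def _unquote(value: str) -> str:
    """oslo.config strips a matching pair of quotes; configparser does not."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "'\"":
        return v[1:-1]
    return v


def parse_p11_conf(text: str) -> Dict[str, object]:
    """Return the settings the plugin needs; reject an obviously bad set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["p11_crypto_plugin"]
    conf: Dict[str, object] = {
        "library_path": _unquote(sec["library_path"]),
        "login": _unquote(sec["login"]),
        "mkek_label": _unquote(sec["mkek_label"]),
        "hmac_label": _unquote(sec["hmac_label"]),
        "mkek_length": int(_unquote(sec.get("mkek_length", "32"))),
        "slot_id": int(_unquote(sec.get("slot_id", "1"))),  # plugin default: 1
    }
    if conf["mkek_label"] == conf["hmac_label"]:
        raise ValueError("mkek_label and hmac_label must differ")
    return conf


def check_key_labels(find_handles: Callable[[str], Sequence[int]],
                     labels: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each label to a problem string, or None when exactly one key matches.

    find_handles(label) returns the object handles visible for that label in
    the logged-in session (the real lookup is pkcs11_finder below).
    """
    result: Dict[str, Optional[str]] = {}
    for label in labels:
        handles = list(find_handles(label))
        if not handles:
            result[label] = ("no secret-key object with this label is visible in "
                             "the slot; Barbican would pass a None handle to the HSM")
        elif len(handles) > 1:
            result[label] = f"{len(handles)} objects share this label; the plugin cannot choose one"
        else:
            result[label] = None
    return result


def pkcs11_finder(library_path: str, slot_id: int, pin: str
                  ) -> Tuple[Callable[[str], List[int]], Callable[[], None]]:
    """Real lookup through PyKCS11 (assumed dependency of this example only)."""
    import PyKCS11  # lazy import so the parser and checker run without it

    lib = PyKCS11.PyKCS11Lib()
    lib.load(library_path)
    session = lib.openSession(slot_id, PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    session.login(pin)  # CKU_USER, the same login the plugin performs

    def find(label: str) -> List[int]:
        template = [(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY), (PyKCS11.CKA_LABEL, label)]
        return [int(h) for h in session.findObjects(template)]

    def close() -> None:
        session.logout()
        session.closeSession()

    return find, close


def preflight(conf: Dict[str, object]) -> bool:
    """Open the configured slot and report; True when both labels are usable."""
    find, close = pkcs11_finder(str(conf["library_path"]), int(conf["slot_id"]), str(conf["login"]))
    try:
        problems = check_key_labels(find, [str(conf["mkek_label"]), str(conf["hmac_label"])])
    finally:
        close()
    ok = True
    for label, problem in problems.items():
        print(f"slot {conf['slot_id']} label {label!r}: {problem or 'ok'}")
        ok = ok and problem is None
    return ok


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/barbican/barbican.conf"  # assumed path
    with open(path) as fh:
        sys.exit(0 if preflight(parse_p11_conf(fh.read())) else 1)
```

Run it against the same library_path, slot_id and login that barbican.conf gives the plugin; for an HA virtual slot that is the virtual slot number, not a member partition. A label that reports "no secret-key object" on the virtual slot is the condition that leads to the C_VerifyInit TypeError, and with an HA group it is worth checking from the same client and PKCS#11 library that Barbican uses, since key visibility depends on that client's HA configuration.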