[openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Asha Seshagiri
asha.seshagiri at gmail.com
Tue Jul 28 14:22:19 UTC 2015
Hi John,
Any help would be highly appreciated.
Thanks and Regards,
Asha Seshagiri
On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri <asha.seshagiri at gmail.com>
wrote:
> Hi John,
>
> Thanks a lot for providing me with the response :)
> I followed link [1] for configuring the HA setup.
> [1] : http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html
>
> The final step in the above link is the haAdmin command, which is run on the
> client side (on Barbican).
> Slot 6 is the virtual slot (only on the client side and not visible on the
> Luna SA), and slots 1 and 2 are actual slots on the Luna SA HSM.
>
> Please find the response below:
>
> [root at HSM-Client bin]# ./vtl haAdmin show
>
> ================ HA Global Configuration Settings ===============
>
> HA Proxy: disabled
> HA Auto Recovery: disabled
> Maximum Auto Recovery Retry: 0
> Auto Recovery Poll Interval: 60 seconds
> HA Logging: disabled
> Only Show HA Slots: no
>
> ================ HA Group and Member Information ================
>
> HA Group Label: barbican_ha
> HA Group Number: 1489361010
> HA Group Slot #: 6
> Synchronization: enabled
> Group Members: 489361010, 489361011
> Standby members: <none>
>
> Slot #   Member S/N   Member Label   Status
> ======   ==========   ============   ======
> 1        489361010    barbican2      alive
> 2        489361011    barbican3      alive
>
> After finding out the virtual HA slot number, I ran pkcs11-key-generation
> with slot number 6, which did create the MKEK and HMAC in slots/partitions 1
> and 2 automatically. I am not sure why we have to replicate the keys between
> partitions? I configured slot 6 in barbican.conf as mentioned in my first
> email.
>
> I am not sure what the issue might be, and it would be great if you could
> tell me the steps or where I would have gone wrong.
>
> Thanks and Regards,
>
> Asha Seshagiri
>
> On Mon, Jul 27, 2015 at 2:36 PM, John Vrbanac <john.vrbanac at rackspace.com>
> wrote:
>
>> Asha,
>>
>> I've used the Safenet HSM "HA" virtual slot setup and it does work.
>> However, the setup is very interesting because you need to generate the
>> MKEK and HMAC on a single HSM and then replicate it to the other HSMs out
>> of band of anything we have in Barbican. If I recall correctly, the Safenet
>> Luna docs mention how to replicate keys or partitions between HSMs.
>>
>>
>> John Vrbanac
>> ------------------------------
>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>> *Sent:* Monday, July 27, 2015 2:00 PM
>> *To:* openstack-dev
>> *Cc:* John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
>> *Subject:* Barbican : Unable to create the secret after Integrating
>> Barbican with HSM HA
>>
>> Hi All,
>>
>> I am working on integrating Barbican with an HSM HA setup.
>> I have configured slot 1 and slot 2 to be in HA on the Luna SA setup. Slot
>> 6 is a virtual slot on the client side which acts as the proxy for slots 1
>> and 2. Hence on the Barbican side I mentioned slot number 6, and its
>> password, which is identical to the passwords of slot 1 and slot 2, in the
>> barbican.conf file.
>>
>> Please find the contents of the file:
>>
>> # ================= Secret Store Plugin ===================
>> [secretstore]
>> namespace = barbican.secretstore.plugin
>> enabled_secretstore_plugins = store_crypto
>>
>> # ================= Crypto plugin ===================
>> [crypto]
>> namespace = barbican.crypto.plugin
>> enabled_crypto_plugins = p11_crypto
>>
>> [simple_crypto_plugin]
>> # the kek should be a 32-byte value which is base64 encoded
>> kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
>>
>> [dogtag_plugin]
>> pem_path = '/etc/barbican/kra_admin_cert.pem'
>> dogtag_host = localhost
>> dogtag_port = 8443
>> nss_db_path = '/etc/barbican/alias'
>> nss_db_path_ca = '/etc/barbican/alias-ca'
>> nss_password = 'password123'
>> simple_cmc_profile = 'caOtherCert'
>>
>> [p11_crypto_plugin]
>> # Path to vendor PKCS11 library
>> library_path = '/usr/lib/libCryptoki2_64.so'
>> # Password to login to PKCS11 session
>> login = 'test5678'
>> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
>> mkek_label = 'ha_mkek'
>> # Length in bytes of master KEK
>> mkek_length = 32
>> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
>> hmac_label = 'ha_hmac'
>> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
>> slot_id = 6
>>
>> I was able to create the MKEK and HMAC successfully for slots 1 and 2 on
>> the HSM when running the pkcs11-key-generation script for slot 6, which
>> should be the expected behaviour.
>>
>> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
>> '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek
>> --label 'ha_mkek'
>> Verified label !
>> MKEK successfully generated!
>> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
>> '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac
>> --label 'ha_hmac'
>> HMAC successfully generated!
>> [root at HSM-Client bin]#
>>
>> Please find the HSM commands and responses showing the details of the
>> partitions and their contents:
>>
>> [root at HSM-Client bin]# ./vtl verify
>>
>> The following Luna SA Slots/Partitions were found:
>>
>> Slot   Serial #    Label
>> ====   ========    =====
>> 1      489361010   barbican2
>> 2      489361011   barbican3
>>
>> [HSMtestLuna1] lunash:> partition showcontents -partition barbican2
>>
>> Please enter the user password for the partition:
>> > ********
>>
>> Partition Name: barbican2
>> Partition SN: 489361010
>> Storage (Bytes): Total=1046420, Used=256, Free=1046164
>> Number objects: 2
>>
>> Object Label: ha_mkek
>> Object Type: Symmetric Key
>>
>> Object Label: ha_hmac
>> Object Type: Symmetric Key
>>
>> Command Result : 0 (Success)
>>
>> [HSMtestLuna1] lunash:> partition showcontents -partition barbican3
>>
>> Please enter the user password for the partition:
>> > ********
>>
>> Partition Name: barbican3
>> Partition SN: 489361011
>> Storage (Bytes): Total=1046420, Used=256, Free=1046164
>> Number objects: 2
>>
>> Object Label: ha_mkek
>> Object Type: Symmetric Key
>>
>> Object Label: ha_hmac
>> Object Type: Symmetric Key
>>
>> [root at HSM-Client bin]# ./lunacm
>>
>> LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
>>
>> Available HSM's:
>>
>> Slot Id ->              1
>> HSM Label ->            barbican2
>> HSM Serial Number ->    489361010
>> HSM Model ->            LunaSA
>> HSM Firmware Version -> 6.2.1
>> HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
>> HSM Status ->           OK
>>
>> Slot Id ->              2
>> HSM Label ->            barbican3
>> HSM Serial Number ->    489361011
>> HSM Model ->            LunaSA
>> HSM Firmware Version -> 6.2.1
>> HSM Configuration ->    Luna SA Slot (PW) Signing With Cloning Mode
>> HSM Status ->           OK
>>
>> Slot Id ->              6
>> HSM Label ->            barbican_ha
>> HSM Serial Number ->    1489361010
>> HSM Model ->            LunaVirtual
>> HSM Firmware Version -> 6.2.1
>> HSM Configuration ->    Virtual HSM (PW) Signing With Cloning Mode
>> HSM Status ->           N/A - HA Group
>>
>> Current Slot Id: 1
>>
>> I tried creating the secrets using the command below:
>>
>> [root at HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>> {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}
>> [root at HSM-
>>
>> Please find the logs below:
>>
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers Traceback (most recent call last):
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_model, project_model)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 96, in store_secret
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     encrypt_dto, kek_meta_dto, context.project_model.external_id
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 80, in encrypt
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     meta['mkek_label'], meta['hmac_label'], session
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 687, in unwrap_key
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     self.verify_hmac(hmac_key, hmac, wrapped_key, session)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 657, in verify_hmac
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers     rv = self.lib.C_VerifyInit(session, mech, hmac_key)
>> 2015-07-27 11:57:07.586 16362 ERROR barbican.api.controllers TypeError: an integer is required
>>
>>
>>
>> I would like to know whether Barbican supports a virtual slot configuration,
>> since I have mentioned slot # 6 in the barbican.conf file, and whether
>> anyone has tested an HSM HA setup with Barbican.
>> Any help would be highly appreciated!
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>>
>
> --
> Thanks and Regards,
> Asha Seshagiri
>
--
Thanks and Regards,
Asha Seshagiri
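A pre-flight check for the setup discussed in this thread, added here as an example and not code from Barbican or the SafeNet tools: it cross-checks slot_id and the key labels in barbican.conf against the `vtl haAdmin show` and `partition showcontents` output, so that a slot_id pointing at a member slot instead of the HA virtual slot, disabled synchronization, a member that is not alive, or a label that does not resolve to exactly one object on a member is reported before Barbican's encrypt path has to look the labels up. The sample inputs are constructed from the outputs posted above.

```python
import re
import configparser

# Inputs constructed from the outputs posted in the thread.
BARBICAN_CONF = """[p11_crypto_plugin]
mkek_label = 'ha_mkek'
hmac_label = 'ha_hmac'
slot_id = 6
"""
HA_ADMIN_SHOW = """HA Group Slot #: 6
Synchronization: enabled
1 489361010 barbican2 alive
2 489361011 barbican3 alive
"""
SHOWCONTENTS = ("Object Label: ha_mkek\nObject Type: Symmetric Key\n"
                "Object Label: ha_hmac\nObject Type: Symmetric Key\n")
PARTITIONS = {"barbican2": SHOWCONTENTS, "barbican3": SHOWCONTENTS}  # member label -> output

def parse_conf(text):
    """Pull slot_id and the two key labels out of [p11_crypto_plugin] (quotes stripped)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["p11_crypto_plugin"]
    return int(sec["slot_id"]), [sec[k].strip("'\"") for k in ("mkek_label", "hmac_label")]

def parse_ha_show(text):
    """Return (virtual slot, synchronization enabled?, {member label: status})."""
    slot = int(re.search(r"HA Group Slot #:\s*(\d+)", text).group(1))
    sync = re.search(r"Synchronization:\s*(\w+)", text).group(1) == "enabled"
    rows = re.finditer(r"^\d+\s+\d+\s+(\S+)\s+(\w+)\s*$", text, re.M)  # member table rows
    return slot, sync, {m.group(1): m.group(2) for m in rows}

def preflight(conf, ha_show, partitions):
    """List every condition under which a label lookup through the HA slot cannot
    resolve to exactly one key on every member; an empty list means all clear."""
    slot_id, labels = parse_conf(conf)
    ha_slot, sync, members = parse_ha_show(ha_show)
    problems = []
    if slot_id != ha_slot:
        problems.append("slot_id %d is not the HA virtual slot %d" % (slot_id, ha_slot))
    if not sync:
        problems.append("HA synchronization is disabled; keys will not replicate")
    for member, status in members.items():
        if status != "alive":
            problems.append("member %s is %s" % (member, status))
        found = re.findall(r"^Object Label:\s*(\S+)", partitions.get(member, ""), re.M)
        for label in labels:
            if found.count(label) != 1:
                problems.append("member %s: label %r found %d times, expected 1" % (member, label, found.count(label)))
    return problems
```

With the thread's own outputs the check returns an empty list, so the configuration side is consistent and the TypeError at C_VerifyInit has to be chased elsewhere.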