diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index e4626b9bb7..fb2b2ca86c 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -67,7 +67,7 @@ parameters: type: string default: '' BarbicanPkcs11CryptoLogin: - description: Password to login to PKCS11 session + description: Password (PIN) to login to PKCS#11 session type: string hidden: true default: ''
@@ -80,9 +80,17 @@ parameters: type: string default: '' BarbicanPkcs11CryptoSlotId: - description: Slot Id for the HSM + description: Slot Id for the PKCS#11 token to be used type: string default: '0' + BarbicanPkcs11CryptoTokenSerialNumber: + description: Serial number for PKCS#11 token to be used + type: string + default: '' + BarbicanPkcs11CryptoTokenLabel: + description: Label for PKCS#11 token to be used + type: string + default: '' BarbicanPkcs11CryptoHMACKeyType: description: Cryptoki Key Type for Master HMAC key type: string
@@ -168,7 +176,7 @@ conditions: thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]} atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]} lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]} - thales_or_atos_or_lunasa_hsm_enabled: + hsm_enabled: or: - thales_hsm_enabled - atos_hsm_enabled
@@ -427,7 +435,7 @@ outputs: - null deploy_steps_tasks: if: - - thales_or_atos_or_lunasa_hsm_enabled + - hsm_enabled - list_concat: - if:
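Review bot: The new BarbicanPkcs11CryptoTokenSerialNumber and BarbicanPkcs11CryptoTokenLabel parameters in hunk @@ -80 sit next to BarbicanPkcs11CryptoSlotId, which keeps its '0' default, but none of the three descriptions says which selector wins when more than one is set, so an operator cannot tell whether leaving SlotId at '0' interferes with a label- or serial-based selection. I would extend the descriptions to state the precedence the plugin applies (as I read upstream Barbican it is serial number, then label, then slot id — confirm against the deployed version), e.g. `description: Serial number of the PKCS#11 token to use; when set it takes precedence over BarbicanPkcs11CryptoTokenLabel and BarbicanPkcs11CryptoSlotId`. The same three definitions are repeated in barbican-backend-pkcs11-crypto-puppet.yaml (hunk @@ -53), so the chosen wording should be applied there as well. The `parameters:` mapping starts and ends outside this hunk.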
@@ -478,24 +486,17 @@ outputs: - map_merge: - {get_param: LunasaVars} - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin} + - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel} - map_merge: - {get_param: LunasaVars} - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin} + - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel} - lunasa_client_ip: str_replace: template: "{{$NETWORK_ip}}" params: $NETWORK: {get_param: LunasaClientIPNetwork} - - - name: set the slot id in hieradata - include_role: - name: tripleo_hieradata - tasks_from: ansible_hieradata.yml - vars: - hieradata_ansible_data: - barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}" - when: lunasa_ha_slot is defined - null - null docker_config:
@@ -562,23 +563,11 @@ outputs: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - - "hsm check_mkek --library-path" - - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - - "--slot-id" - - {get_param: [BarbicanPkcs11CryptoSlotId]} - - "--passphrase" - - {get_param: [BarbicanPkcs11CryptoLogin]} - - "--label" + - "hsm check_mkek --label" - {get_param: [BarbicanPkcs11CryptoMKEKLabel]} - "|| /usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - - "hsm gen_mkek --library-path" - - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - - "--slot-id" - - {get_param: [BarbicanPkcs11CryptoSlotId]} - - "--passphrase" - - {get_param: [BarbicanPkcs11CryptoLogin]} - - "--label" + - "hsm gen_mkek --label" - {get_param: [BarbicanPkcs11CryptoMKEKLabel]} - "'" - {}
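Review bot: `lunasa_ha_label` is now handed to the Lunasa client role unconditionally in both map_merge branches, sourced from BarbicanPkcs11CryptoTokenLabel whose default is '', while the hieradata task this hunk removes was guarded by `when: lunasa_ha_slot is defined` and no equivalent guard exists for an empty label. If `lunasa_hsms` lists more than one HSM (the documented HA-group case) and the operator never set the label, the role receives an empty HA group label; whether it fails loudly or proceeds with an empty name depends on the role, which is outside this diff. I would add a fail task before the role is included, roughly `- name: fail when no token label is set for the Lunasa HA group` with `when: lunasa_hsms | length > 1 and lunasa_ha_label | length == 0` (assuming `lunasa_hsms` is the variable the role receives from LunasaVars). The `deploy_steps_tasks` structure this belongs to starts and ends outside the hunk.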
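Review bot: `barbican-manage hsm check_mkek` and `gen_mkek` now receive only `--label`, so the library path, token selection and login PIN have to come from the Barbican configuration on the bootstrap host, and nothing in the template records that dependency; the check_hmac/gen_hmac hunk (@@ -600 in this file) has the same gap and should get the same comment. Dropping `--passphrase` from the command line is also what stops the hidden BarbicanPkcs11CryptoLogin value from appearing in the arguments of the `su -c` invocation, which is worth stating so it is not reintroduced later. I would add above the first command `# barbican-manage hsm reads library_path, token selection and login from barbican.conf; only --label is passed so the PIN never appears in process arguments` and confirm that the configuration is rendered before these bootstrap commands run. The command-building list this sits in starts and ends outside the hunk.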
@@ -600,28 +589,10 @@ outputs: - ' ' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - - "hsm check_hmac --library-path" - - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - - "--slot-id" - - {get_param: [BarbicanPkcs11CryptoSlotId]} - - "--passphrase" - - {get_param: [BarbicanPkcs11CryptoLogin]} - - "--label" + - "hsm check_hmac --label" - {get_param: [BarbicanPkcs11CryptoHMACLabel]} - - "--key-type" - - {get_param: [BarbicanPkcs11CryptoHMACKeyType]} - - "|| /usr/bin/barbican-manage hsm gen_hmac --library-path" - - {get_param: [BarbicanPkcs11CryptoLibraryPath]} - - "--slot-id" - - {get_param: [BarbicanPkcs11CryptoSlotId]} - - "--passphrase" - - {get_param: [BarbicanPkcs11CryptoLogin]} - - "--label" + - "|| /usr/bin/barbican-manage hsm gen_hmac --label" - {get_param: [BarbicanPkcs11CryptoHMACLabel]} - - "--key-type" - - {get_param: [BarbicanPkcs11CryptoHMACKeyType]} - - "--mechanism" - - {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]} - "'" - {} - if:
diff --git a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
index 7e0cad26d8..4bbd24f129 100644
--- a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
+++ b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
@@ -36,7 +36,7 @@ parameters: type: string default: '' BarbicanPkcs11CryptoLogin: - description: Password to login to PKCS11 session + description: Password (PIN) to login to PKCS#11 session type: string hidden: true default: ''
@@ -53,9 +53,17 @@ parameters: type: string default: '' BarbicanPkcs11CryptoSlotId: - description: Slot Id for the HSM + description: Slot Id for the PKCS#11 token to be used type: string default: '0' + BarbicanPkcs11CryptoTokenSerialNumber: + description: Serial number for PKCS#11 token to be used + type: string + default: '' + BarbicanPkcs11CryptoTokenLabel: + description: Label for PKCS#11 token to be used + type: string + default: '' BarbicanPkcs11CryptoEncryptionMechanism: description: Cryptoki Mechanism used for encryption type: string
@@ -93,6 +101,8 @@ outputs:
 barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
 barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
diff --git a/environments/barbican-backend-pkcs11-lunasa.yaml b/environments/barbican-backend-pkcs11-lunasa.yaml
index 01c6a7b945..d850b65f52 100644
--- a/environments/barbican-backend-pkcs11-lunasa.yaml
+++ b/environments/barbican-backend-pkcs11-lunasa.yaml
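Review bot: The two new hieradata keys in hunk @@ -93, `p11_crypto_plugin_token_serial_number` and `p11_crypto_plugin_token_label`, are written unconditionally, so with both parameters left at their '' default the Puppet class receives empty strings rather than absent values; whether puppet-barbican and the plugin treat '' as "not configured" is outside this diff, and if they do not, an empty serial number could shadow the slot-id or label selection the operator actually intended. I would make the intent explicit with conditions in the style the API template already uses, e.g. `token_serial_number_set: {not: {equals: [{get_param: BarbicanPkcs11CryptoTokenSerialNumber}, '']}}`, and only emit each key when its condition holds (for instance as an `if`-guarded entry in a `map_merge`). The hieradata mapping this sits in starts and ends outside the hunk.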
@@ -1,15 +1,17 @@ -# A Heat environment file to enable the barbican PKCS11 crypto backend with -# a Lunasa HSM. -# Note that barbican needs to be enabled in order to use this. +# A Heat environment file to enable the barbican PKCS#11 crypto backend using +# one or more Thales Luna Network HSMs. +# Note that Barbican needs to be enabled in order to use this. parameter_defaults: # In order to use this backend, you need to uncomment these values and # provide the appropriate values. # - # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session - # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM. Note that this parameter is only - # strictly required when setting up the Lunasa client in non-HA mode. In HA - # mode, whatever value is placed here will be overridden by the dynamically generated - # slot for the HA group created on the client. + # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session + # + # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used. + # For single HSM deployments this value should be the partition label + # that will be assigned to the clients. + # For HA deployments this value should be the label for the HA group. + # BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin # # LunasaClientIPNetwork: (Optional) Network to be used by the controllers 
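Review bot: The rewritten comment block documents BarbicanPkcs11CryptoTokenLabel but not BarbicanPkcs11CryptoTokenSerialNumber, which the same change adds to both Barbican templates, so an operator reading this environment file cannot see that selecting the token by serial number is available. It also marks BarbicanPkcs11CryptoSlotId as optional without saying how it interacts with a configured label, which the removed text used to spell out for HA mode. I would add `# BarbicanPkcs11CryptoTokenSerialNumber: (Optional) Serial number of the PKCS#11 token to be used` next to the label entry and extend the SlotId line with a clause on whether it is ignored once a label or serial number is set (confirm that precedence against the plugin before wording it). The parameter_defaults block continues past the end of this hunk.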
@@ -36,13 +38,13 @@ parameter_defaults: # lunasa_client_rotate_cert: (Optional) Set to true to generate a new # client certificate and re-register clients during deployment. # lunasa_hsms: A list of HSMs. When more than one HSM is specified, they - # will be configured as an HA pool. Each entry should specify the + # will be configured as an HA group. Each entry should specify the # following: # - hostname: Hostname for the HSM - # admin_password: admin password for the HSM, used to add a new client. + # admin_password: admin password for the HSM, used to add a new client + # for each controller node. # partition: HSM partition to be assigned to the clients. # partition_serial: serial number for the partition. - # lunasa_ha_label: HA group label Required only for HA mode. resource_registry: OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml