Identify HSMs using labels instead of Slot ID
This patch adds support for two new options in barbican.conf for the PKCS#11 backend plugin, [p11_crypto]token_label and [p11_crypto]token_serial_number, by adding two new parameters to the Barbican deployment: BarbicanPkcs11CryptoTokenSerialNumber and BarbicanPkcs11CryptoTokenLabel. This patch also simplifies the use of barbican-manage to generate the MKEK and PKEK in the HSM backend by using the values provided in barbican.conf instead of duplicating them on the command line. For the Thales Luna Network device, this patch uses the label parameters to identify the partition to be used. Because we are using labels, we no longer need to write the runtime-generated Slot ID of the HA group into hieradata. Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
This commit is contained in:
parent
d04421d48a
commit
04b4ec3866
@ -67,7 +67,7 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoLogin:
|
BarbicanPkcs11CryptoLogin:
|
||||||
description: Password to login to PKCS11 session
|
description: Password (PIN) to login to PKCS#11 session
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
default: ''
|
default: ''
|
||||||
@ -80,9 +80,17 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoSlotId:
|
BarbicanPkcs11CryptoSlotId:
|
||||||
description: Slot Id for the HSM
|
description: Slot Id for the PKCS#11 token to be used
|
||||||
type: string
|
type: string
|
||||||
default: '0'
|
default: '0'
|
||||||
|
BarbicanPkcs11CryptoTokenSerialNumber:
|
||||||
|
description: Serial number for PKCS#11 token to be used
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoTokenLabel:
|
||||||
|
description: Label for PKCS#11 token to be used
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
BarbicanPkcs11CryptoHMACKeyType:
|
BarbicanPkcs11CryptoHMACKeyType:
|
||||||
description: Cryptoki Key Type for Master HMAC key
|
description: Cryptoki Key Type for Master HMAC key
|
||||||
type: string
|
type: string
|
||||||
@ -168,7 +176,7 @@ conditions:
|
|||||||
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
|
||||||
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
|
||||||
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
|
lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
|
||||||
thales_or_atos_or_lunasa_hsm_enabled:
|
hsm_enabled:
|
||||||
or:
|
or:
|
||||||
- thales_hsm_enabled
|
- thales_hsm_enabled
|
||||||
- atos_hsm_enabled
|
- atos_hsm_enabled
|
||||||
@ -427,7 +435,7 @@ outputs:
|
|||||||
- null
|
- null
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
if:
|
if:
|
||||||
- thales_or_atos_or_lunasa_hsm_enabled
|
- hsm_enabled
|
||||||
- list_concat:
|
- list_concat:
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
@ -478,24 +486,17 @@ outputs:
|
|||||||
- map_merge:
|
- map_merge:
|
||||||
- {get_param: LunasaVars}
|
- {get_param: LunasaVars}
|
||||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||||
- map_merge:
|
- map_merge:
|
||||||
- {get_param: LunasaVars}
|
- {get_param: LunasaVars}
|
||||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||||
- lunasa_client_ip:
|
- lunasa_client_ip:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
"{{$NETWORK_ip}}"
|
"{{$NETWORK_ip}}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: LunasaClientIPNetwork}
|
$NETWORK: {get_param: LunasaClientIPNetwork}
|
||||||
|
|
||||||
- name: set the slot id in hieradata
|
|
||||||
include_role:
|
|
||||||
name: tripleo_hieradata
|
|
||||||
tasks_from: ansible_hieradata.yml
|
|
||||||
vars:
|
|
||||||
hieradata_ansible_data:
|
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
|
|
||||||
when: lunasa_ha_slot is defined
|
|
||||||
- null
|
- null
|
||||||
- null
|
- null
|
||||||
docker_config:
|
docker_config:
|
||||||
@ -562,23 +563,11 @@ outputs:
|
|||||||
- ' '
|
- ' '
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
- "hsm check_mkek --library-path"
|
- "hsm check_mkek --label"
|
||||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
|
||||||
- "--slot-id"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
|
||||||
- "--passphrase"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
|
||||||
- "--label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
- "|| /usr/bin/barbican-manage"
|
- "|| /usr/bin/barbican-manage"
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
- "hsm gen_mkek --library-path"
|
- "hsm gen_mkek --label"
|
||||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
|
||||||
- "--slot-id"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
|
||||||
- "--passphrase"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
|
||||||
- "--label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
|
||||||
- "'"
|
- "'"
|
||||||
- {}
|
- {}
|
||||||
@ -600,28 +589,10 @@ outputs:
|
|||||||
- ' '
|
- ' '
|
||||||
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
|
||||||
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
|
||||||
- "hsm check_hmac --library-path"
|
- "hsm check_hmac --label"
|
||||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
|
||||||
- "--slot-id"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
|
||||||
- "--passphrase"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
|
||||||
- "--label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||||
- "--key-type"
|
- "|| /usr/bin/barbican-manage hsm gen_hmac --label"
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
|
||||||
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
|
|
||||||
- "--slot-id"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoSlotId]}
|
|
||||||
- "--passphrase"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoLogin]}
|
|
||||||
- "--label"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
|
||||||
- "--key-type"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
|
|
||||||
- "--mechanism"
|
|
||||||
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
|
|
||||||
- "'"
|
- "'"
|
||||||
- {}
|
- {}
|
||||||
- if:
|
- if:
|
||||||
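Review bot: In the hunk at @ -478, `- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}` is merged after `- {get_param: LunasaVars}`, so the new parameter overrides any `lunasa_ha_label` an operator still carries in LunasaVars (the environment file previously documented it there), and with the parameter's default of `''` the HA group would be created with an empty label unless the lunasa client role rejects that. The parameter description added at @ -80, `Label for PKCS#11 token to be used`, does not say the value is mandatory once an HSM backend is enabled, nor that it now doubles as the Luna HA group label. I would change it to `description: Label for the PKCS#11 token to be used. Required when an HSM backend is enabled; for Luna HA deployments this is also the HA group label and replaces lunasa_ha_label in LunasaVars.` A Heat length constraint is not an option here because the default must stay empty for deployments without an HSM, so the empty-label case has to be caught by the role or by a precondition task. The deploy_steps_tasks block this hunk sits in starts and ends outside the hunk.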
|
@ -36,7 +36,7 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoLogin:
|
BarbicanPkcs11CryptoLogin:
|
||||||
description: Password to login to PKCS11 session
|
description: Password (PIN) to login to PKCS#11 session
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
default: ''
|
default: ''
|
||||||
@ -53,9 +53,17 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoSlotId:
|
BarbicanPkcs11CryptoSlotId:
|
||||||
description: Slot Id for the HSM
|
description: Slot Id for the PKCS#11 token to be used
|
||||||
type: string
|
type: string
|
||||||
default: '0'
|
default: '0'
|
||||||
|
BarbicanPkcs11CryptoTokenSerialNumber:
|
||||||
|
description: Serial number for PKCS#11 token to be used
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoTokenLabel:
|
||||||
|
description: Label for PKCS#11 token to be used
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
BarbicanPkcs11CryptoEncryptionMechanism:
|
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||||
description: Cryptoki Mechanism used for encryption
|
description: Cryptoki Mechanism used for encryption
|
||||||
type: string
|
type: string
|
||||||
@ -93,6 +101,8 @@ outputs:
|
|||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
||||||
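Review bot: In the hunk at @ -93, `p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}` (default `'0'`) is still always emitted next to the two new keys `p11_crypto_plugin_token_serial_number` and `p11_crypto_plugin_token_label`, so barbican.conf will carry a slot id together with a label or serial number whenever either is set, and an empty string for whichever of the two is unset unless the puppet module drops empty values. Which of the three identifiers wins is decided by the Barbican plugin from the Depends-On change, not by anything visible here, and the parameter descriptions at @ -53 do not say. I would state the precedence in the slot id description once confirmed against the plugin, e.g. `description: Slot Id for the PKCS#11 token to be used. Ignored when BarbicanPkcs11CryptoTokenLabel or BarbicanPkcs11CryptoTokenSerialNumber is set.` The config_settings mapping continues outside the hunk.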
|
@ -1,15 +1,17 @@
|
|||||||
# A Heat environment file to enable the barbican PKCS11 crypto backend with
|
# A Heat environment file to enable the barbican PKCS#11 crypto backend using
|
||||||
# a Lunasa HSM.
|
# one or more Thales Luna Network HSMs.
|
||||||
# Note that barbican needs to be enabled in order to use this.
|
# Note that Barbican needs to be enabled in order to use this.
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
# In order to use this backend, you need to uncomment these values and
|
# In order to use this backend, you need to uncomment these values and
|
||||||
# provide the appropriate values.
|
# provide the appropriate values.
|
||||||
#
|
#
|
||||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
|
||||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM. Note that this parameter is only
|
#
|
||||||
# strictly required when setting up the Lunasa client in non-HA mode. In HA
|
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
||||||
# mode, whatever value is placed here will be overridden by the dynamically generated
|
# For single HSM deployments this value should be the partition label
|
||||||
# slot for the HA group created on the client.
|
# that will be assigned to the clients.
|
||||||
|
# For HA deployments this value should be the label for the HA group.
|
||||||
|
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
|
||||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
#
|
#
|
||||||
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
||||||
@ -36,13 +38,13 @@ parameter_defaults:
|
|||||||
# lunasa_client_rotate_cert: (Optional) Set to true to generate a new
|
# lunasa_client_rotate_cert: (Optional) Set to true to generate a new
|
||||||
# client certificate and re-register clients during deployment.
|
# client certificate and re-register clients during deployment.
|
||||||
# lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
|
# lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
|
||||||
# will be configured as an HA pool. Each entry should specify the
|
# will be configured as an HA group. Each entry should specify the
|
||||||
# following:
|
# following:
|
||||||
# - hostname: Hostname for the HSM
|
# - hostname: Hostname for the HSM
|
||||||
# admin_password: admin password for the HSM, used to add a new client.
|
# admin_password: admin password for the HSM, used to add a new client
|
||||||
|
# for each controller node.
|
||||||
# partition: HSM partition to be assigned to the clients.
|
# partition: HSM partition to be assigned to the clients.
|
||||||
# partition_serial: serial number for the partition.
|
# partition_serial: serial number for the partition.
|
||||||
# lunasa_ha_label: HA group label Required only for HA mode.
|
|
||||||
|
|
||||||
resource_registry:
|
resource_registry:
|
||||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
||||||
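Review bot: The environment file at @ -1 documents BarbicanPkcs11CryptoTokenLabel and the now-optional BarbicanPkcs11CryptoSlotId but not BarbicanPkcs11CryptoTokenSerialNumber, which this commit adds to both templates, and the `lunasa_ha_label` line removed at @ -36 leaves operators with no hint that the HA group label is now taken from BarbicanPkcs11CryptoTokenLabel. I would add `# BarbicanPkcs11CryptoTokenSerialNumber: (Optional) Serial number for PKCS#11 token to be used` after the TokenLabel block, and put `# The HA group label is taken from BarbicanPkcs11CryptoTokenLabel above.` where the removed line was under lunasa_hsms.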
|