openstack
/
tripleo-heat-templates
Code Issues Proposed changes

Add template code to configure hsm backends for barbican 

Adds support for the Thales and ATOS client software.

Change-Id: I79f8608431fecc58c8bdeba2de4a692a7ee388e9
Co-Authored-By: Douglas Mendizabal <dmendiza@redhat.com>
changes/34/610634/17
Ade Lee 2018-10-15 16:05:56 +00:00 committed by Douglas Mendizábal
parent 795dfcfdce
commit 17e0087e43
6 changed files with 547 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

556
docker/services/barbican-api.yaml
View File

@ -49,10 +49,76 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of tripleo-barbican-thales variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of tripleo-barbican-atos variables used to
install ATOS client software.
type: json
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
thales_or_atos_hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
resources:
@ -119,128 +185,384 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
when: step == '2'
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]}
thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_client_ips: "{{thales_client_ips}}"
thales_hsm_ip_address: "{{thales_hsm_ip_address}}"
thales_hsm_config_location: "{{thales_hsm_config_location}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
roles:
- tripleo-barbican-thales-rfs
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
if:
- thales_or_atos_hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
when: step == '2'
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: tripleo-barbican-thales
vars:
{get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
when: step == '2'
block:
- include_role:
name: tripleo-barbican-atos
vars:
{get_param: ATOSVars}
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
get_attr: [BarbicanApiLogging, docker_config, step_2]
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3:
barbican_api_db_sync:
start_order: 0
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
barbican_api_secret_store_sync:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment: &kolla_env
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
barbican_keystone_listener:
start_order: 6
image: {get_param: DockerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
map_merge:
- if:
- pkcs11_plugin_enabled
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_mkek --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "|| /usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm gen_mkek --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
- {}
- if:
- pkcs11_plugin_enabled
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "--mechanism"
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
- "'"
- {}
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
barbican_worker:
start_order: 7
image: {get_param: DockerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
- barbican_api_secret_store_sync:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: &kolla_env
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: DockerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: DockerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: *kolla_env
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
upgrade_tasks:
- when: step|int == 3

29
environments/barbican-backend-pkcs11-atos.yaml Normal file
View File

@ -0,0 +1,29 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType: 'CKK_GENERIC_SECRET'
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
BarbicanPkcs11CryptoMKEKLength: 32
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true
ATOSVars:
atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location:
# atos_client_iso_name:
# atos_client_cert_location:
# atos_client_key_loaction:
# atos_hsm_ip_address:
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

38
environments/barbican-backend-pkcs11-thales.yaml Normal file
View File

@ -0,0 +1,38 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend with
# a Thales HSM.
# Note that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC'
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN'
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
BarbicanPkcs11CryptoMKEKLength: '32'
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoThalesEnabled: true
BarbicanPkcs11CryptoEnabled: true
ThalesVars:
thales_client_working_dir: /tmp/thales_client_install
# thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.
# thales_client_tarball_name: Filename for the CipherTools tarball.
thales_client_path: linux/libc6_11/amd64/nfast
thales_client_uid: 42481
thales_client_gid: 42481
# thales_km_data_location: URL where the RFS kmdata tarball can be downloaded.
# thales_km_data_tarball_name: Filename for the kmdata tarball.
# thales_hsm_ip_address: IP address for the HSM
# thales_rfs_server_ip_address: IP address for the RFS Server.
# thales_hsm_config_location: The directory where the hsm configuration is stored in
# your RFS server. e.g. hsm-XXXX-XXXX-XXXX.
# thales_rfs_user: Username used to log into RFS server.
# thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

1
environments/barbican-backend-pkcs11.yaml
View File

@ -11,6 +11,7 @@ parameter_defaults:
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoEnabled: true
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

34
puppet/services/barbican-backend-pkcs11-crypto.yaml
View File

@ -34,22 +34,44 @@ parameters:
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: number
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: number
type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoAESGCMGenerateIV:
description: Generate IVs for CKM_AES_GCM encryption mechanism
type: boolean
default: true
BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
@ -61,10 +83,14 @@ outputs:
value:
service_name: barbican_backend_pkcs11_crypto
config_settings:
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}

10
releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml Normal file
View File

@ -0,0 +1,10 @@
---
features:
- |
Added code in the barbican-api.yaml template to allow barbican to be
configured to run with either an ATOS or Thales HSM back-end. Also
added environment files with all the required variables. The added code
installs and configures the client software on the barbican nodes,
generates the required kets for the PKCS#11 plugin, and configures
barbican correctly. For the Thales case, it also contacts the RFS server
to add the new clients to the HSM.