openstack
/
tripleo-heat-templates
Code Issues Proposed changes
Browse Source

Add template code to configure hsm backends for barbican 

Adds support for the Thales and ATOS client software.

Change-Id: I79f8608431fecc58c8bdeba2de4a692a7ee388e9
Co-Authored-By: Douglas Mendizabal <dmendiza@redhat.com>
changes/34/610634/17
Ade Lee 4 years ago committed by Douglas Mendizábal
parent
795dfcfdce
commit
17e0087e43
6 changed files with 547 additions and 121 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 556
      docker/services/barbican-api.yaml
  2. 29
      environments/barbican-backend-pkcs11-atos.yaml
  3. 38
      environments/barbican-backend-pkcs11-thales.yaml
  4. 1
      environments/barbican-backend-pkcs11.yaml
  5. 34
      puppet/services/barbican-backend-pkcs11-crypto.yaml
  6. 10
      releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml

556
docker/services/barbican-api.yaml
Unescape View File

@ -49,10 +49,76 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of tripleo-barbican-thales variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of tripleo-barbican-atos variables used to
install ATOS client software.
type: json
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
thales_or_atos_hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
resources:
@ -119,128 +185,384 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
when: step == '2'
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]}
thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_client_ips: "{{thales_client_ips}}"
thales_hsm_ip_address: "{{thales_hsm_ip_address}}"
thales_hsm_config_location: "{{thales_hsm_config_location}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
roles:
- tripleo-barbican-thales-rfs
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
if:
- thales_or_atos_hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
when: step == '2'
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: tripleo-barbican-thales
vars:
{get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
when: step == '2'
block:
- include_role:
name: tripleo-barbican-atos
vars:
{get_param: ATOSVars}
- null
- null
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
get_attr: [BarbicanApiLogging, docker_config, step_2]
map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3:
barbican_api_db_sync:
start_order: 0
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
barbican_api_secret_store_sync:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment: &kolla_env
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
barbican_keystone_listener:
start_order: 6
image: {get_param: DockerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
map_merge:
- if:
- pkcs11_plugin_enabled
- barbican_api_create_mkek:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: &barbican_api_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_mkek --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "|| /usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm gen_mkek --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- "'"
- {}
- if:
- pkcs11_plugin_enabled
- barbican_api_create_hmac:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
list_join:
- ' '
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "hsm check_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "--mechanism"
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
- "'"
- {}
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
barbican_worker:
start_order: 7
image: {get_param: DockerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db upgrade"
- "'"
- barbican_api_secret_store_sync:
start_order: 1
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- "db sync_secret_stores --verbose"
- "'"
- barbican_api:
# NOTE(alee): Barbican should start after keystone processes
start_order: 5
image: *barbican_api_image
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: &kolla_env
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: DockerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: DockerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: *kolla_env
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
upgrade_tasks:
- when: step|int == 3

29
environments/barbican-backend-pkcs11-atos.yaml
Unescape View File

@ -0,0 +1,29 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType: 'CKK_GENERIC_SECRET'
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
BarbicanPkcs11CryptoMKEKLength: 32
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true
ATOSVars:
atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location:
# atos_client_iso_name:
# atos_client_cert_location:
# atos_client_key_loaction:
# atos_hsm_ip_address:
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

38
environments/barbican-backend-pkcs11-thales.yaml
Unescape View File

@ -0,0 +1,38 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend with
# a Thales HSM.
# Note that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC'
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN'
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
BarbicanPkcs11CryptoMKEKLength: '32'
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoThalesEnabled: true
BarbicanPkcs11CryptoEnabled: true
ThalesVars:
thales_client_working_dir: /tmp/thales_client_install
# thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.
# thales_client_tarball_name: Filename for the CipherTools tarball.
thales_client_path: linux/libc6_11/amd64/nfast
thales_client_uid: 42481
thales_client_gid: 42481
# thales_km_data_location: URL where the RFS kmdata tarball can be downloaded.
# thales_km_data_tarball_name: Filename for the kmdata tarball.
# thales_hsm_ip_address: IP address for the HSM
# thales_rfs_server_ip_address: IP address for the RFS Server.
# thales_hsm_config_location: The directory where the hsm configuration is stored in
# your RFS server. e.g. hsm-XXXX-XXXX-XXXX.
# thales_rfs_user: Username used to log into RFS server.
# thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

1
environments/barbican-backend-pkcs11.yaml
Unescape View File

@ -11,6 +11,7 @@ parameter_defaults:
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoEnabled: true
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

34
puppet/services/barbican-backend-pkcs11-crypto.yaml
Unescape View File

@ -34,22 +34,44 @@ parameters:
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: number
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: number
type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoAESGCMGenerateIV:
description: Generate IVs for CKM_AES_GCM encryption mechanism
type: boolean
default: true
BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
@ -61,10 +83,14 @@ outputs:
value:
service_name: barbican_backend_pkcs11_crypto
config_settings:
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}

10
releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml
Unescape View File

@ -0,0 +1,10 @@
---
features:
- |
Added code in the barbican-api.yaml template to allow barbican to be
configured to run with either an ATOS or Thales HSM back-end. Also
added environment files with all the required variables. The added code
installs and configures the client software on the barbican nodes,
generates the required kets for the PKCS#11 plugin, and configures
barbican correctly. For the Thales case, it also contacts the RFS server
to add the new clients to the HSM.
Write Preview
Loading…
Cancel
Save