From 17e0087e433a930a8b97d3c2cdd943aaf5975357 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 15 Oct 2018 16:05:56 +0000 Subject: [PATCH] Add template code to configure hsm backends for barbican Adds support for the Thales and ATOS client software. Change-Id: I79f8608431fecc58c8bdeba2de4a692a7ee388e9 Co-Authored-By: Douglas Mendizabal
---
 docker/services/barbican-api.yaml | 556 ++++++++++++++---- .../barbican-backend-pkcs11-atos.yaml | 29 + .../barbican-backend-pkcs11-thales.yaml | 38 ++ environments/barbican-backend-pkcs11.yaml | 1 + .../barbican-backend-pkcs11-crypto.yaml | 34 +- ...dd-barbican-hsm-code-2ceffb2e1c3f6b67.yaml | 10 + 6 files changed, 547 insertions(+), 121 deletions(-) create mode 100644 environments/barbican-backend-pkcs11-atos.yaml create mode 100644 environments/barbican-backend-pkcs11-thales.yaml create mode 100644 releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml
diff --git a/docker/services/barbican-api.yaml b/docker/services/barbican-api.yaml
index cc783cefcd..5c8006c3b7 100644
--- a/docker/services/barbican-api.yaml
+++ b/docker/services/barbican-api.yaml
@@ -49,10 +49,76 @@ parameters: default: false description: Remove package if the service is being disabled during upgrade type: boolean + BarbicanPkcs11CryptoATOSEnabled: + type: boolean + default: false + BarbicanPkcs11CryptoThalesEnabled: + type: boolean + default: false + BarbicanPkcs11CryptoEnabled: + type: boolean + default: false + BarbicanPkcs11CryptoLibraryPath: + description: Path to vendor PKCS11 library + type: string + default: '' + BarbicanPkcs11CryptoLogin: + description: Password to login to PKCS11 session + type: string + hidden: true + default: '' + BarbicanPkcs11CryptoMKEKLabel: + description: Label for Master KEK + type: string + default: '' + BarbicanPkcs11CryptoMKEKLength: + description: Length of Master KEK in bytes + type: string + default: '256' + BarbicanPkcs11CryptoHMACLabel: + description: Label for the HMAC key + type: string + default: '' + BarbicanPkcs11CryptoSlotId: + description: Slot Id for the HSM + type: string + default: '0' + BarbicanPkcs11CryptoEncryptionMechanism: + description: Cryptoki Mechanism used for encryption + type: string + default: 'CKM_AES_CBC' + BarbicanPkcs11CryptoHMACKeyType: + description: Cryptoki Key Type for Master HMAC key + type: string + default: 'CKK_AES' + BarbicanPkcs11CryptoHMACKeygenMechanism: + description: Cryptoki Mechanism used to generate Master HMAC Key + type: string + default: 'CKM_AES_KEY_GEN' + ThalesHSMNetworkName: + description: The network that the HSM is listening on. + type: string + default: 'internal_api' + ThalesVars: + default: {} + description: Hash of tripleo-barbican-thales variables used to + install Thales client software. + type: json + ATOSVars: + default: {} + description: Hash of tripleo-barbican-atos variables used to + install ATOS client software. 
+ type: json conditions: - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]} + atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]} + thales_or_atos_hsm_enabled: + or: + - thales_hsm_enabled + - atos_hsm_enabled + pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]} resources: 
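Review bot: `ThalesVars` is declared as a plain `type: json` parameter with no `hidden: true`, yet the Thales environment file added later in this patch feeds it `thales_rfs_key`, an RSA private key in PEM form used to SSH into the RFS server, so that key will be printed by `openstack stack show` / plan output where `BarbicanPkcs11CryptoLogin` (correctly marked `hidden: true`) is masked; add `hidden: true` to `ThalesVars`, and to `ATOSVars` for symmetry since it carries the HSM address and client certificate/key locations. The new `BarbicanPkcs11CryptoMKEKLength` default `'256'` also disagrees with its own description ("in bytes") and with the `32` both vendor environment files set, and 256 bytes is not an AES key size for the default `CKM_AES_KEY_GEN` mechanism, so the default should be `'32'`. These parameter declarations are duplicated in puppet/services/barbican-backend-pkcs11-crypto.yaml further down, so both copies need the same corrections.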
@@ -119,128 +185,384 @@ outputs: dest: "/" merge: true preserve_properties: true + external_deploy_tasks: + if: + - thales_hsm_enabled + - + - name: Add ip addresses to the RFS server + when: step == '2' + block: + - name: get the ip addresses for the barbican nodes + set_fact: + thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir" + thales_client_ips: + str_replace: + template: >- + {% for host in groups['barbican_backend_pkcs11_crypto'] -%} + {{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }} + {%- endfor %} + params: + $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName} + thales_bootstrap_client_ip: + str_replace: + template: >- + {% for host in groups['barbican_backend_pkcs11_crypto'] -%} + {% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%} + {{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }} + {%- endif %} + {%- endfor %} + params: + $THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName} + thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]} + thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]} + thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]} + + - name: set playbook vars + set_fact: + thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory" + thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa" + thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml" + + - name: creating working directory + file: + path: "{{thales_rfs_playbook_dir}}" + state: directory + + - name: generate an inventory + copy: + dest: "{{thales_rfs_inventory}}" + content: {get_param: [ThalesVars, thales_rfs_server_ip_address]} + + - name: write SSH key to file + copy: + dest: "{{thales_rfs_keyfile}}" + content: {get_param: [ThalesVars, thales_rfs_key]} + mode: 0400 + + - name: generate playbook to run + copy: + dest: "{{thales_rfs_playbook}}" + content: | + --- + - hosts: all + remote_user: "{{thales_rfs_user}}" + vars: + thales_client_ips: 
"{{thales_client_ips}}" + thales_hsm_ip_address: "{{thales_hsm_ip_address}}" + thales_hsm_config_location: "{{thales_hsm_config_location}}" + thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}" + roles: + - tripleo-barbican-thales-rfs + + - name: call ansible on rfs server + shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}" + + - name: clean up working directory + file: + path: "{{thales_rfs_playbook_dir}}" + state: absent + - null + deploy_steps_tasks: + if: + - thales_or_atos_hsm_enabled + - list_concat: + - + if: + - thales_hsm_enabled + - + - name: Thales client install + when: step == '2' + block: + - set_fact: + my_thales_client_ip: + str_replace: + template: + "{{$NETWORK_ip}}" + params: + $NETWORK: {get_param: ThalesHSMNetworkName} + - include_role: + name: tripleo-barbican-thales + vars: + {get_param: ThalesVars} + - null + - + if: + - atos_hsm_enabled + - + - name: ATOS client install + when: step == '2' + block: + - include_role: + name: tripleo-barbican-atos + vars: + {get_param: ATOSVars} + - null + - null + docker_config: # db sync runs before permissions set by kolla_config step_2: - get_attr: [BarbicanApiLogging, docker_config, step_2] + map_merge: + - get_attr: [BarbicanApiLogging, docker_config, step_2] + - if: + - atos_hsm_enabled + - barbican_init_atos_directory: + image: &barbican_api_image {get_param: DockerBarbicanApiImage} + user: root + volumes: + - /etc/proteccio:/etc/proteccio + - /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so + command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so'] + - {} step_3: - barbican_api_db_sync: - start_order: 0 - image: &barbican_api_image {get_param: DockerBarbicanApiImage} - net: host - detach: false - user: root - volumes: &barbican_api_volumes - list_concat: - - {get_attr: 
[ContainersCommon, volumes]} - - {get_attr: [BarbicanApiLogging, volumes]} - - - - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro - - /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro - command: - # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part - # of the bash -c invocation, so we include them in the quoted db sync command. Hence the - # final single quote that's part of the list_join. - list_join: - - ' ' - - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - - "db upgrade" - - "'" - barbican_api_secret_store_sync: - start_order: 1 - image: *barbican_api_image - net: host - detach: false - user: root - volumes: *barbican_api_volumes - command: - # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part - # of the bash -c invocation, so we include them in the quoted db sync command. Hence the - # final single quote that's part of the list_join. 
- list_join: - - ' ' - - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - - {get_attr: [BarbicanApiLogging, cmd_extra_args]} - - "db sync_secret_stores --verbose" - - "'" - barbican_api: - # NOTE(alee): Barbican should start after keystone processes - start_order: 5 - image: *barbican_api_image - net: host - privileged: false - restart: always - user: root - healthcheck: - test: /openstack/healthcheck - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [BarbicanApiLogging, volumes]} - - - - /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro - - - if: - - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - - '' - - - if: - - internal_tls_enabled - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - - '' - environment: &kolla_env - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - barbican_keystone_listener: - start_order: 6 - image: {get_param: DockerBarbicanKeystoneListenerImage} - net: host - privileged: false - restart: always - user: barbican - healthcheck: - test: - list_join: + map_merge: + - if: + - pkcs11_plugin_enabled + - barbican_api_create_mkek: + start_order: 0 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: &barbican_api_volumes + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [BarbicanApiLogging, volumes]} + - + - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro + - /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro + - + if: + - thales_hsm_enabled + - + - /opt/nfast:/opt/nfast + - null + - + if: + - atos_hsm_enabled + - + - /etc/proteccio:/etc/proteccio + - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so + - null + command: + list_join: + - ' ' + - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c 
'/usr/bin/barbican-manage" + - {get_attr: [BarbicanApiLogging, cmd_extra_args]} + - "hsm check_mkek --library-path" + - {get_param: [BarbicanPkcs11CryptoLibraryPath]} + - "--slot-id" + - {get_param: [BarbicanPkcs11CryptoSlotId]} + - "--passphrase" + - {get_param: [BarbicanPkcs11CryptoLogin]} + - "--label" + - {get_param: [BarbicanPkcs11CryptoMKEKLabel]} + - "|| /usr/bin/barbican-manage" + - {get_attr: [BarbicanApiLogging, cmd_extra_args]} + - "hsm gen_mkek --library-path" + - {get_param: [BarbicanPkcs11CryptoLibraryPath]} + - "--slot-id" + - {get_param: [BarbicanPkcs11CryptoSlotId]} + - "--passphrase" + - {get_param: [BarbicanPkcs11CryptoLogin]} + - "--label" + - {get_param: [BarbicanPkcs11CryptoMKEKLabel]} + - "'" + - {} + - if: + - pkcs11_plugin_enabled + - barbican_api_create_hmac: + start_order: 0 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: *barbican_api_volumes + command: + list_join: + - ' ' + - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" + - {get_attr: [BarbicanApiLogging, cmd_extra_args]} + - "hsm check_hmac --library-path" + - {get_param: [BarbicanPkcs11CryptoLibraryPath]} + - "--slot-id" + - {get_param: [BarbicanPkcs11CryptoSlotId]} + - "--passphrase" + - {get_param: [BarbicanPkcs11CryptoLogin]} + - "--label" + - {get_param: [BarbicanPkcs11CryptoHMACLabel]} + - "--key-type" + - {get_param: [BarbicanPkcs11CryptoHMACKeyType]} + - "|| /usr/bin/barbican-manage hsm gen_hmac --library-path" + - {get_param: [BarbicanPkcs11CryptoLibraryPath]} + - "--slot-id" + - {get_param: [BarbicanPkcs11CryptoSlotId]} + - "--passphrase" + - {get_param: [BarbicanPkcs11CryptoLogin]} + - "--label" + - {get_param: [BarbicanPkcs11CryptoHMACLabel]} + - "--key-type" + - {get_param: [BarbicanPkcs11CryptoHMACKeyType]} + - "--mechanism" + - {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]} + - "'" + - {} + - if: + - thales_hsm_enabled + - 
barbican_api_update_rfs_server_with_mkek_and_hmac_keys: + start_order: 0 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: *barbican_api_volumes + command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit" + - {} + - if: + - thales_hsm_enabled + - barbican_api_get_mkek_and_hmac_keys_from_rfs: + start_order: 0 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: *barbican_api_volumes + command: "/opt/nfast/bin/rfs-sync --update" + - {} + - barbican_api_db_sync: + start_order: 0 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: *barbican_api_volumes + command: + # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part + # of the bash -c invocation, so we include them in the quoted db sync command. Hence the + # final single quote that's part of the list_join. + list_join: - ' ' - - - '/openstack/healthcheck' - - yaql: - expression: str($.data.port) - data: - port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']} - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [BarbicanApiLogging, volumes]} - - - - /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro - environment: *kolla_env - barbican_worker: - start_order: 7 - image: {get_param: DockerBarbicanWorkerImage} - net: host - privileged: false - restart: always - user: barbican - healthcheck: - test: - list_join: + - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" + - {get_attr: [BarbicanApiLogging, cmd_extra_args]} + - "db upgrade" + - "'" + - barbican_api_secret_store_sync: + start_order: 1 + image: *barbican_api_image + net: host + detach: false + user: root + volumes: *barbican_api_volumes + command: + # 
NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part + # of the bash -c invocation, so we include them in the quoted db sync command. Hence the + # final single quote that's part of the list_join. + list_join: - ' ' - - - '/openstack/healthcheck' - - yaql: - expression: str($.data.port) - data: - port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']} - volumes: - list_concat: - - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [BarbicanApiLogging, volumes]} - - - - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro - environment: *kolla_env + - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" + - {get_attr: [BarbicanApiLogging, cmd_extra_args]} + - "db sync_secret_stores --verbose" + - "'" + - barbican_api: + # NOTE(alee): Barbican should start after keystone processes + start_order: 5 + image: *barbican_api_image + net: host + privileged: false + restart: always + user: root + healthcheck: + test: /openstack/healthcheck + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [BarbicanApiLogging, volumes]} + - + - /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro + - + if: + - internal_tls_enabled + - + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - null + - + if: + - thales_hsm_enabled + - + - /opt/nfast:/opt/nfast + - null + - + if: + - atos_hsm_enabled + - + - /etc/proteccio:/etc/proteccio + - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so + - null + environment: &kolla_env + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - barbican_keystone_listener: + start_order: 6 + image: {get_param: 
DockerBarbicanKeystoneListenerImage} + net: host + privileged: false + restart: always + user: barbican + healthcheck: + test: + list_join: + - ' ' + - - '/openstack/healthcheck' + - yaql: + expression: str($.data.port) + data: + port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']} + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [BarbicanApiLogging, volumes]} + - + - /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro + environment: *kolla_env + - barbican_worker: + start_order: 7 + image: {get_param: DockerBarbicanWorkerImage} + net: host + privileged: false + restart: always + user: barbican + healthcheck: + test: + list_join: + - ' ' + - - '/openstack/healthcheck' + - yaql: + expression: str($.data.port) + data: + port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']} + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [BarbicanApiLogging, volumes]} + - + - /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro + - + if: + - thales_hsm_enabled + - + - /opt/nfast:/opt/nfast + - null + - + if: + - atos_hsm_enabled + - + - /etc/proteccio:/etc/proteccio + - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so + - null + environment: *kolla_env host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]} upgrade_tasks: - when: step|int == 3 diff --git a/environments/barbican-backend-pkcs11-atos.yaml b/environments/barbican-backend-pkcs11-atos.yaml new file mode 100644 index 0000000000..d576380a50 --- /dev/null +++ b/environments/barbican-backend-pkcs11-atos.yaml 
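Review bot: The ATOS init container added under `step_2` bind-mounts `/usr/lib64/libnetshm.so` (letters transposed) onto `/usr/lib64/libnethsm.so`, while every other mount in this hunk uses `libnethsm.so`; if the misspelled host path does not exist Docker creates an empty directory there and the `chown` acts on that instead of the vendor library, so the line should read `- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so`. The RFS step runs `ansible-playbook` with `ANSIBLE_HOST_KEY_CHECKING=False` and `-o StrictHostKeyChecking=no` while authenticating with a private key to the server that holds the HSM key-management data, so anyone on the path to `thales_rfs_server_ip_address` can impersonate it undetected; accept a `thales_rfs_host_key` entry in `ThalesVars`, write it to a known_hosts file in `thales_rfs_playbook_dir` and pass `-o UserKnownHostsFile=<that file>` instead of disabling checking, and add `no_log: true` to the `copy` task that writes `thales_rfs_key` so the PEM does not land in the undercloud's Ansible output. The `barbican-manage hsm` commands splice `BarbicanPkcs11CryptoLogin` unquoted into a single-quoted `bash -c '...'` string, so a PIN containing a quote, space or `$` breaks or rewrites the command, and the PIN is exposed in the container's command line (`ps`, `docker inspect`) and in the rendered docker config on disk; if `barbican-manage hsm` can fall back to `p11_crypto_plugin_login` from the already-mounted barbican.conf, relying on that would avoid both problems. Lastly, `barbican_api_create_mkek`, `barbican_api_create_hmac`, the `rfs-sync --commit` and the `rfs-sync --update` containers all share `start_order: 0`, so nothing guarantees the keys are generated and committed on the bootstrap node before the other nodes run `--update`; giving the two rfs-sync containers increasing start_order values (commit before update, both after key creation) would make the intended sequence explicit rather than dependent on how paunch orders equal start_order entries.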
@@ -0,0 +1,29 @@ +# A Heat environment file to enable the barbican PKCS11 crypto backend. Note +# that barbican needs to be enabled in order to use this. +parameter_defaults: + # In order to use this backend, you need to uncomment these values and + # provide the appropriate values. + # + # BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session + # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM + # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin + + BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so' + BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC' + BarbicanPkcs11CryptoHMACKeyType: 'CKK_GENERIC_SECRET' + BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN' + BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0' + BarbicanPkcs11CryptoMKEKLength: 32 + BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0' + BarbicanPkcs11CryptoATOSEnabled: true + BarbicanPkcs11CryptoEnabled: true + ATOSVars: + atos_client_working_dir: /tmp/atos_client_install + # atos_client_iso_location: + # atos_client_iso_name: + # atos_client_cert_location: + # atos_client_key_loaction: + # atos_hsm_ip_address: + +resource_registry: + OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml diff --git a/environments/barbican-backend-pkcs11-thales.yaml b/environments/barbican-backend-pkcs11-thales.yaml new file mode 100644 index 0000000000..7ee30c812d --- /dev/null +++ b/environments/barbican-backend-pkcs11-thales.yaml 
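Review bot: `BarbicanPkcs11CryptoMKEKLength: 32` is an unquoted integer while this patch declares the parameter `type: string` in both templates it touches, and the sibling Thales environment file quotes it as `'32'`; quote it here too, `BarbicanPkcs11CryptoMKEKLength: '32'`, rather than relying on Heat to coerce it. The commented key `atos_client_key_loaction` is misspelled and should be `atos_client_key_location`, which matters because operators copy these commented names verbatim into `ATOSVars`. The header comment should also say this is the ATOS/Proteccio variant of the PKCS#11 backend, as the Thales file does, and since `BarbicanPkcs11CryptoLogin` and the client certificate/key locations point at secret material, a note to keep them in a separate restricted environment file rather than alongside the rest of the deployment config would be appropriate.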
@@ -0,0 +1,38 @@ +# A Heat environment file to enable the barbican PKCS11 crypto backend with +# a Thales HSM. +# Note that barbican needs to be enabled in order to use this. +parameter_defaults: + # In order to use this backend, you need to uncomment these values and + # provide the appropriate values. + # + # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session + # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM + # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin + + BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so' + BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC' + BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC' + BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN' + BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0' + BarbicanPkcs11CryptoMKEKLength: '32' + BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0' + BarbicanPkcs11CryptoThalesEnabled: true + BarbicanPkcs11CryptoEnabled: true + ThalesVars: + thales_client_working_dir: /tmp/thales_client_install + # thales_client_tarball_location: URI where the CipherTools tarball can be downloaded. + # thales_client_tarball_name: Filename for the CipherTools tarball. + thales_client_path: linux/libc6_11/amd64/nfast + thales_client_uid: 42481 + thales_client_gid: 42481 + # thales_km_data_location: URL where the RFS kmdata tarball can be downloaded. + # thales_km_data_tarball_name: Filename for the kmdata tarball. + # thales_hsm_ip_address: IP address for the HSM + # thales_rfs_server_ip_address: IP address for the RFS Server. + # thales_hsm_config_location: The directory where the hsm configuration is stored in + # your RFS server. e.g. hsm-XXXX-XXXX-XXXX. + # thales_rfs_user: Username used to log into RFS server. + # thales_rfs_key: RSA Private key in PEM format used to log into RFS server. + +resource_registry: + OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml 
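Review bot: `thales_rfs_key` is documented here as the RSA private key in PEM form placed directly into `parameter_defaults`, so an operator following this template will end up keeping SSH credentials for the RFS server (and the HSM PIN in `BarbicanPkcs11CryptoLogin`) next to the rest of their deployment configuration; the comment should steer them elsewhere, e.g. `# thales_rfs_key: RSA private key (PEM) used to log into the RFS server; keep this in a separate, non-versioned environment file.` `thales_client_tarball_location` and `thales_km_data_location` are bare download URIs with no accompanying checksum variables, so unless the tripleo-barbican-thales role verifies what it fetches (that role is outside this patch), the vendor client and the key-management data it installs are taken on trust from wherever the URI points; corresponding `thales_client_tarball_sha256` / `thales_km_data_sha256` entries would let the role pin them. It would also help to state that `thales_rfs_server_ip_address` will be contacted over SSH from the undercloud, since that is where the RFS playbook in barbican-api.yaml runs.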
diff --git a/environments/barbican-backend-pkcs11.yaml b/environments/barbican-backend-pkcs11.yaml index 9018360810..4767de2bb7 100644 --- a/environments/barbican-backend-pkcs11.yaml +++ b/environments/barbican-backend-pkcs11.yaml @@ -11,6 +11,7 @@ parameter_defaults: # BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin + BarbicanPkcs11CryptoEnabled: true resource_registry: OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml diff --git a/puppet/services/barbican-backend-pkcs11-crypto.yaml b/puppet/services/barbican-backend-pkcs11-crypto.yaml index b0d21e70b5..1857ce8164 100644 --- a/puppet/services/barbican-backend-pkcs11-crypto.yaml +++ b/puppet/services/barbican-backend-pkcs11-crypto.yaml 
@@ -34,22 +34,44 @@ parameters: BarbicanPkcs11CryptoLibraryPath: description: Path to vendor PKCS11 library type: string + default: '' BarbicanPkcs11CryptoLogin: description: Password to login to PKCS11 session type: string hidden: true + default: '' BarbicanPkcs11CryptoMKEKLabel: description: Label for Master KEK type: string + default: '' BarbicanPkcs11CryptoMKEKLength: description: Length of Master KEK in bytes - type: number + type: string + default: '256' BarbicanPkcs11CryptoHMACLabel: description: Label for the HMAC key type: string + default: '' BarbicanPkcs11CryptoSlotId: description: Slot Id for the HSM - type: number + type: string + default: '0' + BarbicanPkcs11CryptoEncryptionMechanism: + description: Cryptoki Mechanism used for encryption + type: string + default: 'CKM_AES_CBC' + BarbicanPkcs11CryptoHMACKeyType: + description: Cryptoki Key Type for Master HMAC key + type: string + default: 'CKK_AES' + BarbicanPkcs11CryptoHMACKeygenMechanism: + description: Cryptoki Mechanism used to generate Master HMAC Key + type: string + default: 'CKM_AES_KEY_GEN' + BarbicanPkcs11CryptoAESGCMGenerateIV: + description: Generate IVs for CKM_AES_GCM encryption mechanism + type: boolean + default: true BarbicanPkcs11CryptoGlobalDefault: description: Whether this plugin is the global default plugin type: boolean 
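Review bot: The `default: ''` added to `BarbicanPkcs11CryptoLibraryPath`, `BarbicanPkcs11CryptoLogin`, `BarbicanPkcs11CryptoMKEKLabel` and `BarbicanPkcs11CryptoHMACLabel` removes the only guard that these values were supplied: before this hunk a missing library path or PIN was rejected at stack validation, whereas now an empty string is rendered into barbican.conf and into the `barbican-manage hsm` commands and surfaces only as a runtime HSM failure. If the defaults exist so barbican-api.yaml can declare the same parameters, say so in the descriptions, e.g. `description: Password to login to PKCS11 session (required when BarbicanPkcs11CryptoEnabled is true)`. `BarbicanPkcs11CryptoMKEKLength` now defaults to `'256'` although the description says bytes and the vendor environment files use 32, so the default should be `'32'`. Changing `MKEKLength` and `SlotId` from `number` to `string` is a user-visible type change for existing environment files that set unquoted numbers and deserves a line in the release note. Finally, `BarbicanPkcs11CryptoAESGCMGenerateIV` only applies when `BarbicanPkcs11CryptoEncryptionMechanism` is `CKM_AES_GCM`, and its description should say so given the default mechanism is `CKM_AES_CBC`.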
@@ -61,10 +83,14 @@ outputs: value: service_name: barbican_backend_pkcs11_crypto config_settings: - barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath} - barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin} + barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath} + barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin} barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel} barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength} barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel} barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId} + barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism} + barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType} + barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism} + barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV} barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault} diff --git a/releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml b/releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml new file mode 100644 index 0000000000..a086d3078d --- /dev/null +++ b/releasenotes/notes/add-barbican-hsm-code-2ceffb2e1c3f6b67.yaml 
@@ -0,0 +1,10 @@ +--- +features: + - | + Added code in the barbican-api.yaml template to allow barbican to be + configured to run with either an ATOS or Thales HSM back-end. Also + added environment files with all the required variables. The added code + installs and configures the client software on the barbican nodes, + generates the required kets for the PKCS#11 plugin, and configures + barbican correctly. For the Thales case, it also contacts the RFS server + to add the new clients to the HSM.