From 9b67d642081b1fdcc312c497fcb4c9afa5e1d9fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Mon, 1 Mar 2021 15:29:49 -0600
Subject: [PATCH] Add new options for Barbican PKCS#11 backend

This patch adds two new parameters for deploying Barbican with the PCKS#11 backend `BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`. The patch also deprecates `BarbicanPkcs11CryptoTokenLabel` in favor of the new option that can be set to more than one label.

Depends-On: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
Change-Id: I1c5059799f613a62a13379eb82ba516a8ed3a15a
(cherry picked from commit 3b4d488a6a307e575048d7e553e223452e543a21)
---
 .../barbican-api-container-puppet.yaml | 20 ++++++++++++++++---
 ...barbican-backend-pkcs11-crypto-puppet.yaml | 16 ++++++++++++++-
 .../barbican-backend-pkcs11-atos.yaml | 13 ++++++++++--
 .../barbican-backend-pkcs11-lunasa.yaml | 3 +--
 .../barbican-backend-pkcs11-thales.yaml | 3 +--
 ...bican-pkcs11-options-a2ec14369518b40e.yaml | 9 +++++++++
 6 files changed, 54 insertions(+), 10 deletions(-)
 create mode 100644 releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index f84753ba07..c1b48c8e0d 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -88,7 +88,14 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoTokenLabel:
- description: Label for PKCS#11 token to be used
+ description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
+ type: string
+ default: ''
+ BarbicanPkcs11CryptoTokenLabels:
+ description: List of comma separated labels for the tokens to be used.
+ This is typically a single label, but some devices may require
+ more than one label for Load Balancing and High Availability
+ configurations.
 type: string
 default: ''
 BarbicanPkcs11CryptoHMACKeyType:
@@ -183,6 +190,7 @@ conditions:
 - lunasa_hsm_enabled
 pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
 pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
+ pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
 enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
 # Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
 # will use the Controller's IP address from that network instead.
@@ -491,11 +499,17 @@ outputs:
 - map_merge:
 - {get_param: LunasaVars}
 - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
+ - if:
+ - pkcs11_tokens_unset
+ - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
+ - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
 - map_merge:
 - {get_param: LunasaVars}
 - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
+ - if:
+ - pkcs11_tokens_unset
+ - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
+ - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
 - lunasa_client_ip:
 str_replace:
 template:
diff --git a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
index 4bbd24f129..46dea07eba 100644
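Review bot: The deprecation of `BarbicanPkcs11CryptoTokenLabel` in the first hunk is signalled only in its description; if this template's parameter_groups section (outside the hunk) carries a `label: deprecated` group, the parameter should be listed there too, and the same applies to the matching hunk in barbican-backend-pkcs11-crypto-puppet.yaml. The description should also state the precedence the third hunk implements, since `pkcs11_tokens_unset` lets the old value take effect only while the new one is empty: `description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead. For the Lunasa client configuration this value is ignored whenever BarbicanPkcs11CryptoTokenLabels is set.` Whether the same precedence holds for the p11_crypto plugin is decided outside this template, so the description should not claim more than that.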
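Review bot: In the third hunk `lunasa_ha_label` now receives the raw `BarbicanPkcs11CryptoTokenLabels` string, which the first hunk documents as a comma separated list, while the Lunasa environment comment updated later in this patch still describes the value as the single partition or HA group label. Unless the Lunasa client role splits the value on commas, a multi-label setting would be handed over as one malformed label; either say in the Lunasa environment comment that only a single label is supported there, or derive the Lunasa value from the first element. The two `if:` blocks are identical four-line copies inside neighbouring map_merge entries; selecting the label once under a single condition would keep them from drifting. The enclosing outputs block continues outside the hunk.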
--- a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
+++ b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
@@ -61,7 +61,14 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoTokenLabel:
- description: Label for PKCS#11 token to be used
+ description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
+ type: string
+ default: ''
+ BarbicanPkcs11CryptoTokenLabels:
+ description: List of comma separated labels for the tokens to be used.
+ This is typically a single label, but some devices may require
+ more than one label for Load Balancing and High Availability
+ configurations.
 type: string
 default: ''
 BarbicanPkcs11CryptoEncryptionMechanism:
@@ -84,6 +91,11 @@ parameters:
 description: Always set CKA_SENSITIVE=CK_TRUE
 type: boolean
 default: true
+ BarbicanPkcs11CryptoOsLockingOk:
+ description: Set CKF_OS_LOCKING_OK flag when initializing the client
+ library.
+ type: boolean
+ default: false
 BarbicanPkcs11CryptoGlobalDefault:
 description: Whether this plugin is the global default plugin
 type: boolean
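Review bot: The description of `BarbicanPkcs11CryptoOsLockingOk` in the second hunk names the flag but not its effect, so an operator has no basis for deciding whether to turn it on. Suggest `description: Pass the CKF_OS_LOCKING_OK flag to the PKCS#11 library at initialization, allowing it to use native operating-system threading primitives for its internal locking. Leave at false unless the HSM client library documentation calls for it.` The ATOS environment file in this same patch sets the parameter to true, which suggests the nethsm client library expects it; that is worth a sentence in the description once confirmed against the vendor documentation.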
@@ -103,9 +115,11 @@ outputs:
 barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
 barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
 barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
 barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
 barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
 barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
diff --git a/environments/barbican-backend-pkcs11-atos.yaml b/environments/barbican-backend-pkcs11-atos.yaml
index 98145e0784..9563d5174e 100644
--- a/environments/barbican-backend-pkcs11-atos.yaml
+++ b/environments/barbican-backend-pkcs11-atos.yaml
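Review bot: `p11_crypto_plugin_token_label` is still emitted unconditionally next to the new `p11_crypto_plugin_token_labels` key, so unlike the Lunasa block in barbican-api-container-puppet.yaml, which picks one value via `pkcs11_tokens_unset`, this template leaves the precedence between the deprecated and the new value to puppet-barbican and Barbican, presumably through the Depends-On change. A comment above the added line would spare the next reader that lookup: `# token_labels supersedes the deprecated token_label; which one wins when both are set is resolved in puppet-barbican, not here`. The outputs mapping starts and continues outside the hunk.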
@@ -5,7 +5,10 @@ parameter_defaults:
 # provide the appropriate values.
 #
 # BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
- # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
+ # BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
+ # This is typically a single label, but may be more than one if you are using
+ # multiple HSMs in Load Balancing mode, and the HSMs have different labels.
+ # When listing more than one, separate them using a comma (,).
 # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
 BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
@@ -18,13 +21,19 @@ parameter_defaults:
 BarbicanPkcs11CryptoATOSEnabled: true
 BarbicanPkcs11CryptoEnabled: true
 BarbicanPkcs11AlwaysSetCkaSensitive: false
+ BarbicanPkcs11CryptoOsLockingOk: true
+
 ATOSVars:
 atos_client_working_dir: /tmp/atos_client_install
 # atos_client_iso_location:
 # atos_client_iso_name:
 # atos_client_cert_location:
 # atos_client_key_loaction:
- # atos_hsm_ip_address:
+ # atos_hsms: # -- A list of HSMs. When more than one HSM is specified,
+ # # they will be configured in Load Balancing mode.
+ # - name: my-hsm-hostanme.example.com
+ # server_cert_location: https://user@PASSWORD:example.com/cert.CRT
+ # ip: 127.0.0.1
 resource_registry:
 OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
diff --git a/environments/barbican-backend-pkcs11-lunasa.yaml b/environments/barbican-backend-pkcs11-lunasa.yaml
index d850b65f52..12d105ce17 100644
--- a/environments/barbican-backend-pkcs11-lunasa.yaml
+++ b/environments/barbican-backend-pkcs11-lunasa.yaml
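Review bot: The `server_cert_location` example in the second hunk, `https://user@PASSWORD:example.com/cert.CRT`, is not valid URL syntax: userinfo goes before the host as `user:password@host`, so as written the host would be `PASSWORD` and `example.com` an invalid port. It also demonstrates placing the credential directly in ATOSVars, which this environment renders into hieradata on the controllers; a clearly constructed placeholder such as `server_cert_location: https://<user>:<password>@hsm.example.com/cert.CRT` keeps the example well-formed and makes it obvious that the real value is expected to be supplied separately rather than committed in the environment file. `my-hsm-hostanme.example.com` on the preceding line should read `my-hsm-hostname.example.com`.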
@@ -7,11 +7,10 @@ parameter_defaults:
 #
 # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
 #
- # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
+ # BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
 # For single HSM deployments this value should be the partition label
 # that will be assigned to the clients.
 # For HA deployments this value should be the label for the HA group.
- # BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
 # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
 #
 # LunasaClientIPNetwork: (Optional) Network to be used by the controllers
diff --git a/environments/barbican-backend-pkcs11-thales.yaml b/environments/barbican-backend-pkcs11-thales.yaml
index 60eb0a2db6..0855a112a7 100644
--- a/environments/barbican-backend-pkcs11-thales.yaml
+++ b/environments/barbican-backend-pkcs11-thales.yaml
@@ -6,9 +6,8 @@ parameter_defaults:
 # provide the appropriate values.
 #
 # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
- # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
+ # BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
 # This is typically the label given to the Operator Card Set (OCS)
- # BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM
 # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
 BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
diff --git a/releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml b/releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml
new file mode 100644
index 0000000000..c7c3d6bfd6
--- /dev/null
+++ b/releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Added new options for deploying Barbican with PKCS#11 backends:
+ `BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`
+deprecations:
+ - |
+ The `BarbicanPkcs11CryptoTokenLabel` option has been deprecated and
+ replaced with the `BarbicanPkcs11CryptoTokenLabels` option.