Identify HSMs using labels instead of Slot ID

This patch adds support for two new options in barbican.conf for the
PKCS#11 backend plugin:  [p11_crypto]token_label and
[p11_crypto]token_serial_number by adding two new parameters
to the Barbican deployment BarbicanPkcs11CryptoTokenSerialNumber
and BarbicanPkcs11CryptoTokenLabel.

This patch also simplifies the use of barbican-manage to generate
the MKEK and PKEK in the HSM backend by using the values provided
in barbican.conf instead of duplicating them on the command line.

For the Thales Luna Network device, this patch uses the label
parameters to identify the partition to be used.  Because we are
using labels we no longer need to write the runtime generated
Slot ID of the HA group into hieradata.

Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b
Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
(cherry picked from commit 04b4ec3866)

deployment/barbican/barbican-api-container-puppet.yaml

@@ -62,7 +62,7 @@ parameters:
     type: string
     default: ''
   BarbicanPkcs11CryptoLogin:
-    description: Password to login to PKCS11 session
+    description: Password (PIN) to login to PKCS#11 session
     type: string
     hidden: true
     default: ''
@@ -75,9 +75,17 @@ parameters:
     type: string
     default: ''
   BarbicanPkcs11CryptoSlotId:
-    description: Slot Id for the HSM
+    description: Slot Id for the PKCS#11 token to be used
     type: string
     default: '0'
+  BarbicanPkcs11CryptoTokenSerialNumber:
+    description: Serial number for PKCS#11 token to be used
+    type: string
+    default: ''
+  BarbicanPkcs11CryptoTokenLabel:
+    description: Label for PKCS#11 token to be used
+    type: string
+    default: ''
   BarbicanPkcs11CryptoHMACKeyType:
     description: Cryptoki Key Type for Master HMAC key
     type: string
@@ -163,7 +171,7 @@ conditions:
   thales_hsm_enabled:   {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
   atos_hsm_enabled:     {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
   lunasa_hsm_enabled:   {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
-  thales_or_atos_or_lunasa_hsm_enabled:
+  hsm_enabled:
     or:
     - thales_hsm_enabled
     - atos_hsm_enabled
@@ -424,7 +432,7 @@ outputs:
         - null
       deploy_steps_tasks:
         if:
-        - thales_or_atos_or_lunasa_hsm_enabled
+        - hsm_enabled
         - list_concat:
           -
             if:
@@ -475,24 +483,17 @@ outputs:
                         - map_merge:
                           - {get_param: LunasaVars}
                           - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+                          - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
                         - map_merge:
                           - {get_param: LunasaVars}
                           - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+                          - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
                           - lunasa_client_ip:
                               str_replace:
                                 template:
                                   "{{$NETWORK_ip}}"
                                 params:
                                   $NETWORK: {get_param: LunasaClientIPNetwork}
-
-                  - name: set the slot id in hieradata
-                    include_role:
-                      name: tripleo-hieradata
-                      tasks_from: ansible_hieradata.yml
-                    vars:
-                      hieradata_ansible_data:
-                        barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
-                    when: lunasa_ha_slot is defined
               - null
         - null
       docker_config:
@@ -559,23 +560,11 @@ outputs:
                       - ' '
                       - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                         - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
-                        - "hsm check_mkek --library-path"
-                        - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-                        - "--slot-id"
-                        - {get_param: [BarbicanPkcs11CryptoSlotId]}
-                        - "--passphrase"
-                        - {get_param: [BarbicanPkcs11CryptoLogin]}
-                        - "--label"
+                        - "hsm check_mkek --label"
                         - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
                         - "|| /usr/bin/barbican-manage"
                         - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
-                        - "hsm gen_mkek --library-path"
-                        - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-                        - "--slot-id"
-                        - {get_param: [BarbicanPkcs11CryptoSlotId]}
-                        - "--passphrase"
-                        - {get_param: [BarbicanPkcs11CryptoLogin]}
-                        - "--label"
+                        - "hsm gen_mkek --label"
                         - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
                         - "'"
               - {}
@@ -597,28 +586,10 @@ outputs:
                       - ' '
                       - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
                         - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
-                        - "hsm check_hmac --library-path"
-                        - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-                        - "--slot-id"
-                        - {get_param: [BarbicanPkcs11CryptoSlotId]}
-                        - "--passphrase"
-                        - {get_param: [BarbicanPkcs11CryptoLogin]}
-                        - "--label"
+                        - "hsm check_hmac --label"
                         - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
-                        - "--key-type"
-                        - {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
-                        - "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
-                        - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
-                        - "--slot-id"
-                        - {get_param: [BarbicanPkcs11CryptoSlotId]}
-                        - "--passphrase"
-                        - {get_param: [BarbicanPkcs11CryptoLogin]}
-                        - "--label"
+                        - "|| /usr/bin/barbican-manage hsm gen_hmac --label"
                         - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
-                        - "--key-type"
-                        - {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
-                        - "--mechanism"
-                        - {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
                         - "'"
               - {}
             - if:

deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml

@@ -36,7 +36,7 @@ parameters:
     type: string
     default: ''
   BarbicanPkcs11CryptoLogin:
-    description: Password to login to PKCS11 session
+    description: Password (PIN) to login to PKCS#11 session
     type: string
     hidden: true
     default: ''
@@ -53,9 +53,17 @@ parameters:
     type: string
     default: ''
   BarbicanPkcs11CryptoSlotId:
-    description: Slot Id for the HSM
+    description: Slot Id for the PKCS#11 token to be used
     type: string
     default: '0'
+  BarbicanPkcs11CryptoTokenSerialNumber:
+    description: Serial number for PKCS#11 token to be used
+    type: string
+    default: ''
+  BarbicanPkcs11CryptoTokenLabel:
+    description: Label for PKCS#11 token to be used
+    type: string
+    default: ''
   BarbicanPkcs11CryptoEncryptionMechanism:
     description: Cryptoki Mechanism used for encryption
     type: string
@@ -93,6 +101,8 @@ outputs:
         barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
         barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
         barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
+        barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
         barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
         barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
         barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}

environments/barbican-backend-pkcs11-lunasa.yaml

@@ -1,15 +1,17 @@
-# A Heat environment file to enable the barbican PKCS11 crypto backend with
-# a Lunasa HSM.
-# Note that barbican needs to be enabled in order to use this.
+# A Heat environment file to enable the barbican PKCS#11 crypto backend using
+# one or more Thales Luna Network HSMs.
+# Note that Barbican needs to be enabled in order to use this.
 parameter_defaults:
   # In order to use this backend, you need to uncomment these values and
   # provide the appropriate values.
   #
-  # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
-  # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM.  Note that this parameter is only
-  #   strictly required when setting up the Lunasa client in non-HA mode.  In HA
-  #   mode, whatever value is placed here will be overridden by the dynamically generated
-  #   slot for the HA group created on the client.
+  # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
+  #
+  # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
+  #   For single HSM deployments this value should be the partition label
+  #   that will be assigned to the clients.
+  #   For HA deployments this value should be the label for the HA group.
+  # BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
   # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
   #
   # LunasaClientIPNetwork: (Optional) Network to be used by the controllers
@@ -36,13 +38,13 @@ parameter_defaults:
     # lunasa_client_rotate_cert:  (Optional) Set to true to generate a new
     #   client certificate and re-register clients during deployment.
     # lunasa_hsms:  A list of HSMs.  When more than one HSM is specified, they
-    #    will be configured as an HA pool.  Each entry should specify the
+    #    will be configured as an HA group.  Each entry should specify the
     #    following:
     #  - hostname: Hostname for the HSM
-    #    admin_password: admin password for the HSM, used to add a new client.
+    #    admin_password: admin password for the HSM, used to add a new client
+    #      for each controller node.
     #    partition: HSM partition to be assigned to the clients.
     #    partition_serial: serial number for the partition.
-    # lunasa_ha_label: HA group label Required only for HA mode.
 
 resource_registry:
   OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml