
Add new options for Barbican PKCS#11 backend

This patch adds two new parameters for deploying Barbican with the
PKCS#11 backend `BarbicanPkcs11CryptoTokenLabels` and
`BarbicanPkcs11CryptoOsLockingOk`.

The patch also deprecates `BarbicanPkcs11CryptoTokenLabel` in favor of
the new option that can be set to more than one label.

Depends-On: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
Change-Id: I1c5059799f613a62a13379eb82ba516a8ed3a15a
(cherry picked from commit 3b4d488a6a)
Douglas Mendizábal 7 months ago
parent
commit
9b67d64208
  1. 20
      deployment/barbican/barbican-api-container-puppet.yaml
  2. 16
      deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
  3. 13
      environments/barbican-backend-pkcs11-atos.yaml
  4. 3
      environments/barbican-backend-pkcs11-lunasa.yaml
  5. 3
      environments/barbican-backend-pkcs11-thales.yaml
  6. 9
      releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml

20
deployment/barbican/barbican-api-container-puppet.yaml

@ -88,7 +88,14 @@ parameters:
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoHMACKeyType:
@ -183,6 +190,7 @@ conditions:
- lunasa_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
# will use the Controller's IP address from that network instead.
@ -491,11 +499,17 @@ outputs:
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- map_merge:
- {get_param: LunasaVars}
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- if:
- pkcs11_tokens_unset
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
- lunasa_client_ip:
str_replace:
template:
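Review bot: The deprecated parameter's description does not say that it is only honoured when the new one is empty, which is what the `pkcs11_tokens_unset` condition and the `if` around `lunasa_ha_label` in the outputs hunk implement; an operator who sets both will have `BarbicanPkcs11CryptoTokenLabel` silently ignored. I would make the precedence explicit in the parameters hunk: `description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead. Only used when BarbicanPkcs11CryptoTokenLabels is empty.` If this template keeps a `parameter_groups` entry for deprecated parameters, as other tripleo-heat-templates files do, the parameter should presumably be listed there too so the deprecation is surfaced at deploy time; that section is not visible in this hunk. The outer `if` that the two `map_merge` branches belong to starts before the hunk, so I could not confirm both branches are reached symmetrically.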

16
deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml

@ -61,7 +61,14 @@ parameters:
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
type: string
default: ''
BarbicanPkcs11CryptoTokenLabels:
description: List of comma separated labels for the tokens to be used.
This is typically a single label, but some devices may require
more than one label for Load Balancing and High Availability
configurations.
type: string
default: ''
BarbicanPkcs11CryptoEncryptionMechanism:
@ -84,6 +91,11 @@ parameters:
description: Always set CKA_SENSITIVE=CK_TRUE
type: boolean
default: true
BarbicanPkcs11CryptoOsLockingOk:
description: Set CKF_OS_LOCKING_OK flag when initializing the client
library.
type: boolean
default: false
BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
@ -103,9 +115,11 @@ outputs:
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
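Review bot: In the outputs hunk both `p11_crypto_plugin_token_label` and the new `p11_crypto_plugin_token_labels` are passed to Puppet unconditionally, so unlike the API template in this change there is no fallback from the new parameter to the deprecated one at the template level; which value wins is left to the puppet-barbican change this depends on and is not stated anywhere in the file. Either mirror the `pkcs11_tokens_unset` conditional used in barbican-api-container-puppet.yaml, or say in the deprecated description where precedence is resolved, e.g. `description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead; precedence between the two is resolved by the puppet-barbican module.` The `BarbicanPkcs11CryptoOsLockingOk` description in the parameters hunk would also benefit from saying what the flag means for the operator, since it changes how the PKCS#11 library is initialized: `description: Pass the CKF_OS_LOCKING_OK flag to the PKCS#11 library at initialization, telling it the application may call it from multiple threads and that it may use OS locking primitives. Required by some HSM client libraries; the ATOS environment enables it.`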

13
environments/barbican-backend-pkcs11-atos.yaml

@ -5,7 +5,10 @@ parameter_defaults:
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
# This is typically a single label, but may be more than one if you are using
# multiple HSMs in Load Balancing mode, and the HSMs have different labels.
# When listing more than one, separate them using a comma (,).
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
@ -18,13 +21,19 @@ parameter_defaults:
BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true
BarbicanPkcs11AlwaysSetCkaSensitive: false
BarbicanPkcs11CryptoOsLockingOk: true
ATOSVars:
atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location:
# atos_client_iso_name:
# atos_client_cert_location:
# atos_client_key_loaction:
# atos_hsm_ip_address:
# atos_hsms: # -- A list of HSMs. When more than one HSM is specified,
# # they will be configured in Load Balancing mode.
# - name: my-hsm-hostanme.example.com
# server_cert_location: https://user@PASSWORD:example.com/cert.CRT
# ip: 127.0.0.1
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
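Review bot: The commented `atos_hsms` example in the second hunk, `server_cert_location: https://user@PASSWORD:example.com/cert.CRT`, shows a credential embedded in a URL, and in a form that is not even valid userinfo syntax (it would be `user:PASSWORD@host`); operators copy these templates into environment files that are usually committed, so the example should not model putting a secret in the URL at all. I would change it to `# server_cert_location: https://example.com/cert.CRT` and, if the ATOS client really needs authentication for that fetch, document separately how the credential is supplied. The same block has a typo in `my-hsm-hostanme.example.com` (`hostname`). From the hunk counts these five lines plus `BarbicanPkcs11CryptoOsLockingOk: true` appear to be the additions, but the rendered page lost the markers, so that is inferred.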

3
environments/barbican-backend-pkcs11-lunasa.yaml

@ -7,11 +7,10 @@ parameter_defaults:
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
#
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
# For single HSM deployments this value should be the partition label
# that will be assigned to the clients.
# For HA deployments this value should be the label for the HA group.
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
#
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers

3
environments/barbican-backend-pkcs11-thales.yaml

@ -6,9 +6,8 @@ parameter_defaults:
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
# This is typically the label given to the Operator Card Set (OCS)
# BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'

9
releasenotes/notes/add-support-for-barbican-pkcs11-options-a2ec14369518b40e.yaml

@ -0,0 +1,9 @@
---
features:
- |
Added new options for deploying Barbican with PKCS#11 backends:
`BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`
deprecations:
- |
The `BarbicanPkcs11CryptoTokenLabel` option has been deprecated and
replaced with the `BarbicanPkcs11CryptoTokenLabels` option.