Add new options for Barbican PKCS#11 backend
This patch adds two new parameters for deploying Barbican with the
PKCS#11 backend `BarbicanPkcs11CryptoTokenLabels` and
`BarbicanPkcs11CryptoOsLockingOk`.
The patch also deprecates `BarbicanPkcs11CryptoTokenLabel` in favor of
the new option that can be set to more than one label.
Depends-On: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
Change-Id: I1c5059799f613a62a13379eb82ba516a8ed3a15a
(cherry picked from commit 3b4d488a6a)
parent
e361984f96
commit
9b67d64208
@ -88,7 +88,14 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoTokenLabel:
|
BarbicanPkcs11CryptoTokenLabel:
|
||||||
description: Label for PKCS#11 token to be used
|
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoTokenLabels:
|
||||||
|
description: List of comma separated labels for the tokens to be used.
|
||||||
|
This is typically a single label, but some devices may require
|
||||||
|
more than one label for Load Balancing and High Availability
|
||||||
|
configurations.
|
||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoHMACKeyType:
|
BarbicanPkcs11CryptoHMACKeyType:
|
||||||
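Review bot: the new BarbicanPkcs11CryptoTokenLabels description does not say what happens when it is left at its default `''` while the deprecated BarbicanPkcs11CryptoTokenLabel is still set; elsewhere in this patch the template falls back to the old parameter only when the new one is empty, and otherwise the old value is not consulted. State that precedence in the description (for example "If unset, the deprecated BarbicanPkcs11CryptoTokenLabel is used") so operators migrating an existing environment know which value wins. Since the parameter stays `type: string`, the comma-separated format is not validated by Heat; either note that the list is passed through verbatim or consider `comma_delimited_list` so malformed values are rejected at stack creation.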
@ -183,6 +190,7 @@ conditions:
|
|||||||
- lunasa_hsm_enabled
|
- lunasa_hsm_enabled
|
||||||
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
|
||||||
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
|
||||||
|
pkcs11_tokens_unset: {equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']}
|
||||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||||
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
# Luna Clients use FQDN by default. When LunasaClientIPNetwork is set we
|
||||||
# will use the Controller's IP address from that network instead.
|
# will use the Controller's IP address from that network instead.
|
||||||
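Review bot: `pkcs11_tokens_unset` tests only the new parameter, so no condition covers the case where both BarbicanPkcs11CryptoTokenLabels and the deprecated BarbicanPkcs11CryptoTokenLabel are empty; with `pkcs11_plugin_enabled` true that path produces an empty `lunasa_ha_label` further down in the outputs. Consider a second condition (or an `and` over both `equals`) that is documented as "one of the two must be set when the Lunasa client is enabled", and name this one after what it checks (`pkcs11_token_labels_unset`) to make clear it refers to the plural parameter.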
@ -491,11 +499,17 @@ outputs:
|
|||||||
- map_merge:
|
- map_merge:
|
||||||
- {get_param: LunasaVars}
|
- {get_param: LunasaVars}
|
||||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
|
- if:
|
||||||
|
- pkcs11_tokens_unset
|
||||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||||
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
||||||
- map_merge:
|
- map_merge:
|
||||||
- {get_param: LunasaVars}
|
- {get_param: LunasaVars}
|
||||||
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
- lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
|
||||||
|
- if:
|
||||||
|
- pkcs11_tokens_unset
|
||||||
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||||
|
- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
||||||
- lunasa_client_ip:
|
- lunasa_client_ip:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
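Review bot: the same `if: - pkcs11_tokens_unset` block is added verbatim to both map_merge copies (the FQDN branch and the LunasaClientIPNetwork branch); computing the chosen label once and merging it into both would keep the two branches from drifting. More importantly, `lunasa_ha_label` is now fed the raw BarbicanPkcs11CryptoTokenLabels string, which the parameter description defines as a comma-separated list, while the Lunasa environment in this same patch describes this value as the single HA group label. If the Luna client role does not expect a comma-joined string, either document that only one label is valid for Lunasa or split and validate the value here before handing it to the role.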
@ -61,7 +61,14 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoTokenLabel:
|
BarbicanPkcs11CryptoTokenLabel:
|
||||||
description: Label for PKCS#11 token to be used
|
description: (DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
BarbicanPkcs11CryptoTokenLabels:
|
||||||
|
description: List of comma separated labels for the tokens to be used.
|
||||||
|
This is typically a single label, but some devices may require
|
||||||
|
more than one label for Load Balancing and High Availability
|
||||||
|
configurations.
|
||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
BarbicanPkcs11CryptoEncryptionMechanism:
|
BarbicanPkcs11CryptoEncryptionMechanism:
|
||||||
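Review bot: BarbicanPkcs11CryptoTokenLabel is marked deprecated only in its description text. tripleo-heat-templates normally also lists deprecated parameters under a `parameter_groups:` entry with `label: deprecated` so the deployment tooling warns when a stale environment file still sets it; add that here (and in the other template touched by this patch) rather than relying on operators reading the description.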
@ -84,6 +91,11 @@ parameters:
|
|||||||
description: Always set CKA_SENSITIVE=CK_TRUE
|
description: Always set CKA_SENSITIVE=CK_TRUE
|
||||||
type: boolean
|
type: boolean
|
||||||
default: true
|
default: true
|
||||||
|
BarbicanPkcs11CryptoOsLockingOk:
|
||||||
|
description: Set CKF_OS_LOCKING_OK flag when initializing the client
|
||||||
|
library.
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
BarbicanPkcs11CryptoGlobalDefault:
|
BarbicanPkcs11CryptoGlobalDefault:
|
||||||
description: Whether this plugin is the global default plugin
|
description: Whether this plugin is the global default plugin
|
||||||
type: boolean
|
type: boolean
|
||||||
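Review bot: the description of BarbicanPkcs11CryptoOsLockingOk only names the flag; say what it does and when to turn it on. CKF_OS_LOCKING_OK in the C_Initialize arguments tells the PKCS#11 library that it may use the operating system's native threading primitives for its internal locking, which matters because barbican-api calls the library from multiple threads, and some vendor client libraries will not initialize correctly without it. The ATOS environment in this patch sets the option to true while the default here is false, so a sentence such as "Required by some HSM client libraries when the plugin is used from a multi-threaded process; see the vendor documentation" would save operators a guess.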
@ -103,9 +115,11 @@ outputs:
|
|||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_token_labels: {get_param: BarbicanPkcs11CryptoTokenLabels}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
|
||||||
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
|
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
|
||||||
|
barbican::plugins::p11_crypto::p11_crypto_plugin_os_locking_ok: {get_param: BarbicanPkcs11CryptoOsLockingOk}
|
||||||
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
|
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
|
||||||
|
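Review bot: unlike the Lunasa template, this output passes both `p11_crypto_plugin_token_label` and `p11_crypto_plugin_token_labels` to puppet-barbican unconditionally, so the precedence between the deprecated and the new hiera key is decided by the Depends-On change in puppet-barbican, not by this template. Either reuse an `equals: [{get_param: BarbicanPkcs11CryptoTokenLabels}, '']` condition to map the old value into `token_labels` when the new one is empty, so the deprecation is handled here, or state in the deprecated parameter's description which value wins when both are set.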
@ -5,7 +5,10 @@ parameter_defaults:
|
|||||||
# provide the appropriate values.
|
# provide the appropriate values.
|
||||||
#
|
#
|
||||||
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
|
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
|
||||||
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
|
# BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
|
||||||
|
# This is typically a single label, but may be more than one if you are using
|
||||||
|
# multiple HSMs in Load Balancing mode, and the HSMs have different labels.
|
||||||
|
# When listing more than one, separate them using a comma (,).
|
||||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
|
|
||||||
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
|
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
|
||||||
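Review bot: replacing the `# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM` comment with the BarbicanPkcs11CryptoTokenLabels block drops the only mention of SlotId from this environment file, although `p11_crypto_plugin_slot_id` is still wired through in the outputs hunk. If the intent is that token labels supersede slot-id selection for ATOS, say so in the commit message or release note; otherwise keep the SlotId line. The new text is also ambiguous about "the HSMs have different labels": spell out that a single label suffices when all load-balanced HSMs share one label, which is what the wording implies.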
@ -18,13 +21,19 @@ parameter_defaults:
|
|||||||
BarbicanPkcs11CryptoATOSEnabled: true
|
BarbicanPkcs11CryptoATOSEnabled: true
|
||||||
BarbicanPkcs11CryptoEnabled: true
|
BarbicanPkcs11CryptoEnabled: true
|
||||||
BarbicanPkcs11AlwaysSetCkaSensitive: false
|
BarbicanPkcs11AlwaysSetCkaSensitive: false
|
||||||
|
BarbicanPkcs11CryptoOsLockingOk: true
|
||||||
|
|
||||||
ATOSVars:
|
ATOSVars:
|
||||||
atos_client_working_dir: /tmp/atos_client_install
|
atos_client_working_dir: /tmp/atos_client_install
|
||||||
# atos_client_iso_location:
|
# atos_client_iso_location:
|
||||||
# atos_client_iso_name:
|
# atos_client_iso_name:
|
||||||
# atos_client_cert_location:
|
# atos_client_cert_location:
|
||||||
# atos_client_key_loaction:
|
# atos_client_key_loaction:
|
||||||
# atos_hsm_ip_address:
|
# atos_hsms: # -- A list of HSMs. When more than one HSM is specified,
|
||||||
|
# # they will be configured in Load Balancing mode.
|
||||||
|
# - name: my-hsm-hostanme.example.com
|
||||||
|
# server_cert_location: https://user@PASSWORD:example.com/cert.CRT
|
||||||
|
# ip: 127.0.0.1
|
||||||
|
|
||||||
resource_registry:
|
resource_registry:
|
||||||
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|
||||||
|
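Review bot: the example `server_cert_location: https://user@PASSWORD:example.com/cert.CRT` is a malformed URL; userinfo precedes the host, as in `https://user:PASSWORD@example.com/cert.CRT`. Since this value lands in a plain-text environment file and in the Heat stack parameters, the comment should also steer operators toward a read-only fetch credential or a pre-staged certificate file rather than an embedded password. The placeholder `my-hsm-hostanme.example.com` has a typo. Finally, moving from `atos_hsm_ip_address` to an `atos_hsms` list changes the ATOSVars schema for anyone who already set it, which the commit message does not mention; that belongs in the release note.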
@ -7,11 +7,10 @@ parameter_defaults:
|
|||||||
#
|
#
|
||||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
|
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
|
||||||
#
|
#
|
||||||
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
|
||||||
# For single HSM deployments this value should be the partition label
|
# For single HSM deployments this value should be the partition label
|
||||||
# that will be assigned to the clients.
|
# that will be assigned to the clients.
|
||||||
# For HA deployments this value should be the label for the HA group.
|
# For HA deployments this value should be the label for the HA group.
|
||||||
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
|
|
||||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
#
|
#
|
||||||
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
||||||
|
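Review bot: the renamed comment reads `BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.` and then says the value is "the label for the HA group", which contradicts the parameter's own description as a comma-separated list of labels. For the Lunasa environment, say explicitly that exactly one label is expected here (the partition label, or the HA group label for HA deployments) and that the comma-separated form is for other HSM types. The hunk also silently drops the `BarbicanPkcs11CryptoSlotId: (Optional) Slot Id` hint; if the parameter is no longer meaningful for Luna, say so instead of just deleting it.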
@ -6,9 +6,8 @@ parameter_defaults:
|
|||||||
# provide the appropriate values.
|
# provide the appropriate values.
|
||||||
#
|
#
|
||||||
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
|
||||||
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
# BarbicanPkcs11CryptoTokenLabels: Label for PKCS#11 token to be used.
|
||||||
# This is typically the label given to the Operator Card Set (OCS)
|
# This is typically the label given to the Operator Card Set (OCS)
|
||||||
# BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM
|
|
||||||
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
||||||
|
|
||||||
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
|
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
|
||||||
|
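Review bot: the comment still describes a single value ("Label for PKCS#11 token", "the label given to the Operator Card Set") under the plural BarbicanPkcs11CryptoTokenLabels name. For nCipher, either state that only one OCS label is expected, or say whether several OCS labels may be listed comma-separated, so the -9/+8 change is more than a rename. As in the other environment files, the `BarbicanPkcs11CryptoSlotId (optional)` hint is removed without explanation while the parameter is still wired through in the template outputs.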
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Added new options for deploying Barbican with PKCS#11 backends:
|
||||||
|
`BarbicanPkcs11CryptoTokenLabels` and `BarbicanPkcs11CryptoOsLockingOk`
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The `BarbicanPkcs11CryptoTokenLabel` option has been deprecated and
|
||||||
|
replaced with the `BarbicanPkcs11CryptoTokenLabels` option.
|
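Review bot: the feature note names the two options but does not say what they do or how they interact with the deprecated one; add that BarbicanPkcs11CryptoTokenLabels takes a comma-separated list, that the Lunasa template falls back to BarbicanPkcs11CryptoTokenLabel only when the new option is empty, and that BarbicanPkcs11CryptoOsLockingOk sets CKF_OS_LOCKING_OK when the PKCS#11 library is initialized. The deprecation entry should also tell operators what to change (rename the key in their environment file) and mention the ATOSVars change from `atos_hsm_ip_address` to the `atos_hsms` list, which is a user-visible change in this same patch.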