Merge "Add template code to configure hsm backends for barbican"

This commit is contained in:
Zuul 2019-01-05 02:47:09 +00:00 committed by Gerrit Code Review
commit df10ea7afa
6 changed files with 547 additions and 121 deletions

@ -49,10 +49,76 @@ parameters:
default: false default: false
description: Remove package if the service is being disabled during upgrade description: Remove package if the service is being disabled during upgrade
type: boolean type: boolean
BarbicanPkcs11CryptoATOSEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoThalesEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoEnabled:
type: boolean
default: false
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM
type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
ThalesHSMNetworkName:
description: The network that the HSM is listening on.
type: string
default: 'internal_api'
ThalesVars:
default: {}
description: Hash of tripleo-barbican-thales variables used to
install Thales client software.
type: json
ATOSVars:
default: {}
description: Hash of tripleo-barbican-atos variables used to
install ATOS client software.
type: json
conditions: conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
thales_or_atos_hsm_enabled:
or:
- thales_hsm_enabled
- atos_hsm_enabled
pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
resources: resources:
@ -119,128 +185,384 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
external_deploy_tasks:
if:
- thales_hsm_enabled
-
- name: Add ip addresses to the RFS server
when: step == '2'
block:
- name: get the ip addresses for the barbican nodes
set_fact:
thales_rfs_playbook_dir: "/tmp/thales_rfs_role_working_dir"
thales_client_ips:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] + ' ' }}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_bootstrap_client_ip:
str_replace:
template: >-
{% for host in groups['barbican_backend_pkcs11_crypto'] -%}
{% if hostvars[host]['bootstrap_server_id'] == hostvars[host]['deploy_server_id'] -%}
{{ hostvars[host]['$THALES_HSM_NETWORK_NAME_ip'] }}
{%- endif %}
{%- endfor %}
params:
$THALES_HSM_NETWORK_NAME: {get_param: ThalesHSMNetworkName}
thales_hsm_ip_address: {get_param: [ThalesVars, thales_hsm_ip_address]}
thales_hsm_config_location: {get_param: [ThalesVars, thales_hsm_config_location]}
thales_rfs_user: {get_param: [ThalesVars, thales_rfs_user]}
- name: set playbook vars
set_fact:
thales_rfs_inventory: "{{thales_rfs_playbook_dir}}/inventory"
thales_rfs_keyfile: "{{thales_rfs_playbook_dir}}/rfs_rsa"
thales_rfs_playbook: "{{thales_rfs_playbook_dir}}/rfs.yaml"
- name: creating working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: directory
- name: generate an inventory
copy:
dest: "{{thales_rfs_inventory}}"
content: {get_param: [ThalesVars, thales_rfs_server_ip_address]}
- name: write SSH key to file
copy:
dest: "{{thales_rfs_keyfile}}"
content: {get_param: [ThalesVars, thales_rfs_key]}
mode: 0400
- name: generate playbook to run
copy:
dest: "{{thales_rfs_playbook}}"
content: |
---
- hosts: all
remote_user: "{{thales_rfs_user}}"
vars:
thales_client_ips: "{{thales_client_ips}}"
thales_hsm_ip_address: "{{thales_hsm_ip_address}}"
thales_hsm_config_location: "{{thales_hsm_config_location}}"
thales_bootstrap_client_ip: "{{thales_bootstrap_client_ip}}"
roles:
- tripleo-barbican-thales-rfs
- name: call ansible on rfs server
shell: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "{{thales_rfs_inventory}}" --key-file "{{thales_rfs_keyfile}}" --ssh-extra-args "-o StrictHostKeyChecking=no" "{{thales_rfs_playbook}}"
- name: clean up working directory
file:
path: "{{thales_rfs_playbook_dir}}"
state: absent
- null
deploy_steps_tasks:
if:
- thales_or_atos_hsm_enabled
- list_concat:
-
if:
- thales_hsm_enabled
-
- name: Thales client install
when: step == '2'
block:
- set_fact:
my_thales_client_ip:
str_replace:
template:
"{{$NETWORK_ip}}"
params:
$NETWORK: {get_param: ThalesHSMNetworkName}
- include_role:
name: tripleo-barbican-thales
vars:
{get_param: ThalesVars}
- null
-
if:
- atos_hsm_enabled
-
- name: ATOS client install
when: step == '2'
block:
- include_role:
name: tripleo-barbican-atos
vars:
{get_param: ATOSVars}
- null
- null
docker_config: docker_config:
# db sync runs before permissions set by kolla_config # db sync runs before permissions set by kolla_config
step_2: step_2:
get_attr: [BarbicanApiLogging, docker_config, step_2] map_merge:
- get_attr: [BarbicanApiLogging, docker_config, step_2]
- if:
- atos_hsm_enabled
- barbican_init_atos_directory:
image: &barbican_api_image {get_param: DockerBarbicanApiImage}
user: root
volumes:
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnetshm.so:/usr/lib64/libnethsm.so
command: ['/bin/bash', '-c', 'chown -R barbican:barbican /etc/proteccio && chown barbican:barbican /usr/lib64/libnethsm.so']
- {}
step_3: step_3:
barbican_api_db_sync: map_merge:
start_order: 0 - if:
image: &barbican_api_image {get_param: DockerBarbicanApiImage} - pkcs11_plugin_enabled
net: host - barbican_api_create_mkek:
detach: false start_order: 0
user: root image: *barbican_api_image
volumes: &barbican_api_volumes net: host
list_concat: detach: false
- {get_attr: [ContainersCommon, volumes]} user: root
- {get_attr: [BarbicanApiLogging, volumes]} volumes: &barbican_api_volumes
- list_concat:
- /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro - {get_attr: [ContainersCommon, volumes]}
- /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro - {get_attr: [BarbicanApiLogging, volumes]}
command: -
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part - /var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the - /var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro
# final single quote that's part of the list_join. -
list_join: if:
- ' ' - thales_hsm_enabled
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" -
- {get_attr: [BarbicanApiLogging, cmd_extra_args]} - /opt/nfast:/opt/nfast
- "db upgrade" - null
- "'" -
barbican_api_secret_store_sync: if:
start_order: 1 - atos_hsm_enabled
image: *barbican_api_image -
net: host - /etc/proteccio:/etc/proteccio
detach: false - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
user: root - null
volumes: *barbican_api_volumes command:
command: list_join:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part - ' '
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
# final single quote that's part of the list_join. - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
list_join: - "hsm check_mkek --library-path"
- ' ' - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage" - "--slot-id"
- {get_attr: [BarbicanApiLogging, cmd_extra_args]} - {get_param: [BarbicanPkcs11CryptoSlotId]}
- "db sync_secret_stores --verbose" - "--passphrase"
- "'" - {get_param: [BarbicanPkcs11CryptoLogin]}
barbican_api: - "--label"
# NOTE(alee): Barbican should start after keystone processes - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
start_order: 5 - "|| /usr/bin/barbican-manage"
image: *barbican_api_image - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
net: host - "hsm gen_mkek --library-path"
privileged: false - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
restart: always - "--slot-id"
user: root - {get_param: [BarbicanPkcs11CryptoSlotId]}
healthcheck: - "--passphrase"
test: /openstack/healthcheck - {get_param: [BarbicanPkcs11CryptoLogin]}
volumes: - "--label"
list_concat: - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
- {get_attr: [ContainersCommon, volumes]} - "'"
- {get_attr: [BarbicanApiLogging, volumes]} - {}
- - if:
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro - pkcs11_plugin_enabled
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro - barbican_api_create_hmac:
- start_order: 0
if: image: *barbican_api_image
- internal_tls_enabled net: host
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro detach: false
- '' user: root
- volumes: *barbican_api_volumes
if: command:
- internal_tls_enabled list_join:
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - ' '
- '' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
environment: &kolla_env - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - "hsm check_hmac --library-path"
barbican_keystone_listener: - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
start_order: 6 - "--slot-id"
image: {get_param: DockerBarbicanKeystoneListenerImage} - {get_param: [BarbicanPkcs11CryptoSlotId]}
net: host - "--passphrase"
privileged: false - {get_param: [BarbicanPkcs11CryptoLogin]}
restart: always - "--label"
user: barbican - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
healthcheck: - "--key-type"
test: - {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
list_join: - "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
- {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- "--slot-id"
- {get_param: [BarbicanPkcs11CryptoSlotId]}
- "--passphrase"
- {get_param: [BarbicanPkcs11CryptoLogin]}
- "--label"
- {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- "--key-type"
- {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- "--mechanism"
- {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
- "'"
- {}
- if:
- thales_hsm_enabled
- barbican_api_update_rfs_server_with_mkek_and_hmac_keys:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command: "/usr/bin/bootstrap_host_exec barbican_api /opt/nfast/bin/rfs-sync --commit"
- {}
- if:
- thales_hsm_enabled
- barbican_api_get_mkek_and_hmac_keys_from_rfs:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command: "/opt/nfast/bin/rfs-sync --update"
- {}
- barbican_api_db_sync:
start_order: 0
image: *barbican_api_image
net: host
detach: false
user: root
volumes: *barbican_api_volumes
command:
# NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
# of the bash -c invocation, so we include them in the quoted db sync command. Hence the
# final single quote that's part of the list_join.
list_join:
- ' ' - ' '
- - '/openstack/healthcheck' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- yaql: - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
expression: str($.data.port) - "db upgrade"
data: - "'"
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']} - barbican_api_secret_store_sync:
volumes: start_order: 1
list_concat: image: *barbican_api_image
- {get_attr: [ContainersCommon, volumes]} net: host
- {get_attr: [BarbicanApiLogging, volumes]} detach: false
- user: root
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro volumes: *barbican_api_volumes
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro command:
environment: *kolla_env # NOTE(jaosorior): When providing extra arguments, we need to make sure that they're part
barbican_worker: # of the bash -c invocation, so we include them in the quoted db sync command. Hence the
start_order: 7 # final single quote that's part of the list_join.
image: {get_param: DockerBarbicanWorkerImage} list_join:
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' ' - ' '
- - '/openstack/healthcheck' - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
- yaql: - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
expression: str($.data.port) - "db sync_secret_stores --verbose"
data: - "'"
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']} - barbican_api:
volumes: # NOTE(alee): Barbican should start after keystone processes
list_concat: start_order: 5
- {get_attr: [ContainersCommon, volumes]} image: *barbican_api_image
- {get_attr: [BarbicanApiLogging, volumes]} net: host
- privileged: false
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro restart: always
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro user: root
environment: *kolla_env healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- null
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: &kolla_env
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- barbican_keystone_listener:
start_order: 6
image: {get_param: DockerBarbicanKeystoneListenerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_keystone_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
environment: *kolla_env
- barbican_worker:
start_order: 7
image: {get_param: DockerBarbicanWorkerImage}
net: host
privileged: false
restart: always
user: barbican
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [BarbicanApiBase, role_data, config_settings, 'barbican::api::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [BarbicanApiLogging, volumes]}
-
- /var/lib/kolla/config_files/barbican_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/barbican/:/var/lib/kolla/config_files/src:ro
-
if:
- thales_hsm_enabled
-
- /opt/nfast:/opt/nfast
- null
-
if:
- atos_hsm_enabled
-
- /etc/proteccio:/etc/proteccio
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: *kolla_env
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]} host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
upgrade_tasks: upgrade_tasks:
- when: step|int == 3 - when: step|int == 3

@ -0,0 +1,29 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/usr/lib64/libnethsm.so'
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType: 'CKK_GENERIC_SECRET'
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
BarbicanPkcs11CryptoMKEKLength: 32
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true
ATOSVars:
atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location:
# atos_client_iso_name:
# atos_client_cert_location:
# atos_client_key_loaction:
# atos_hsm_ip_address:
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

@ -0,0 +1,38 @@
# A Heat environment file to enable the barbican PKCS11 crypto backend with
# a Thales HSM.
# Note that barbican needs to be enabled in order to use this.
parameter_defaults:
# In order to use this backend, you need to uncomment these values and
# provide the appropriate values.
#
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so'
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC'
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN'
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
BarbicanPkcs11CryptoMKEKLength: '32'
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoThalesEnabled: true
BarbicanPkcs11CryptoEnabled: true
ThalesVars:
thales_client_working_dir: /tmp/thales_client_install
# thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.
# thales_client_tarball_name: Filename for the CipherTools tarball.
thales_client_path: linux/libc6_11/amd64/nfast
thales_client_uid: 42481
thales_client_gid: 42481
# thales_km_data_location: URL where the RFS kmdata tarball can be downloaded.
# thales_km_data_tarball_name: Filename for the kmdata tarball.
# thales_hsm_ip_address: IP address for the HSM
# thales_rfs_server_ip_address: IP address for the RFS Server.
# thales_hsm_config_location: The directory where the hsm configuration is stored in
# your RFS server. e.g. hsm-XXXX-XXXX-XXXX.
# thales_rfs_user: Username used to log into RFS server.
# thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

@ -11,6 +11,7 @@ parameter_defaults:
# BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key # BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoEnabled: true
resource_registry: resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

@ -34,22 +34,44 @@ parameters:
BarbicanPkcs11CryptoLibraryPath: BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library description: Path to vendor PKCS11 library
type: string type: string
default: ''
BarbicanPkcs11CryptoLogin: BarbicanPkcs11CryptoLogin:
description: Password to login to PKCS11 session description: Password to login to PKCS11 session
type: string type: string
hidden: true hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel: BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK description: Label for Master KEK
type: string type: string
default: ''
BarbicanPkcs11CryptoMKEKLength: BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes description: Length of Master KEK in bytes
type: number type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel: BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key description: Label for the HMAC key
type: string type: string
default: ''
BarbicanPkcs11CryptoSlotId: BarbicanPkcs11CryptoSlotId:
description: Slot Id for the HSM description: Slot Id for the HSM
type: number type: string
default: '0'
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoAESGCMGenerateIV:
description: Generate IVs for CKM_AES_GCM encryption mechanism
type: boolean
default: true
BarbicanPkcs11CryptoGlobalDefault: BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin description: Whether this plugin is the global default plugin
type: boolean type: boolean
@ -61,10 +83,14 @@ outputs:
value: value:
service_name: barbican_backend_pkcs11_crypto service_name: barbican_backend_pkcs11_crypto
config_settings: config_settings:
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path {get_param: BarbicanPkcs11CryptoLibraryPath} barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login {get_param: BarbicanPkcs11CryptoLogin} barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel} barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength} barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel} barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId} barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault} barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}

@ -0,0 +1,10 @@
---
features:
- |
Added code in the barbican-api.yaml template to allow barbican to be
configured to run with either an ATOS or Thales HSM back-end. Also
added environment files with all the required variables. The added code
installs and configures the client software on the barbican nodes,
generates the required kets for the PKCS#11 plugin, and configures
barbican correctly. For the Thales case, it also contacts the RFS server
to add the new clients to the HSM.