# A Heat environment file to enable the barbican PKCS11 crypto backend with # a Thales HSM. # Note that barbican needs to be enabled in order to use this. parameter_defaults: # In order to use this backend, you need to uncomment these values and # provide the appropriate values. # # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used. # This is typically the label given to the Operator Card Set (OCS) # BarbicanPkcs11CryptoSlotId (optional): Slot Id for the HSM # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so' BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC' BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC' BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN' BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0' BarbicanPkcs11CryptoMKEKLength: '32' BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0' BarbicanPkcs11CryptoThalesEnabled: true BarbicanPkcs11CryptoEnabled: true BarbicanPkcs11AlwaysSetCkaSensitive: false ThalesVars: thales_client_working_dir: /tmp/thales_client_install # thales_client_tarball_location: URI where the CipherTools tarball can be downloaded. # thales_client_tarball_name: Filename for the CipherTools tarball. thales_client_path: linux/libc6_11/amd64/nfast thales_client_uid: 42481 thales_client_gid: 42481 # thales_km_data_location: URL where the RFS kmdata tarball can be downloaded. # thales_km_data_tarball_name: Filename for the kmdata tarball. # nshield_hsms: Dictionary including details about relevant HSMs. If more than HSM # is in the list, the HSMs will be configured in load sharing mode for HA. # e.g. nshield_hsms: # - name: hsm 1 # ip: X.X.X.X # - name: hsm 2 # ip: Y.Y.Y.Y # thales_hsm_config_location: The directory where the hsm configuration is stored in # your RFS server. e.g. hsm-XXXX-XXXX-XXXX. # thales_rfs_server_ip_address: IP address for the RFS Server. # thales_rfs_user: Username used to log into RFS server. # thales_rfs_key: RSA Private key in PEM format used to log into RFS server. # # The following parameter are deprecated and can be used to configure connection to a # single HSM. It is better to use the nshield_hsms parameter above instead: # thales_hsm_ip_address: IP address for the HSM # # This parameter is deprecated and is no longer needed: # thales_hsm_config_location: The directory where the hsm configuration is stored in # your RFS server. e.g. hsm-XXXX-XXXX-XXXX. resource_registry: OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml