# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
  # In order to use this backend, you need to uncomment these values and
  # provide the appropriate values.
  #
  # BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
  # BarbicanPkcs11CryptoTokenLabels: The token label for the virtual HSM to be used.
  #   This is typically a single label, but may be more than one if you are using
  #   multiple HSMs in Load Balancing mode, and the HSMs have different labels.
  #   When listing more than one, separate them using a comma (,).
  # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin

  BarbicanPkcs11CryptoLibraryPath:         '/usr/lib64/libnethsm.so'
  BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
  BarbicanPkcs11CryptoHMACKeyType:         'CKK_GENERIC_SECRET'
  BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
  BarbicanPkcs11CryptoMKEKLabel:           'barbican_mkek_0'
  BarbicanPkcs11CryptoMKEKLength:          32
  BarbicanPkcs11CryptoHMACLabel:           'barbican_hmac_0'
  BarbicanPkcs11CryptoATOSEnabled:         true
  BarbicanPkcs11CryptoEnabled:             true
  BarbicanPkcs11AlwaysSetCkaSensitive:     false
  BarbicanPkcs11CryptoOsLockingOk:         true

  ATOSVars:
    atos_client_working_dir: /tmp/atos_client_install
    # atos_client_iso_location:
    # atos_client_iso_name:
    # atos_client_cert_location:
    # atos_client_key_loaction:
    # atos_hsms: # -- A list of HSMs.  When more than one HSM is specified,
    #            #    they will be configured in Load Balancing mode.
    #   - name: my-hsm-hostanme.example.com
    #     server_cert_location: https://user@PASSWORD:example.com/cert.CRT
    #     ip: 127.0.0.1

resource_registry:
  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml