b269eec7b1
This patch adds support for two new options in barbican.conf for the
PKCS#11 backend plugin: [p11_crypto]token_label and
[p11_crypto]token_serial_number by adding two new parameters
to the Barbican deployment BarbicanPkcs11CryptoTokenSerialNumber
and BarbicanPkcs11CryptoTokenLabel.
This patch also simplifies the use of barbican-manage to generate
the MKEK and PKEK in the HSM backend by using the values provided
in barbican.conf instead of duplicating them on the command line.
For the Thales Luna Network device, this patch uses the label
parameters to identify the partition to be used. Because we are
using labels we no longer need to write the runtime generated
Slot ID of the HA group into hieradata.
Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b
Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
(cherry picked from commit 04b4ec3866)
51 lines
2.7 KiB
YAML
51 lines
2.7 KiB
YAML
# A Heat environment file to enable the barbican PKCS#11 crypto backend using
|
|
# one or more Thales Luna Network HSMs.
|
|
# Note that Barbican needs to be enabled in order to use this.
|
|
parameter_defaults:
|
|
# In order to use this backend, you need to uncomment these values and
|
|
# provide the appropriate values.
|
|
#
|
|
# BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
|
|
#
|
|
# BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
|
|
# For single HSM deployments this value should be the partition label
|
|
# that will be assigned to the clients.
|
|
# For HA deployments this value should be the label for the HA group.
|
|
# BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
|
|
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
|
|
#
|
|
# LunasaClientIPNetwork: (Optional) Network to be used by the controllers
|
|
# to connect to the HSM. By default this option is empty ('') and the
|
|
# controllers are registered on the HSM using the controller's FQDN.
|
|
# When this option is set, the controllers will be registered using the
|
|
# controller's IP on this network instead.
|
|
|
|
BarbicanPkcs11CryptoLibraryPath: '/usr/lib/libCryptoki2_64.so'
|
|
BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
|
|
BarbicanPkcs11CryptoHMACKeyType: 'CKK_AES'
|
|
BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_AES_KEY_GEN'
|
|
BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
|
|
BarbicanPkcs11CryptoMKEKLength: '32'
|
|
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
|
|
BarbicanPkcs11CryptoLunasaEnabled: true
|
|
BarbicanPkcs11CryptoEnabled: true
|
|
BarbicanPkcs11AlwaysSetCkaSensitive: true
|
|
|
|
LunasaVars:
|
|
# lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded.
|
|
# lunasa_client_tarball_name: Filename for the CipherTools tarball.
|
|
# lunasa_client_installer_path: path to install.sh in the tarball.
|
|
# lunasa_client_rotate_cert: (Optional) Set to true to generate a new
|
|
# client certificate and re-register clients during deployment.
|
|
# lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
|
|
# will be configured as an HA group. Each entry should specify the
|
|
# following:
|
|
# - hostname: Hostname for the HSM
|
|
# admin_password: admin password for the HSM, used to add a new client
|
|
# for each controller node.
|
|
# partition: HSM partition to be assigned to the clients.
|
|
# partition_serial: serial number for the partition.
|
|
|
|
resource_registry:
|
|
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
|