04b4ec3866
This patch adds support for two new options in barbican.conf for the PKCS#11 backend plugin: [p11_crypto]token_label and [p11_crypto]token_serial_number by adding two new parameters to the Barbican deployment BarbicanPkcs11CryptoTokenSerialNumber and BarbicanPkcs11CryptoTokenLabel. This patch also simplifies the use of barbican-manage to generate the MKEK and PKEK in the HSM backend by using the values provided in barbican.conf instead of duplicating them on the command line. For the Thales Luna Network device, this patch uses the label parameters to identify the partition to be used. Because we are using labels we no longer need to write the runtime generated Slot ID of the HA group into hieradata. Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
heat_template_version: rocky
description: >
Barbican API PKCS#11 crypto backend configured with Puppet
parameters:
# Required default parameters
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BarbicanPkcs11CryptoLibraryPath:
description: Path to vendor PKCS11 library
type: string
default: ''
BarbicanPkcs11CryptoLogin:
description: Password (PIN) to login to PKCS#11 session
type: string
hidden: true
default: ''
BarbicanPkcs11CryptoMKEKLabel:
description: Label for Master KEK
type: string
default: ''
BarbicanPkcs11CryptoMKEKLength:
description: Length of Master KEK in bytes
type: string
default: '256'
BarbicanPkcs11CryptoHMACLabel:
description: Label for the HMAC key
type: string
default: ''
BarbicanPkcs11CryptoSlotId:
description: Slot Id for the PKCS#11 token to be used
type: string
default: '0'
BarbicanPkcs11CryptoTokenSerialNumber:
description: Serial number for PKCS#11 token to be used
type: string
default: ''
BarbicanPkcs11CryptoTokenLabel:
description: Label for PKCS#11 token to be used
type: string
default: ''
BarbicanPkcs11CryptoEncryptionMechanism:
description: Cryptoki Mechanism used for encryption
type: string
default: 'CKM_AES_CBC'
BarbicanPkcs11CryptoHMACKeyType:
description: Cryptoki Key Type for Master HMAC key
type: string
default: 'CKK_AES'
BarbicanPkcs11CryptoHMACKeygenMechanism:
description: Cryptoki Mechanism used to generate Master HMAC Key
type: string
default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11CryptoAESGCMGenerateIV:
description: Generate IVs for CKM_AES_GCM encryption mechanism
type: boolean
default: true
BarbicanPkcs11AlwaysSetCkaSensitive:
description: Always set CKA_SENSITIVE=CK_TRUE
type: boolean
default: true
BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin
type: boolean
default: false
outputs:
role_data:
description: Role data for the Barbican PKCS#11 backend.
value:
service_name: barbican_backend_pkcs11_crypto
config_settings:
barbican::plugins::p11_crypto::p11_crypto_plugin_library_path: {get_param: BarbicanPkcs11CryptoLibraryPath}
barbican::plugins::p11_crypto::p11_crypto_plugin_login: {get_param: BarbicanPkcs11CryptoLogin}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_label: {get_param: BarbicanPkcs11CryptoMKEKLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
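Review bot: `BarbicanPkcs11CryptoMKEKLength` is described as "Length of Master KEK in bytes" yet defaults to `'256'`, while the template's other defaults select an AES key (`CKK_AES`, `CKM_AES_CBC`) whose valid lengths are 16, 24 or 32 bytes; either the unit in the description or the default looks inconsistent and should be checked against barbican's `mkek_length` semantics, since the commit now has `barbican-manage` generate the MKEK from these config values and a rejected length only surfaces at key-generation time on the HSM. `BarbicanPkcs11CryptoSlotId` keeps its `'0'` default and is still emitted next to the new `token_serial_number` and `token_label` settings, so its description should state which setting wins when both are present, e.g. `description: Slot Id for the PKCS#11 token to be used; presumably ignored when a token label or serial number is set (confirm against barbican's slot selection)`. Note also that `hidden: true` on `BarbicanPkcs11CryptoLogin` only masks the value in Heat's own output — it is passed through `config_settings` like every other value here, so the PIN presumably lands in the node's hieradata, which is worth stating in that parameter's description.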