Don't include the curly brackets on the script arguments. The documentation is 
just using them to indicate that those are placeholders for real values.


John Vrbanac
________________________________
From: Asha Seshagiri <asha.seshag...@gmail.com>
Sent: Sunday, July 19, 2015 2:15 PM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.
Subject: Re: [openstack-dev] Barbican : Unable to store the secret when 
Barbican was Integrated with SafeNet HSM

Hi John,

Thanks for pointing me to the right script.
I appreciate your help.

I tried running the script with the following command:

[root@HSM-Client bin]# python pkcs11-key-generation --library-path {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek --length 32 --label 'an_mkek'
Traceback (most recent call last):
  File "pkcs11-key-generation", line 120, in <module>
    main()
  File "pkcs11-key-generation", line 115, in main
    kg = KeyGenerator()
  File "pkcs11-key-generation", line 38, in __init__
    ffi=ffi
  File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__
    self.lib = self.ffi.dlopen(library_path)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen
    lib, function_cache = _make_ffi_library(self, name, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library
    backendlib = _load_backend_lib(backend, libname, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib
    return backend.load_library(name, flags)
OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory

Unable to run the script since the library libCryptoki2_64.so cannot be opened.

Tried the following solution:

  * vi /etc/ld.so.conf
  * Added both paths obtained from the command find / -name libCryptoki2_64.so to the /etc/ld.so.conf file:
     * /usr/safenet/lunaclient/lib/libCryptoki2_64.so
     * /usr/lib/libCryptoki2_64.so
  * sudo ldconfig
  * ldconfig -p

But the above solution failed and I am getting the same error.

Any help would be highly appreciated.
Thanks in advance!

Thanks and Regards,
Asha Seshagiri

On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <john.vrba...@rackspace.com> wrote:

Asha,

It looks like you don't have your mkek label correctly configured. Make sure 
that the mkek_label and hmac_label values in your config correctly reflect the 
keys that you've generated on your HSM.

The plugin will cache the key handle to the mkek and hmac when the plugin 
starts, so if it cannot find them, it'll fail to load the plugin altogether.


If you need help generating your mkek and hmac, refer to
http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
for instructions on how to create them using a script.


As far as who uses HSMs, I know we (Rackspace) use them with Barbican.


John Vrbanac
________________________________
From: Asha Seshagiri <asha.seshag...@gmail.com>
Sent: Saturday, July 18, 2015 8:47 PM
To: openstack-dev
Cc: Reller, Nathan S.
Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican 
was Integrated with SafeNet HSM

Hi All,

I have configured Barbican to integrate with a SafeNet HSM.
Installed the SafeNet client libraries, registered the Barbican machine to point to the HSM server and also assigned an HSM partition.

The following were the changes made in the barbican.conf file:


# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test123'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 1

Unable to store a secret when Barbican was integrated with the HSM.

[root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}
[root@HSM-Client crypto]#


Please find the logs below:

2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     conf.p11_crypto_plugin.hmac_label)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     self.get_mkek(self.current_mkek_label, session)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise P11CryptoKeyHandleException()
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.


(I am not sure why we are getting the exception CryptoPluginNotFound: Crypto plugin not found, since the changes are able to reach the p11_crypto.py code.)

2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     secret_model, project_model)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     crypto.PluginSupportTypes.ENCRYPT_DECRYPT
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise crypto.CryptoPluginNotFound()
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found.

I had a chance to go through the code as to why we are getting the exception:
P11CryptoKeyHandleException: No key handle was found.
It is because returned_count[0] == 0. It needs to be 0 in order for the mkek to be created. From what I understand, by default all the ffi variables would have the value 0. I am not sure why the check returned_count[0] == 1: has been put.

        # Fragment from barbican/plugin/crypto/pkcs11.py as pasted, re-indented:
        # C_FindObjects has already filled object_handle_ptr / returned_count.
        if returned_count[0] == 1:
            key = object_handle_ptr[0]
        rv = self.lib.C_FindObjectsFinal(session)
        self.check_error(rv)
        if returned_count[0] == 1:
            return key
        elif returned_count[0] == 0:
            return None

Need help. Any help would be highly appreciated. It is very critical for us to integrate with Barbican.
Also, I would like to know if anyone has integrated Barbican with an HSM.

--
Thanks and Regards,
Asha Seshagiri

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
Thanks and Regards,
Asha Seshagiri
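The two mistakes worked through in this thread (documentation placeholders with their curly braces copied into a command line, and MKEK/HMAC labels in barbican.conf that do not match the keys actually generated on the HSM) can both be caught before Barbican is started. The script below is an added example written for this thread and is not Barbican's own code. It parses a constructed [p11_crypto_plugin] section modelled on the one posted above, attempts a dlopen() of the vendor library the same way cffi's ffi.dlopen() does, and compares the configured labels against the set of labels that were passed to pkcs11-key-generation. That set is supplied as an argument here because enumerating the partition would need the vendor library; the sample values and the "generated labels" are constructed.

```python
"""Preflight checks for a Barbican [p11_crypto_plugin] section.

Added example for this thread, not Barbican code. Flags the mistakes
discussed above: documentation placeholders ({...}) copied verbatim,
a vendor PKCS#11 library that cannot be dlopen'ed, and MKEK/HMAC labels
that do not match the keys generated on the HSM.
"""
import configparser
import ctypes
import os
import re

# A value still wrapped in curly braces was copied from the docs verbatim.
PLACEHOLDER = re.compile(r"^\{.*\}$")

# Constructed sample, modelled on the section posted in this thread, with
# the curly-brace mistake from the command line carried into library_path.
SAMPLE_CONF = """
[p11_crypto_plugin]
library_path = {/usr/lib/libCryptoki2_64.so}
login = 'test123'
mkek_label = 'an_mkek'
mkek_length = 32
hmac_label = 'my_hmac_label'
slot_id = 1
"""


def unquote(value):
    """Strip one pair of matching surrounding quotes ('x' or "x")."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def load_p11_section(text):
    """Parse the [p11_crypto_plugin] section into a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {k: unquote(v.strip()) for k, v in parser["p11_crypto_plugin"].items()}


def check_placeholders(section):
    """Return the option names whose values are still {placeholders}."""
    return [k for k, v in section.items() if PLACEHOLDER.match(v)]


def check_library(path):
    """Return None if the vendor library loads, else the reason it does not.

    ctypes.CDLL performs the same dlopen() that cffi's ffi.dlopen() does,
    so the OSError from the traceback above surfaces here first.
    """
    if not os.path.isfile(path):
        return "not a file: %r" % path
    try:
        ctypes.CDLL(path)
    except OSError as exc:
        return str(exc)
    return None


def check_labels(section, generated_labels):
    """MKEK and HMAC labels must be set, distinct, and exist on the HSM.

    generated_labels: the labels passed to pkcs11-key-generation (an
    assumption of this example; a real check would enumerate the partition
    through the vendor library instead).
    """
    problems = []
    mkek = section.get("mkek_label", "")
    hmac = section.get("hmac_label", "")
    if not mkek or not hmac:
        problems.append("mkek_label and hmac_label must both be set")
    elif mkek == hmac:
        problems.append("mkek_label and hmac_label must not be the same")
    for name, label in (("mkek_label", mkek), ("hmac_label", hmac)):
        if label and label not in generated_labels:
            # This is the situation behind "No key handle was found": the
            # label search on the HSM returns zero objects.
            problems.append("%s=%r matches no generated key" % (name, label))
    return problems


def preflight(text, generated_labels):
    """Run every check; an empty list means the section looks usable."""
    section = load_p11_section(text)
    problems = ["placeholder braces in %s" % k for k in check_placeholders(section)]
    lib_err = check_library(section.get("library_path", ""))
    if lib_err:
        problems.append("library_path: " + lib_err)
    problems.extend(check_labels(section, generated_labels))
    if not section.get("slot_id", "1").isdigit():
        problems.append("slot_id must be a non-negative integer")
    return problems


if __name__ == "__main__":
    # In the thread only the MKEK was generated, so the HMAC label has no key.
    for problem in preflight(SAMPLE_CONF, {"an_mkek"}):
        print("problem:", problem)
```

Run against the constructed sample it reports the placeholder braces in library_path, the failed library load, and that hmac_label names a key that was never generated; the MKEK label passes because 'an_mkek' is exactly what was given to pkcs11-key-generation.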