Don't include the curly brackets on the script arguments. The documentation is just using them to indicate that those are placeholders for real values.
John Vrbanac ________________________________ From: Asha Seshagiri <asha.seshag...@gmail.com> Sent: Sunday, July 19, 2015 2:15 PM To: OpenStack Development Mailing List (not for usage questions) Cc: Reller, Nathan S. Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM Hi John , Thanks for pointing me to the right script. I appreciate your help . I tried running the script with the following command : [root@HSM-Client bin]# python pkcs11-key-generation --library-path {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek --length 32 --label 'an_mkek' Traceback (most recent call last): File "pkcs11-key-generation", line 120, in <module> main() File "pkcs11-key-generation", line 115, in main kg = KeyGenerator() File "pkcs11-key-generation", line 38, in __init__ ffi=ffi File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__ self.lib = self.ffi.dlopen(library_path) File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen lib, function_cache = _make_ffi_library(self, name, flags) File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library backendlib = _load_backend_lib(backend, libname, flags) File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib return backend.load_library(name, flags) OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory Unable to run the script since the library libCryptoki2_64.so cannot be opened. Tried the following solution : * vi /etc/ld.so.conf * Added both the paths of ld.so.conf in the /etc/ld.so.conf file got from the command find / -name libCryptoki2_64.so * /usr/safenet/lunaclient/lib/libCryptoki2_64.so * /usr/lib/libCryptoki2_64.so * sudo ldconfig * ldconfig -p But the above solution failed and am geting the same error. Any help would highly be apprecited. Thanks in advance! Thanks and Regards, Asha Seshagiri On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <john.vrba...@rackspace.com<mailto:john.vrba...@rackspace.com>> wrote: Asha, It looks like you don't have your mkek label correctly configured. Make sure that the mkek_label and hmac_label values in your config correctly reflect the keys that you've generated on your HSM. The plugin will cache the key handle to the mkek and hmac when the plugin starts, so if it cannot find them, it'll fail to load the plugin altogether. If you need help generating your mkek and hmac, refer to http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html for instructions on how to create them using a script. As far as who uses HSMs, I know we (Rackspace) use them with Barbican. John Vrbanac ________________________________ From: Asha Seshagiri <asha.seshag...@gmail.com<mailto:asha.seshag...@gmail.com>> Sent: Saturday, July 18, 2015 8:47 PM To: openstack-dev Cc: Reller, Nathan S. Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM Hi All , I have configured Barbican to integrate with SafeNet HSM. Installed safenet client libraries , registered the barbican machine to point to HSM server and also assigned HSM partition. The following were the changes done in barbican.conf file # ================= Secret Store Plugin =================== [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = store_crypto # ================= Crypto plugin =================== [crypto] namespace = barbican.crypto.plugin enabled_crypto_plugins = p11_crypto [p11_crypto_plugin] # Path to vendor PKCS11 library library_path = '/usr/lib/libCryptoki2_64.so' # Password to login to PKCS11 session login = 'test123' # Label to identify master KEK in the HSM (must not be the same as HMAC label) mkek_label = 'an_mkek' # Length in bytes of master KEK mkek_length = 32 # Label to identify HMAC key in the HSM (must not be the same as MKEK label) hmac_label = 'my_hmac_label' # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1 slot_id = 1 Unable to store the secret when Barbican was integrated with HSM. [root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]# Please find the logs below : 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto' 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last): 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs) 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__ 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils conf.p11_crypto_plugin.hmac_label) 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils self.get_mkek(self.current_mkek_label, session) 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils raise P11CryptoKeyHandleException() 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator. (I am not sure why we are geting CryptoPluginNotFound: Crypto plugin not found. Exception since the changes is able to hit the p11_crypto.py code) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last): 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return fn(inst, *args, **kwargs) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id')) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_model, project_model) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context) 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers crypto.PluginSupportTypes.ENCRYPT_DECRYPT 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers raise crypto.CryptoPluginNotFound() 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found. Had chance to go though the code as to why are we geting the exception : P11CryptoKeyHandleException: No key handle was found . It is because returned_count[0] == 0 .It needs to be 0 in order for the mkek to be created .From what I understand is that by default all the ffi variables would have the value 0 . I am not sure why the check returned_count[0] == 1: has been put . if returned_count[0] == 1: key = object_handle_ptr[0] rv = self.lib.C_FindObjectsFinal(session) self.check_error(rv) if returned_count[0] == 1: return key elif returned_count[0] == 0: return None Need Help .Any help would highly be appreciated .It is very critical for us to integrate with Barbican Also would like to know if any one has integrated Barbican with HSM. -- Thanks and Regards, Asha Seshagiri __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Thanks and Regards, Asha Seshagiri
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev