Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello,
I have some questions concerning what exactly is implemented with respect
to the kmip plugin.
When I attempt to store a symmetric key using the command:
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d
'{"name": "AES key", "algorithm":"aes", "bit_length":256,
"mode":"cbc","payload":"9A855DC48159F6629EBFF919C045C24B57B6B0327AA43FAA5DD6C87FC3E000AB","payload_content_type":"application/octet-stream","payload_content_encoding":"base64",
"secret_type":"symmetric"}'
http://localhost:9311/v1/secrets
I receive the following error: SecretGeneralException: Problem seen during
crypto processing - Reason: 'NoneType' object has no attribute 'enum'
When I also ask barbican to generate a symmetric key using the orders
resource:
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d
'{ "type":"key", "meta": {"name": "secretname", "algorithm": "aes",
"bit_length": 256, "mode": "cbc", "payload_content_type":
"application/octet-stream"}}' http://localhost:9311/v1/orders
I get what appears to be the same error: AttributeError: 'NoneType' object
has no attribute 'enum'
Does this mean symmetric key storage is still not fully implemented? Or is
it possible there is a misconfiguration between my kmip plugin and
barbican?
Thank you!
Chris Solis
From: Christopher N Solis/Austin/IBM@IBMUS
To: "Coffman, Joel M."
Cc: "Reller, Nathan S." , "'OpenStack
Development Mailing List \(not for usage questions\)'"
, "Farr, Kaitlin M."
Date: 04/21/2015 03:50 PM
Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey Joel.
Thanks for the advice!
I was able to solve the problem and have the ssl connection become trusted.
Barbican seems to be authenticating correctly to the KMIP server as well
now.
However, I have another problem.
When I try to store a plain text secret into barbican I receive the
following error:
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line 104,
in handler
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
90, in enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
146, in content_types_enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/secrets.py", line
326, in on_post
transport_key_id=data.get('transport_key_id'))
File "/home/swift/barbican/barbican/plugin/resources.py", line 95, in
store_secret
plugin_name=plugin_name)
File "/home/swift/barbican/barbican/plugin/interface/secret_store.py",
line 478, in _check_plugins_configured
return plugin_related_function(self, *args, **kwargs)
File "/home/swift/barbican/barbican/plugin/interface/secret_store.py",
line 513, in get_plugin_store
if ext.obj.store_secret_supports(key_spec):
File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line
481, in store_secret_supports
return self.generate_supports(key_spec)
File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line
437, in generate_supports
alg_dict_entry = self.valid_alg_dict.get(key_spec.alg.lower())
AttributeError: 'NoneType' object has no attribute 'lower'
I don't really know what could be causing this error. Any ideas?
Regards,
CHRIS SOLIS
Inactive hide details for "Coffman, Joel M." ---04/16/2015 03:22:25
PM---However, I cannot not make a request to the kmip plugi"Coffman, Joel
M." ---04/16/2015 03:22:25 PM---However, I cannot not make a request to the
kmip plugin because of an ssl error: The keyfile, certfi
From: "Coffman, Joel M."
To: "'OpenStack Development Mailing List (not for usage questions)'"
, Christopher N Solis/Austin/IBM@IBMUS
Cc: "Reller, Nathan S." , "Farr, Kaitlin M."
, "Coffman, Joel M."
Date: 04/16/2015 03:22 PM
Subject: RE: [openstack-dev] [barbican] Utilizing the KMIP plugin
However, I cannot not make a request to the kmip plugin because of an ssl
error:
The keyfile, certfile, and ca_certs are passed directly to ssl.wrap_socket.
Debugging any SSL errors isn’t easy – Google is generally the best resource
to identify and resolve issues based on the error codes returned by
OpenSSL. :-(
What exactly is each variable suppose to contain?
See the ssl.wrap_socket documentation for more detail
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey Joel.
Thanks for the advice!
I was able to solve the problem and have the ssl connection become trusted.
Barbican seems to be authenticating correctly to the KMIP server as well
now.
However, I have another problem.
When I try to store a plain text secret into barbican I receive the
following error:
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line 104,
in handler
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
90, in enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
146, in content_types_enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/secrets.py", line
326, in on_post
transport_key_id=data.get('transport_key_id'))
File "/home/swift/barbican/barbican/plugin/resources.py", line 95, in
store_secret
plugin_name=plugin_name)
File "/home/swift/barbican/barbican/plugin/interface/secret_store.py",
line 478, in _check_plugins_configured
return plugin_related_function(self, *args, **kwargs)
File "/home/swift/barbican/barbican/plugin/interface/secret_store.py",
line 513, in get_plugin_store
if ext.obj.store_secret_supports(key_spec):
File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line
481, in store_secret_supports
return self.generate_supports(key_spec)
File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line
437, in generate_supports
alg_dict_entry = self.valid_alg_dict.get(key_spec.alg.lower())
AttributeError: 'NoneType' object has no attribute 'lower'
I don't really know what could be causing this error. Any ideas?
Regards,
CHRIS SOLIS
From: "Coffman, Joel M."
To: "'OpenStack Development Mailing List (not for usage
questions)'" , Christopher N
Solis/Austin/IBM@IBMUS
Cc: "Reller, Nathan S." , "Farr, Kaitlin
M." , "Coffman, Joel M."
Date: 04/16/2015 03:22 PM
Subject:RE: [openstack-dev] [barbican] Utilizing the KMIP plugin
However, I cannot not make a request to the kmip plugin because of an ssl
error:
The keyfile, certfile, and ca_certs are passed directly to ssl.wrap_socket.
Debugging any SSL errors isn’t easy – Google is generally the best resource
to identify and resolve issues based on the error codes returned by
OpenSSL. :-(
What exactly is each variable suppose to contain?
See the ssl.wrap_socket documentation for more details.
I have keyfile and certfile being a self signed certificate and 2048 bit
RSA key respectively for barbican to use and ca_certs is the kmip_plugins'
certificate for barbican to trust. Does this setup sound right?
In the sentence, you swap the key and certificate (i.e., the RSA key should
be the keyfile and the self-signed certificate should be the certfile), but
that’s probably not the real issue. :-)
If credentials (i.e., a key and certificate) weren’t provided to you for
the KMIP appliance, you’ll probably need to have the KMIP appliance sign
your self-signed certificate so it knows that it’s valid. The procedure
differs by appliance but loosely resembles the following:
1. Generate key and certificate on local machine using OpenSSL
2. Upload certificate to KMIP appliance
3. Sign the certificate using the KMIP appliance’s server
certificate
Alternatively, a key and certificate could be provided for the KMIP
appliance; you would use those files rather than generating them locally.
Hope that information is helpful.
Joel
From: John Wood [mailto:john.w...@rackspace.com]
Sent: Wednesday, April 15, 2015 9:19 AM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.; Farr, Kaitlin M.
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher,
I’m glad you are making progress. I’m including two folks that worked on
the KMIP plugin to see if they can help with your error diagnosis.
Thanks,
John
From: Christopher N Solis
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Date: Tuesday, April 14, 2015 at 10:21 AM
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John.
Thanks!
You were right. It was reading the config from the /root directory because
I switched to the root user.
After switching back to the normal user it is reading the correct config
file again.
It is trying to use the kmip plugin now.
However, I cannot not make a request to the kmip plugin because of an ssl
error:
2015-04-14 10:02:26,219 - barbican.plugin.kmip_secr
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
However, I cannot not make a request to the kmip plugin because of an ssl error: The keyfile, certfile, and ca_certs are passed directly to ssl.wrap_socket. Debugging any SSL errors isn't easy - Google is generally the best resource to identify and resolve issues based on the error codes returned by OpenSSL. :-( What exactly is each variable suppose to contain? See the ssl.wrap_socket documentation for more details. I have keyfile and certfile being a self signed certificate and 2048 bit RSA key respectively for barbican to use and ca_certs is the kmip_plugins' certificate for barbican to trust. Does this setup sound right? In the sentence, you swap the key and certificate (i.e., the RSA key should be the keyfile and the self-signed certificate should be the certfile), but that's probably not the real issue. :-) If credentials (i.e., a key and certificate) weren't provided to you for the KMIP appliance, you'll probably need to have the KMIP appliance sign your self-signed certificate so it knows that it's valid. The procedure differs by appliance but loosely resembles the following: 1. Generate key and certificate on local machine using OpenSSL 2. Upload certificate to KMIP appliance 3. Sign the certificate using the KMIP appliance's server certificate Alternatively, a key and certificate could be provided for the KMIP appliance; you would use those files rather than generating them locally. Hope that information is helpful. Joel From: John Wood [mailto:john.w...@rackspace.com] Sent: Wednesday, April 15, 2015 9:19 AM To: OpenStack Development Mailing List (not for usage questions) Cc: Reller, Nathan S.; Farr, Kaitlin M. Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, I'm glad you are making progress. I'm including two folks that worked on the KMIP plugin to see if they can help with your error diagnosis. Thanks, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: Tuesday, April 14, 2015 at 10:21 AM To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. Thanks! You were right. It was reading the config from the /root directory because I switched to the root user. After switching back to the normal user it is reading the correct config file again. It is trying to use the kmip plugin now. However, I cannot not make a request to the kmip plugin because of an ssl error: 2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error opening or writing to client Traceback (most recent call last): File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line 167, in generate_symmetric_key self.client.open() File "/home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py", line 86, in open self.socket.connect((self.host, self.port)) File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 333, in connect self._real_connect(addr, False) File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 314, in _real_connect self.ca_certs, self.ciphers) SSLError: [Errno 0] _ssl.c:343: error::lib(0):func(0):reason(0) I believe there is a problem in the KMIP plugin part of the barbican-api.conf file: keyfile = '/path/to/certs/cert.key' certfile = '/path/to/certs/cert.crt' ca_certs = '/path/to/certs/LocalCA.crt' What exactly is each variable suppose to contain? I have keyfile and certfile being a self signed certificate and 2048 bit RSA key respectively for barbican to use and ca_certs is the kmip_plugins' certificate for barbican to trust. Does this setup sound right? Regards, Christopher Solis [Inactive hide details for John Wood ---04/10/2015 07:24:59 PM---Hello Christopher, It does seem that configs are being read for]John Wood ---04/10/2015 07:24:59 PM---Hello Christopher, It does seem that configs are being read for another location. Try to remove that From: John Wood mailto:john.w...@rackspace.com>> To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: 04/10/2015 07:24 PM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, It does seem that configs are being read for another location. Try to remove that copy in you home directory (so just keep the /etc location). If you see the same issue, try to rename your /etc/barbican/barbican-api.conf file to something else. Barbican should crash, probably with a No SQL connection error. Also, double c
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher, I’m glad you are making progress. I’m including two folks that worked on the KMIP plugin to see if they can help with your error diagnosis. Thanks, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: Tuesday, April 14, 2015 at 10:21 AM To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. Thanks! You were right. It was reading the config from the /root directory because I switched to the root user. After switching back to the normal user it is reading the correct config file again. It is trying to use the kmip plugin now. However, I cannot not make a request to the kmip plugin because of an ssl error: 2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error opening or writing to client Traceback (most recent call last): File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line 167, in generate_symmetric_key self.client.open() File "/home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py", line 86, in open self.socket.connect((self.host, self.port)) File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 333, in connect self._real_connect(addr, False) File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 314, in _real_connect self.ca_certs, self.ciphers) SSLError: [Errno 0] _ssl.c:343: error::lib(0):func(0):reason(0) I believe there is a problem in the KMIP plugin part of the barbican-api.conf file: keyfile = '/path/to/certs/cert.key' certfile = '/path/to/certs/cert.crt' ca_certs = '/path/to/certs/LocalCA.crt' What exactly is each variable suppose to contain? I have keyfile and certfile being a self signed certificate and 2048 bit RSA key respectively for barbican to use and ca_certs is the kmip_plugins' certificate for barbican to trust. Does this setup sound right? Regards, Christopher Solis [Inactive hide details for John Wood ---04/10/2015 07:24:59 PM---Hello Christopher, It does seem that configs are being read for]John Wood ---04/10/2015 07:24:59 PM---Hello Christopher, It does seem that configs are being read for another location. Try to remove that From: John Wood mailto:john.w...@rackspace.com>> To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: 04/10/2015 07:24 PM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, It does seem that configs are being read for another location. Try to remove that copy in you home directory (so just keep the /etc location). If you see the same issue, try to rename your /etc/barbican/barbican-api.conf file to something else. Barbican should crash, probably with a No SQL connection error. Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and try running ‘pip install -e .’ again in your virtual environment. FWIW, this CR adds better logging of plugin errors once the loading problem you have is figured out: https://review.openstack.org/#/c/171868/ Thanks, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: Thursday, April 9, 2015 at 1:55 PM To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. Thanks for letting me know about the error. But I think my configuration is not seeing the kmip_plugin selection. In my barbican-api.conf file in /etc/barbican I have set enabled_secretstore_plugins = kmip_plugin However, I don't think it is creating a KMIPSecretStore instance. I edited the code in kmip_secret_store.py and put a breakpoint at the very beginning of the init function. When I make a barbican request to put a secret in there, it did not stop at the breakpoint at all. I put another breakpoint in the store_crypto.py file inside the init function for the StoreCryptoAdapterPlugin and I was able to enter the code at that breakpoint. So even though in my barbican-api.conf file I specified kmip_plugin it seems to be using the store_crypto plugin instead. Is there something that might cause this to happen? I also want to note that my code has the most up to date pull from the community code. Here's what my /etc/barbican/barbican-api.conf file has in it: # = Secret Store Plugin === [s
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John.
Thanks!
You were right. It was reading the config from the /root directory because
I switched to the root user.
After switching back to the normal user it is reading the correct config
file again.
It is trying to use the kmip plugin now.
However, I cannot not make a request to the kmip plugin because of an ssl
error:
2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error
opening or writing to client
Traceback (most recent call last):
File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line
167, in generate_symmetric_key
self.client.open()
File
"/home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py",
line 86, in open
self.socket.connect((self.host, self.port))
File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 333,
in connect
self._real_connect(addr, False)
File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 314,
in _real_connect
self.ca_certs, self.ciphers)
SSLError: [Errno 0] _ssl.c:343: error::lib(0):func(0):reason(0)
I believe there is a problem in the KMIP plugin part of the
barbican-api.conf file:
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
ca_certs = '/path/to/certs/LocalCA.crt'
What exactly is each variable suppose to contain?
I have keyfile and certfile being a self signed certificate and 2048 bit
RSA key respectively for barbican to use and
ca_certs is the kmip_plugins' certificate for barbican to trust. Does this
setup sound right?
Regards,
Christopher Solis
From: John Wood
To: "OpenStack Development Mailing List (not for usage questions)"
Date: 04/10/2015 07:24 PM
Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher,
It does seem that configs are being read for another location. Try to
remove that copy in you home directory (so just keep the /etc location). If
you see the same issue, try to rename your /etc/barbican/barbican-api.conf
file to something else. Barbican should crash, probably with a No SQL
connection error.
Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and
try running ‘pip install -e .’ again in your virtual environment.
FWIW, this CR adds better logging of plugin errors once the loading problem
you have is figured out: https://review.openstack.org/#/c/171868/
Thanks,
John
From: Christopher N Solis
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Date: Thursday, April 9, 2015 at 1:55 PM
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John.
Thanks for letting me know about the error. But I think my configuration is
not seeing the kmip_plugin selection.
In my barbican-api.conf file in /etc/barbican I have set
enabled_secretstore_plugins = kmip_plugin
However, I don't think it is creating a KMIPSecretStore instance.
I edited the code in kmip_secret_store.py and put a breakpoint at the very
beginning of the init function.
When I make a barbican request to put a secret in there, it did not stop at
the breakpoint at all.
I put another breakpoint in the store_crypto.py file inside the init
function for the StoreCryptoAdapterPlugin and I
was able to enter the code at that breakpoint.
So even though in my barbican-api.conf file I specified kmip_plugin it
seems to be using the store_crypto plugin instead.
Is there something that might cause this to happen?
I also want to note that my code has the most up to date pull from the
community code.
Here's what my /etc/barbican/barbican-api.conf file has in it:
# = Secret Store Plugin ===
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = kmip_plugin
...
...
...
# == KMIP plugin =
[kmip_plugin]
username = '**'
password = '**'
host = 10.0.2.15
port = 5696
keyfile = '/etc/barbican/rootCA.key'
certfile = '/etc/barbican/rootCA.pem'
ca_certs = '/etc/barbican/rootCA.pem'
Regards,
Christopher Solis
Inactive hide details for John Wood ---04/08/2015 03:16:58 PM---Hello
Christopher, My local configuration is indeed seeing the John Wood
---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is
indeed seeing the kmip_plugin selection, but when steve
From: John Wood
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Date: 04/08/2015 03:16 PM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher,
My local configuration is indeed seeing the kmip_plugin selection, but when
stevedor
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher, It does seem that configs are being read for another location. Try to remove that copy in you home directory (so just keep the /etc location). If you see the same issue, try to rename your /etc/barbican/barbican-api.conf file to something else. Barbican should crash, probably with a No SQL connection error. Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and try running ‘pip install -e .’ again in your virtual environment. FWIW, this CR adds better logging of plugin errors once the loading problem you have is figured out: https://review.openstack.org/#/c/171868/ Thanks, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: Thursday, April 9, 2015 at 1:55 PM To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. Thanks for letting me know about the error. But I think my configuration is not seeing the kmip_plugin selection. In my barbican-api.conf file in /etc/barbican I have set enabled_secretstore_plugins = kmip_plugin However, I don't think it is creating a KMIPSecretStore instance. I edited the code in kmip_secret_store.py and put a breakpoint at the very beginning of the init function. When I make a barbican request to put a secret in there, it did not stop at the breakpoint at all. I put another breakpoint in the store_crypto.py file inside the init function for the StoreCryptoAdapterPlugin and I was able to enter the code at that breakpoint. So even though in my barbican-api.conf file I specified kmip_plugin it seems to be using the store_crypto plugin instead. Is there something that might cause this to happen? I also want to note that my code has the most up to date pull from the community code. Here's what my /etc/barbican/barbican-api.conf file has in it: # = Secret Store Plugin === [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin ... ... ... # == KMIP plugin = [kmip_plugin] username = '**' password = '**' host = 10.0.2.15 port = 5696 keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' Regards, Christopher Solis [Inactive hide details for John Wood ---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is indeed seeing the]John Wood ---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when steve From: John Wood mailto:john.w...@rackspace.com>> To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: 04/08/2015 03:16 PM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when stevedore tries to load the KMIP plugin it crashes because required files are missing in my local environment (see https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131) for example. Stevedore logs the exception but then doesn’t load this module, so when Barbican asks for an available plugin it doesn’t see it and crashes as you see. So the root exception from stevedore isn’t showing up in my logs for some reason, and probably not in yours as well. We’ll try to put up a CR to at least expose this exception in logs. In the mean time, make sure the KMIP values checked via that link above are configured on your machine. Sorry for the inconvenience, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: Wednesday, April 8, 2015 at 11:27 AM To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. I do have the barbican-api.conf file located in the /etc/barbican folder. But that does not seem to be the one that barbican reads from. It seems to be reading from the barbican-api.conf file locate in my home directory. Either way, both have the exact same configurations. I also checked the setup.cfg file and it does have the line for kmip_plugin . Regards, CHRIS SOLIS [Inactive hide details for John Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.conf]John Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that ba
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John.
Thanks for letting me know about the error. But I think my configuration is
not seeing the kmip_plugin selection.
In my barbican-api.conf file in /etc/barbican I have set
enabled_secretstore_plugins = kmip_plugin
However, I don't think it is creating a KMIPSecretStore instance.
I edited the code in kmip_secret_store.py and put a breakpoint at the very
beginning of the init function.
When I make a barbican request to put a secret in there, it did not stop at
the breakpoint at all.
I put another breakpoint in the store_crypto.py file inside the init
function for the StoreCryptoAdapterPlugin and I
was able to enter the code at that breakpoint.
So even though in my barbican-api.conf file I specified kmip_plugin it
seems to be using the store_crypto plugin instead.
Is there something that might cause this to happen?
I also want to note that my code has the most up to date pull from the
community code.
Here's what my /etc/barbican/barbican-api.conf file has in it:
# = Secret Store Plugin ===
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = kmip_plugin
...
...
...
# == KMIP plugin =
[kmip_plugin]
username = '**'
password = '**'
host = 10.0.2.15
port = 5696
keyfile = '/etc/barbican/rootCA.key'
certfile = '/etc/barbican/rootCA.pem'
ca_certs = '/etc/barbican/rootCA.pem'
Regards,
Christopher Solis
From: John Wood
To: "OpenStack Development Mailing List (not for usage questions)"
Date: 04/08/2015 03:16 PM
Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher,
My local configuration is indeed seeing the kmip_plugin selection, but when
stevedore tries to load the KMIP plugin it crashes because required files
are missing in my local environment (see
https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131
) for example.
Stevedore logs the exception but then doesn’t load this module, so when
Barbican asks for an available plugin it doesn’t see it and crashes as you
see. So the root exception from stevedore isn’t showing up in my logs for
some reason, and probably not in yours as well. We’ll try to put up a CR to
at least expose this exception in logs. In the mean time, make sure the
KMIP values checked via that link above are configured on your machine.
Sorry for the inconvenience,
John
From: Christopher N Solis
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Date: Wednesday, April 8, 2015 at 11:27 AM
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John.
I do have the barbican-api.conf file located in the /etc/barbican folder.
But that does not seem to be the one that barbican
reads from. It seems to be reading from the barbican-api.conf file locate
in my home directory.
Either way, both have the exact same configurations.
I also checked the setup.cfg file and it does have the line for
kmip_plugin .
Regards,
CHRIS SOLIS
Inactive hide details for John Wood ---04/07/2015 10:39:18 AM---Hello
Christopher, Just checking, but is that barbican-api.confJohn Wood
---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that
barbican-api.conf file located in your local system's
From: John Wood
To: "openstack-dev@lists.openstack.org"
Date: 04/07/2015 10:39 AM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher,
Just checking, but is that barbican-api.conf file located in your local
system’s /etc/barbican folder? If not that is the preferred place for local
development. Modifying the copy that is in your local git repository will
have no effect.
Also, please double check that your local git repository’s setup.cfg has a
line like this in there (at/around #35):
kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore
Thanks,
John
From: Christopher N Solis
Reply-To: "openstack-dev@lists.openstack.org" <
openstack-dev@lists.openstack.org>
Date: Monday, April 6, 2015 at 10:25 AM
To: "openstack-dev@lists.openstack.org"
Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello!
Sorry to Kaitlin Farr for not responding directly to your e-mail.
My openstack settings were misconfigured and I was not receiving e-mail
from the dev mailing list.
Thanks for looking into the issue.
I double checked the permissions at the bottom of the kmip_plugin part in
the barbican-api.conf file
and they are set to 400.
I would also like to note that I do not think the code ever actually
entered the __init__ function
of KMIPSecretStore. I put a breakpoint in the __init__ function but the
debugger never
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when stevedore tries to load the KMIP plugin it crashes because required files are missing in my local environment (see https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131) for example. Stevedore logs the exception but then doesn't load this module, so when Barbican asks for an available plugin it doesn't see it and crashes as you see. So the root exception from stevedore isn't showing up in my logs for some reason, and probably not in yours as well. We'll try to put up a CR to at least expose this exception in logs. In the mean time, make sure the KMIP values checked via that link above are configured on your machine. Sorry for the inconvenience, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Date: Wednesday, April 8, 2015 at 11:27 AM To: "OpenStack Development Mailing List (not for usage questions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. I do have the barbican-api.conf file located in the /etc/barbican folder. But that does not seem to be the one that barbican reads from. It seems to be reading from the barbican-api.conf file locate in my home directory. Either way, both have the exact same configurations. I also checked the setup.cfg file and it does have the line for kmip_plugin . Regards, CHRIS SOLIS [Inactive hide details for John Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.conf]John Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system's From: John Wood mailto:john.w...@rackspace.com>> To: "openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>" mailto:openstack-dev@lists.openstack.org>> Date: 04/07/2015 10:39 AM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system's /etc/barbican folder? If not that is the preferred place for local development. Modifying the copy that is in your local git repository will have no effect. Also, please double check that your local git repository's setup.cfg has a line like this in there (at/around #35): kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore Thanks, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>" mailto:openstack-dev@lists.openstack.org>> Date: Monday, April 6, 2015 at 10:25 AM To: "openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>" mailto:openstack-dev@lists.openstack.org>> Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open. The error occurs and returns without ever seeming to enter the init function. Here are the parts of the barbican-api.conf file that concern the kmip_plugin: . [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin . [kmip_plugin] username = '**' password = '**' host = port = keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' ... Thank You!! Regards, Christopher Solis__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org<mailto:openstack-dev-requ...@lists.openstack.org>?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John. I do have the barbican-api.conf file located in the /etc/barbican folder. But that does not seem to be the one that barbican reads from. It seems to be reading from the barbican-api.conf file locate in my home directory. Either way, both have the exact same configurations. I also checked the setup.cfg file and it does have the line for kmip_plugin . Regards, CHRIS SOLIS From: John Wood To: "openstack-dev@lists.openstack.org" Date: 04/07/2015 10:39 AM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system’s /etc/barbican folder? If not that is the preferred place for local development. Modifying the copy that is in your local git repository will have no effect. Also, please double check that your local git repository’s setup.cfg has a line like this in there (at/around #35): kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore Thanks, John From: Christopher N Solis Reply-To: "openstack-dev@lists.openstack.org" < openstack-dev@lists.openstack.org> Date: Monday, April 6, 2015 at 10:25 AM To: "openstack-dev@lists.openstack.org" Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open. The error occurs and returns without ever seeming to enter the init function. Here are the parts of the barbican-api.conf file that concern the kmip_plugin: . [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin . [kmip_plugin] username = '**' password = '**' host = port = keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' ... Thank You!! Regards, Christopher Solis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system's /etc/barbican folder? If not that is the preferred place for local development. Modifying the copy that is in your local git repository will have no effect. Also, please double check that your local git repository's setup.cfg has a line like this in there (at/around #35): kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore Thanks, John From: Christopher N Solis mailto:cnso...@us.ibm.com>> Reply-To: "openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>" mailto:openstack-dev@lists.openstack.org>> Date: Monday, April 6, 2015 at 10:25 AM To: "openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>" mailto:openstack-dev@lists.openstack.org>> Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open. The error occurs and returns without ever seeming to enter the init function. Here are the parts of the barbican-api.conf file that concern the kmip_plugin: . [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin . [kmip_plugin] username = '**' password = '**' host = port = keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' ... Thank You!! Regards, Christopher Solis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Utilizing the KMIP plugin
Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open. The error occurs and returns without ever seeming to enter the init function. Here are the parts of the barbican-api.conf file that concern the kmip_plugin: . [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin . [kmip_plugin] username = '**' password = '**' host = port = keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' ... Thank You!! Regards, Christopher Solis__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hi Chris,
I would be happy to help you with the trouble you've encountered using the
KMIP plugin. From what you've described, it sounds like you have everything
set up correctly. If you've specified kmip_plugin under
enabled_secret_store_plugins, then the reason it would give you
SecretStorePluginsNotConfigured is if it had encountered an error in the
KMIPSecretStore __init__ method. Just to be sure, the permissions of the file
that you specified under the "keyfile" config option are 400, correct? Are
there any other error messages earlier in the logs?
Feel free to pass along your barbican-api.conf (changing any proprietary
information, of course) if you'd like another set of eyes to look at it.
Thanks,
Kaitlin Farr
Software Engineer
JHU/APL
-
Message: 39
Date: Fri, 3 Apr 2015 15:03:10 -0500
From: Christopher N Solis
To: openstack-dev@lists.openstack.org
Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin
Message-ID:
Content-Type: text/plain; charset="us-ascii"
Hello!
I am having some trouble with the kmip_plugin and would like some help.
When I make a call to barbican to store a secret it returns the following
error:
2015-04-03 12:33:17,279 - barbican.api.controllers - ERROR - Secret
creation failure seen - please contact site administrator.
Traceback (most recent call last):
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
98, in handler
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
84, in enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
140, in content_types_enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/secrets.py", line
294, in on_post
transport_key_id=data.get('transport_key_id'))
File "/home/swift/barbican/barbican/plugin/resources.py", line 101, in
store_secret
key_spec=key_spec, plugin_name=plugin_name)
File "/home/swift/barbican/barbican/plugin/interface/secret_store.py",
line 477, in _check_plugins_configured
raise SecretStorePluginsNotConfigured()
SecretStorePluginsNotConfigured: No secret store plugins have been
configured
In the barbican-api.conf file I have set enabled_secretstore_plugins to
kmip_plugin.
I have also updated the kmip_plugin part of the file to point to the host
and port where my kmip Key Manager is running
with all the required credentials and ssl certs.
I also made sure the ssl requirements are set to permissions 400.
Is there something I am missing that is causing this problem?
Thank You!!
- Christopher Solis
Regards,
CHRIS SOLIS
Software Developer - Cloud Infrastructure Services Security
Phone: 1-512-286-6458 | Mobile:IBM
1-210-844-5913
E-mail: cnso...@us.ibm.com 11501 Burnet Rd
Austin, TX 78758-3400
United States
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Utilizing the KMIP plugin
Hello!
I am having some trouble with the kmip_plugin and would like some help.
When I make a call to barbican to store a secret it returns the following
error:
2015-04-03 12:33:17,279 - barbican.api.controllers - ERROR - Secret
creation failure seen - please contact site administrator.
Traceback (most recent call last):
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
98, in handler
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
84, in enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/__init__.py", line
140, in content_types_enforcer
return fn(inst, *args, **kwargs)
File "/home/swift/barbican/barbican/api/controllers/secrets.py", line
294, in on_post
transport_key_id=data.get('transport_key_id'))
File "/home/swift/barbican/barbican/plugin/resources.py", line 101, in
store_secret
key_spec=key_spec, plugin_name=plugin_name)
File "/home/swift/barbican/barbican/plugin/interface/secret_store.py",
line 477, in _check_plugins_configured
raise SecretStorePluginsNotConfigured()
SecretStorePluginsNotConfigured: No secret store plugins have been
configured
In the barbican-api.conf file I have set enabled_secretstore_plugins to
kmip_plugin.
I have also updated the kmip_plugin part of the file to point to the host
and port where my kmip Key Manager is running
with all the required credentials and ssl certs.
I also made sure the ssl requirements are set to permissions 400.
Is there something I am missing that is causing this problem?
Thank You!!
- Christopher Solis
Regards,
CHRIS SOLIS
Software Developer - Cloud Infrastructure Services Security
Phone: 1-512-286-6458 | Mobile:IBM
1-210-844-5913
E-mail: cnso...@us.ibm.com 11501 Burnet Rd
Austin, TX 78758-3400
United States
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
