Fix can't find /usr/lib/libCryptoki2_64.so in barbican
Link https://docs.openstack.org/project-install-guide/key-manager/newton/barbican-backend.html#simple-crypto-plugin Change-Id: I351738c2a98090c56ac69e477fbe5ddec4cc5b26 Closes-Bug: #1672001
parent
c0df4ab8b6
commit
6d0e31f232
@ -437,6 +437,13 @@ ceilometer_database_type: "mongodb"
|
|||||||
ceilometer_event_type: "mongodb"
|
ceilometer_event_type: "mongodb"
|
||||||
|
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# Barbican options
|
||||||
|
#######################
|
||||||
|
# Valid options are [ simple_crypto, p11_crypto ]
|
||||||
|
barbican_crypto_plugin: "simple_crypto"
|
||||||
|
barbican_library_path: "/usr/lib/libCryptoki2_64.so"
|
||||||
|
|
||||||
########################
|
########################
|
||||||
### Panko options
|
### Panko options
|
||||||
########################
|
########################
|
||||||
|
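Review bot: The new default `barbican_crypto_plugin: "simple_crypto"` has no comment explaining what the choice means for key custody. With `simple_crypto` the template in this commit renders the KEK into barbican.conf on the host, whereas `p11_crypto` keeps the master key in the HSM reached through `barbican_library_path`. I would extend the comment above the option, for example `# simple_crypto keeps the KEK in barbican.conf (software only); p11_crypto keeps it in a PKCS#11 HSM`, and add `# Only used when barbican_crypto_plugin is p11_crypto` above `barbican_library_path`.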
@ -2,7 +2,6 @@
|
|||||||
debug = {{ barbican_logging_debug }}
|
debug = {{ barbican_logging_debug }}
|
||||||
log_dir = /var/log/kolla/barbican
|
log_dir = /var/log/kolla/barbican
|
||||||
|
|
||||||
|
|
||||||
bind_port = {{ barbican_api_port }}
|
bind_port = {{ barbican_api_port }}
|
||||||
bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
||||||
host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
|
host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
|
||||||
@ -23,11 +22,12 @@ enabled_secretstore_plugins = store_crypto
|
|||||||
# ================= Crypto plugin ===================
|
# ================= Crypto plugin ===================
|
||||||
[crypto]
|
[crypto]
|
||||||
namespace = barbican.crypto.plugin
|
namespace = barbican.crypto.plugin
|
||||||
enabled_crypto_plugins = p11_crypto
|
enabled_crypto_plugins = {{ barbican_crypto_plugin }}
|
||||||
|
|
||||||
|
{% if barbican_crypto_plugin == 'p11_crypto' %}
|
||||||
[p11_crypto_plugin]
|
[p11_crypto_plugin]
|
||||||
# Path to vendor PKCS11 library
|
# Path to vendor PKCS11 library
|
||||||
library_path = '/usr/lib/libCryptoki2_64.so'
|
library_path = {{ barbican_library_path }}
|
||||||
# Password to login to PKCS11 session
|
# Password to login to PKCS11 session
|
||||||
login = '{{ barbican_p11_password }}'
|
login = '{{ barbican_p11_password }}'
|
||||||
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
|
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
|
||||||
@ -36,6 +36,12 @@ mkek_label = 'kolla_master_kek'
|
|||||||
mkek_length = 32
|
mkek_length = 32
|
||||||
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
|
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
|
||||||
hmac_label = 'kolla_hmac'
|
hmac_label = 'kolla_hmac'
|
||||||
|
{% endif %}
|
||||||
|
{% if barbican_crypto_plugin == 'simple_crypto' %}
|
||||||
|
[simple_crypto_plugin]
|
||||||
|
# the kek should be a 32-byte value which is base64 encoded
|
||||||
|
kek = '{{ barbican_crypto_password }}'
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
[keystone_notifications]
|
[keystone_notifications]
|
||||||
|
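Review bot: The new `[simple_crypto_plugin]` section renders `kek = '{{ barbican_crypto_password }}'`, but the only secret this commit adds to the passwords file and to the generator is `barbican_crypto_key`. Unless `barbican_crypto_password` is defined somewhere not shown on this page, the default `simple_crypto` deployment will either fail on an undefined variable or render a KEK that is not the generated one. The line should read `kek = '{{ barbican_crypto_key }}'`. As a smaller point, the two independent `{% if %}` blocks emit no plugin section at all when `barbican_crypto_plugin` holds any other value, so a typo in that option would go unnoticed until Barbican starts.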
@ -240,6 +240,14 @@ kolla_internal_vip_address: "10.10.10.254"
|
|||||||
# Valid options are [ mongodb, gnocchi, panko ]
|
# Valid options are [ mongodb, gnocchi, panko ]
|
||||||
#ceilometer_event_type: "mongodb"
|
#ceilometer_event_type: "mongodb"
|
||||||
|
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# Barbican options
|
||||||
|
#######################
|
||||||
|
# Valid options are [ simple_crypto, p11_crypto ]
|
||||||
|
#barbican_crypto_plugin: "simple_crypto"
|
||||||
|
#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
## Panko options
|
## Panko options
|
||||||
#######################
|
#######################
|
||||||
|
@ -30,6 +30,8 @@ aodh_keystone_password:
|
|||||||
barbican_database_password:
|
barbican_database_password:
|
||||||
barbican_keystone_password:
|
barbican_keystone_password:
|
||||||
barbican_p11_password:
|
barbican_p11_password:
|
||||||
|
barbican_crypto_key:
|
||||||
|
|
||||||
|
|
||||||
keystone_admin_password:
|
keystone_admin_password:
|
||||||
keystone_database_password:
|
keystone_database_password:
|
||||||
|
@ -21,6 +21,7 @@ import sys
|
|||||||
|
|
||||||
from Crypto.PublicKey import RSA
|
from Crypto.PublicKey import RSA
|
||||||
from hashlib import md5
|
from hashlib import md5
|
||||||
|
from hashlib import sha256
|
||||||
from oslo_utils import uuidutils
|
from oslo_utils import uuidutils
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
@ -70,6 +71,9 @@ def main():
|
|||||||
# HMAC-MD5 keys
|
# HMAC-MD5 keys
|
||||||
hmac_md5_keys = ['designate_rndc_key']
|
hmac_md5_keys = ['designate_rndc_key']
|
||||||
|
|
||||||
|
# HMAC-SHA256 keys
|
||||||
|
hmac_sha256_keys = ['barbican_crypto_key']
|
||||||
|
|
||||||
# length of password
|
# length of password
|
||||||
length = 40
|
length = 40
|
||||||
|
|
||||||
@ -96,6 +100,10 @@ def main():
|
|||||||
passwords[k] = (hmac.new(
|
passwords[k] = (hmac.new(
|
||||||
uuidutils.generate_uuid(), '', md5)
|
uuidutils.generate_uuid(), '', md5)
|
||||||
.digest().encode('base64')[:-1])
|
.digest().encode('base64')[:-1])
|
||||||
|
elif k in hmac_sha256_keys:
|
||||||
|
passwords[k] = (hmac.new(
|
||||||
|
uuidutils.generate_uuid(), '', sha256)
|
||||||
|
.digest().encode('base64')[:-1])
|
||||||
else:
|
else:
|
||||||
passwords[k] = ''.join([
|
passwords[k] = ''.join([
|
||||||
random.SystemRandom().choice(
|
random.SystemRandom().choice(
|
||||||
|
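Review bot: The `hmac_sha256_keys` branch builds `barbican_crypto_key` as `hmac.new(uuidutils.generate_uuid(), '', sha256)`, so the 32-byte value carries only the randomness of the UUID used as the HMAC key. That is about 122 bits if `generate_uuid()` returns a version-4 UUID, which this page does not show, and hashing an empty message adds nothing to it. Because the value is intended as the simple_crypto KEK, it is better drawn straight from the OS CSPRNG, e.g. `passwords[k] = base64.b64encode(os.urandom(32))`. That needs `os` and `base64` in scope, and the visible import hunk shows neither. The enclosing `main()` starts and ends outside this hunk.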