# A Heat environment file to enable the barbican PKCS11 crypto backend. Note
# that barbican needs to be enabled in order to use this.
parameter_defaults:
  # In order to use this backend, you need to uncomment these values and
  # provide the appropriate values.
  #
  # BarbicanPkcs11CryptoLogin: Password to login to PKCS11 session
  # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
  # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin

  BarbicanPkcs11CryptoLibraryPath:         '/usr/lib64/libnethsm.so'
  BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
  BarbicanPkcs11CryptoHMACKeyType:         'CKK_GENERIC_SECRET'
  BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_GENERIC_SECRET_KEY_GEN'
  BarbicanPkcs11CryptoMKEKLabel:           'barbican_mkek_0'
  BarbicanPkcs11CryptoMKEKLength:          32
  BarbicanPkcs11CryptoHMACLabel:           'barbican_hmac_0'
  BarbicanPkcs11CryptoATOSEnabled:         true
  BarbicanPkcs11CryptoEnabled:             true
  BarbicanPkcs11AlwaysSetCkaSensitive:     false
  ATOSVars:
    atos_client_working_dir: /tmp/atos_client_install
    # atos_client_iso_location:
    # atos_client_iso_name:
    # atos_client_cert_location:
    # atos_client_key_loaction:
    # atos_hsm_ip_address:

resource_registry:
  OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml