红帽全球峰会3.3. 将 OpenStack Key Manager (barbican)与 Entrust nShield Connect XC HSM 集成
要将 PKCSFeature 后端与您的 Entrust nShield Connect XC HSM 集成,请使用 Ansible 角色在 Controller 上下载并安装 Entrust 客户端软件,并创建一个 Barbican 配置文件使其包含预定义的 HSM IP 和凭证。
前提条件
- 为 Entrust nShield Connect XC 提供厂商软件的密码保护 HTTPS 服务器。
流程
为 Barbican 创建
configure-barbican.yaml环境文件,并添加特定于您的环境的参数。使用以下片断作为示例:parameter_defaults: SwiftEncryptionEnabled: true ComputeExtraConfig: nova::glance::verify_glance_signatures: true nova::compute::verify_glance_signatures: true BarbicanPkcs11CryptoLogin: 'sample string' BarbicanPkcs11CryptoSlotId: '492971158' BarbicanPkcs11CryptoGlobalDefault: true BarbicanPkcs11CryptoLibraryPath: '/opt/nfast/toolkits/pkcs11/libcknfast.so' BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC' BarbicanPkcs11CryptoHMACKeyType: 'CKK_SHA256_HMAC' BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_NC_SHA256_HMAC_KEY_GEN' BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_10' BarbicanPkcs11CryptoMKEKLength: '32' BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_10' BarbicanPkcs11CryptoThalesEnabled: true BarbicanPkcs11CryptoEnabled: true ThalesVars: thales_client_working_dir: /tmp/thales_client_install thales_client_tarball_location: https://your server/CipherTools-linux64-dev-12.40.2.tgz thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz thales_client_path: linux/libc6_11/amd64/nfast thales_client_uid: 42481 thales_client_gid: 42481 thales_km_data_location: https://your server/kmdata_post_card_creation.tar.gz thales_km_data_tarball_name: kmdata_post_card_creation.tar.gz thales_hsm_ip_address: 192.168.10.10 thales_rfs_server_ip_address: 192.168.10.11 thales_hsm_config_location: hsm-C90E-02E0-D947 thales_rfs_user: root thales_rfs_key: | -----BEGIN RSA PRIVATE KEY----- Sample private key -----END RSA PRIVATE KEY----- resource_registry: OS::TripleO::Services::BarbicanBackendPkcs11Crypto: /home/stack/tripleo-heat-templates/puppet/services/barbican-backend-pkcs11-crypto.yamlExpand 表 3.4. Heat 参数 参数 值 BarbicanSimpleCryptoGlobalDefault
这是一个布尔值,用于确定
simplecrypto是否为全局默认值。BarbicanPkcs11GlobalDefault
这是一个布尔值,用于确定
PKCS Filestore是否为全局默认值。BarbicanPkcs11CryptoSlotId
Barbican 使用的虚拟 HSM 的插槽 ID。
BarbicanPkcs11CryptoMKEKLabel
此参数定义 HSM 中生成的 mKEK 的名称。director 使用这个名称在 HSM 中创建此密钥。
BarbicanPkcs11CryptoHMACLabel
此参数定义 HSM 中生成的 HMAC 密钥的名称。director 使用这个名称在 HSM 中创建此密钥。
ThalesVars
thales_client_working_dir
用户定义的临时工作目录。
thales_client_tarball_location
指定 Entrust 软件的 HTTPS 服务器位置的 URL。
thales_km_data_tarball_name
Entrust 软件 tarball 的名称。
thales_rfs_key
用于获取与 RFS 服务器的 SSH 连接的私钥。您必须将它添加为 RFS 服务器的授权密钥。
包含自定义
configure-barbican.yaml环境文件,以及barbican.yaml和 Thales 特定的barbican-backend-pkcs11-thales.yaml环境文件,以及运行openstack overcloud deploy命令时部署所需的任何其他模板:$ openstack overcloud deploy \ --timeout 100 \ --templates /usr/share/openstack-tripleo-heat-templates \ --stack overcloud \ --libvirt-type kvm \ --ntp-server clock.redhat.com \ -e /home/stack/containers-prepare-parameter.yaml \ -e /home/stack/templates/config_lvm.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \ -e /home/stack/templates/network/network-environment.yaml \ -e /home/stack/templates/hostnames.yml \ -e /home/stack/templates/nodes_data.yaml \ -e /home/stack/templates/extra_templates.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/services/barbican.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-pkcs11-thales.yaml \ -e /home/stack/templates/configure-barbican.yaml \ --log-file overcloud_deployment_with_atos.log
验证
创建测试 secret:
$ openstack secret store --name testSecret --payload 'TestPayload' +---------------+------------------------------------------------------------------------------------+ | Field | Value | +---------------+------------------------------------------------------------------------------------+ | Secret href | https://192.168.123.163/key-manager/v1/secrets/4cc5ffe0-eea2-449d-9e64-b664d574be53 | | Name | testSecret | | Created | None | | Status | None | | Content types | None | | Algorithm | aes | | Bit length | 256 | | Secret type | opaque | | Mode | cbc | | Expiration | None | +---------------+------------------------------------------------------------------------------------+检索您刚才创建的 secret 的有效负载:
openstack secret get https://192.168.123.163/key-manager/v1/secrets/4cc5ffe0-eea2-449d-9e64-b664d574be53 --payload +---------+-------------+ | Field | Value | +---------+-------------+ | Payload | TestPayload | +---------+-------------+
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}