[doc] Adjust documentation for Thales Luna

Luna Network HSM configuration was not full, which may raise unnecessary
questions during integration. Also worth mentioning is when store_crypto
has an effect on the barbican behavior.

Change-Id: I33032226d0dd891b9c33c4705fd8627c66bd76d9
Dmitriy Rabotyagov 2020-11-12 14:05:25 +02:00
parent 874cc2b33e
commit 960c5ef519
1 changed files with 52 additions and 5 deletions


@ -70,6 +70,14 @@ The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as follo
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
.. note::
Setting crypto plugins has effect only when `secretstore` plugin is set to
`store_crypto` unless multibackend storage is used.
So, for example, using vault for secretstore and PKCS#11 for crypto will not
work (vault will be responsible for both storage and encryption).
PKCS#11 Crypto Plugin
^^^^^^^^^^^^^^^^^^^^^
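Review bot: the note added at the top of this hunk wraps `secretstore` and `store_crypto` in single backticks, which reStructuredText renders as interpreted text (default role) rather than literal text; use double backticks (``secretstore``, ``store_crypto``) to match ``/etc/barbican/barbican.conf`` in the same paragraph. It would also help to name the actual option, since ``enabled_secretstore_plugins = store_crypto`` is what the later hunks add, e.g. "Crypto plugins take effect only when ``enabled_secretstore_plugins`` is set to ``store_crypto``, unless multi-backend storage is used."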
@ -77,15 +85,16 @@ This crypto plugin can be used to interface with a Hardware Security Module (HSM
using the PKCS#11 protocol.
Secrets are encrypted (and decrypted on retrieval) by a project specific
Key Encryption Key (KEK), which resides in the HSM.
Key Encryption Key (KEK), which in it's turn encrypted with Master Key (MKEK)
and signed with HMAC key. Both MKEK and HMAC resides in the HSM.
The configuration for this plugin in ``/etc/barbican/barbican.conf``.
Settings for some different HSMs are provided below:
Safenet
+++++++
Thales Luna Network HSM (Safenet)
+++++++++++++++++++++++++++++++++
The PKCS#11 plugin configuration looks like:
The PKCS#11 plugin configuration for Luna Network HSM looks like:
.. code-block:: ini
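Review bot: the new KEK sentence in this hunk has grammar problems and is cut off from the line before it ("Key Encryption Key (KEK), which in it's turn encrypted with Master Key (MKEK) and signed with HMAC key. Both MKEK and HMAC resides in the HSM."); suggest "Secrets are encrypted (and decrypted on retrieval) by a project-specific Key Encryption Key (KEK), which in its turn is encrypted with the Master Key (MKEK) and signed with the HMAC key. Both the MKEK and the HMAC key reside in the HSM." The line "The configuration for this plugin in ``/etc/barbican/barbican.conf``." is also left without a verb now that "is as follows:" is gone; either restore it or fold it into the next line ("The configuration for this plugin lives in ``/etc/barbican/barbican.conf``; settings for several HSMs are provided below:").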
@ -94,6 +103,11 @@ The PKCS#11 plugin configuration looks like:
..
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
..
enabled_crypto_plugins = p11_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
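Review bot: the ``enabled_secretstore_plugins = store_crypto`` / ``[crypto]`` / ``enabled_crypto_plugins = p11_crypto`` fragment is added verbatim to each of the four HSM examples in this change (Luna, nCipher, ATOS, Utimaco). Consider stating once, in the note above the PKCS#11 section, that these two options are common to every PKCS#11 setup and keeping the per-HSM blocks to the ``[p11_crypto_plugin]`` section, so the four copies cannot drift apart over time.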
@ -101,7 +115,7 @@ The PKCS#11 plugin configuration looks like:
# Token serial number used to identify the token to be used. Required
# when the device has multiple tokens with the same label. (string
# value)
token_serial_number = 12345678
#token_serial_number = 12345678
# Token label used to identify the token to be used. Required when
# token_serial_number is not specified. (string value)
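Review bot: commenting out ``token_serial_number`` changes which token selector the Luna example relies on. The comments in this very hunk say the serial number is required when several tokens share a label and that ``token_label`` is required when the serial number is not specified, so the example now needs a ``token_label`` value set in the lines that follow; please check that it is set there rather than also left commented out, otherwise a copied configuration will fail to select a token.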
@ -136,6 +150,24 @@ The PKCS#11 plugin configuration looks like:
# Max number of items in pkek cache
# pkek_cache_limit = 100
.. note::
Barbican does not support FIPS mode enabled for SafeNet Luna HSM or
Data Protection on Demand HSM. Make sure that it's operating in non-FIPS
mode while integrating with Barbican.
The HMAC and MKEK keys can be generated as follows:
.. code-block:: ini
barbican-manage hsm gen_hmac --library-path /usr/lib/libCryptoki2_64.so \
--passphrase XXX --slot-id 1 --label thales_hmac_0
.. code-block:: ini
barbican-manage hsm gen_mkek --library-path /usr/lib/libCryptoki2_64.so \
--passphrase XXX --slot-id 1 --label thales_hmac_0
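Review bot: the ``gen_mkek`` command at the end of this hunk reuses ``--label thales_hmac_0``, the same label the ``gen_hmac`` command just used, so a reader copying both commands would create the MKEK under the HMAC key's label (or collide with it); use a distinct label such as ``thales_mkek_0`` and say that these labels must match the ones the plugin is configured with. Two smaller points: both blocks are shell commands but are tagged ``.. code-block:: ini``, where ``console`` or ``bash`` is the right lexer; and ``--passphrase XXX`` on the command line lands in the shell history and the process list, which deserves a sentence next to the example.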
nCipher
+++++++
@ -148,6 +180,11 @@ For a nCipher nShield Connect XC, the plugin configuration looks like:
..
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
..
enabled_crypto_plugins = p11_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/opt/nfast/toolkits/pkcs11/libcknfast.so'
@ -237,6 +274,11 @@ For an ATOS Bull HSM, the plugin configuration looks like:
..
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
..
enabled_crypto_plugins = p11_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib64/libnethsm.so'
@ -320,6 +362,11 @@ The PKCS#11 plugin configuration looks like:
..
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
..
enabled_crypto_plugins = p11_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library (string value)
library_path = '/opt/utimaco/lib/libcs_pkcs11_R2.so'