Wednesday, 2020-11-11

*** d34dh0r53 has quit IRC		03:34
openstackgerrit	wu.shiming proposed openstack/barbican master: Replace deprecated UPPER_CONSTRAINTS_FILE variable https://review.opendev.org/762291	06:29
openstackgerrit	wu.shiming proposed openstack/castellan master: Replace deprecated UPPER_CONSTRAINTS_FILE variable https://review.opendev.org/762293	06:40
*** tosky has joined #openstack-barbican		07:23
*** prernadembla05 has joined #openstack-barbican		08:09
*** jaosorior has joined #openstack-barbican		09:06
*** iurygregory has quit IRC		10:19
*** iurygregory has joined #openstack-barbican		10:36
*** iurygregory has quit IRC		11:11
*** iurygregory_ has joined #openstack-barbican		11:35
*** iurygregory_ is now known as iurygregory		11:35
*** jaosorior has quit IRC		12:01
*** jaosorior has joined #openstack-barbican		12:02
*** raildo has joined #openstack-barbican		12:33
*** d34dh0r53 has joined #openstack-barbican		13:05
*** jaosorior has quit IRC		13:40
*** jaosorior has joined #openstack-barbican		13:41
openstackgerrit	Nayara Souza proposed openstack/barbican master: [WIP]Barbican new default roles https://review.opendev.org/755163	15:37
*** jaosorior has quit IRC		15:46
noonedeadpunk	hey! sorry for bothering you, but never interacted with hsm before... I getting this now http://paste.openstack.org/show/799925/	15:55
noonedeadpunk	the only missing mechanism seems to be for hmac_key_type	15:55
noonedeadpunk	but I have only these supported http://paste.openstack.org/show/799926/	15:56
noonedeadpunk	and there seems to be no allowed according to https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/pkcs11.py#L50-L54	15:56
noonedeadpunk	or maybe I'm looking at wrong direction?	15:56
*** strigazi has quit IRC		15:58
*** jaosorior has joined #openstack-barbican		15:59
redrobot	noonedeadpunk, so, the defaults should work with Thales Luna Network HSM (previously Safenet Luna)	15:59
openstackgerrit	Nayara Souza proposed openstack/barbican master: [WIP]Barbican new default roles https://review.opendev.org/755163	15:59
redrobot	noonedeadpunk, The CKK_* values are for Key Types	16:00
redrobot	noonedeadpunk, mechanisms start with CKM_*	16:00
redrobot	noonedeadpunk, https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/pkcs11.py#L138-L146	16:00
redrobot	noonedeadpunk, default wrapping mechanism is CKM_SHA256_HMAC, which is listed as supported in your paste https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L83	16:03
*** strigazi has joined #openstack-barbican		16:04
noonedeadpunk	yeah, it's Safenet Luna	16:07
noonedeadpunk	probably I haven't configured client properly...	16:08
redrobot	noonedeadpunk, sorry, looking at the stacktrace, it looks like your encryption mechanism is not supported, not the HMAC one	16:08
noonedeadpunk	as right before it I have uwsgi[16354]: dGVtcDEyMyM= /opt/barbican/etc/CAFile.pem	16:08
noonedeadpunk	but I hav	16:09
noonedeadpunk	*have CKM_AES_CBC in the list....	16:09
noonedeadpunk	eventualy I don't have /opt/barbican/etc/CAFile.pem	16:10
noonedeadpunk	think that might be a reason	16:12
noonedeadpunk	was actually trying to follow https://cpl.thalesgroup.com/sites/default/files/content/integration_guides/field_document/2020-05/007-013570-001_OpenStackBarbican_SafeNetLunaHSM_IntegrationGuide_RevB.pdf :(	16:14
redrobot	oh wow, I didn't know that was a thing. :-O	16:15
redrobot	noonedeadpunk, what release are you using?	16:15
noonedeadpunk	I faced it while googling lol	16:15
noonedeadpunk	I think I'm kind of on master or U at the moment	16:15
noonedeadpunk	playing in sandbox	16:15
redrobot	noonedeadpunk, I'm trying to match your stacktrace's line numbers to the code	16:16
redrobot	noonedeadpunk, seems it's not master?	16:16
noonedeadpunk	10.1.0.dev44	16:16
noonedeadpunk	should be SHA 3f6f9e7cdf8b601e3110c0f744260a99c56313c0	16:17
noonedeadpunk	oh, ok, I should probably remove FIPS according to that doc, which I've probably missed	16:19
redrobot	Oh, yeah, I have not used the Lunas under FIPS	16:19
redrobot	the Mechanism in question is https://opendev.org/openstack/barbican/src/commit/3f6f9e7cdf8b601e3110c0f744260a99c56313c0/barbican/plugin/crypto/pkcs11.py#L635	16:19
noonedeadpunk	seems I have it:(	16:20
noonedeadpunk	redrobot: yeah needed to disable fips	16:32
noonedeadpunk	otherwise I get this trace	16:32
redrobot	Interesting.	16:32
redrobot	ade_lee, ^^^ Somewhat related to our FIPS work, seems the keywrap mechanism used in Lunas is not FIPS compliant	16:33
noonedeadpunk	doc says `The OpenStack Barbican integration does not work with a SafeNet Luna HSM or Data Protection on Demand HSM on Demand services operating in FIPS mode. To integrate an HSMoD service with OpenStack barbican you must create a non-FIPS HSMoD service. ` just didn't notice at once	16:34
ade_lee	redrobot, interesting - so we need a different key mechanism?	17:04
ade_lee	keywrap mechanism ..	17:04
ade_lee	redrobot, good to know - this would have eventually shown up in our testing - good to know now	17:06
*** jaosorior has quit IRC		17:07
redrobot	ade_lee, well, we'll only see it if the HSM itself is FIPS-enabled	17:10
redrobot	ade_lee, so I'm not sure if we need to worry about it, but definitely good to know.	17:10
ade_lee	redrobot, ack	17:16
*** jaosorior has joined #openstack-barbican		17:23
*** prernadembla05 has quit IRC		17:32
*** raildo has quit IRC		18:58
*** raildo has joined #openstack-barbican		18:58
openstackgerrit	Nayara Souza proposed openstack/barbican master: [WIP]Barbican new default roles https://review.opendev.org/755163	19:45
*** jaosorior has quit IRC		19:56
*** jaosorior has joined #openstack-barbican		20:15
openstackgerrit	Ade Lee proposed openstack/barbican master: DNM: testing FIPS gate job https://review.opendev.org/760665	20:24
openstackgerrit	Ade Lee proposed openstack/barbican master: DNM: testing FIPS gate job https://review.opendev.org/760665	21:15
*** osmanlicilegi has quit IRC		21:37
*** timburke has quit IRC		21:37
*** osmanlicilegi has joined #openstack-barbican		21:37
*** timburke has joined #openstack-barbican		21:37
*** tosky has quit IRC		21:40
*** tosky has joined #openstack-barbican		21:41
*** strigazi has quit IRC		21:41
*** strigazi has joined #openstack-barbican		21:42
*** iurygregory has quit IRC		21:46
*** frickler has quit IRC		21:46
*** icey has quit IRC		21:46
*** trident has quit IRC		21:46
*** iurygregory has joined #openstack-barbican		21:47
*** frickler has joined #openstack-barbican		21:47
*** johnsom has quit IRC		21:48
*** gagehugo has quit IRC		21:48
*** johnsom has joined #openstack-barbican		21:50
*** gagehugo has joined #openstack-barbican		21:50
*** icey has joined #openstack-barbican		21:50
*** trident has joined #openstack-barbican		21:50
*** raildo has quit IRC		21:51
*** noonedeadpunk has quit IRC		21:51
*** jaosorior has quit IRC		21:51
*** moguimar has quit IRC		21:51
*** jaosorior has joined #openstack-barbican		21:53
*** moguimar has joined #openstack-barbican		21:53
*** raildo has joined #openstack-barbican		21:53
*** noonedeadpunk has joined #openstack-barbican		21:53
*** d34dh0r53 has quit IRC		21:53
*** bbezak has quit IRC		21:53
*** jamespage has quit IRC		21:53
*** d34dh0r53 has joined #openstack-barbican		21:53
*** bbezak has joined #openstack-barbican		21:53
*** jamespage has joined #openstack-barbican		21:53
*** d34dh0r53 has quit IRC		21:53
*** bbezak has quit IRC		21:53
*** jamespage has quit IRC		21:53
*** raildo has quit IRC		21:53
*** noonedeadpunk has quit IRC		21:53
*** jaosorior has quit IRC		21:53
*** moguimar has quit IRC		21:53
*** icey has quit IRC		21:53
*** trident has quit IRC		21:53
*** johnsom has quit IRC		21:53
*** gagehugo has quit IRC		21:53
*** iurygregory has quit IRC		21:53
*** frickler has quit IRC		21:53
*** strigazi has quit IRC		21:53
*** tosky has quit IRC		21:53
*** osmanlicilegi has quit IRC		21:53
*** timburke has quit IRC		21:53
*** lxkong has quit IRC		21:53
*** mnaser has quit IRC		21:53
*** tinwood has quit IRC		21:53
*** irclogbot_3 has quit IRC		21:53
*** jmlowe has quit IRC		21:53
*** hindret has quit IRC		21:53
*** andrewbogott has quit IRC		21:53
*** coreycb has quit IRC		21:53
*** gmann has quit IRC		21:53
*** ade_lee has quit IRC		21:53
*** tkajinam has quit IRC		21:53
*** dayou has quit IRC		21:53
*** openstackgerrit has quit IRC		21:53
*** mnasiadka has quit IRC		21:53
*** rm_work has quit IRC		21:53
*** knikolla has quit IRC		21:53
*** zigo has quit IRC		21:53
*** redrobot has quit IRC		21:53
*** jamespage has joined #openstack-barbican		21:54
*** bbezak has joined #openstack-barbican		21:54
*** d34dh0r53 has joined #openstack-barbican		21:54
*** noonedeadpunk has joined #openstack-barbican		21:54
*** raildo has joined #openstack-barbican		21:54
*** moguimar has joined #openstack-barbican		21:54
*** jaosorior has joined #openstack-barbican		21:54
*** trident has joined #openstack-barbican		21:54
*** icey has joined #openstack-barbican		21:54
*** gagehugo has joined #openstack-barbican		21:54
*** johnsom has joined #openstack-barbican		21:54
*** frickler has joined #openstack-barbican		21:54
*** iurygregory has joined #openstack-barbican		21:54
*** strigazi has joined #openstack-barbican		21:54
*** tosky has joined #openstack-barbican		21:54
*** timburke has joined #openstack-barbican		21:54
*** osmanlicilegi has joined #openstack-barbican		21:54
*** jmlowe has joined #openstack-barbican		21:54
*** lxkong has joined #openstack-barbican		21:54
*** mnaser has joined #openstack-barbican		21:54
*** rm_work has joined #openstack-barbican		21:54
*** mnasiadka has joined #openstack-barbican		21:54
*** knikolla has joined #openstack-barbican		21:54
*** hindret has joined #openstack-barbican		21:54
*** andrewbogott has joined #openstack-barbican		21:54
*** coreycb has joined #openstack-barbican		21:54
*** gmann has joined #openstack-barbican		21:54
*** ade_lee has joined #openstack-barbican		21:54
*** tkajinam has joined #openstack-barbican		21:54
*** tinwood has joined #openstack-barbican		21:54
*** irclogbot_3 has joined #openstack-barbican		21:54
*** dayou has joined #openstack-barbican		21:54
*** openstackgerrit has joined #openstack-barbican		21:54
*** zigo has joined #openstack-barbican		21:54
*** redrobot has joined #openstack-barbican		21:54
*** mnasiadka has quit IRC		21:54
*** rm_work has quit IRC		21:54
*** knikolla has quit IRC		21:54
*** trident has quit IRC		21:54
*** zigo has quit IRC		21:54
*** redrobot has quit IRC		21:54
*** raildo has quit IRC		21:54
*** rm_work has joined #openstack-barbican		21:54
*** mnasiadka has joined #openstack-barbican		21:54
*** knikolla has joined #openstack-barbican		21:54
*** raildo has joined #openstack-barbican		21:54
*** zigo has joined #openstack-barbican		21:55
*** redrobot has joined #openstack-barbican		21:55
*** trident has joined #openstack-barbican		21:55
*** mnasiadka has quit IRC		21:57
*** mnasiadka has joined #openstack-barbican		21:57
*** tosky has quit IRC		23:08

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!