Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhos-18.0 Feature Release 2 (Mar 2025)
Affects Version/s: None
Component/s: openstack-barbican
Labels:
None

Story Points:
2
Epic Link:
Support Luna HSM's within Barbican operator
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Dev Approval:
?
Docs Approval:
?
Feature Link:
OSPRH-10421 - Support Thales HSM in RHOSO 18.0 [FR2]
PM Approval:
?
QE Approval:
?
Intelligence Requested:
Market:

Sprint:
DFG Security: UC Sprint 102, DFG Security: UC Sprint 103, DFG Security: UC Sprint 104, DFG Security: UC Sprint 105

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The default backend configuration for Thales Luna Network HSM uses a key-wrapping mechanism that is no longer supported in newer versions of the HSM firmware. This was reported upstream in a Launchpad bug: https://bugs.launchpad.net/barbican/+bug/2036506

Barbican PKCS#11 code needs to be modified so that we can configure a different key wrapping mechanism - the current one is hard-coded. Preferably we should use a NIST approved mechanism. I.e. CKM_WRAPKEY_AES_KWP - https://thalesdocs.com/gphsm/ptk/5.9.1/docs/Content/PTK-C_Program/PTK-C_Mechs/CKM_WRAPKEY_AES_KWP.htm

clones

OSPRH-1992 Add Luna Support to barbican-operator

In Progress

is cloned by

OSPRH-11019 Create component CI job to test Luna + Barbican

In Progress

Assignee:: Douglas Mendizabal

Reporter:: Dave Wilde

Team:: rhos-dfg-security

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/10/08 2:20 PM

Updated:: 2024/11/21 3:38 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty