Chapter 13. Key Manager (barbican) Parameters

Parameter

Description

ApacheCertificateKeySize

Override the private key size used when creating the certificate for this service.

ATOSVars

Hash of atos-hsm role variables used to install ATOS client software.

BarbicanDogtagStoreGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanDogtagStoreHost

Hostname of the Dogtag server.

BarbicanDogtagStoreNSSPassword

Password for the NSS DB.

BarbicanDogtagStorePEMPath

Path for the PEM file used to authenticate requests. The default value is /etc/barbican/kra_admin_cert.pem.

BarbicanDogtagStorePort

Port for the Dogtag server. The default value is 8443.

BarbicanKmipStoreGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanKmipStoreHost

Host for KMIP device.

BarbicanKmipStorePassword

Password to connect to KMIP device.

BarbicanKmipStorePort

Port for KMIP device.

BarbicanKmipStoreUsername

Username to connect to KMIP device.

BarbicanPassword

The password for the OpenStack Key Manager (barbican) service account.

BarbicanPkcs11AlwaysSetCkaSensitive

Always set CKA_SENSITIVE=CK_TRUE. The default value is True.

BarbicanPkcs11CryptoAESGCMGenerateIV

Generate IVs for CKM_AES_GCM encryption mechanism. The default value is True.

BarbicanPkcs11CryptoATOSEnabled

Enable ATOS for PKCS11. The default value is False.

BarbicanPkcs11CryptoEnabled

Enable PKCS11. The default value is False.

BarbicanPkcs11CryptoEncryptionMechanism

Cryptoki Mechanism used for encryption. The default value is CKM_AES_CBC.

BarbicanPkcs11CryptoGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanPkcs11CryptoHMACKeygenMechanism

Cryptoki Mechanism used to generate Master HMAC Key. The default value is CKM_AES_KEY_GEN.

BarbicanPkcs11CryptoHMACKeyType

Cryptoki Key Type for Master HMAC key. The default value is CKK_AES.

BarbicanPkcs11CryptoHMACLabel

Label for the HMAC key.

BarbicanPkcs11CryptoLibraryPath

Path to vendor PKCS11 library.

BarbicanPkcs11CryptoLogin

Password (PIN) to log in to the PKCS#11 session.

BarbicanPkcs11CryptoLunasaEnabled

Enable Luna SA HSM for PKCS11. The default value is False.

BarbicanPkcs11CryptoMKEKLabel

Label for Master KEK.

BarbicanPkcs11CryptoMKEKLength

Length of Master KEK in bytes. The default value is 256.

BarbicanPkcs11CryptoOsLockingOk

Set CKF_OS_LOCKING_OK flag when initializing the client library. The default value is False.

BarbicanPkcs11CryptoRewrapKeys

Cryptoki Mechanism used to generate Master HMAC Key. The default value is False.

BarbicanPkcs11CryptoSlotId

Slot ID for the PKCS#11 token to be used. The default value is 0.

BarbicanPkcs11CryptoThalesEnabled

Enable Thales for PKCS11. The default value is False.

BarbicanPkcs11CryptoTokenLabel

(DEPRECATED) Use BarbicanPkcs11CryptoTokenLabels instead.

BarbicanPkcs11CryptoTokenLabels

Comma-separated list of labels for the tokens to be used. This is typically a single label, but some devices may require more than one label for load balancing and high availability configurations.

BarbicanPkcs11CryptoTokenSerialNumber

Serial number for PKCS#11 token to be used.

BarbicanSimpleCryptoGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanSimpleCryptoKek

KEK used to encrypt secrets.

BarbicanWorkers

Set the number of workers for barbican::wsgi::apache. The default value is %{::processorcount}.

CertificateKeySize

Specifies the private key size used when creating the certificate. The default value is 2048.

LunasaClientIPNetwork

(Optional) When set, OpenStack Key Manager (barbican) nodes will be registered with the HSMs using the IP from this network instead of the FQDN.

LunasaVars

Hash of lunasa-hsm role variables used to install Lunasa client software.

MemcacheUseAdvancedPool

Use the advanced (eventlet safe) memcached client pool. The default value is True.

NotificationDriver

Driver or drivers to handle sending notifications. The default value is noop.

ThalesHSMNetworkName

The network that the HSM is listening on. The default value is internal_api.

ThalesVars

Hash of thales-hsm role variables used to install Thales client software.