Chapter 12. Key Manager (barbican) Parameters

ParameterDescription

ATOSVars

Hash of atos-hsm role variables used to install ATOS client software.

BarbicanDogtagStoreGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanDogtagStoreHost

Hostname of the Dogtag server.

BarbicanDogtagStoreNSSPassword

Password for the NSS DB.

BarbicanDogtagStorePEMPath

Path for the PEM file used to authenticate requests. The default value is /etc/barbican/kra_admin_cert.pem.

BarbicanDogtagStorePort

Port for the Dogtag server. The default value is 8443.

BarbicanKmipStoreGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanKmipStoreHost

Host for KMIP device.

BarbicanKmipStorePassword

Password to connect to KMIP device.

BarbicanKmipStorePort

Port for KMIP device.

BarbicanKmipStoreUsername

Username to connect to KMIP device.

BarbicanPassword

The password for the OpenStack Key Manager (barbican) service account.

BarbicanPkcs11AlwaysSetCkaSensitive

Always set CKA_SENSITIVE=CK_TRUE. The default value is True.

BarbicanPkcs11CryptoAESGCMGenerateIV

Generate IVs for CKM_AES_GCM encryption mechanism. The default value is True.

BarbicanPkcs11CryptoATOSEnabled

Enable ATOS for PKCS11. The default value is False.

BarbicanPkcs11CryptoEnabled

Enable PKCS11. The default value is False.

BarbicanPkcs11CryptoEncryptionMechanism

Cryptoki Mechanism used for encryption. The default value is CKM_AES_CBC.

BarbicanPkcs11CryptoGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanPkcs11CryptoHMACKeyType

Cryptoki Key Type for Master HMAC key. The default value is CKK_AES.

BarbicanPkcs11CryptoHMACKeygenMechanism

Cryptoki Mechanism used to generate Master HMAC Key. The default value is CKM_AES_KEY_GEN.

BarbicanPkcs11CryptoHMACLabel

Label for the HMAC key.

BarbicanPkcs11CryptoLibraryPath

Path to vendor PKCS11 library.

BarbicanPkcs11CryptoLogin

Password (PIN) to login to PKCS#11 session.

BarbicanPkcs11CryptoLunasaEnabled

Enable Luna SA HSM for PKCS11. The default value is False.

BarbicanPkcs11CryptoMKEKLabel

Label for Master KEK.

BarbicanPkcs11CryptoMKEKLength

Length of Master KEK in bytes. The default value is 256.

BarbicanPkcs11CryptoRewrapKeys

Cryptoki Mechanism used to generate Master HMAC Key. The default value is False.

BarbicanPkcs11CryptoSlotId

Slot Id for the PKCS#11 token to be used. The default value is 0.

BarbicanPkcs11CryptoThalesEnabled

Enable Thales for PKCS11. The default value is False.

BarbicanPkcs11CryptoTokenLabel

Label for PKCS#11 token to be used.

BarbicanPkcs11CryptoTokenSerialNumber

Serial number for PKCS#11 token to be used.

BarbicanSimpleCryptoGlobalDefault

Whether this plugin is the global default plugin. The default value is False.

BarbicanSimpleCryptoKek

KEK used to encrypt secrets.

BarbicanWorkers

Set the number of workers for barbican::wsgi::apache. The default value is %{::processorcount}.

LunasaClientIPNetwork

(Optional) When set OpenStack Key Manager (barbican) nodes will be registered with the HSMs using the IP from this network instead of the FQDN.

LunasaVars

Hash of lunasa-hsm role variables used to install Lunasa client software.

NotificationDriver

Driver or drivers to handle sending notifications. The default value is messagingv2.

ThalesHSMNetworkName

The network that the HSM is listening on. The default value is internal_api.

ThalesVars

Hash of thales-hsm role variables used to install Thales client software.