Bug 1965086 - barbican with atos HSM operations alternately succeed and fail
Summary: barbican with atos HSM operations alternately succeed and fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-barbican
Version: 16.1 (Train)
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: z9
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Douglas Mendizábal
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-26 19:11 UTC by Matthew Secaur
Modified: 2022-12-07 20:30 UTC (History)

Fixed In Version: openstack-barbican-9.0.1-1.20220112203415.07be198.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-07 20:30:05 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit 811339 | 0 | None | MERGED | Ignore network errors during C_Finalize | 2021-10-25 16:54:35 UTC
Red Hat Issue Tracker OSP-4197 | 0 | None | None | None | 2021-11-17 09:29:37 UTC
Red Hat Product Errata RHSA-2022:8874 | 0 | None | None | None | 2022-12-07 20:30:28 UTC

Description Matthew Secaur 2021-05-26 19:11:03 UTC
Description of problem:
OSP 16.1.5 environment with two Atos HSM devices in HA configuration. Getting/Storing secrets using Barbican occasionally fails. When Barbican transactions succeed, access to one of the two Atos HSM devices can be seen. When a failure happens, there is no connection to either of the two Atos HSM devices.

This error is seen in the atos-barbican-api.log:

>>> TW_CK [Tue May 25 19:51:42:142] [pid:94 thid:140396351485696]
    C_GenerateKey(0x11000003,{CKM_AES_KEY_GEN, NULL_PTR, 0x00000000},((CLASS 04:00:00:00:00:00:00:00 #x00000008)
 (KEY_TYPE 1f:00:00:00:00:00:00:00 #x00000008)
 (VALUE_LEN 20:00:00:00:00:00:00:00 #x00000008)
 (TOKEN 00 #x00000001)
 (PRIVATE 01 #x00000001)
 (SENSITIVE 00 #x00000001)
 (ENCRYPT 01 #x00000001)
 (DECRYPT 01 #x00000001)
 (SIGN 00 #x00000001)
 (VERIFY 00 #x00000001)
 (WRAP 00 #x00000001)
 (UNWRAP 00 #x00000001)
 (EXTRACTABLE 01 #x00000001)
 ),13) ...starting
>>> TW_CK [Tue May 25 19:51:42:142] [pid:94 thid:140396351485696]
    cl_call network error (ERROR 0X81000071);
>>> TW_CK [Tue May 25 19:51:42:142] [pid:94 thid:140396351485696]
    processFinalize cnx = 0x843c2ea0 modeMonoCnx=0 (OK 0X0);
>>> TW_CK [Tue May 25 19:51:42:142] [pid:94 thid:140396351485696]
    C_GenerateKey ... failed (ERROR 0X81000071);
>>> TW_CK [Tue May 25 19:51:42:143] [pid:94 thid:140396351485696]
    C_Finalize((nil)) ...starting
>>> TW_CK [Tue May 25 19:51:42:143] [pid:94 thid:140396351485696]
    cl_call network error (ERROR 0X81000071);
>>> TW_CK [Tue May 25 19:51:42:143] [pid:94 thid:140396351485696]
    processFinalize cnx = 0x85037f00 modeMonoCnx=0 (OK 0X0);
>>> TW_CK [Tue May 25 19:51:42:143] [pid:94 thid:140396351485696]
    C_Finalize ...  0  HSM failed(OK 0X0);
>>> TW_CK [Tue May 25 19:51:42:143] [pid:94 thid:140396351485696]
    C_Finalize ... failed (ERROR 0X81000071);

And this error is in the barbican-api.log:

2021-05-25 19:51:42.143 94 ERROR barbican.api.controllers barbican.common.exception.P11CryptoPluginException: HSM returned response code: 0x81000071 CKR_????


Version-Release number of selected component (if applicable):

python3-barbicanclient-4.9.0-1.20201113110223.9c0e02d.el8ost.noarch
python3-barbican-9.0.1-1.20210310093023.el8ost.noarch
openstack-barbican-api-9.0.1-1.20210310093023.el8ost.noarch
openstack-barbican-common-9.0.1-1.20210310093023.el8ost.noarch


How reproducible:
Run repeated Barbican secret commands. Some will fail and some will not:

# date; openstack secret store --name mysecret --payload 'shhhhhh'
Tue May 25 19:51:39 UTC 2021
5xx Server error: Internal Server Error: Secret creation failure seen - please contact site administrator.
Internal Server Error: Secret creation failure seen - please contact site administrator.

# date; openstack secret store --name myothersecret --payload 'shhhhhh'
Tue May 25 20:25:40 UTC 2021
+---------------+-----------------------------------------------------------------------------------------------------+
| Field         | Value                                                                                               |
+---------------+-----------------------------------------------------------------------------------------------------+
| Secret href   | https://redacted.local:9311/v1/secrets/ac897b44-bfd0-4c9c-b4dd-bd86c77764b3 |
| Name          | myothersecret                                                                                         |
| Created       | None                                                                                                |
| Status        | None                                                                                                |
| Content types | None                                                                                                |
| Algorithm     | aes                                                                                                 |
| Bit length    | 256                                                                                                 |
| Secret type   | opaque                                                                                              |
| Mode          | cbc                                                                                                 |
| Expiration    | None                                                                                                |
+---------------+-----------------------------------------------------------------------------------------------------+

# date; openstack secret get https://redacted.local:9311/v1/secrets/ac897b44-bfd0-4c9c-b4dd-bd86c77764b3 --payload
Tue May 25 20:28:59 UTC 2021
5xx Server error: Internal Server Error: Secret payload retrieval failure seen - please contact site administrator.
Internal Server Error: Secret payload retrieval failure seen - please contact site administrator.

# date; openstack secret get https://redacted.local:9311/v1/secrets/ac897b44-bfd0-4c9c-b4dd-bd86c77764b3 --payload
Tue May 25 20:29:32 UTC 2021
+---------+---------+
| Field   | Value   |
+---------+---------+
| Payload | shhhhhh |
+---------+---------+


Actual results:
Secrets will get stored/retrieved if multiple attempts are made.

Expected results:
Secrets should get stored/retrieved on the first attempt.

Additional info:
CU has applied a fix available from BZ 1918480
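
The log above shows the mechanism behind the alternating failures: C_GenerateKey fails with the vendor network code 0x81000071, the plugin tries to recover by tearing the library down with C_Finalize, and C_Finalize returns the same network error, so the recovery itself aborts and the request is reported as a 5xx. The merged change linked on this page ("Ignore network errors during C_Finalize") addresses exactly that step. The following Python model is an added illustration and is not barbican's or the Atos PKCS#11 library's code: FlakyHsm is a constructed stand-in whose network link follows a scripted sequence, Plugin is an assumed one-retry recovery wrapper, the key handle 0x11000003 is hypothetical, and the assumption that C_Finalize tears down local state even when the remote side is unreachable is mine.

```python
"""Model of the C_Finalize failure mode from this bug (added example, not
barbican or Atos code).  A scripted stand-in HSM flaps its network link and
a minimal plugin reinitializes the PKCS#11 library after a failed call."""

CKR_OK = 0x00
CKR_CRYPTOKI_NOT_INITIALIZED = 0x190    # standard PKCS#11 return code
CKR_VENDOR_NETWORK_ERROR = 0x81000071   # vendor code seen in atos-barbican-api.log


class P11Error(Exception):
    """Raised when a PKCS#11 call returns anything other than CKR_OK."""

    def __init__(self, rv):
        super().__init__("HSM returned response code: 0x%08X" % rv)
        self.rv = rv


class FlakyHsm:
    """Constructed PKCS#11 stand-in.  Each network-touching call consumes one
    entry of `link_states`; False means the link to the HSM is down."""

    def __init__(self, link_states):
        self._link = iter(link_states)
        self.initialized = False
        self.finalize_calls = 0

    def _link_up(self):
        return next(self._link)

    def C_Initialize(self):
        if not self._link_up():
            raise P11Error(CKR_VENDOR_NETWORK_ERROR)
        self.initialized = True

    def C_Finalize(self):
        self.finalize_calls += 1
        if not self.initialized:
            raise P11Error(CKR_CRYPTOKI_NOT_INITIALIZED)
        # Assumption: local state is torn down even if the remote side is
        # unreachable (the log shows processFinalize OK, then a network error).
        self.initialized = False
        if not self._link_up():
            raise P11Error(CKR_VENDOR_NETWORK_ERROR)

    def C_GenerateKey(self):
        if not self.initialized:
            raise P11Error(CKR_CRYPTOKI_NOT_INITIALIZED)
        if not self._link_up():
            raise P11Error(CKR_VENDOR_NETWORK_ERROR)
        return 0x11000003  # hypothetical key handle


class Plugin:
    """Assumed recovery wrapper: one retry after reinitializing the library."""

    IGNORABLE_ON_FINALIZE = {CKR_VENDOR_NETWORK_ERROR,
                             CKR_CRYPTOKI_NOT_INITIALIZED}

    def __init__(self, hsm, ignore_finalize_network_errors):
        self.hsm = hsm
        self.ignore = ignore_finalize_network_errors
        self.hsm.C_Initialize()

    def _reinitialize(self):
        try:
            self.hsm.C_Finalize()
        except P11Error as e:
            # Old behaviour: any C_Finalize error aborts the recovery, so a
            # dropped link can never be re-established inside this request.
            if not (self.ignore and e.rv in self.IGNORABLE_ON_FINALIZE):
                raise
        self.hsm.C_Initialize()

    def generate_key(self):
        try:
            return self.hsm.C_GenerateKey()
        except P11Error:
            self._reinitialize()
            return self.hsm.C_GenerateKey()


def simulate(ignore_finalize_network_errors, link_states):
    """Run one key-generation request against a scripted link and return
    ("ok", handle) or ("error", return code)."""
    hsm = FlakyHsm(link_states)
    plugin = Plugin(hsm, ignore_finalize_network_errors)
    try:
        return ("ok", plugin.generate_key())
    except P11Error as e:
        return ("error", e.rv)


# Constructed link script: up for C_Initialize, down during C_GenerateKey and
# still down when C_Finalize runs, back up for the reinitialization and retry.
BLIP = [True, False, False, True, True]
# Constructed link script: the link never comes back ("no connection to
# either HSM" in the report); ignoring the C_Finalize error cannot help here.
OUTAGE = [True, False, False, False]

if __name__ == "__main__":
    print("old behaviour, blip:", simulate(False, BLIP))   # ('error', 0x81000071)
    print("with fix, blip:     ", simulate(True, BLIP))    # ('ok', 0x11000003)
    print("with fix, outage:   ", simulate(True, OUTAGE))  # ('error', 0x81000071)
```

The third run is the caveat a practitioner should keep in mind: tolerating the C_Finalize error only lets the reinitialization proceed; it does not make a request succeed while both HSMs are unreachable, which is the state the reporter observed during failures.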

Comment 3 Ade Lee 2021-06-14 14:44:38 UTC
Working on reproducing this issue this sprint.

Comment 4 David Hill 2021-07-20 15:27:55 UTC
Any updates on this @alee ?

Comment 36 errata-xmlrpc 2022-12-07 20:30:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack Platform 16.1.9 (openstack-barbican) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8874

