Mitaka Series Release Notes
2.0.0
Prelude
This release includes a new command line utility ‘barbican-manage’ that consolidates and supersedes the separate HSM and database management scripts.
The Mitaka release includes a new API to add arbitrary user-defined metadata to Secrets.
This release includes significant improvements to the performance of the PKCS#11 Cryptographic Plugin driver. These changes require a migration of any existing data stored by previous versions of the PKCS#11 backend.
New Features
The ‘barbican-manage’ tool can be used to manage database schema changes as well as provision and rotate keys in the HSM backend.
Known Issues
The service will encounter errors if you attempt to run this new release using data stored by a previous version of the PKCS#11 Cryptographic Plugin that has not yet been migrated for this release. The logged errors will look like:
'P11CryptoPluginException: HSM returned response code: 0xc0L CKR_SIGNATURE_INVALID'
Upgrade Notes
The Metadata API requires an update to the Database Schema. Existing deployments that are being upgraded to Mitaka should use the ‘barbican-manage’ utility to update the schema.
If you are upgrading from a previous version of barbican that uses the PKCS#11 Cryptographic Plugin driver, you will need to run the migration script:
python barbican/cmd/pkcs11_migrate_kek_signatures.py
Deprecation Notes
The ‘barbican-db-manage’ script is deprecated. Use the new ‘barbican-manage’ utility instead.
The ‘pkcs11-kek-rewrap’ script is deprecated. Use the new ‘barbican-manage’ utility instead.
The ‘pkcs11-key-generation’ script is deprecated. Use the new ‘barbican-manage’ utility instead.
Critical Issues
If you are upgrading from a previous version of barbican that uses the PKCS#11 Cryptographic Plugin driver, you will need to run the migration script:
python barbican/cmd/pkcs11_migrate_kek_signatures.py