Stein Series Release Notes



Added new tool barbican-status upgrade check.

New Features

  • Added two new subcommands to barbican-manage hsm that can query the HSM to check if a MKEK or HMAC key with the given label already exists. See barbican-manage hsm check_mkek –help and barbican-manage hsm check_hmac –help for details.

  • New framework for barbican-status upgrade check command is added. This framework allows adding various checks which can be run before a Barbican upgrade to ensure if the upgrade can be performed safely.

  • Port existing policy RuleDefault objects to the newer, more verbose DocumentedRuleDefaults.

Upgrade Notes

  • Operator can now use new CLI tool barbican-status upgrade check to check if Barbican deployment can be safely upgraded from N-1 to N release.

Deprecation Notes

  • Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.

Bug Fixes

  • Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True as required by Safenet HSMs. Other HSMs may require it be set to False.

  • Fixed Story #2004734: Added a new option ‘hmac_keywrap_mechanism’ to make the mechanism used to calculate a HMAC from an wrapped PKEK configurable. This was introduced because of an problem with Utimaco HSMs which throw an ‘CKR_MECHANISM_INVALID’ error, e.g. when a new PKEK is generated. For Utimaco HSMs, ‘hmac_keywrap_mechanism’ should be set to ‘CKM_AES_MAC’ in barbican.conf.