Stein Series Release Notes
Added new tool barbican-status upgrade check.
Added two new subcommands to barbican-manage hsm that can query the HSM to check whether an MKEK or HMAC key with the given label already exists. See barbican-manage hsm check_mkek --help and barbican-manage hsm check_hmac --help for details.
New framework for the barbican-status upgrade check command is added. This framework allows adding various checks which can be run before a Barbican upgrade to ensure that the upgrade can be performed safely.
Port existing policy RuleDefault objects to the newer, more verbose DocumentedRuleDefaults.
Operators can now use the new CLI tool barbican-status upgrade check to check whether a Barbican deployment can be safely upgraded from the N-1 to the N release.
Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.
Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True as required by Safenet HSMs. Other HSMs may require it to be set to False.
Fixed Story #2004734: Added a new option 'hmac_keywrap_mechanism' to make the mechanism used to calculate an HMAC from a wrapped PKEK configurable. This was introduced because of a problem with Utimaco HSMs which throw a 'CKR_MECHANISM_INVALID' error, e.g. when a new PKEK is generated. For Utimaco HSMs, 'hmac_keywrap_mechanism' should be set to 'CKM_AES_MAC' in barbican.conf.
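The three PKCS#11 plugin options mentioned in the notes above (aes_gcm_generate_iv, always_set_cka_sensitive and hmac_keywrap_mechanism) live together in the same section of barbican.conf. The fragment below is an added illustration, not text from the release notes or from the Barbican project; it places the options in the [p11_crypto_plugin] section, which is where Barbican's PKCS#11 plugin is configured, and the values shown are the vendor-specific settings the notes describe, with a comment marking which case each one covers.

```ini
[p11_crypto_plugin]
# Added illustration: barbican.conf fragment for the PKCS#11 plugin options
# introduced or renamed in the Stein release notes above.

# Renamed from generate_iv. Only applies to the CKM_AES_GCM mechanism;
# the old generate_iv name is deprecated.
aes_gcm_generate_iv = true

# Defaults to true, which Safenet HSMs require. Other HSM models may need
# this set to false (see the Story #2004734 note above).
always_set_cka_sensitive = true

# Mechanism used to calculate the HMAC over a wrapped PKEK. Utimaco HSMs
# raise CKR_MECHANISM_INVALID (e.g. when a new PKEK is generated) unless
# this is set to CKM_AES_MAC; leave it unset on HSMs that accept the default.
hmac_keywrap_mechanism = CKM_AES_MAC
```

After changing any of these options, the barbican-manage hsm check_mkek and check_hmac subcommands described above are the quickest way to confirm that the keys with the configured labels are still reachable through the HSM before restarting the service.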