Stein Series Release Notes
8.0.0
Prelude
Added new tool barbican-status upgrade check.
New Features
Added two new subcommands to barbican-manage hsm that can query the HSM to check if an MKEK or HMAC key with the given label already exists. See barbican-manage hsm check_mkek --help and barbican-manage hsm check_hmac --help for details.
A new framework for the barbican-status upgrade check command has been added. This framework allows adding various checks that can be run before a Barbican upgrade to verify that the upgrade can be performed safely.
Port existing policy RuleDefault objects to the newer, more verbose DocumentedRuleDefaults.
Upgrade Notes
Operators can now use the new CLI tool barbican-status upgrade check to check whether a Barbican deployment can be safely upgraded from the N-1 to the N release.
Deprecation Notes
Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.
Bug Fixes
Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True as required by Safenet HSMs. Other HSMs may require it be set to False.
Fixed Story #2004734: Added a new option ‘hmac_keywrap_mechanism’ to make the mechanism used to calculate an HMAC from a wrapped PKEK configurable. This was introduced because of a problem with Utimaco HSMs, which throw a ‘CKR_MECHANISM_INVALID’ error, e.g. when a new PKEK is generated. For Utimaco HSMs, ‘hmac_keywrap_mechanism’ should be set to ‘CKM_AES_MAC’ in barbican.conf.
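A pre-upgrade audit of barbican.conf for the PKCS#11 options named in the deprecation and bug-fix notes above. This is an added example, not code from the Barbican project; the section name `p11_crypto_plugin`, the function name and the sample configuration are assumptions made for the illustration.

```python
import configparser

SECTION = "p11_crypto_plugin"  # assumed section name; not stated in these notes

# Constructed sample barbican.conf fragment for the demonstration.
SAMPLE_CONF = """
[p11_crypto_plugin]
generate_iv = True
always_set_cka_sensitive = True
"""


def audit_p11_options(conf_text, section=SECTION):
    """Return a list of findings about the options named in these notes."""
    # interpolation=None keeps '%' in values literal; strict=False tolerates
    # duplicated options, which hand-edited config files often contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section(section):
        return [f"no [{section}] section found; nothing to audit"]
    opts = parser[section]
    findings = []

    old, new = opts.get("generate_iv"), opts.get("aes_gcm_generate_iv")
    if old is not None and new is None:
        findings.append("rename deprecated generate_iv to aes_gcm_generate_iv")
    elif old is not None and old.strip().lower() != new.strip().lower():
        findings.append("generate_iv and aes_gcm_generate_iv disagree; "
                        "keep only aes_gcm_generate_iv")
    elif old is not None:
        findings.append("remove redundant deprecated generate_iv")

    if opts.get("always_set_cka_sensitive") is None:
        findings.append("always_set_cka_sensitive unset: defaults to True "
                        "(Safenet); other HSMs may need False")
    if opts.get("hmac_keywrap_mechanism") is None:
        findings.append("hmac_keywrap_mechanism unset: Utimaco HSMs need "
                        "CKM_AES_MAC")
    return findings


if __name__ == "__main__":
    for finding in audit_p11_options(SAMPLE_CONF):
        print("-", finding)
```
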