microsoft / AzureManagedHsmTLSOffload

Azure Managed HSM SSL/TLS Offload Library for F5 and Nginx
MIT License

Unable to access HSM to create keys using pkcs11 from F5 #1

Closed SteveAgather closed 1 year ago

SteveAgather commented 1 year ago

We are having trouble connecting to the HSMs in order to create keys. We believe the issue is related to a failed handshake after the initial connection is made, and could use MS's help resolving this issue.

Thanks, Steve

kprunella commented 1 year ago

You're able to access your Managed HSM Pool via REST API or Azure CLI but just not through the TLS Offload Library?

SteveAgather commented 1 year ago

Keith,

Yes, that's correct. We have no issue accessing the HSMs via AKV. I can create keys without issue and we've been able to integrate our applications via a Service Principal that provides an authentication mechanism. We are using a similar approach with the F5s where an SP provides the necessary authentication and we think that works, but as you can see from the included screen shot, key creation is failing.

Thanks, Steve



kprunella commented 1 year ago

The trace screenshot you shared shows TLSv1. Are you using TLS V1.0? Our TLS Offload Library supports only TLS 1.2 and TLS 1.3.

SteveAgather commented 1 year ago

Can you please join our meeting discussing this issue at this time? We have representatives from our team for networking, firewall, F5, etc. It would be beneficial to have you join.

Thanks, Steve



kprunella commented 1 year ago

Triage of Shared Log Data and Progression

Original error message in logs shared prior to enabling private link for Managed HSM:

    == P11 Call: ERROR: :KeyVaultSession_FindObject.cppL#64:EXCEPT: std::exception: Curl error 35 (CURLE_SSL_CONNECT_ERROR)
    == P11 Call: INFO: :KeyVaultSession_FindObject.cppL#69:FindObjectsInit exit (6)
    == P11 Call: INFO: :pkcs11_interface.cppL#762:C_FindObjectsInit exit (6)
    Returning 6 (CKR_FUNCTION_FAILED)

With private link now enabled, the error below is due to not having firewall rules:

    == P11 Call: ERROR: :KeyVaultSession.cppL#1062:EXCEPT: KeyVaultClientException(401): Authentication Failed. An unknown error occurred in the authentication callback: Curl error 35 (CURLE_SSL_CONNECT_ERROR)
    == P11 Call: INFO: :KeyVaultSession.cppL#1062:GenerateRandom exit (257)
    == P11 Call: INFO: :pkcs11_interface.cppL#1595:C_GenerateRandom exit (257)
    Returning 257 (CKR_USER_NOT_LOGGED_IN)

After applying firewall rules to allow traffic through, it shows we can now reach the Managed HSM, but the error returned is 'Not Authorized'. This is due to not having access policies / role assignments applied to the Managed HSM:

    == CURL Info: Response body={"error":{"code":"AccessDenied","message":"Not authorized to access Microsoft.KeyVault/managedHsm/rng/action on \"/\" (Activity ID: ****----****)"}}
    == CURL Info: Response code=403
    == P11 Call: ERROR: :KeyVaultSession.cppL#1062:EXCEPT: KeyVaultClientException(403): {"error":{"code":"AccessDenied","message":"Not authorized to access Microsoft.KeyVault/managed

Error Logs also indicate incorrect object id for your F5 VM is being passed. Once you correct Object Id and update Role Assignments and RBAC this should resolve the issue.

Reference Documents for applying Role Assignments, Access Controls & Local RBAC

RBAC requires access at both the data plane and the management plane. Example: User1 has Crypto Officer. User1 will be able to create keys but not read their content. A user with Crypto User will be able to use the key's content but not manage the keys.

Managed HSM Role Management

Managed HSM Access Control

Local RBAC (Built-In-Roles)

kprunella commented 1 year ago

From our support call the not authorized error has been resolved after applying correct role assignments and access controls to your Managed HSM. Customer has successfully created a key along with a single CSR generated. Closing Issue. Thank you.

kprunella commented 1 year ago

Customer Feedback

Two things came out of this issue that may assist others experiencing similar issues:

  1. When creating the role, use the identifier --assignee-object-id and use the ID for the entity (service provider in our case) but NOT the Object ID as shown in Azure Portal. To find the ID run the CLI command az ad sp list --display-name and take the ID from that output.

  2. When creating the role, set the scope to '--scope /'. Using '--scope /keys' seems like the correct option, but that was insufficient based on the errors we were getting in our testing.

The final command in CLI follows this form:

    az keyvault role assignment create --hsm-name --role "Managed HSM Crypto User" --assignee-object-id --scope /
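The triage progression Keith walked through above (curl error 35, then 401, then 403 AccessDenied) and the two role-assignment lessons from the customer feedback can be turned into a small log classifier. The following is an added example, not code from the TLS Offload Library or from this thread; the sample log lines are constructed from the excerpts quoted in the issue, and the stage names and hints are this example's own labels.

```python
import re

# Constructed sample lines modelled on the log excerpts quoted in this issue.
SAMPLE_LOG = [
    "== P11 Call: ERROR: :KeyVaultSession_FindObject.cppL#64:EXCEPT: std::exception: Curl error 35 (CURLE_SSL_CONNECT_ERROR)",
    "== P11 Call: INFO: :pkcs11_interface.cppL#762:C_FindObjectsInit exit (6) Returning 6 (CKR_FUNCTION_FAILED)",
    "== P11 Call: ERROR: :KeyVaultSession.cppL#1062:EXCEPT: KeyVaultClientException(401): Authentication Failed. "
    "An unknown error occurred in the authentication callback: Curl error 35 (CURLE_SSL_CONNECT_ERROR)",
    "== P11 Call: INFO: :pkcs11_interface.cppL#1595:C_GenerateRandom exit (257) Returning 257 (CKR_USER_NOT_LOGGED_IN)",
    '== P11 Call: ERROR: :KeyVaultSession.cppL#1062:EXCEPT: KeyVaultClientException(403): {"error":{"code":"AccessDenied",'
    '"message":"Not authorized to access Microsoft.KeyVault/managedHsm/rng/action on \\"/\\" (Activity ID: ****----****)"}}',
]

CURL_ERR = re.compile(r"Curl error (\d+) \((CURLE_\w+)\)")
KV_EXC = re.compile(r"KeyVaultClientException\((\d{3})\)")
ACTION = re.compile(r"Not authorized to access (\S+) on ")

# Next step per stage, as the thread resolved it: transport errors were firewall / private-link /
# TLS-version problems, 401 meant the auth callback got no token, 403 meant no data-plane role.
HINTS = {
    "transport": "TLS connect to Managed HSM failed: check firewall / private link and that TLS 1.2 or 1.3 is negotiated",
    "authentication": "auth callback failed to obtain a token: check the identity's object id and its network path",
    "authorization": "HSM reachable but no data-plane role: assign 'Managed HSM Crypto User' with "
                     "--assignee-object-id from 'az ad sp list --display-name' and --scope /",
}

def classify(line):
    """Map one TLS Offload Library log line to (stage, detail); None for non-error lines."""
    m = KV_EXC.search(line)
    if m and m.group(1) == "403":
        a = ACTION.search(line)
        return ("authorization", a.group(1) if a else "AccessDenied")
    if m and m.group(1) == "401":
        c = CURL_ERR.search(line)
        return ("authentication", c.group(2) if c else "token callback failed")
    c = CURL_ERR.search(line)
    if c:
        return ("transport", c.group(2))
    return None

def triage(lines):
    """Return the stages seen in order and the remediation for the furthest stage reached."""
    findings = [f for f in map(classify, lines) if f]
    stages = []
    for stage, _ in findings:
        if stage not in stages:
            stages.append(stage)
    hint = HINTS[stages[-1]] if stages else "no HSM-side error found"
    return {"findings": findings, "stages": stages, "next_step": hint}
```

Run `triage()` over the library's log file to see how far the client gets (network, token, or RBAC) before guessing at which layer to fix.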