We have a successfully working BIG-IP integration with Azure Managed HSM. TLS offload of traffic works fine.
We would like to debug connections to the Azure Managed HSM by enabling the curl logging. We have done this successfully in the past on RPM versions prior to build v1.1.0.02319.
We are wondering if this is a possible regression after the curl libraries were modified in v1.1.0.02319.
We can replicate this issue on the latest version of the RPM, v1.1.0.02650.
After setting curl logging to Verbose in /etc/mhsm-pkcs11.conf and restarting the pkcs11d service on the F5, the log file is generated but shows curl logging as off.
However, our configuration file has curl logging set to Verbose:
cat /etc/mhsm-pkcs11.conf
// Copyright (C) Microsoft. All rights reserved.
// Licensed under the MIT license.
//
// This file contains the slot/token definitions for accessing the
// HSM using mhsm-pkcs11.so (Linux) or mhsm-pkcs11.dll (Windows)
//
// Searching for this file on Linux:
// 1) $HOME/.mhsm-pkcs11.conf
// 2) $HOME/mhsm-pkcs11.conf
// 3) /etc/mhsm-pkcs11.conf
// 4) /usr/share/mhsm-pkcs11/mhsm-pkcs11.conf
// 5) $MHSM_PKCS11_CONFIG_FILE_PATH/mhsm-pkcs11.conf (if set)
{
  "tokens": [
    {
      "slotid": 0,
      "protocol": "https://",
      "uri": "managedhsm.azure.net",
      "resourceName": "redacted",
      "resourceType": "mhsm"
    }
  ],
  // Set the login PIN within the configuration file to override PIN provided in C_Login() call.
  // This is a workaround for p11tool which limits the PIN size to 32 bytes.
  // "operation": {
  //   "login-pin": "<MHSM_CLIENT_ID>:<MHSM_CLIENT_SECRET>"
  // },
  // Never set 'DisableTLSAuthentication' to true when running in production.
  // This setting allows curl TLS authentication to be skipped when certificates aren't available.
  "options": {
    "DisableTLSAuthentication": false
  },
  "msi": {
    "identityMSI": false,              // use MSI for authentication
    "MSIClientId": "<MSI CLIENT ID>"   // MSI client id for user-assigned managed identity
  },
  // Keep the logging off for better performance.
  "log": {
    "directory": "/var/log",           // full path of log directory (must exist)
    "module": {
      "P11Interfaces": false,          // log PKCS#11 interface entry/exit, parameters, and result
      "FunctionLevelTrace": false,     // log function level trace information
      "curl": {                        // log curl communication packets
        "Level": "Verbose",            // Level of logging: "Verbose" or "Minimal" or "Off"
        "DisplayAsHex": false          // Display packets as table of hex characters w/ decoding
      }
    },
    "flags": {
      "CloseFileAfterWrite": false,    // (decreases performance but log file can be deleted when needed)
      "SendToFile": true,              // enables logging into the log file
      "SendToStdOut": false,           // enables logging to stdout
      "SendToStdErr": false,           // enables logging to stderr
      "IncludeProcessId": false,       // enables logging of process id
      "IncludeThreadId": false,        // enables logging of thread id
      "IncludePINs": false             // enables logging of PINs (set to 'false' to hide the PIN value)
    }
  },
  // MaxConnections should be set to more number of P11 sessions.
  "ConnectionCache": {
    "Disable": false,                  // Disable Connection Caching. Caching is enabled by default i.e. Disable is false.
    "MaxConnections": 24               // Specifies maximum number of connections to cache.
  }
}
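As an added check (example code, not part of this post or of the mhsm-pkcs11 package), the script below parses the JSON-with-comments layout of mhsm-pkcs11.conf in a string-aware way (the "https://" protocol value contains a // that a naive comment stripper would truncate), reports the curl level that the file actually configures, lists the Linux search order from the file header so you can confirm which copy the pkcs11d service account would pick up first, and flags the two settings the file itself warns about. The sample config is constructed; the search order is the one in the header comments above, and treating a missing Level as "Off" is an assumption.

```python
import json
import os
import re

# Constructed sample in the same JSON-with-comments layout as /etc/mhsm-pkcs11.conf.
SAMPLE_CONF = """\
// header comment, as in the real file
{
  "tokens": [ { "slotid": 0, "protocol": "https://", "uri": "managedhsm.azure.net" } ],
  "options": { "DisableTLSAuthentication": false },
  "log": { "directory": "/var/log", // full path of log directory (must exist)
           "module": { "curl": { "Level": "Verbose", "DisplayAsHex": false } },
           "flags": { "SendToFile": true, "IncludePINs": false } }
}
"""

# Quoted strings are matched first, so a // inside a string is never treated as a comment.
COMMENT_OR_STRING = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_comments(text):
    return COMMENT_OR_STRING.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_conf(text):
    return json.loads(strip_comments(text))

def curl_level(conf):
    # Assumption: an absent Level behaves like "Off" (one of the three documented values).
    return conf.get("log", {}).get("module", {}).get("curl", {}).get("Level", "Off")

def config_search_path(home):
    """Linux search order from the header of mhsm-pkcs11.conf; an earlier file shadows /etc."""
    paths = [f"{home}/.mhsm-pkcs11.conf", f"{home}/mhsm-pkcs11.conf",
             "/etc/mhsm-pkcs11.conf", "/usr/share/mhsm-pkcs11/mhsm-pkcs11.conf"]
    env_dir = os.environ.get("MHSM_PKCS11_CONFIG_FILE_PATH")
    if env_dir:
        paths.append(f"{env_dir}/mhsm-pkcs11.conf")
    return paths

def audit(conf):
    """Settings the file's own comments say must stay false outside of testing."""
    findings = []
    if conf.get("options", {}).get("DisableTLSAuthentication"):
        findings.append("DisableTLSAuthentication is true (curl TLS authentication skipped)")
    if conf.get("log", {}).get("flags", {}).get("IncludePINs"):
        findings.append("IncludePINs is true (client secret would be written to the log)")
    return findings

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("curl level:", curl_level(conf), "| findings:", audit(conf) or "none")
    print("search order:", *config_search_path(os.path.expanduser("~")), sep="\n  ")
```

Run it as the account pkcs11d runs under, and check whether any file earlier in the printed search order exists, since that copy, not /etc/mhsm-pkcs11.conf, would be the one read.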