Integration Guide - Utimaco

Integration Guide PrimeKey Enterprise Java Bean Certificate Authority (EJBCA)

Imprint

Copyright 2020 Utimaco IS GmbH Germanusstr. 4 D-52080 Aachen Germany

Phone +49 (0)241 / 1696-200

Fax +49 (0)241 / 1696-199

Internet http://hsm.utimaco.com

e-mail [email protected]

Document Version 1.0.0

Date March 2020

Document No. IG_EJBCA

Author Utimaco IS GmbH

All Rights reserved No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems.

Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them.

All trademarks and registered trademarks are the property of their respective owners.

http://hsm.utimaco.com/

mailto:[email protected]

Integration Guide: PrimeKey Enterprise Java Bean Certificate Authority

Page 3

Contents 1 Introduction ................................................................................................................................ 6

1.1 About this Manual ...................................................................................................................... 6

1.1.1 Target Audience for this Manual .......................................................................................... 6

1.1.2 Contents of this Manual ....................................................................................................... 6

1.1.3 Document Conventions ........................................................................................................ 6

1.1.4 Abbreviations........................................................................................................................ 7

2 Overview ..................................................................................................................................... 9

3 Prerequisites and Requirements ................................................................................................ 10

3.1 Software Requirements ............................................................................................................ 10

3.2 Hardware Requirements ........................................................................................................... 10

4 Primekey EJBCA Installation Guide ........................................................................................... 12

4.1 Configuration Files ................................................................................................................... 12

4.2 Configure Application Services ................................................ Error! Bookmark not defined. 4.2.1 Installation and Setup of MySQL Server ............................................................................. 13

4.2.2 Installation and Setup of Apache Ant ................................................................................. 14

4.2.3 Installation of Java 8 JDK .................................................................................................. 14

4.2.4 Installation of EJBCA Enterprise ........................................................................................ 14

5 Configuring PKCS#11 ................................................................................................................ 18

5.1 Introduction and Prerequisites ................................................................................................. 18

5.2 Installing PKCS#11 on the Workstation ................................................................................... 18

5.3 Generating the MBK ................................................................................................................. 19

5.4 Importing the MBK ................................................................................................................... 20

5.5 Initializing PKCS#11 on the HSM ............................................................................................. 20

6 Managing Crypto Tokens ........................................................................................................... 22

6.1 Creating a Crypto Token ........................................................................................................... 22

6.2 View or Edit a Crypto Token ..................................................................................................... 23

6.3 Key Management ...................................................................................................................... 23

6.4 Managing Crypto Tokens from the CLI ..................................................................................... 24

7 Creating Certificate Authorities ................................................................................................. 26

7.1 Using CLI .................................................................................................................................. 26

7.2 Using Admin GUI....................................................................................................................... 26

8 Backup and Restore .................................................................................................................. 27

8.1 Backing up and Restoring a Key Database............................................................................... 27

8.2 Backing up and Restoring a Key Database Using the P11CAT ................................................ 28

9 FIPS requirements ..................................................................................................................... 29

10 Further Information ................................................................................................................... 30

Page 4

References ........................................................................................................................................ 31


Page 5

Page 6

1 Introduction Thank you for purchasing our CryptoServer security system. We hope you are satisfied with our product. This paper provides an integration guide explaining how to integrate an Utimaco CryptoServer Hardware Security Module (HSM) with Primekey EJBCA.

Please do not hesitate to contact us if you have any complaints or comments.

1.1 About this Manual This manual describes how to enable Utimaco CryptoServer HSM integration with the Primekey EJBCA server, including the Primekey EJBCA server installation. In order to allow a quick start when setting up a Primekey EJBCA environment, instructions are provided for reference in the appendix for setting up an environment for this Manual. For more detailed information regarding Primekey EJBCA, please refer to the documentation provided by Primekey.

1.1.1 Target Audience for this Manual

This manual is primarily intended for EJBCA and HSM administrators.

1.1.2 Contents of this Manual

Chapter 2 describes an overview of Primekey EJBCA and CryptoServer.

Chapter 3 provides the Prerequisites and Requirements

Chapter 4 provides an overview of the installation of the Primekey EJBCA server and its prerequisites.

Chapter 5 describes the necessary configuration steps for configuring PKCS#11.

Chapter 6 shows how to create, view and manage crypto tokens.

Chapter 7 shows how to create certificate authorities.

Chapter 8 shows how to backup and restore the keys stored on the HSM.

1.1.3 Document Conventions

We use the following conventions in this manual:

Convention Use Example

Bold Items of the Graphical User Interface (GUI), e.g., menu options

Press the OK button.


Page 7

Convention Use Example

Monospaced File names, folder and directory names, commands, file outputs, programming code samples

You will find the file example.conf in the /exmp/demo/ directory.

Italic References and important terms See Chapter 3, "Sample Chapter", in the CryptoServer - csadm Manual or [CSADMIN]

Table 1: Document conventions

Special icons are used to highlight the most important notes and information.

Here you find important safety information that should be followed.

Here you find additional notes or supplementary information

1.1.4 Abbreviations

We use the following abbreviations in this manual:

Abbreviation Meaning

CA Certificate Authority

CAT CryptoServer Administration Tool

CLI Command Line Interface

CXI Cryptographic eXtended Interface

EAP Enterprise Application Platform

eID e-Identity

Page 8

Abbreviation Meaning

EJBCA Enterprise Java Bean Certificate Authority developed by Primekey

HSM Hardware Security Module

MBK Master Backup Key

P11CAT PKCS#11 CryptoServer Administration Tool

PEM Privacy-Enhanced Mail

PKCS Public Key Cryptography Standards

PKCS#11 PKCS Part 11: The Cryptographic Token Interface Standard

PKI Public Key Infrastructure

SO The PKCS#11 cryptographic slot Security Officer

VM Virtual Machine

Table 2: List of Abbreviations


Page 9

2 Overview Primekey EJBCA is one of the longest running CA software projects, providing time-proven robustness and reliability. Primekey EJBCA is platform independent, and can easily be scaled down in order to match the needs of your PKI requirements, whether you are setting up a national eID, securing an industrial IOT platform, or managing your own internal PKI.

Primekey EJBCA covers all your needs - from certificate management, registration, and enrolment to certificate validation. It is one of the most widely deployed PKI softwares. It can be used in government, corporate, and individual scenarios. It is one of the most flexible, performant, and scalable PKIs used all around the world. If we want to enhance the security of the generated keys and certificates, the EJBCA needs to be configured to use a Hardware Security Module (HSM). When the HSM module is enabled with Primekey EJBCA, this strengthens the protection of keys and certificates. CryptoServer is a hardware security module developed by Utimaco IS GmbH. CryptoServer is a physically protected specialized computer unit designed to perform sensitive cryptographic tasks and to securely manage as well as store cryptographic keys and data. It can be used as a universal, independent security component for heterogeneous computer systems.

Page 10

3 Prerequisites and Requirements Ensure that the system environment you will be using meets the following hardware and software requirements.

3.1 Software Requirements

Software Software Requirements

Primekey EJBCA EJBCA 7 Enterprise

Operating system CentOS 7,8

Red Hat Enterprise Linux: 7,8

Java OpenJDK 8

Build tool Apache Ant 1.8 or later

eID e-Identity

Application Server JBoss EAP 7.0-7.2

WildFly 10, 12, 14

Database MariaDB

MySQL

Oracle Database

PostgreSQL

MariaDB

MySQL

Table 3: List of Software Requirements

3.2 Hardware Requirements

Hardware Hardware Requirements

Utimaco LAN HSM CryptoServer CSe-Series/Se-Series LAN with firmware SecurityServer 4.30.0


Page 11

Hardware Hardware Requirements

Utimaco PCI-e HSM CryptoServer CSe-Series/Se-Series PCI-e with firmware SecurityServer 4.30.0

Table 4: List of Hardware Requirements

Page 12

4 Installing Primekey EJBCA

4.1 Configuration Files The configuration of EJBCA - that cannot be configured in the Admin GUI - is located in the property's files in the conf directory. All properties are documented in the sample files. To configure the properties copy the sample file from conf/ejbca.properties.sample to conf/ejbca.properties and configure conf/ejbca.properties. You should first familiarize yourself with different options before you continue.

Copy the conf/install.propeties.sample file to conf/install.properties. Copy the conf/ejbca.properties.sample file to conf/ejbca.properties and the conf/cessecore.properties.sample file to conf/cesecore.properties then customize the files if needed. The default values work fine for a test installation.

1. It is necessary to configure the value of "appserver.home" in ejbca.properties. It has to be configured to point to the application server directory. Examples of how to do this can be found in the ejbca.properties.sample file. This makes libraries from the application server available to EJBCA during the build.

If you are only testing EJBCA at this stage and not setting up a production environment, the rest of this step can be skipped. There are default configuration options that should work in a test environment for everything.

2. In the Slot List on the left-hand side click on the 0000 0000 row. If needed, customize the CA properties in conf/ejbca.properties.

For production use do not forget to set new secure passwords. Keep conf/ejbca.properties as secret as possible. DO NOT forget the passwords in case you need to re-install the software at a later date!

3. To use a hard CA token from the start, change the "ca.tokentype", "ca.tokenpassword", and "ca.tokenproperties" values in the install.properties file. Appropriate values also need to be set in the ca.tokenproperties file for the HSM.

4. To put the initial superadmin certificate on a smartcard, set "superadmin.batch=false" in the web.properties file. Sign in after the installation is complete, as you would with any other smartcard user. The username is "superadmin" and the password is the value of "superadmin.password" in the web.properties file.


Page 13

If you are deploying on JBoss EAP, it is recommended to consider also jboss.config, since production may be the default server to start on JBoss EAP (depends on your configuration).

5. Do the same with the other configuration files that might need to be customized. The default values are generally sufficient, and most options are documented in the sample files.

4.2 Configuring Application Services

4.2.1 Installation and Setup of MySQL Server

The database that will be used in this integration guide is MySQL. To download and install MySQL Server execute the next command in the terminal window.

›_ Console

# sudo yum install mysql-server

When the installation is complete, open the MySQL command interface and make a connection as the root user.

›_ Console

# mysql -u -root -p

Password: (enter the root password)

After a successful login, create a database for EJBCA. In this guide the database is named "ejbcatest".

›_ Console

# mysql> CREATE database ejbcatest;

Page 14

Create a user with access to the "ejbcatest" database. The tables are created automatically, when the application server starts for the first time.

›_ Console

# sudo mysql -u root -p

mysql> USE ejbcatest;

mysql> CREATE DATABASE ejbcatest CHARACTER SET utf8 COLLATE utf8_general_ci;

mysql> GRANT ALL PRIVILEGES ON ejbcatest.* TO 'ejbca'@'localhost' IDENTIFIED BY 'ejbca';

Now the user EJCBA has access to the "ejbcatest" database that was created. The installation of MySQL is finished and ready for the setup.

4.2.2 Installing and Setting up Apache Ant

The command below will download and install the Apache Ant 1.9.x application.

›_ Console

# sudo yum install -y ant

4.2.3 Installing Java 8 JDK

The command below will download and install the OpenJDK 8.

4.2.4 Installing EJBCA Enterprise

4.2.4.1 Clean EJBCA Enterprise Installation

If you do not have the EJBCA 7.x.x.x Enterprise download available, please contact your Primekey partner or contact Primekey directly at [email protected].

1. Download and prepare the installation files.

›_ Console

# sudo yum install java-1.8.0-openjdk-devel



Page 15

›_ Console

# unzip ejbca_ee_7_X_X_X.zip -d <installdir>

# cd <installdir>

# ls

ejbca_ee_7_X_X_X

2. Configure the ejbca-setup script in <ejbca-install-directory>/bin/extra/ejbca-setup with the database user and password.

3. Run the ejbca-setup script with ./<ejbca-install-directory>/bin/extra/ejbca-setup according to the following example:

›_ Console

# ./ejbca_ee_7_X_X_X/bin/extra/ejbca-setup.sh

Do not run the ejbca-setup.sh script from the inside of the EJBCA directory. The script creates new directories and links and is thus dependent on being run only from outside the EJBCA directory.

The script will download WildFly 10 and the MariaDB database connector, and install them, resulting in a working EJBCA installation.

4. Import superadmin.p12 in your web browser using the password printed in the last line after running the script.

5. Open the EJBCA Administration Web at https://localhost:8443/ejbca/adminweb/ (localhost being the hostname of your Primekey EJBCA server). A console like the one indicated on Figure 1 should appear.

Page 16

Figure 1: A working EJBCA installation

4.2.4.2 Installing EJBCA from the Pre-installed OVA File

This guide is intended for users, who do not have the EJBCA installed yet. If you already have an EJBCA installation-ready, you can skip this section and continue to Section 5. This section covers how to do a test installation of EJBCA on a VirtualBox virtual machine (VM). The EJBCA installation used here consists of the following components: - EJBCA 7.0.1.3 Enterprise (r31942), - Linux CentOS, - WildFly 10 and Java 8 used for the java application server, - MySQL database backend. Follow the steps below to install EJBCA on a VirtualBox VM:

1. Download the latest version of Oracle VirtualBox from https://www.virtualbox.org/wiki/Downloads

2. Install Oracle VirtualBox on the host operating system by using all the default settings from the installation wizard. Please, refer to the guide at https://www.virtualbox.org/manual/ch02.html

https://www.virtualbox.org/wiki/Downloads

https://www.virtualbox.org/manual/ch02.html


Page 17

3. Download the EJBCA Enterprise 7.x.x.x Enterprise packaged OVA file that you received from Primekey. If you do not have the EJBCA 7.x.x.x Enterprise download available, please contact your Primekey partner or contact Primekey directly at [email protected]

4. Extract the content of the EJBCA Enterprise 7.x.x.x package, which results in the .ova file as an application to import. Import the selected .ova file with the default settings. When the EJBCA is successfully imported, it appears in the VirtualBox as the VM labeled "EJBCA.x.x". Set the static IP address up by accessing the configuration in the VirtualBox

5. Start the VM with the .ova file. CentOS with SSH access is launched in the VM.

6. Access the web interface of the EJBCA through the IP address that was set up for the VM. E.g. https://127.0.0.1:8080/ejbca. (127.0.0.1 is the IP of the VM)

7. In the EJBCA web GUI click Administration, which opens the EJBCA Administration page. In order to login, select the "SuperAdmin" certificate, when prompted by the web browser. The default password of the "SuperAdmin" PKCS12 certificate is found in the documentation received with the .ova file. If the installation is successful, the EJBCA Administration web page should be displayed as indicated on the Figure 2.

Figure 2: A working EJBCA installation


https://127.0.0.1:8080/ejbca

Page 18

5 Configuring PKCS#11

5.1 Introduction and Prerequisites Before the PKCS#11 interface and library can be used, some manual actions have to be performed. Follow the steps below to configure the PKCS#11 library and initialize a PKCS#11 slot. For further information about the PKCS#11 setup, refer to [CSPKCSDG].

5.2 Installing PKCS#11 on the Workstation The installation file for PKCS#11 is located on the Product CD. The installer creates an environment variable called CS_PKCS11_R2_CFG. It contains the path to Utimaco’s PKCS#11 configuration file. In Linux we have to copy the file to /etc/utimaco by default. We have to set the CS_PKCS11_R2_CFG environment variable to point to this location.

In order to be able to access the HSM via PKCS#11, the configuration file needs to be modified.

1. Set the path to the log file and set the desired log level.

[Global] # For unix: Logpath = /tmp # For windows: # Logpath = C:/ProgramData/Utimaco/PKCS11_R2 # Loglevel (0 = NONE; 1 = ERROR; 2 = WARNING; 3 = INFO; 4 = TRACE) Logging = 4

2. Set the IP address of the HSM.

[CryptoServer] # Device specifier (here: CryptoServer is CSLAN with IP address 127.0.0.1) Device = 127.0.0.1

3. Optionally, make any additional modifications to the configuration file, such as setting up an external key store, as described in [CSPKCSM]. We suggest to modify the PKCS#11 config file to KeepAlive flag active.

[Global]

# Prevents expiring session after inactivity of 15 minutes


Page 19

KeepAlive = true

5.3 Generating an MBK One of the steps of the HSM initialization is generating a new MBK, which can be used for creating backups, for using an external storage and for synchronizing HSM clusters. By default, MBK is an AES256 key, though it is also possible to generate a DES MBK using the csadm tool for backward compatibility reasons.

It is required to generate an MBK for the HSM to become operational. Without the MBK no cryptographic operations can be run.

To generate the MBK:

1. Open the Crypto Administration Tool.

2. Achieve the permission level of at least 02000000.

3. Click Manage MBK to access the Remote Master Backup Key Management window and select the tab Generate.

4. Type the name of the MBK in the section MBK Name.

5. Select the mode of backing up the MBK shares as either XOR or m out of n.

▣ If m out of n was selected it is necessary to select the number of m (shares) and n (shares) by using the dropdown menus set by default as 2 and 3.

6. In case this MBK also needs to be imported at the same time into the HSM, select the Automatic MBK Import option.

7. Click Generate.

8. Select whether to save the MBK parts on smartcards or as keyfiles by selecting either Smartcard Token or Keyfile Token option.

▣ If you chose to export the MBK shares on smartcards, follow the instructions on the smart card reader to export all m parts.

Page 20

5.4 Importing the MBK In case the MBK was not imported when it was generated or if you want to upload it to another HSM, you need to import it from the keyfiles or smartcards that carry its parts. The MBK was divided into multiple parts by using Shamir’s Secret Sharing or XOR and can be restored by using the “m out of n” or XOR principle.

1. Make sure that at least m out of n smart cards/keyfiles are available.

2. Open the CryptoServer Administration Tool.

3. Achieve the permission level of at least 02000000.

4. Click Manage MBK to access the Remote Master Backup Key Management window and select the Import tab.

5. Select the type of MBK that will be imported and the value m.

6. Click Import.

7. Select whether to save the MBK parts on smartcards or as keyfiles by selecting either Smartcard Token or Keyfile Token option.

8. Follow the instructions to import all m parts.

5.5 Initializing PKCS#11 on HSM In addition to PKCS#11, the PKCS#11 graphical interface tool (P11CAT) and the PKCS#11 command line interface (p11tool2) are installed as well. This chapter shows how to use the P11CAT in order to initialize the PKCS#11 Slot 0. There are 10 active PKCS#11 slots by default. The number of PKCS#11 slots can be modified in the PKCS#11 configuration file.

1. Make sure that the PKCS#11 configuration file contains the IP address of your HSM, and that the HSM is running.

2. Open the P11CAT tool on your workstation. When opening the tool for the first time, the slots should be as indicated in Figure 3.


Page 21

Figure 3: PKCS#11 slots before initialization

3. Select the row 0000 0000 under Slot ID on the top left-hand side in the Slot List.

4. Click on Login/Logout.

5. Click on Login Generic.

6. Login as a user with permission mask at least 20000000 (User Manager permission).

7. Click Slot Management.

8. Create the Security Officer (SO) for the Slot 0. Click Init Token. Write the Token Label. Set the SO PIN. Confirm the SO PIN. Click Init Token. Observe the changed Token Init. status for the Slot 0.

9. Logout the ADMIN user. Click Login/Logout. Click Logout All.

10. Login as SO. Click Login/Logout. Click Login SO. Enter the SO PIN. Click Login.

11. Click Slot Management.

12. Create the User for Slot 0. Select Init PIN. Enter Normal User PIN. Confirm Normal User PIN. Click Init PIN. Observe the changed PIN Init. status for the Slot 0.

13. Logout the SO. Click Login/Logout. Click Logout All.

Slot 0 is now initialized. An application or a user can now connect to the PKCS#11 Slot 0 and create/store objects on the slot. Find further information about creating or deleting objects and users in [CSPKCSM] and [LPKCSHD].

Page 22

6 Managing Crypto Tokens

6.1 Creating a Crypto Token 1. Select the Crypto Tokens menu option to display the Manage Crypto Tokens page as

indicated in Figure 4.

Figure 4: "Manage Crypto Tokens" view

2. Click Create new… at the bottom left side of the page.

3. On the New Crypto Token page (Example shown in Figure 5) that appeared

a) Give the token a Name. b) Select the token Type. c) Type in the Authentication Code and repeat it. d) Select usage of Auto-activation. e) Select usage Use explicit ECC parameters (ICAO CSCA and DS certificates). f) Select the appropriate PKCS#11 Library. g) Select the appropriate PKCS#11 Reference Type. h) Input the PKCS#11 Reference. i) Select the PKCS#11 Attribute File. j) Check the parameters and click Save.


Page 23

Figure 5: Specifying parameters for a new crypto token

6.2 View or Edit a Crypto Token This view is similar to the page New Crypto Token creation of a token in Figure 5, except for showing the ID and the activation status. This page allows changing of values, such as the name or auto-activation status.

It is not possible to change the crypto token ID or the crypto token type.

6.3 Key Management An active Crypto Token's keys can be viewed and interacted with.

Page 24

Figure 6: List of all the keys belonging to a UtimacoIG-CA Crypto Token

1. A new key pair can be created by giving it an alias, a key algorithm, specification and by clicking Generate new key pair.

2. The Key pairs can be removed by clicking Remove for a specific key pair or by selecting multiple keys by clicking the box on the far left of the row and clicking Remove selected.

3. A key pair can be tested by clicking Test for a specific key pair.

4. A key pair's public key can be downloaded in PEM format by clicking Download Public Key.

6.4 Managing Crypto Tokens from the CLI Nearly all functionalities concerning crypto tokens are displayed in the command line using the crypto token command:

›_ Console

$HOME/bin/ejbca.sh cryptotoken

--------------------------------

The following commands are available:

Activate Activate CryptoToken

Create Create a new CryptoToken

Deactivate Deactivate CryptoToken

Delete Delete CryptoToken

Generatekey Generate new key pair

List List all available CryptoTokens


Page 25

Listkeys List all key pairs in an active token

Removekey Remove a key pair

Setpin Modifies the current keystore and/or auto-activation pin.

Testkey Test key pair

Page 26

7 Creating Certificate Authorities Creating certificate authorities (CAs) can be done by either using the Admin GUI or the command line interface (CLI). The recommended way is by using the Admin GUI since it gives more control over all parameters. The CAs can be either:

■ root CAs,

■ subordinate CAs to another CA in EJBCA,

■ subordinate CAs to an external CA.

7.1 Using CLI The CAs can be created by using the CLI command:

›_ Console

$HOME/bin/ejbca.sh ca init

7.2 Using Admin GUI Creating CAs in the Admin GUI is done by selecting Certificate Authorities in the menu, entering a new CA name in the text field, and clicking Create (See Figure 7).

Figure 7: Creating a new CA


Page 27

8 Backup and Restore The Utimaco HSM enables different ways of making backups of either the entire database of keys or just certain groups of keys. All the backups are encrypted by the Master Backup Key (MBK), which the system administrator generates, when setting up the HSM. More information about the MBK can be found in [CSADMIN].

8.1 Backing up and Restoring a Key Database All the keys inside the HSM are stored in a CXI database and it is possible to backup the entire database at once. In the same way, the user database can be backed up as well. In FIPS mode, this utility is not supported.

1. Open the Crypto Administration Tool.

2. Make sure the HSM is connected and in the operational mode.

3. Click on Login/Logoff to open the Login/Logoff User window.

4. Login the appropriate users to achieve permission level of at least 22000000.

5. Click Backup/Restore to open the CryptoServer Database Backup/Restore Wizard window.

a) In the Command section select either to:

□ Backup databases from source CryptoServer to backup directory,

□ Restore databases from backup directory to target CryptoServer,

□ Copy databases from source CryptoServer to target CryptoServer.

b) In the Settings section:

□ Select the appropriate Source CryptoServer,

□ If available select the appropriate Target CryptoServer,

□ In the Backup directory section type the appropriate backup directory path (set to C:\Program Files\Utimaco\CryptoServer\Administration as default), or click … to browse for the appropriate directory

6. Select the databases to backup or restore.

7. Click Execute.

8. A confirmation window appears.

Page 28

For FIPS backup, please use the P11CAT or the p11tool2.

8.2 Backing up and Restoring a Key Database with P11CAT It is possible to backup separate PKCS#11 slots by either using the P11CAT or the p11tool2. In this guide we use the P11CAT for the backup procedure. Please refer to [CSP11TOOL2] for the backup procedure with the p11tool2.

1. Open the PKCS#11 CryptoServer Administration (P11CAT).

2. Login to the slot you want to backup as the Cryptographic User (achieve permission level of at least 00000002).

3. Click Backup/Restore.

4. Click Backup/Restore Keys.

5. Select one among the 4 options. Click the one that corresponds to your case. The possibilities are to perform either:

▣ Backup Internal Keys,

▣ Backup External Keys,

▣ Restore Key Backup to Internal Key Store,

▣ Restore Key Backup to External Key Store.

6. A popup window opens.

a) Select the directory where the key database will be backed up and type the name of the key database in the section File name.

b) If you chose to restore a key backup to an internal or an external key store, select the directory where your backup is located.

c) To confirm your choice, click on Save.

7. In the Status window a log of the performed action can be seen.


Page 29

9 FIPS Requirements All the steps are identical for HSM in FIPS 140-2 approved mode. The only difference is that the backup of the entire key database is not possible. In this case the P11CAT or the p11tool2 are used for backing up the keys.

Note that although the integration does not require extra steps, the HSM running in FIPS mode will accept ONLY FIPS compliant parameters. Be careful to select FIPS compliant algorithms, key lengths, and elliptic curves when generating new keys. For more information about the FIPS compliant algorithms please refer to the CryptoServer User and Administration Guides.

Page 30

10 Further Information This document forms a part of the information and support, which is provided by the Utimaco IS GmbH. Additional documentation can be found on the product CD in the Documentation directory. All CryptoServer product documentation is also available at the Utimaco IS GmbH website: http://hsm.utimaco.com


Page 31

References Reference Title/Company Document No.

[CSPKCSM] CryptoServer - PKCS#11 P11CAT Manual M013-0001-en

[LPKCSHD] Learning PKCS#11 in Half a Day 2015-0008

[CSPKCSDG] CryptoServer PKCS#11 R2 Developer Guide 2012-0007

[EJBCA] EJBCA Offical Installation Guide 2019

[CSP11TOOL2] CryptoServer PKCS#11 p11tool2 Reference Manual 2012-0004

Contact

Utimaco IS GmbH Germanusstr. 4 D-52080 Aachen Germany Phone: +49 241 1696 – 200 Fax: +49 241 1696 – 199 Web: http://hsm.utimaco.com

E-mail: [email protected]



Date post:	28-Oct-2021
Category:	Documents
Upload:	others
View:	14 times
Download:	0 times

Integration Guide - Utimaco

Documents