Utimaco HSM

Date post: 10-Feb-2018

  • 7/22/2019 Utimaco HSM

    1/76

    Utimaco HSM

    DNSSEC Integration

    Presented By Duy Nguyen

    (PMS)

    2/76

    Agenda

    Part 1: Utimaco HSM

    CryptoServer LAN

    Placing Into Operation

    Administration Tools

    Keys and Key Management

    Basic Administration

    Application

    Part 2: Utimaco HSM and DNSSEC integration

    Init slot

    Build DNSSEC

    DNSSEC Configuration

    4/76

    Hardware

    CryptoServer LAN = CryptoServer + communication unit

    Industry PC solution

    Automatic voltage detection (100-240 V)

    Dual Network Interface (2 x 1Gbit)

    Flash Disk

    Hardware Watchdog on board

    4 x 40 Display + Navigation Panel

    Serial + USB Port (e.g. PIN pad)

    External battery exchange

    5/76

    Implementation environment with one or more SafeGuard CryptoServer LAN

    6/76

    Software

    Operating System

    Self-made, hardened kernel, based on Linux from scratch

    CSXLAN

    TCP Server (daemon) for remote access

    Maps CryptoServer to Port (default 288)

    Serialize commands

    NTP Client / Server

    Automatic time synchronization to an external time reference

    DSP_ADMIN

    Display and Keyboard

    Integrated administration of CryptoServer (e.g. loading of MBK) and CSXLAN (e.g. setting of IP address)

    Menu structure configurable

    SSH

    Remote Administration

    SNMP

    [Diagram: software stack of the CryptoServer LAN. The CryptoServer SE / CS card sits below a Linux operating system with the PCI driver; on top run CSXLAN (configured via csxlan.conf), DSP_ADMIN and the NTP client / server; administration from the host uses csadm.]

    7/76

    Software Update via Partitions

    Concept: Three boot partitions:

    factory (no permanent storage)

    User1

    User2

    Updates do not change the running system

    Two system states are kept: the current and the previous system (for update)

    User can revert back to Utimaco defaults

    User cannot change the factory partition

    8/76

    Software Update via Partitions (cont.)

    Update: Copy the new image from a USB device to the second boot partition

    Activate: Set the second boot partition to active

    Reboot: User settings are copied to the new active boot partition

    10/76

    Install LAN appliance

    Connect SafeGuard CryptoServer LAN on the back panel with a 100-240 V mains power supply.

    Connect SafeGuard CryptoServer LAN with your network by means of a twisted-pair cable (RJ45).

    Turn the power supply switch on (back panel).

    Turn SafeGuard CryptoServer LAN on (front panel).

    If necessary, connect a PIN pad to SafeGuard CryptoServer LAN (see illustration, front panel 2). This can also be done during operation.

    SafeGuard CryptoServer LAN is ready for operation after approx. 30 seconds.

    11/76

    Set IP-address

    To Set IP:

    -> LAN Box administration

    -> Configuration

    -> Network

    -> IP address

    The two digits after the slash represent the number of consecutive 1 bits in the desired netmask. The number 24 corresponds to the netmask 255.255.255.0.

    Note: You should also take note of the network connection, either "eth0" or "eth1", to which you have connected the network cable of the CryptoServer LAN.

    12/76

    Entering the IP address of the default gateway

    To set the default gateway:

    -> LAN Box administration

    -> Configuration

    -> Network

    -> Default Gateway

    13/76

    SSH

    To enable the SSH daemon:

    -> "LAN Box Administration"

    -> "Configuration" menu item

    -> "Services"

    -> "SSH Daemon"

    -> "Configuration"

    -> "Configuration of SSH Daemon"

    -> "[x] Enable" and confirm by pressing "OK"

    Set the IP range for which SSH access is to be permitted.

    14/76

    Changing the password for the "root" user

    As we have already set the password for accessing the operating system ("root" user), we strongly recommend you change it as soon as possible.

    You can change the password for the "root" user in two different ways: either via an SSH connection from your Admin PC, or directly on the CryptoServer LAN, by connecting a keyboard and a screen to it.

    15/76

    Enabling the web interface

    CryptoServer can display different status information via a web interface in a normal browser.

    To enable the web interface:

    -> LAN Box Administration

    -> Configuration

    -> Services

    -> Web Interface and [X] Enable

    You can also access the web interface using a browser via HTTP port 80. In this case, you must enter the CryptoServer LAN's IP address as the URL. You can then use the web interface to display status information. However, you cannot configure the CryptoServer LAN or the CryptoServer via the web interface.

    16/76

    Demo

    CS LAN:

    Connect to power and network cable.

    Set IP address

    Set Gateway

    Test connectivity (ping)

    Enable SSH

    Change the password for the "root" user

    18/76

    Administration Tools

    CAT (GUI)

    Java based

    Windows, Linux, Solaris

    csadm (command-line tool)

    Windows, Linux, Solaris, AIX

    19/76

    Command Line Tool

    Command groups:

    Basic: Help, PrintError, Version

    Load Preparation: MakeMTC, Pack, Unpack

    Raw Commands: Reset, ResetToBL, GetInfo

    Bootloader: StartOS, RecoverOS, BLChangeInitKey, BLLoadFile, BLSetRTC, BLResetAlarm

    Administration: GetState, GetAlarmLog, ListFiles, LoadPkg, LoadFile, DeleteFile, ListModulesActive, GetBootLog

    User management: ListUser, AddUserRSASign, ChangeUser, DeleteUser

    Authentication: LogonSign, LogonPass, AuthRSASign, AuthClearPwd, Login, Logoff

    CSLAN: CSLGetLogFile, CSLShutdown

    Init-Key management: GenKey, Backupkey

    Master Box Key Management

    Misc: CMD, GenRandom

    20/76

    Command Line Tool

    Parameter (selection):

    Dev= - Address of SafeGuard CryptoServer, e.g. TCP:[email protected], PCI:0, /dev/cs2a (used by nearly all commands)

    InitPrvKey= - Key identifier of the private init key (used by many boot loader commands)

    AuthRSASign=, AuthSHA1PWD=, AuthClrPWD= - User authentication (used by nearly all commands)

    Help available: csadm help=

    21/76

    Command Line Tool

    Key identifiers:

    C:\my_keys\initprv.key - Local key file

    :cs2:cyb:USB - Specifies a connected PIN pad. The name has the form smartcard-id:pinpad-id:port-id: ":cs2" = CryptoServer smartcard, ":cyb" = cyberJack (ReinerSCT) PIN pad used, ":USB" = USB port (COM1 for serial port 1)

    Parameters:

    Environment variables can be used for parameter setting. After setting CRYPTOSERVER=TCP:192.168.4.161 it is no longer necessary to specify the Device parameter.

    Commands can be bundled: csadm AuthRSASign=ADMIN,:cs2:cyb:USB LoadFile= LoadFile= loads several files, and the PIN has to be entered only once.

    23/76

    Master Box Key

    MBK is ...

    An AES 256 key (3DES supported for backward compatibility)

    Necessary to back up and restore keys stored at the SafeGuard CryptoServer on the host system

    Supporting the k out of n key sharing

    Usable at several SafeGuard CryptoServers to realize high availability

    Remotely administrable (import possible without an administrator on site)

    24/76

    Master Box Key

    [Figure: two utimaco safeware PIN pads (PS/2, COM, CS (1), CS (2) connectors; keys 0-9, ., *, DEL, CLR, OK, Exit), one used to generate and one to import the MBK.]

    Key set consists of N smartcards, whereof K are needed to recombine the MBK (here: N=4, K=2)

    Generate key and store on 4 smartcards, whereof 2 are needed to recombine the key

    Import MBK from two smartcards

    25/76

    Administration Keys

    Administration keys can be stored on a smartcard (recommended) or as a key file, plain or password encrypted

    Administration keys are assigned to an administration role

    User Manager (0x2000 0000) and Firmware Manager (0x0200 0000) can be created (exclusive permission or 4 eyes)

    If a customer-specific, fully qualified administration role is created, the default ADMIN user can be deleted

    If the administration keys are lost, it is still possible to reset the SafeGuard CryptoServer to the factory default configuration: an external erase has to be performed, after which the SafeGuard CryptoServer can be reset to the factory default configuration.

    26/76

    Customer Keys overview

    [Diagram: standard interfaces (CXI, PKCS#11, customer interface) and CSAPI reach the CryptoServer through the PCI driver; administrator keys and the Master Box Key (MBK) are managed from a client PC (Windows, Linux, Solaris) running the CAT or csadm administration tool.]

    28/76

    Basic Administration

    How to generate and assign an administrator key

    Re-initialization of the SafeGuard CryptoServer

    Change the PIN of a smartcard

    Manage users and keys

    Monitoring

    29/76

    Basic Administration - Users

    30/76

    Basic Administration - User Groups

    User groups 6,7: CryptoServer administration purposes.

    User groups 0 to 5: application-specific access rights.

    The following user groups are predefined:

    31/76

    Permissions and authentication status

    32/76

    Generate and assign administrator keys

    In CAT select KeyTools -> SmartCard Management

    Select the algorithm

    The Key-Info text is the name of the key on the smartcard (shown when calling KeyTools -> SmartCard -> Show SmartCard info)

    Choose the number of backups to create

    One backup half of the key could be stored together with the user key (not recommended) on a smartcard.

    Prepare smartcards for all administrators.

    33/76

    Generate and assign administrator keys

    OR:

    In CAT select KeyTools -> KeyFile Management -> Generate to generate a file-based administration key

    The key file can be stored password encrypted or plain

    34/76

    Generate and assign administrator keys

    Log in as the ADMIN user

    Select the ADMIN user and click Login

    35/76

    Generate and assign an administrator key

    Select User Management and press Add user

    36/76

    Generate and assign administrator keys

    Create an administration user (here: 4-eyes principle)

    Group 7 = 1

    Group 6 = 1

    Assign the key created before

    37/76

    Generate and assign administrator keys

    Perform these steps for the second administrator

    As the last step, select the user ADMIN and press Delete user

    38/76

    Generate and Import the Master Box Key (MBK)

    First log in a user to the SafeGuard CryptoServer

    Select an Admin user from the list and click Login

    Follow the instructions

    39/76

    m & n

    "m (shares)" is the number of people to which the key is to be distributed

    "n (shares)" is the minimum number of people required to use the key.

    40/76

    Generate and Import the Master Box Key (MBK)

    Open the Remote MBK Management dialog: Key Management -> Remote MBK Management

    Enter the name of the MBK, select the type (AES is recommended)

    Choose the number of shares needed to recombine the MBK (k value) and the number of shares you want to create (n value)

    Select automatic MBK Import to load the MBK to the SafeGuard CryptoServer, otherwise the Import tab has to be used.

    Press Generate

    If an existing MBK should be imported, use the Import tab.

    41/76

    Basic Administration - Change PIN of a smartcard (SafeGuard CryptoServer CS/Se)

    In CAT select KeyTools -> SmartCard Management

    Switch to tab Change PIN

    Press Change PIN

    Follow the instructions at the PIN pad

    This command changes the User PIN of a smartcard; the MBK PIN of a smartcard is changed with the MBK Management dialogs

    42/76

    Monitoring

    Extended SNMP support

    CryptoServer objects

    Status, internal temperature, alarm state, firmware module state, operational mode, bootloader version, serial number, battery state, system time

    CryptoServer LAN objects

    Load, CryptoServer LAN software version, serial number, battery state, system time, number of client connections

    SNMP traps when

    Temperature, load, number of clients exceed min/max threshold

    Configurable threshold

    Battery low, alarm state, CryptoServer changes operating mode, CryptoServer LAN boot/shutdown/restart

    Configuration through CryptoServer LAN front panel menu or ssh

    Monitoring can also be done by a script on the host evaluating the following commands:

    Get the actual state of the SafeGuard CryptoServer with the csadm GetState command: check that the SafeGuard CryptoServer is alive, its state is operational and the temperature is in range

    Check that the needed functionality is available with the csadm ListModulesActive command: do all modules have state INIT_OK?

    Check the battery state with the csadm GetBattState command
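    A host-side health check along the lines of this list, as an added example that is not Utimaco's own tooling: it runs the three csadm commands named above against the device in the CRYPTOSERVER variable (which the csadm slides say replaces the Dev= parameter) and evaluates their output. The output layouts parsed here (a "Mode:" and a "Temperature:" line, one module per line with its state as the last field, a "Battery state:" line) are constructed assumptions, so adapt the patterns to what your csadm version actually prints.

```shell
#!/bin/sh
# Health check for a SafeGuard CryptoServer from the host, built on the three
# csadm commands the slide names: GetState, ListModulesActive, GetBattState.
# The device comes from the CRYPTOSERVER environment variable, which the
# slides say makes the Dev= parameter unnecessary.
# ASSUMPTION: the output layouts parsed below are constructed for this
# example (a "Mode:" and "Temperature:" line, one module per line with its
# state as last field, a "Battery state:" line); adapt them to real output.

TEMP_MAX="${TEMP_MAX:-55}"   # example upper limit in degrees Celsius

# check_state: reads GetState output on stdin; succeeds only if the mode is
# OPERATIONAL and the reported temperature is below TEMP_MAX.
check_state() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qi 'mode *[:=] *OPERATIONAL' || return 1
    temp=$(printf '%s\n' "$out" |
        awk -F'[:=]' 'tolower($1) ~ /temp/ { gsub(/[^0-9.]/, "", $2); print $2; exit }')
    [ -n "$temp" ] || return 1           # no temperature line at all: fail closed
    awk -v t="$temp" -v max="$TEMP_MAX" 'BEGIN { exit !(t + 0 < max + 0) }'
}

# check_modules: reads ListModulesActive output on stdin; succeeds only if at
# least one module is listed and every module line ends in INIT_OK.
check_modules() {
    awk 'NF >= 2 { n++; if ($NF == "INIT_OK") ok++ }
         END { exit !(n > 0 && ok == n) }'
}

# check_battery: reads GetBattState output on stdin; fails if it reports LOW.
check_battery() {
    if grep -qi 'low'; then return 1; fi
    return 0
}

# run_checks: runs the live commands; returns 0 when all checks pass,
# 1 when a check fails and 2 when the environment is not set up.
run_checks() {
    [ -n "${CRYPTOSERVER:-}" ] || { echo "CRYPTOSERVER is not set" >&2; return 2; }
    command -v csadm >/dev/null 2>&1 || { echo "csadm not in PATH" >&2; return 2; }
    rc=0
    csadm GetState | check_state || { echo "state/temperature check failed" >&2; rc=1; }
    csadm ListModulesActive | check_modules || { echo "a module is not INIT_OK" >&2; rc=1; }
    csadm GetBattState | check_battery || { echo "battery low" >&2; rc=1; }
    return "$rc"
}

# Run the live checks only when invoked with --run (e.g. from cron), so the
# functions can also be sourced and exercised with canned output.
if [ "${1:-}" = "--run" ]; then
    run_checks
    exit $?
fi
```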

    43/76

    Demo

    Create Administrators

    Generate and import MasterBoxKeys

    45/76

    Product Portfolio

    SafeGuard CryptoServer Roadmap September 2012

    [Diagram: product portfolio. Hardware: SafeGuard CryptoServer Se-Series and CS-Series. Software products on top: SafeGuard SecurityServer (PKCS#11, JCE, MS CSP/CNG/SQL EKM, OpenSSL, CXI), SafeGuard TimestampServer (RFC 3161, CTS API) and SafeGuard CryptoServer SDK (Software Development Kit for Customized Functionality).]

    46/76

    Security Server Overview

    Security Server includes the following interfaces:

    PKCS#11

    CSP and CNG for Microsoft CryptoAPI (MSCAPI)

    Utimaco Cryptographic Extended Interface (CXI)

    JCE

    OpenSSL

    Product CD with installation on Windows systems; select the aim of the installation: Runtime/Development/Custom

    Including CAT

    47/76

    Security Server Overview

    Supported operating systems:

    Microsoft Windows XP, Vista, Server 2003, Server 2008

    Linux kernel 2.4.0 and higher

    RHEL 6, SUSE 10

    Solaris 8 and higher

    AIX

    48/76

    Security Server PKCS#11

    Benefits

    2 operation modes:

    In cluster mode every device is accessible separately by different slot IDs

    In failover mode transparent failover functionality is available

    Secure channel between application and SafeGuard CryptoServer available

    Strong authentication available: 2FA, 4 eyes

    Thread-safe for use in multi-threaded applications

    Multiple SafeGuard CryptoServer support for each application

    Up to 256 parallel sessions/applications per SafeGuard CryptoServer

    49/76

    Security Server PKCS#11

    Architecture PKCS#11 libraries:

    cs2_pkcs11_R2.dll / libcs2_pkcs11_R2.so

    CXI Firmware module

    50/76

    Security Server PKCS#11

    Configuration of the PKCS#11 interface:

    cs_pkcs11_R2.cfg file can contain several sections:

    [Global] section for general configuration (timeout, logging)

    Several [CryptoServer] sections, one for each SafeGuard CryptoServer device that should be addressed by the application.

    Several [Slot] sections; the slot number must be defined, and non-standard authentication can be configured.

    51/76

    Microsoft CSP / CNG

    Benefits

    Multitenancy: assign a key to a user group; these keys are not visible to users not in the assigned group

    When SafeGuard CryptoServer LAN is employed, several clients/applications can use one single SafeGuard CryptoServer.

    Failover and clustering available

    External storage of keys available to synchronize several CryptoServer LAN.

    Hardware random number generator for the generation of high-quality RSA keys.

    Tamper-proof storage of numerous cryptographic keys (e.g. more than 30,000 RSA keys, 1,024 bits).

    Use 2-factor authentication to back up/restore cryptographic keys.

    All cryptographic algorithms (also encryption/decryption, hashing) are performed directly in the HSM and are therefore protected against manipulation.

    52/76

    Microsoft CSP / CNG

    Architecture

    CSP libraries: cs2csp.dll, cs2csplib.dll

    CXI Firmware module

    [Diagram: on the client computer an application (e.g. Microsoft PKI) uses Microsoft CryptoAPI (digital signature), which calls the Utimaco CryptoServer CSP; the CSP reaches either a local CryptoServer PCI via the PCI driver or a Utimaco CryptoServer LAN (TCP server, PCI driver, CryptoServer PCI); the CXI Cryptographic Core runs in the HSM.]

    53/76

    CXI - Cryptographic Core Interface

    Benefits:

    All important platforms supported

    Comfortable and flexible implementation

    High performance

    Nearly all cryptographic functions are available

    Easy to extend according to the needs of the customer

    FIPS 140-2 Level 3 certification in process

    Used for PCI DSS implementation

    54/76

    CXI - Cryptographic Core Interface

    Based on the CXI firmware module, several host APIs are implemented:

    OpenSSL

    CryptoServerJCE

    CXI .net

    CXI C-Interface

    CXI Java Class Library

    Easy to use, fast implementation in your application:

    Source code examples for all host APIs are available

    Integrated authentication and secure messaging

    55/76

    CXI - Cryptographic Core Interface

    CXI Failover Architecture

    [Diagram: the application on the host system / application server uses the CXI DLL / JAR, a CXI configuration file and optional key storage; a secure channel over TCP/IP connects it to the CryptoServer, which is managed remotely.]

    56/76

    CXI - Cryptographic Core Interface

    CXI Failover Architecture

    From the application's point of view, transparency of:

    HSM hardware: a cluster may consist of CryptoServer PCI(e) and/or CryptoServer LAN

    Cluster size: 2 or more HSMs in a cluster

    Installation sites: local or remote HSMs

    Failover mechanism:

    Failover from 1st to 2nd to nth to 1st

    Prioritization of HSMs in planning (e.g. local or higher-performance HSMs get higher priority when scheduling the next HSM)

    Re-use of a failed CryptoServer after repair/replacement

    Flexibility:

    HSM may belong to several clusters

    Internal or external key storage

    58/76

    Preparation

    This demo is shown on Linux RHEL 6.3

    and uses the following packages:

    bind-9.9.2-P2.tar.gz

    openssl-1.0.0f.tar.gz

    59/76

    Environment Variables

    Check environment variables:

    export CS_PKCS11_R2_CFG=/dnssec/utimaco/cs_pkcs11_R2.cfg
    export [email protected]
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/dnssec/utimaco/
    export LD_LIBRARY_PATH

    Check the PKCS#11 configuration file (cs_pkcs11_R2.cfg):

    [Global]
    Logpath = /utimaco
    # Prevents expiring session after inactivity of 15 minutes
    KeepAlive = true

    [CryptoServer]
    Device = [email protected]

    60/76

    Init slot - Create User

    61/76

    Init slot - Create SO User

    Login with

    62/76

    Login with PKCS#11 CryptoServer Administration

    Init slot - Create SO/User

    63/76

    Init slot - Create SO/User with the command line

    Init SO PIN: p11tool2 [Lib=] [Slot=] [Label=] [Force=] [Login=,] InitToken=

    Example: ./p11tool2 Slot=0 Login=ADMIN,init_dev_prv.key Force=1 InitToken=12345678

    Init PIN:

    p11tool2 [Lib=] [Slot=] LoginSO=

    InitPIN=

    Example:

    ./p11tool2 Slot=0 LoginSO=12345678 InitPIN=123456

    64/76

    Some other commands

    ./p11tool2

    ./p11tool2 help=InitPIN

    ./p11tool2 Slot=1 GetSlotInfo

    ./p11tool2 Slot=1 LoginUser=123456 ListObjects

    66/76

    Extract Bind & OpenSSL

    cd /dnssec

    tar zxf openssl-1.0.0f.tar.gz

    tar zxf bind-9.9.2-P2.tar.gz

    mv openssl-1.0.0f openssl

    mv bind-9.9.2-P2 bind

    WARNING: RHEL will need the pcsc-lite-devel package. Packages installed in this demo:

    pcsc-lite-1.5.2-7.el6.x86_64

    pcsc-lite-openct-0.6.19-4.el6.x86_64

    pcsc-lite-devel-1.5.2-7.el6.x86_64

    pcsc-lite-libs-1.5.2-7.el6.x86_64

    67/76

    Patch OpenSSL

    Just run the following commands:

    cd openssl

    patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch

    Result

    [root@dnssec openssl]# patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch

    patching file Configure

    patching file Makefile.org

    patching file README.pkcs11

    patching file crypto/opensslconf.h

    patching file crypto/bio/bss_file.c

    patching file test/clean_test.com

    patching file util/libeay.num

    patching file util/mk1mf.pl

    patching file util/mkdef.pl

    patching file util/pl/VC-32.pl

    [root@dnssec openssl]#

    68/76

    Build OpenSSL

    Just run the following commands:

    Linux 64-bit:

    ./Configure linux-generic64 -m64 -pthread \
    --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11

    Linux 32-bit:

    ./Configure linux-generic32 -m32 -pthread \
    --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11

    make

    make install

    Check that the PKCS#11 engine is available:

    [root@dnssec dnssec]# /opt/openssl-p11/bin/openssl engine pkcs11 -t

    (pkcs11) PKCS #11 engine support (crypto accelerator)

    [ available ]

    70/76

    Install BIND Domain Name Server

    Run the following commands:

    ./configure CC="gcc -m64" --enable-threads \
    --with-openssl=/opt/openssl-p11 \
    --with-pkcs11=/dnssec/utimaco/libcs2_pkcs11.so

    make

    make install

    71/76

    Generate Keys and Sign a Domain Zone

    1. Generate a zone-signing key and a key-signing key

    # pkcs11-keygen -b 2048 -l ksk

    # pkcs11-keygen -b 1024 -l zsk

    The parameter -b specifies the key size and -l the label of the key pair.

    Since the library path was exported, it is no longer necessary to specify it using the parameter -m (module).

    You will be prompted to enter the user PIN for the PKCS#11 slot.

    72/76

    View Keys

    Use command: pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]

    Example, slot 1:

    pkcs11-list -s 1 -p 123456

    Slot 0:

    pkcs11-list -p 123456

    73/76

    Generate Keys and Sign a Domain Zone (cont.)

    2. Generate the key files for BIND

    # dnssec-keyfromlabel -l ksk -f KSK utimaco.com

    # dnssec-keyfromlabel -l zsk utimaco.com

    The parameter -l specifies the label again, and after -f follows the key flag. The key files are generated for a specific zone, which in this case is utimaco.com.

    Now you should find the corresponding key files in the current directory, which are named K<zone>.+<algorithm>+<key tag>.(key|private).

    74/76

    Generate Keys and Sign a Domain Zone (cont.)

    3. Before you can sign a zone, it is necessary to add the contents of both K*.key files, or to include them by reference (using the key file names) in the zone master file. Open the zone file and add the following lines, e.g.:

    $include Kutimaco.com.+005+35677.key

    $include Kutimaco.com.+005+63263.key

    4. Finally sign the zone

    # dnssec-signzone -S -o
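    The four steps above chained into one script, as an added example that is not from the slides: it generates the keys on the HSM with the labels ksk and zsk used above, derives the BIND key files, adds the $include lines by reference (without duplicating them when re-run) and signs the zone. It assumes the zone master file is named <zone>.zone in the current directory and that the BIND tools built earlier are on PATH.

```shell
#!/bin/sh
# Steps 1-4 of the slides chained into one script: generate the KSK/ZSK pair
# on the HSM, derive the BIND key files, reference them from the zone master
# file and sign the zone. Assumptions not from the slides: the master file is
# named <zone>.zone in the current directory and the BIND tools are on PATH.

# include_lines: print one "$include K<zone>.+<alg>+<tag>.key" line for every
# key file of the zone found in directory $2 (step 3, inclusion by reference).
include_lines() {
    zone=$1; dir=$2
    for f in "$dir"/K"$zone".+*+*.key; do
        [ -e "$f" ] || return 1                 # glob did not match: no key files
        printf '$include %s\n' "$(basename "$f")"
    done
}

# add_includes: append the $include lines to the zone file, skipping lines that
# are already there so that re-running the script never duplicates them.
add_includes() {
    zone=$1; zonefile=$2; dir=$3
    include_lines "$zone" "$dir" | while IFS= read -r line; do
        grep -qxF -- "$line" "$zonefile" || printf '%s\n' "$line" >> "$zonefile"
    done
}

# sign_zone: the full procedure; steps 1 and 2 talk to the HSM through the
# PKCS#11 provider, and pkcs11-keygen prompts for the user PIN as the slides say.
sign_zone() {
    zone=$1; zonefile="$zone.zone"
    pkcs11-keygen -b 2048 -l ksk || return 1                # step 1: KSK on the HSM
    pkcs11-keygen -b 1024 -l zsk || return 1                # step 1: ZSK on the HSM
    dnssec-keyfromlabel -l ksk -f KSK "$zone" || return 1   # step 2: K<zone>.+<alg>+<tag>.{key,private}
    dnssec-keyfromlabel -l zsk "$zone" || return 1
    add_includes "$zone" "$zonefile" .                      # step 3: reference the keys
    dnssec-signzone -S -o "$zone" "$zonefile"               # step 4: writes <zonefile>.signed
}

# Only sign when a zone name is given, e.g.:  sh sign_zone.sh utimaco.com
if [ -n "${1:-}" ]; then
    sign_zone "$1"
fi
```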

    75/76

    Demo

    1. Placing Into Operation: Configure HSM IP

    2. Administration Tools

    - Install admin tool

    - Install PIN pad driver, check configuration in admin tool.

    3. Keys and Key Management

    - Create administrators

    - Issue MBK

    4. Build DNSSEC

    5. DNSSEC Configuration

    76/76

    Questions & Answers

    The End
