On-premises HSMs

CORE partition SOSecurity officer - UKC partition administrator role. may expand the partition's boundaries by attaching to it cloud keystores and on-premises HSMs. The partition users and can generate and use key material in the attached keystores. This type of integration is specified in CORE partition and key management guides. See

• Thales Luna

This section addresses scenarios where Thales and Entrust HSMs are used to store CORE backup keys.

CORE Database Protection using HSM

Unbound CORE database on EP or Partner servers is encrypted by the CORE DEKData Encryption Key - the key that encrypts the database. See also - KEK. key located in the server's file system. The content of the DEKData Encryption Key - the key that encrypts the database. See also - KEK. file is encrypted by another key (KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).). The location of the KEKKey Encryption Key - Used to encrypt the data encryption key (DEK)., its key name, and the algorithm to be used to decrypt the DEKData Encryption Key - the key that encrypts the database. See also - KEK. are specified in the DEKData Encryption Key - the key that encrypts the database. See also - KEK.'s metadata file. For the general CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). and DEKData Encryption Key - the key that encrypts the database. See also - KEK. description, see Database Protection.

In this topic, we are addressing:

1. Migration of KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). protection from JKSA Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption. to HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.
2. Details for the following HSMs:
   • nCipher nShield
   • Thales Luna

CORE uses the following Java-standard and HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing-specific elements to access the specified HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing:

• PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 libraries provided by the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing vendors.
• SunPKCS11Java Security Provider. CORE utilizes this virtual provider to map the required JCEJava Cryptography Extension - Java frameworks for implementing cryptography primitives. API to the PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 methods provided by the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing vendor. For more information, see SunPKCS11 Provider.
• Permissions granted to the CORE server (as an HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing client) to generate and use its KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). in the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

nCipher nShield

This section covers the installation and setup of the nShield Connect module, the generation of a key in nShield, and its assignment to become the CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).. For more detailed instructions regarding nShield installation, see nCipher documentation.

Prerequisites

1. nShield client software must be installed on the CORE server.
2. The CORE server must be authorized to generate and use a key used for encryption and decryption.

3. Open the cknfastrc file located in C:\Program Files\nCipher\nfast\cknfastrc. Make sure its content is as follows:

CKNFAST_OVERRIDE_SECURITY_ASSURANCES=all
#CKNFAST_LOADSHARING=1
CKNFAST_JCE_COMPATIBILITY=1
#CKNFAST_DEBUG=10
#CKNFAST_DEBUGFILE=/opt/nfast/debug.log
CKNFAST_FAKE_ACCELERATOR_LOGIN=1

Preparations

The CORE server uses the Java SunPKCS11 Provider to utilize the nShield PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 interface.

Create SunPKCS11 Configuration File

Create nCipher's configuration file to be used by sun.security.pkcs11.SunPKCS11. It specifies the following attributes (see the example below):

• name - "cknfast0". It will be later used to produce the full name: SunPKCS11-cknfast0.
• library - path to PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 library:
  • Windows - C:/Program Files/nCipher/nfast/toolkits/pkcs11/cknfast.dll
  • Linux - /opt/nfast/toolkits/pkcs11/libcknfast.so
• attributes - permitted operations per key category (secret key, private key, public key).

For example, in Windows, create C:\pkcs11.cfg file:

name=cknfast0
library="C:/Program Files/nCipher/nfast/toolkits/pkcs11/cknfast.dll"

attributes(*, CKO_SECRET_KEY, *) = {
CKA_TOKEN=true
CKA_ENCRYPT=true
CKA_DECRYPT=true
CKA_SENSITIVE=true
}

attributes(*,CKO_PRIVATE_KEY,*) = {
CKA_TOKEN=true
CKA_PRIVATE=true
CKA_DECRYPT=true
CKA_SIGN=true
}

attributes(*,CKO_PUBLIC_KEY,*) = {
CKA_ENCRYPT = true
}

Note
For the description of the attributes settings above, see Attributes Configurationhere.

Modify the Java.security File

Add or modify the sun.security.pkcs11.SunPKCS11 in the java.security file to access nShield HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

If the sun.security.pkcs11.SunPKCS11 is missing in the enumerated List of providers section, add the following line to the list. Use the next available number to assign to the security.provider.<number>. For example: 

security.provider.12=sun.security.pkcs11.SunPKCS11 C:\\pkcs11.cfg

Generate a Key in HSM

Run keytool genkeypair specifying:

• providerName - SunPKCS11-cknfast
• storetype - PKCS11, and keystore - NONE

See details in Using keytool and jarsigner with PKCS#11 Tokens. For example, generate <alias> key:

java -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main \
-keystore NONE \
-storetype PKCS11 \
-providerName SunPKCS11-cknfast0 \
-genkeypair -v \
-alias <alias> \
-keyalg RSA -keysize 2048

Apply the Key as CORE KEK

1. Follow the CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). replacement procedure defined here to replace the default CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). with the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing-based one. For example,

   java -jar "C:\Program Files\Dyadic\ekm\lib\ekmconfig.jar" -database -protect \
   -n <alias> \
   -p SunPKCS11-cknfast0 \
   -t PKCS11 \
   -a RSA/ECB/PKCS1Padding

2. Next, edit the Catalina batch file (catalina.sh) located here. In the batch file,
1. Search for JAVA_OPTS="$JAVA_OPTS $JSSE_OPTS" statement.
2. Include in it the following options -Dprotect=module -DignorePassphrase=true:

JAVA_OPTS="%JAVA_OPTS% %JSSE_OPTS% -Dprotect=module -DignorePassphrase=true"

3. Restart the EKMEnterprise Key Management - previous name of the product. service.

KEK Rotation

The CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). is rotated by creating a new key (NEW alias) in the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing  and by declaring the new key to become the new CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).:

Step 1 - create a <NEW alias> key:

java -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main \
-keystore NONE \
-storetype PKCS11 \
-providerName SunPKCS11-cknfast0 \
-genkeypair -v \
-alias <NEW alias> \
-keyalg RSA -keysize 2048 \
-dname "CN=KEK" -sigalg SHA256withRSA

Step 2 - declare the new KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).

java -jar "C:\Program Files\Dyadic\ekm\lib\ekmconfig.jar" -database -protect \
-n <NEW alias> \
-p SunPKCS11-cknfast0 -t PKCS11 \
-a RSA/ECB/PKCS1Padding

Note
This step takes care to decrypt the DEKData Encryption Key - the key that encrypts the database. See also - KEK. using the previous KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). and encrypt it using the new KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).. See Updating the Database KEK.

Thales Luna

This section covers the installation and setup of the Thales Luna client, the generation of a key in Luna HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing, and its assignment to become the CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).. For more detailed instructions regarding Luna client configuration, see Thales Luna HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing documentation.

Prerequisites

This integration has the following prerequisites:

• Luna client software must be installed on the CORE server.
• The CORE server must be authorized to generate and use a key used for encryption and decryption.

Preparations

The CORE server uses the Java SunPKCS11 Provider to utilize the Luna client PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 interface.

Create SunPKCS11 Configuration File

Create Luna's configuration file to be used by sun.security.pkcs11.SunPKCS11. It specifies the following attributes (see the example below):

• name - "luna". It will be later used to produce the full name: SunPKCS11-luna.
• library - path to PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 library:
  • Windows - C:\Program Files\SafeNet\LunaClient\cryptoki.dll
  • Linux - /usr/safenet/lunaclient/bin/cryptoki.so
• slot - Luna slot that will hold the key
• attributes - permitted operations per key category (secret key, private key, public key).

For example, in Windows, create C:\pkcs11.cfg file:

name = luna
library = C:\Program Files\SafeNet\LunaClient\cryptoki.dll
slot = 0

attributes(*,*,*) = {
#CKA_TOKEN = true
}

attributes(*,CKO_SECRET_KEY,*) = {
CKA_CLASS=4
CKA_PRIVATE= true
CKA_KEY_TYPE = 21
CKA_SENSITIVE= true
CKA_ENCRYPT= true
CKA_DECRYPT= true
CKA_WRAP= true
CKA_UNWRAP= true
}

attributes(*,CKO_PRIVATE_KEY,*) = {
CKA_CLASS=3
CKA_LABEL=true
CKA_PRIVATE = true
CKA_DECRYPT=true
CKA_SIGN=true
CKA_UNWRAP=true
}

attributes(*,CKO_PUBLIC_KEY,*) = {
CKA_CLASS=2
CKA_LABEL=true
CKA_ENCRYPT = true
CKA_VERIFY=true
CKA_WRAP=true
}

Note
For the description of the attributes settings above, see Attributes Configurationhere.

Modify the Java.security File

Add or modify the sun.security.pkcs11.SunPKCS11 in the java.security file to access nShield HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

If the sun.security.pkcs11.SunPKCS11 is missing in the enumerated List of providers section, add the following line to the list. Use the next available number to assign to the security.provider.<number>. For example: 

security.provider.12=sun.security.pkcs11.SunPKCS11 C:\\pkcs11.cfg

Generate a Key in HSM

Run keytool genkeypair specifying:

• providerName - SunPKCS11-luna
• storetype - PKCS11, and keystore - NONE

See details in Using keytool and jarsigner with PKCS#11 Tokens. For example, generate <alias> key:

keytool \
-keystore NONE -storetype PKCS11 \
-providerName SunPKCS11-luna \
-genkeypair -v \
-alias <alias> \
-keyalg RSA -keysize 2048 \

Note
When prompted for the passphrase, enter Luna's crypto officer (CO) password.

Apply the Key as CORE KEK

1. Follow the CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). replacement procedure defined here to replace the default CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). with the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing-based one. For example

java -jar "C:\Program Files\Dyadic\ekm\lib\ekmconfig.jar" -database -protect \
-n <alias> \
-p SunPKCS11-Luna \
-t pkcs11 \
-w <Luna Crypto Officer (CO) password> \
-a RSA/ECB/PKCS1Padding

2. Restart the EKMEnterprise Key Management - previous name of the product. service.

KEK Rotation

The CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). is rotated by creating a new key (NEW alias) in the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing  and by declaring the new key to become the new CORE KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).:

Step 1 - create a <NEW alias> key:

keytool \
-keystore NONE -storetype PKCS11 \
-providerName SunPKCS11-luna \
-genkeypair -v \
-alias <NEW alias> \
-keyalg RSA -keysize 2048 \
-dname "CN=KEK" -sigalg SHA256withRSA

Note
Provide Luna's crypto officer (CO) password as the keystore password to create the keys.

Step 2 - declare the new KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).:

java -jar "C:\Program Files\Dyadic\ekm\lib\ekmconfig.jar" -database -protect \
-n <NEW alias> \
-p SunPKCS11-luna -t PKCS11 -w <CO Password> \
-a RSA/ECB/PKCS1Padding

Note
This step takes care to decrypt the DEKData Encryption Key - the key that encrypts the database. See also - KEK. using the previous KEKKey Encryption Key - Used to encrypt the data encryption key (DEK). and encrypt it using the new KEKKey Encryption Key - Used to encrypt the data encryption key (DEK).. See Updating the Database KEK.