Utimaco CryptoServer
The following sections provide information on the Utimaco CryptoServer.
Configuration File
The CryptoServer PKCS#11 configuration file cs2_pkcs11.ini should be copied to /etc/utimaco/cs2_pkcs11.ini.
Note that the Utimaco PKCS11 module has a configurable timeout (AppTimeout) that clears all session information if you do not use the keys for some time. The default time-out is 30 minutes, which is generally too low if your CA is not very active. We recommend increasing the timeout to, for example, 172800 seconds (2 days), allowing your CA to idle for an extended time.
Open the configuration file /etc/utimaco/cs2_pkcs11.ini with a text editor and update the AppTimeout parameter according to the following example:
[Global]
Timeout = 5000
Logging = 0
Logpath = /tmp
[CryptoServer]
Device = TCP:3001@172.16.175.128
Timeout = 600000
AppTimeout = 172800
SlotCount = 100
Generating Keys
When using a PKCS#11 token, first create keys with the command:
$EJBCA_HOME/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate
Note that each CA should have its own slot and each slot must be initialized before keys can be generated. The initialization includes setting a user PIN for the slot, which also must require login. Tools for slot initialization should be provided by the HSM vendor and are not provided by PrimeKey.
.
/p11tool
Slot=1 InitToken=sopassword123
.
/p11tool
Slot=1 Label=CVCA LoginSO=sopassword123 InitPin=userpassword123
The following displays an example for generating keys on a slot using the password is user1, using the Java PKCS#11 provider:
$EJBCA_HOME
/dist/clientToolBox/ejbcaClientToolBox
.sh PKCS11HSMKeyTool generate .
/libcs2_pkcs11
.so 4096 signKey 1
PKCS11 Token [SunPKCS11-libcs2_pkcs11.so-slot1] Password:
Creating certificate with entry signKey.
$EJBCA_HOME
/dist/clientToolBox/ejbcaClientToolBox
.sh PKCS11HSMKeyTool generate .
/libcs2_pkcs11
.so 2048 defaultKey 1
PKCS11 Token [SunPKCS11-libcs2_pkcs11.so-slot1] Password:
Creating certificate with entry defaultKey.
$EJBCA_HOME
/dist/clientToolBox/ejbcaClientToolBox
.sh PKCS11HSMKeyTool generate .
/libcs2_pkcs11
.so 512 testKey 1
PKCS11 Token [SunPKCS11-libcs2_pkcs11.so-slot1] Password:
Creating certificate with entry testKey.
Or with P11NG, where you can use additional algorithms:
$.
/p11ng-cli
.sh generatekeypair --lib-
file
/etc/utimaco/libcs_pkcs11_R3
.so --slot-ref SLOT_NUMBER --slot 0 --
alias
ec1 --key-spec P-256
Enter slot login password:
Generated key pair with
alias
ec1
$.
/p11ng-cli
.sh generatekeypair --lib-
file
/etc/utimaco/libcs_pkcs11_R3
.so --slot-ref SLOT_NUMBER --slot 0 --
alias
ed1 --key-spec Ed25519
Enter slot login password:
Generated key pair with
alias
ed1
.
/p11ng-cli
.sh generatekeypair --lib-
file
/etc/utimaco/libcs_pkcs11_R3
.so --slot-ref SLOT_NUMBER --slot 0 --
alias
rsa1 --key-spec RSA2048
Enter slot login password:
Generated key pair with
alias
rsa1
You can test the keys with P11NG as well:
$.
/p11ng-cli
.sh signperformancetest --lib-
file
/etc/utimaco/libcs_pkcs11_R3
.so --slot 0 --
alias
ed1 --
time
-limit 1000 --signature-algorithm Ed25519 --password userpassword123
Running signing
test
with 1 threads using signature algorithm Ed25519.
Using cache
for
reading keys.
Starting thread 0
Number of operations
for
thread 0: 980
Total number of signings: 980
Signings per second: 831.2128922815946
$.
/p11ng-cli
.sh signperformancetest --lib-
file
/etc/utimaco/libcs_pkcs11_R3
.so --slot 0 --
alias
ec1 --
time
-limit 1000 --signature-algorithm SHA256WithECDSA --password userpassword123
Running signing
test
with 1 threads using signature algorithm SHA256WithECDSA.
Using cache
for
reading keys.
Starting thread 0
Number of operations
for
thread 0: 1113
Total number of signings: 1113
Signings per second: 790.4829545454546
You can view the PKCS11 objects created with the HSM command:
.
/p11tool
Slot=1 Login=userpassword123 ListObjects
This is a example of a property field when creating a CA using the CLI, the easier way is to use the Admin UI of course:
defaultKey defaultKey
certSignKey signKey
crlSignKey signKey
testKey testKey
pin user1
sharedLibrary
/opt/utimaco/p11/libcs2_pkcs11
.so
slotLabelType=SLOT_NUMBER
slotLabelValue=1
Utimaco have an emulator for their CryptoServer LAN HSM that can be used for test and development. If you have the emulation kit there is a howto in doc/howto/cryptoserver-lan-emulator.txt with steps to follow in order to use it with EJBCA.
You can check the status of a CryptoServer LAN device, for example the emulator with:
.
/csadm
Device=TCP:3001@172.16.175.128 GetState
Import a PKCS#12 file in Utimaco CryptoServer
Although not recommended it is possible to import keys from a p12 file to CryptoServer. These steps were contributed by Philipp Vogt and Helmut Edlhaimb-Rexeis. The tools used are a combination of p11tool that ships with Utimaco HSMs and ejbcaClientToolBox.sh PKCS11HSMKeyTool.
Import the .p12 file with p11Tool from Utimaco (into slot 20 in this example). p11tool Slot=22 AuthRSASign=GenPKIAd,:cs2:cyb:/dev/ttyS0 Login=123456 ID=TestCA2XYID ImportP12=mycert.p12,1234 It is absolutely necessary to set an unique id (ID=...) at import time. The key alias for the imported key is set to X509 Certificate (taken from the imported certificate) and cannot be change at import time.
Rename the key alias to an unique key alias with PKCS11HSMKeyTool rename from ejbcaClientToolbox. ejbcaClientToolBox.sh PKCS11HSMKeyTool rename /etc/utimaco/libcs2_pkcs11.so 20 X509 Certificate TestCA2Key The new key alias is set to the label and the id of the CKO_CERTIFICATE and the id of the CKO_PRIVATE_KEY.
Optional: Delete the public key with p11Tool using Label="RSA Public Key". p11tool Slot=20 Login=123456 Label="RSA Public Key" DeleteObject
Test the keys, to make sure they are usable from EJBCA. ejbcaClientToolBox.sh PKCS11HSMKeyTool test ./libcs2_pkcs11.so 20 1
Make sure no other public keys using this label are present in the HSM. Even if more than one .p12 file needs to be imported only one at a time can be imported and renamed. The import and the rename process are tied together and cannot be separated.
Clustering
The Utimaco PKCS#11 driver has built in clustering capabilities for network attached HSMs. Primarily clustering works by configuring two (or more) HSM IP adresses, and if there are issues with the connection to the first HSM it fails over to the second. A pre-requisite is that the HSM contents are identical and that slots and authentication are the same.
You can also use the cluster configuration to a single HSM, causing a "fail over" (to the same HSM) if there is an intermittent network issue. This guards against PKCS#11 failures in Java so you don't have to restart EJBCA/Application server if there is a network glitch.
Example cluster configuration in the Utimaco configuration file:
[Global]
Logging =
5
Logpath = /log/TEST
Logsize =
100000000
CommandTimeout =
60000
ConnectionTimeout =
10000
KeepAlive = TRUE
[CryptoServer]
Device = {TCP:
288
@123
.123.
123.123
TCP:
288
@123
.123.
123.123
}
SlotCount =
100
SlotMultiSession = FALSE
In a clustered configuration with failover mode, all the HSMs need to have the necessary key material. Thus, the HSMs must be synchronized before the failover mode is enabled according to the following sequence of procedure:
Use the primary HSM standalone mode.
Generate all keys in the primary HSM.
Manual synchronization from primary HSM to all other HSMs (backup/restore).
Enable HSM failover mode.
Note that, whenever there is a key generation or renewal procedure, for example, renewing the private key of a CA, this sequence of action needs to be repeated. This allows a standalone HSM to generate the key material and then safely transfer it to other HSMs during synchronization. Hence fall back to the standalone mode of operation before the key generation or renewal operation, and then repeat steps 2 to 4.
The reason for this is that when a key is opened (which includes the creation of a key) in PKCS#11, the key is retrieved as an external blob to be able to switch to a different node in case of a failover (Store::getInternalObject). Although C_SetAttributeValue reopens a key, it also uses this function and, thus, works on the external blob and changes the attribute only there and not on the HSM.