It is recommended that the certificate signing key and the CRL signing key are linked to the same key, since separate keys for these two purposes are rarely supported by verifying applications. When implementing support for a new HSM, the KeyStrings class can be used to manage the key properties described above.
There are four additional key properties that can optionally be used when renewing CA keys and producing roll-over certificates. This sequence replaces the current sequence in the caRef field when a request is signed with the CA's previous key. When updating a CA that is signed by an external CA, this is used to send the request while the CA remains active with the old key. Older JCE implementations are deprecated and have been removed.
Contact PrimeKey if you need to migrate. The command gives further instructions about the required parameters, the PKCS#11 library and the slot. The pin property is used to activate a CA token automatically. The activation code may be specified in the property field with the keyword pin. The pin property can hold either a clear text password or an encrypted one.
These two properties contain the same password. The encryption of this password is not high-security encryption. If the password. If an attacker gets hold of the encrypted password and the password. You have to check whether that support is available. The PKCS#11 provider is tested with: Besides the keys described previously, the Crypto Token property field (matching the user friendly values of the Crypto Token in the Administration GUI) should contain the following properties:
This label may also be an integer (a slot number) or an 'i' followed by an integer (a slot index). If keyspec is not given, EJBCA tries to generate a key with the same specification as the current certificate signing key. There is now a built-in default configuration that is used when no attributesFile is specified. Below is an example of an 'attributesFile' that should not be used, as it only gives generated keys the same attribute values as the default:
The private part of the key is stored in the HSM as a private key object; the public part is not kept as a separate public key object but in a certificate object that is also stored on the HSM. The default configuration also disables certain signing mechanisms, so that hashing is done outside the HSM. This speeds up signing in most cases, especially when the HSM is on another host, and has no security impact since no secret in the HSM is used for the hashing.
This is because the attributes are applied when the provider is installed during startup. If one configuration does not have the attributesFile, it cannot be applied later by the other configuration. Use the command without parameters to get all valid options. Keys are generated either using a default specified slot and PKCS#11 library, or using a configuration file.
The contents of the configuration file are specified in the PKCS#11 wrapper documentation from Oracle. Generally it is sufficient to use the default, but with some HSMs it may be necessary to define certain PKCS#11 attributes for the generated key. Note that all keys to be used have to be generated before the application server is started.
This placeholder is then dynamically replaced with the key alias value, hex encoded: A certificate: this is simply a holder of the public key, as used by Java, and not the real certificate of a CA. A Java keystore entry has no reference to a public key PKCS#11 object, only a private key object and a certificate object; hence the public key object is not needed after the certificate object has been written to the keystore.
The value of the attribute is a hexadecimal string starting with "0h". These labels are normally seen only when you use the native HSM tools to list and manipulate objects. The example above gives the label key1 to the private key. You can give any label by simply looking up the hex codes of its characters in the ASCII table. The Utimaco PKCS#11 module has a configurable timeout, AppTimeout, that clears all session information if the keys are not used for some time.
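As an added illustration (not code from the EJBCA documentation), the following Python helpers derive the "0h"-prefixed hex form of a CKA_LABEL from a key alias and decode it back, and render a SunPKCS11 attributes block in the standard `attributes(...) = { ... }` syntax; the alias key1 is the constructed sample and the attribute set shown is a template, not a vendor-specific requirement.

```python
# Added example, not EJBCA project code: build and decode the "0h<hex>" byte-array
# literal that a SunPKCS11 attributes file uses for CKA_LABEL.
import re

HEX_LABEL = re.compile(r"^0h((?:[0-9a-fA-F]{2})*)$")


def alias_to_0h(alias: str) -> str:
    """Encode a key alias as the "0h<hex>" literal SunPKCS11 expects.
    Only printable ASCII is accepted, so the label shown by native HSM tools
    is exactly what the operator typed."""
    if not alias or not alias.isascii() or not alias.isprintable():
        raise ValueError("key alias must be non-empty printable ASCII")
    return "0h" + alias.encode("ascii").hex()


def label_0h_to_alias(value: str) -> str:
    """Decode a "0h..." literal (as seen in an attributes file) back to text."""
    m = HEX_LABEL.match(value.strip())
    if m is None:
        raise ValueError(f"not a 0h hex literal: {value!r}")
    return bytes.fromhex(m.group(1)).decode("ascii")


def private_key_attributes(alias: str) -> str:
    """Render an attributes block labelling a generated private key object.
    The attribute names are standard PKCS#11 ones; which attributes a given
    HSM needs is vendor specific, so this block is a template (assumption)."""
    return (
        "attributes(generate, CKO_PRIVATE_KEY, *) = {\n"
        f"  CKA_LABEL = {alias_to_0h(alias)}\n"
        "  CKA_TOKEN = true\n"
        "  CKA_PRIVATE = true\n"
        "  CKA_SENSITIVE = true\n"
        "  CKA_EXTRACTABLE = false\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample alias; "key1" encodes to 0h6b657931.
    print(private_key_attributes("key1"))
```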
The default timeout is 30 minutes, which may be far too short if your CA is not very active. We recommend setting this timeout to a longer value, such as several days. Each slot must be initialized before keys can be generated on it. This includes setting a user PIN for the slot. The slot must also require login. The HSM vendor should provide this tool.
The password is user Although not recommended, it is possible to import keys from a p12 file to CryptoServer. Import the. The key alias for the imported key is set to X Certificate, taken from the imported certificate, and cannot be changed at import time. Make sure no other public keys using this label are present in the HSM. Even if more than one. The import and the rename process are tied together and cannot be separated.
Clustering primarily works by configuring two or more HSM IP addresses; if there are issues with the connection to the first HSM, it fails over to the second. A prerequisite is that the HSM contents are identical and that slots and authentication are the same. You can also use the cluster configuration with a single HSM, causing a "fail over" to the same HSM if there is an intermittent network issue.
This subsection describes how the nShield card from nCipher is used. First the card has to be installed, and administrator and operator card sets have to be created. This is described in step 1. Step 2 describes the environment variables that must be set before generating keys and installing a new CA. The following step describes how PKCS#11 keys are generated and how different CAs within an installation are configured to use these keys.
This has been removed since PKCS#11 keys are better in every respect. Make sure you have all necessary software and drivers installed and have created the user and group nfast. Set the nCipher box to initialization mode by setting the switch to mode I.
Check that the module is in pre-initialization mode and not in operational mode: K of these cards will be needed to restore a module from a backup of the security world. Check with enquiry that the mode has changed to Operational. Example of creating operator cards: This will generate 3 cards in the card set named ejbca. Any 2 of these cards will be needed when generating keys and starting EJBCA.
Different card sets can be used for different CAs. It is probably because you at some point ran preload as another user, such as root or nfast. Step 2. Set up the environment. Log in as the user that runs the application server. This user must be a member of the nfast group. The following environment variables should be set for this user: Step 3. An ECC key could not be used with preload, at least not the curve secpr1. Such a key is generated without error and can be used as long as the current preload process is running.
But if all preload processes are stopped and preload is then restarted, the key can no longer be used. Step 4. In this example this was done in step 2. Preload is now used to start JBoss: Step 5. Each preloaded operator card set (OCS) has its own slot. It is not possible to predict the slot ID, but the index of the slot in the slot list is predictable.
If only one OCS is preloaded, this index is always 1. If several CAs share the same OCS, and hence the same slot, each key identified by a key label may only be used for one CA, except for the test key: the same test key can be used for all CAs. Example with previously generated keys, where signRoot is used for CA signing and defaultRoot is used for everything else (encryption): When preload is used, no authentication code is needed to activate a CA. You can give any value for the authentication code when activating.
The pin property can be used in the configuration to activate a CA automatically. The value of this property can be anything. Module-protected keys do not need an operator card set; hence no PIN code is needed to activate such a key. A CA can be configured to use a keystore with module-protected keys. When using PKCS#11, slot 0 is used to indicate module protection. The only other thing you have to do, apart from using slot 0, is to use a configuration file when creating the key.
The file could look like this: If preload is not used, JBoss can be made to start automatically at boot time. For PKCS#11, simply do not use the preload command. The authentication code is then needed when activating the CA. It is also possible to use more than one OCS. This environment variable is also set implicitly when running with preload.
You then have to identify your OCSs by slot index. The label in the list gives the name you gave to your OCS when creating it. You get the slot list index from the x in slot[x]. Use this value for slotListIndex in the CA properties. To make the OCS persistent, use the -p argument when running createocs; otherwise the card set unloads itself as soon as the card is removed.
When the application server is then started with preload, CAs defined for slot list index 2 and 4 can be activated. The same security world has to be loaded in all participating modules. After setting up the first netHSM, do the following on the second: Sample catoken:
The document xxxxxxKeyperInstallation. By default there is only one slot, slot 0. The document xxxxxxKeyperP This HSM only works on Windows. The installation is done with an installer and the setup with a GUI. All generated keys will be on slot 1. It may be helpful to mention some additional things: Make sure that backup and restore work before taking the HSM into production, since the first versions did not back up the certificate of a key, which is needed by the Java wrapper.