utimaco hsm
Post on 10-Feb-2018
-
7/22/2019 Utimaco HSM
1/76
Utimaco HSM
DNSSEC Integration
Presented By Duy Nguyen (PMS)
-
Agenda
Part 1: Utimaco HSM
CryptoServer LAN
Placing Into Operation
Administration Tools
Keys and Key Management
Basic Administration
Application
Part 2: Utimaco HSM and DNSSEC integration
Init slot
Build DNSSEC
DNSSEC Configuration
-
Hardware
CryptoServer LAN = CryptoServer + communication unit
Industry PC solution
Automatic voltage detection (100-240 V)
Dual Network Interface (2 x 1Gbit)
Flash Disk
Hardware Watchdog on board
4 x 40 Display + Navigation Panel
Serial + USB Port (e.g. pinpad)
External battery exchange
-
Implementation environment with one or more SafeGuard CryptoServer LAN
-
Software
Operating System
Self-made, hardened kernel, based on Linux from scratch
CSXLAN
TCP Server (daemon) for remote access
Maps CryptoServer to Port (default 288)
Serialize commands
NTP Client / Server
Automatic time synchronization to an external time reference
DSP_ADMIN
Display and Keyboard
Integrated administration of CryptoServer (e.g. loading of MBK) and CSXLAN (e.g. setting of IP address)
Menu structure configurable
SSH
Remote Administration
SNMP
[Diagram: CryptoServer SE / CS inside the CryptoServer LAN: Linux operating system, PCI driver, CSXLAN (csxlan.conf), DSP_ADMIN, NTP client / server, csadm]
-
Software Update via Partitions
Concept: Three boot partitions:
factory (no permanent storage)
User1
User2
Updates do not change the running system
Two system states are kept: the current and the previous system (for update)
User can revert to Utimaco defaults
User cannot change the factory partition
-
Software Update via Partitions (cont.)
Update: Copy new image from USB device to second boot partition
Activate: Set second boot partition to active
Reboot: User settings are copied to new active boot partition
-
Install LAN appliance
Connect SafeGuard CryptoServer LAN on the back panel with a 100-240 V mains power supply.
Connect SafeGuard CryptoServer LAN with your network by means of a twisted-pair cable (RJ45).
Turn the power supply switch on (back panel).
Turn SafeGuard CryptoServer LAN on (front panel).
If necessary, connect a PIN pad to SafeGuard CryptoServer LAN (ill. front panel 2). This can also be done during operation.
SafeGuard CryptoServer LAN is ready for operation after approx. 30 seconds.
-
Set IP-address
To set the IP address:
-> LAN Box administration -> Configuration -> Network -> IP address
The two digits after the slash give the number of consecutive 1 bits in the desired netmask; 24 corresponds to the netmask 255.255.255.0.
Note: also take note of the network connection, "eth0" or "eth1", to which you have connected the network cable on the CryptoServer LAN.
-
Entering the IP address of the default gateway
To set the default gateway:
-> LAN Box administration -> Configuration -> Network -> Default Gateway
-
SSH
To enable the SSH daemon:
-> "LAN Box Administration" -> "Configuration" -> "Services" -> "SSH Daemon" -> "Configuration" -> "Configuration of SSH Daemon" -> "[x] Enable" and confirm by pressing "OK"
Then set the IP range for which SSH access is to be permitted.
-
Changing the password for the "root" user
As we have already set the password for accessing the operating system ("root" user), we strongly recommend that you change it as soon as possible.
You can change the password for the "root" user in two different ways: either via an SSH connection from your Admin PC, or directly on the CryptoServer LAN by connecting a keyboard and a screen to it.
-
Enabling the web interface
CryptoServer can display various status information via a web interface in a normal browser.
To enable the web interface:
-> LAN Box Administration -> Configuration -> Services -> Web Interface and [X] Enable
You can then access the web interface with a browser via HTTP port 80, entering the CryptoServer LAN's IP address as the URL. The web interface displays status information only; you cannot configure the CryptoServer LAN or the CryptoServer via the web interface.
-
Demo
CS LAN:
Connect to power and network cable.
Set IP address
Set Gateway
Test connectivity (ping)
Enable SSH
Change the password for the "root" user
-
Administration Tools
CAT GUI
Java based
Windows, Linux, Solaris
csadm Command line tool
Windows, Linux, Solaris, AIX
-
Command Line Tool
Command groups:
Basic: Help, PrintError, Version
Load Preparation: MakeMTC, Pack, Unpack
Raw Commands: Reset, ResetToBL, GetInfo
Bootloader: StartOS, RecoverOS, BLChangeInitKey, BLLoadFile, BLSetRTC, BLResetAlarm
Administration: GetState, GetAlarmLog, ListFiles, LoadPkg, LoadFile, DeleteFile, ListModulesActive, GetBootLog
User management: ListUser, AddUserRSASign, ChangeUser, DeleteUser
Authentication: LogonSign, LogonPass, AuthRSASign, AuthClearPwd, Login, Logoff
CSLAN: CSLGetLogFile, CSLShutdown
Init-Key management: GenKey, Backupkey, Master Box Key Management
Misc: CMD, GenRandom
-
Command Line Tool
Parameter (selection):
Parameter / Description / Used by
Dev= / Address of SafeGuard CryptoServer, e.g. TCP:288@194.168.4.107, PCI:0, /dev/cs2a / nearly all
InitPrvKey= / Key identifier of private init key / many boot loader commands
AuthRSASign=, AuthSHA1PWD=, AuthClrPWD= / User authentication / nearly all
Help available: csadm help=
-
Command Line Tool
Key identifier / Description
C:\my_keys\initprv.key / Local key file
:cs2:cyb:USB / Specifies a connected PIN pad. The name has the form smartcard-id:pinpad-id:port-id:
:cs2 = CryptoServer smartcard
:cyb = cyberJack (ReinerSCT) PIN pad used
:USB = USB port (COM1 for serial port 1)
Parameters:
Environment variables can be used for parameter setting. After set CRYPTOSERVER=TCP:192.168.4.161 it is no longer necessary to specify the Device parameter.
Commands can be bundled: csadm AuthRSASign=ADMIN,:cs2:cyb:USB LoadFile= LoadFile= loads several files; the PIN has to be entered only once.
-
Master Box Key
The MBK is:
An AES-256 key (3DES supported for backward compatibility)
Necessary to back up and restore keys stored on the SafeGuard CryptoServer to the host system
Supporting k-out-of-n key sharing
Usable on several SafeGuard CryptoServers to realize high availability
Remotely administrable (import possible without an administrator on site)
-
[Figure: PIN pad with two smartcard slots, CS (1) and CS (2)]
Key set consists of N smartcards, whereof K are needed to recombine the MBK (here: N=4, K=2)
Generate key and store on 4 smartcards, whereof 2 are needed to recombine the key
Import MBK from two smartcards
-
Administration Keys
Administration keys can be stored on a smartcard (recommended) or as a key file, plain or password-encrypted
Administration keys are assigned to an administration role
User Manager (0x2000 0000) and Firmware Manager (0x0200 0000) can be created (exclusive permission or 4 eyes)
If a customer-specific, fully qualified administration role is created, the default ADMIN user can be deleted
If the administration keys are lost, it is possible to reset the SafeGuard CryptoServer to the factory default configuration: an external erase has to be performed, after which the SafeGuard CryptoServer can be reset to the factory default configuration
-
Customer Keys overview
[Diagram: client PC (Windows, Linux, Solaris) running the CAT or csadm administration tool; standard interfaces CXI, PKCS#11 and customer interface over the PCI driver / CSAPI; administrator keys and the Master Box Key (MBK)]
-
Basic Administration
How to generate and assign an administrator key
Re-initialization of the SafeGuard CryptoServer
Change the PIN on a smartcard
Manage users and keys
Monitoring
-
Basic Administration - Users
-
Basic Administration - User Group
User groups 6,7: CryptoServer administration purposes.
User groups 0 to 5: application-specific access rights.
The following user groups are predefined:
-
Permissions and authentication status
-
Generate and assign administrator keys
Select the algorithm
The Key-Info text is the name of the key on the smartcard (shown when calling KeyTools -> SmartCard -> Show SmartCard info)
Choose the number of backups to create
One backup half of the key could be stored together with the user key (not recommended) on a smartcard.
Prepare smartcards for all administrators.
In CAT select KeyTools -> SmartCard Management
-
Generate and assign administrator keys
OR:
In CAT select KeyTools -> KeyFile Management -> Generate to generate a file-based administration key
The key file can be stored password-encrypted or plain
-
Generate and assign administrator keys
Log in as the ADMIN user
Select the ADMIN user and click Login
-
Generate and assign an administrator key
Select User Management and press Add user
-
Generate and assign administrator keys
Create an administration user (here: 4-eyes principle)
Group 7 = 1
Group 6 = 1
Assign the key created before
-
Generate and assign administrator keys
Perform these steps for the second administrator
As the last step, select the user ADMIN and press Delete user
-
Generate and Import the Master Box Key (MBK)
First log in a user to the SafeGuard CryptoServer
Select an Admin user from the list and click Login
Follow the instructions
-
m & n
"m (shares)" is the number of people to which the key is to be distributed
"n (shares)" is the minimum number of people required to use the key.
-
Generate and Import the Master Box Key (MBK)
Open the Remote MBK Management dialog: Key Management -> Remote MBK Management
Enter the name of the MBK, select the type (AES is recommended)
Choose the number of shares needed to recombine the MBK (k value) and the number of shares you want to create (n value)
Select automatic MBK Import to load the MBK to the SafeGuard CryptoServer, otherwise the Import tab has to be used.
Press Generate
If an existing MBK should be imported, use the Import tab.
-
SafeGuard CryptoServer CS/Se: Basic Administration - Change PIN of a smartcard
In CAT select KeyTools -> SmartCard Management
Switch to tab Change PIN
Press Change PIN
Follow the instructions at the PIN pad
This command changes the User PIN of a smartcard; the MBK PIN of a smartcard is changed with the MBK Management dialogs
-
Monitoring
Extended SNMP support
CryptoServer objects: status, internal temperature, alarm state, firmware module state, operational mode, bootloader version, serial number, battery state, system time
CryptoServer LAN objects: load, CryptoServer LAN software version, serial number, battery state, system time, number of client connections
SNMP traps when:
Temperature, load or number of clients exceed a min/max threshold (configurable threshold)
Battery low, alarm state, CryptoServer changes operating mode, CryptoServer LAN boot/shutdown/restart
Configuration through CryptoServer LAN front panel menu or SSH
Monitoring could also be done by a script on the host evaluating the following commands:
Get the current state of the SafeGuard CryptoServer with the csadm GetState command: check that the SafeGuard CryptoServer is alive, the state is operational and the temperature is in range
Check that the needed functionality is available with the csadm ListModulesActive command: do all modules have state INIT_OK?
Check the battery state with the csadm GetBattState command
-
Demo
Create Administrators
Generate and import Master Box Keys
-
Product Portfolio
SafeGuard CryptoServer Roadmap September 2012
[Diagram: SafeGuard CryptoServer Se-Series and CS-Series hardware; on top of them SafeGuard SecurityServer (PKCS#11, JCE, MS CSP/CNG/SQL EKM, OpenSSL, CXI), SafeGuard TimestampServer (RFC 3161, CTS API) and SafeGuard CryptoServer SDK (Software Development Kit for Customized Functionality)]
-
Security Server Overview
Security Server includes the following interfaces:
PKCS#11
CSP and CNG for Microsoft CryptoAPI (MSCAPI)
Utimaco Cryptographic Extended Interface (CXI)
JCE
OpenSSL
Product CD with installation on Windows systems; select the aim of installation: Runtime/Development/Custom
Including CAT
-
Security Server Overview
Supported operating systems:
Microsoft Windows XP, Vista, Server 2003, Server 2008
Linux kernel 2.4.0 and higher (RHEL 6, SUSE 10)
Solaris 8 and higher
AIX
-
Security Server PKCS#11
Benefits
2 operation modes:
In cluster mode every device is accessible separately by different slot IDs
In failover mode transparent failover functionality is available
Secure channel between application and SafeGuard CryptoServer available
Strong authentication available: 2FA, 4 eyes
Thread-safe for use in multi-threaded applications
Multiple SafeGuard CryptoServer support for each application
Up to 256 parallel sessions/applications per SafeGuard CryptoServer
-
Security Server PKCS#11
Architecture
PKCS#11 libraries: cs2_pkcs11_R2.dll / libcs2_pkcs11_R2.so
CXI Firmware module
-
Security Server PKCS#11
Configuration of the PKCS#11 interface:
The cs_pkcs11_R2.cfg file can contain several sections:
[Global] section for general configuration (timeout, logging)
Several [CryptoServer] sections, one for each SafeGuard CryptoServer device that should be addressed by the application.
Several [Slot] sections; the slot number must be defined, non-standard authentication can be configured
-
Microsoft CSP / CNG
Benefits
Multitenancy: assign a key to a user group; these keys are not visible for users not in the assigned group
When SafeGuard CryptoServer LAN is employed, several clients/applications can use one single SafeGuard CryptoServer.
Failover and clustering available
External storage of keys available to synchronize several CryptoServer LAN.
Hardware random number generator for the generation of high-quality RSA keys.
Tamper-proof storage of numerous cryptographic keys (e.g. more than 30,000 RSA keys, 1,024 bits).
Use 2-factor authentication to backup/restore cryptographic keys.
All cryptographic algorithms (also encryption/decryption, hashing) are performed directly in the HSM and are therefore protected against manipulation.
-
Microsoft CSP / CNG
Architecture
CSP libraries: cs2csp.dll, cs2csplib.dll
CXI Firmware module
[Diagram: application (e.g. Microsoft PKI) -> Microsoft CryptoAPI / Digital Signature (Microsoft) -> Utimaco CryptoServer CSP on the client computer -> either CryptoServer PCI (PCI driver) or Utimaco CryptoServer LAN (TCP server, CryptoServer PCI, PCI driver), both running the CXI Cryptographic Core]
-
CXI - Cryptographic Core Interface
Benefits:
All important platforms supported
Comfortable and flexible implementation
High performance
Nearly all cryptographic functions are available
Easy to extend according to the needs of the customer
FIPS 140-2 Level 3 certification in process
Used for PCI DSS implementation
-
CXI - Cryptographic Core Interface
Based on the CXI firmware module, several host APIs are implemented:
OpenSSL
CryptoServer JCE
CXI .NET
CXI C interface
CXI Java class library
Easy to use, fast implementation in your application:
Source code examples for all host APIs are available
Integrated authentication and secure messaging
-
CXI - Cryptographic Core Interface
CXI Failover Architecture
[Diagram: application with CXI DLL / JAR, CXI configuration file and optional key storage on the host system / application server; secure channel over TCP/IP to the CryptoServer; CryptoServer remote management]
-
CXI - Cryptographic Core Interface
CXI Failover Architecture
From the application's point of view, transparency of HSM hardware: a cluster may consist of CryptoServer PCI(e) and/or CryptoServer LAN
Cluster size: 2 or more HSMs in a cluster
Installation sites: local or remote HSMs
Failover mechanism: failover from 1st to 2nd to nth to 1st
Prioritization of HSMs in planning (e.g. local or higher-performance HSMs get higher priority when scheduling the next HSM)
Re-use of failed CryptoServer after repair/replacement
Flexibility: HSM may belong to several clusters; internal or external key storage
-
Preparation
This demo is shown on Linux RHEL 6.3 and uses the following packages:
bind-9.9.2-P2.tar.gz
openssl-1.0.0f.tar.gz
-
Environment Variables
Check environment variables:
export CS_PKCS11_R2_CFG=/dnssec/utimaco/cs_pkcs11_R2.cfg
export CRYPTOSERVER=3001@192.168.66.15
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/dnssec/utimaco/
export LD_LIBRARY_PATH
Check the PKCS#11 configuration file:
Logpath = /utimaco
# Prevents expiring session after inactivity of 15 minutes
KeepAlive = true
[CryptoServer]
Device = 3001@192.168.66.15
-
Init slot - Create User
-
Init slot - Create SO User
Login with
-
Login with PKCS#11 CryptoServer Administration
Init slot - Create SO/User
-
Init slot - Create SO/User with command line
Init SO PIN:
p11tool2 [Lib=] [Slot=] [Label=] [Force=] [Login=,] InitToken=
Example:
./p11tool2 Slot=0 Login=ADMIN,init_dev_prv.key Force=1 InitToken=12345678
Init PIN:
p11tool2 [Lib=] [Slot=] LoginSO= InitPIN=
Example:
./p11tool2 Slot=0 LoginSO=12345678 InitPIN=123456
-
Some other commands
./p11tool2
./p11tool2 help=InitPIN
./p11tool2 Slot=1 GetSlotInfo
./p11tool2 Slot=1 LoginUser=123456 ListObjects
-
Extract Bind & OpenSSL
cd /dnssec
tar zxf openssl-1.0.0f.tar.gz
tar zxf bind-9.9.2-P2.tar.gz
mv openssl-1.0.0f openssl
mv bind-9.9.2-P2 bind
WARNING: RHEL will need the pcsc-lite-devel package:
pcsc-lite-1.5.2-7.el6.x86_64
pcsc-lite-openct-0.6.19-4.el6.x86_64
pcsc-lite-devel-1.5.2-7.el6.x86_64
pcsc-lite-libs-1.5.2-7.el6.x86_64
-
Patch OpenSSL
Just run the following commands:
cd openssl
patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch
Result:
[root@dnssec openssl]# patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch
patching file Configure
patching file Makefile.org
patching file README.pkcs11
patching file crypto/opensslconf.h
patching file crypto/bio/bss_file.c
patching file test/clean_test.com
patching file util/libeay.num
patching file util/mk1mf.pl
patching file util/mkdef.pl
patching file util/pl/VC-32.pl
[root@dnssec openssl]#
-
Build OpenSSL
Just run the following commands:
Linux 64 bit:
./Configure linux-generic64 -m64 -pthread \
--pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
--pk11-flavor=crypto-accelerator \
--prefix=/opt/openssl-p11
Linux 32 bit:
./Configure linux-generic32 -m32 -pthread \
--pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
--pk11-flavor=crypto-accelerator \
--prefix=/opt/openssl-p11
make
make install
Check that the PKCS#11 engine is available:
[root@dnssec dnssec]# /opt/openssl-p11/bin/openssl engine pkcs11 -t
(pkcs11) PKCS #11 engine support (crypto accelerator)
[ available ]
-
Install BIND Domain Name Server
Run the following command:
./configure CC="gcc -m64" --enable-threads \
--with-openssl=/opt/openssl-p11 \
--with-pkcs11=/dnssec/utimaco/libcs2_pkcs11.so
make
make install
-
Generate Keys and Sign a Domain Zone
1. Generate a zone-signing key and a key-signing key
# pkcs11-keygen -b 2048 -l ksk
# pkcs11-keygen -b 1024 -l zsk
The parameter -b specifies the key size and -l the label of the key pair.
Since the library path was exported, it is no longer necessary to specify it using the parameter -m (module).
You will be prompted to enter the user PIN for the PKCS#11 slot.
-
View Keys
Use command: pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]
Example:
Slot 1: pkcs11-list -s 1 -p 123456
Slot 0: pkcs11-list -p 123456
-
Generate Keys and Sign a Domain Zone (cont.)
2. Generate the key files for BIND
# dnssec-keyfromlabel -l ksk -f KSK utimaco.com
# dnssec-keyfromlabel -l zsk utimaco.com
The parameter -l specifies the label again, and -f is followed by the key flag. The key files are generated for a specific zone, which in this case is utimaco.com.
Now you should find the corresponding key files in the current directory, which are named K<zone>.+<algorithm>+<key id>.(key|private).
-
Generate Keys and Sign a Domain Zone (cont.)
3. Before you can sign a zone, it is necessary to add the contents of both K*.key files, or to include them by reference (using the key file names), to the zone master file. Open the zone file and add the following lines, e.g.:
$include Kutimaco.com.+005+35677.key
$include Kutimaco.com.+005+63263.key
4. Finally sign the zone
# dnssec-signzone -S -o
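The key file naming rule from steps 2 and 3, turned into a pre-signing check as an added example (not from the deck and not BIND's own code): it recomputes the RFC 4034 key tag from the DNSKEY record inside a K*.key file and compares it with the +<alg>+<tag> part of each $include name, so a stale or mis-typed include is caught before dnssec-signzone runs. The utimaco.com key files embedded below are constructed samples with tiny fake public keys.

```python
import base64
import re

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (valid for every
    algorithm except the obsolete RSA/MD5, algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# "<owner> [TTL] [IN] DNSKEY <flags> <protocol> <algorithm> <base64 key>"
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)

def parse_key_file(text: str) -> tuple[str, int, int, int, bytes]:
    """(owner, flags, protocol, algorithm, pubkey) from a K*.key file."""
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop ';' comments
        m = DNSKEY_RE.match(line)
        if m:
            pubkey = base64.b64decode("".join(m.group("key").split()))
            return (m.group("owner"), int(m.group("flags")),
                    int(m.group("proto")), int(m.group("alg")), pubkey)
    raise ValueError("no DNSKEY record in key file")

def expected_file_name(text: str) -> str:
    """The K<zone>.+<alg>+<tag>.key name that belongs to this key file."""
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    return f"K{owner}+{alg:03d}+{key_tag(flags, proto, alg, pubkey):05d}.key"

INCLUDE_RE = re.compile(r"^\$include\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def check_includes(zone_text: str, key_files: dict[str, str]) -> list[str]:
    """Problems with the zone's $include lines: file missing from the
    key_files map (name -> file contents), or the tag in the file name
    not matching the DNSKEY record inside it."""
    problems = []
    for name in INCLUDE_RE.findall(zone_text):
        if name not in key_files:
            problems.append(f"{name}: key file not found")
            continue
        want = expected_file_name(key_files[name])
        if want != name:
            problems.append(f"{name}: contents belong to {want}")
    return problems

# Constructed samples: 3- and 4-byte fake public keys, real RSA keys are far longer.
SAMPLE_KSK = "; constructed key-signing key\nutimaco.com. IN DNSKEY 257 3 5 AQIDBA==\n"
SAMPLE_ZSK = "utimaco.com. 3600 IN DNSKEY 256 3 5 AQID\n"
SAMPLE_FILES = {"Kutimaco.com.+005+02060.key": SAMPLE_KSK,
                "Kutimaco.com.+005+02055.key": SAMPLE_ZSK}
SAMPLE_ZONE = ("$TTL 3600\n"
               "$include Kutimaco.com.+005+02060.key\n"
               "$include Kutimaco.com.+005+02055.key\n")

if __name__ == "__main__":
    print(check_includes(SAMPLE_ZONE, SAMPLE_FILES) or "all includes match")
```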
-
Demo
1. Placing Into Operation: Configure HSM IP
2. Administration Tools:
- Install admin tool
- Install PIN pad driver, check configuration in admin tool.
3. Keys and Key Management:
- Create administrators
- Issue MBK
4. Build DNSSEC
5. DNSSEC Configuration
-
Questions & Answers
The End