www.thalesgroup.com/iss
Version: 1.0
Date: 6 September 2011
nCipher Modules: Integration Guide for Red Hat Certificate System 8.0 1.0
Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic means
whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior
written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which
it is supplied.
CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of
Thales e-Security Limited.
CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra,
nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited.
All other trademarks are the property of the respective trademark holders.
Information in this document is subject to change without notice.
Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall
not be liable for errors contained herein or for incidental or consequential damages concerned with the
furnishing, performance or use of this material.
These installation instructions are intended to provide step-by-step instructions for installing Thales software
with third-party software. These instructions do not cover all situations and are intended as a supplement to the
documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities
regarding third-party products and only provides warranties and liabilities with its own products as addressed
in the Terms and Conditions for Sale.
Contents
Chapter 1: Introduction
Requirements
Chapter 2: Procedures
Chapter 3: Troubleshooting
Addresses
Chapter 1: Introduction
Red Hat Certificate System provides a powerful security framework to manage user identities and
ensure privacy of communications. Handling all the major functions of the identity life cycle, Red
Hat Certificate System simplifies enterprise-wide deployment and adoption of a Public Key
Infrastructure.
Red Hat Certificate System works behind the scenes to issue, renew, suspend, revoke, and
manage single and dual key X.509v3 certificates needed to handle strong authentication, single
sign-on, and secure communications. Support for Global Platform permits direct communication
between a registration authority and a smart card for key management tasks such as enrollment
and PIN reset.
This guide explains how to set up and configure a Red Hat Certificate System 8.0 installation with
Thales nCipher Hardware Security Modules (HSMs). The instructions in this document have
been thoroughly tested and provide a straightforward method for integrating the Thales nCipher
HSM with Red Hat Certificate System. There may be other untested ways to achieve
interoperability.
This guide might not cover every step in the process of setting up all software. For more detail
about installing Red Hat Certificate System, see the Red Hat Certificate System documentation
supplied on CD-ROM/DVD-ROM. Some packages require that other packages already be
configured, initialized, and running before they can be installed successfully.
The integration between the HSM and Red Hat Certificate System uses the PKCS #11
cryptographic API. The integration has been successfully tested in the following configuration.
Operating system                    Red Hat Enterprise Linux 5.6 x86_64 (see Chapter 2)
Red Hat Certificate System version  8.0
Thales nCipher software version     11.50
nShield Connect support             Yes
For more information about OS support, contact your Red Hat sales representative, or Support at
Thales nCipher. For more information about contacting Thales nCipher, see the contact
information in the Addresses section at the end of this guide.
Additional documentation produced to support your Thales nCipher product can be found in the
document directory of the CD-ROM or DVD-ROM for that product.
Note
Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and netHSM
products. (nShield Solo products were formerly known as nShield.)
Feature            Supported
Key Management     Yes
Load Sharing       Yes
Key Import         Yes
Softcards          Yes
Fail Over          Yes
Key Recovery       Yes
Module-only Key    Yes
Requirements
To integrate the HSM and Red Hat Certificate System, the server and client machines must be
set up as follows:
Hardware
Software
Server
Client
We also recommend that there be an agreed organizational Certificate Practices Statement and
Security Policy/Procedure in place covering administration of the HSM. In particular, these
documents should specify the following aspects of HSM administration:
The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and
the policy for managing these cards.
Whether the application keys are to be protected by Softcard or Operator Card Set (OCS).
The number and quorum of Operator Cards in the OCS (only 1-of-N is supported), and the
policy for managing these cards.
Whether the security world should be compliant with FIPS 140-2 level 3.
For more information, see the User Guide for the HSM.
Chapter 2: Procedures
To integrate Red Hat Certificate System 8.0 with an HSM on the Red Hat Enterprise Linux 5.6
x86_64 operating system:
2 Install the nShield support software, and then create the Security World.
Install the latest version of the support software and create a Security World as described in
the User Guide for the HSM.
Note
We recommend that you uninstall any existing Thales nCipher software before installing the
new software.
Create a file called cknfastrc in the directory where the nShield support software is
installed. The default directory is /opt/nfast.
For OCS and Softcard protection, add the following environment variables to the file:
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_LOADSHARING=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys
CKNFAST_NO_UNWRAP=1
For more information, see the PKCS #11 library environment variables in the User Guide for the
HSM.
All subsystems require access to Red Hat Directory Server 8.1 on the local machine or a
remote machine. This Directory Server instance is used by the subsystems to store their
system certificates and user data. The Directory Server used by the Certificate System
subsystems can be installed on Red Hat Enterprise Linux 5.6 x86_64. Check that Red Hat
Directory Server is already installed. For example:
If redhat-ds is not installed, download the redhat-ds ISO file from the Red Hat Network
channel, and then perform the following steps.
To create the yum local repository, edit the yum.conf in /etc as follows:
11 To configure the Red Hat Directory Server, use the following commands:
[root@hostname RPMS]# cd /usr/sbin
[root@hostname sbin]# ./setup-ds-admin.pl
12 When prompted:
The individual subsystems of Red Hat Certificate System are installed and then configured
individually. The initial installation is done using package management tools such as RPM.
The subsystem setup is done using an HTML-based configuration wizard. Download the
Certificate System packages from the Red Hat Network channel. To install Red Hat
Certificate System 8.0, create a folder called localrepo1 in /opt.
Mount the Red Hat Certificate System 8.0 package RHEL5.3-RHCertSystem-8.0-x86_64disc1-ftp.iso, and then copy the RPMS folder into /opt/localrepo1:
To create the yum local repository, edit the yum.conf in /etc as follows:
6 To install pki-ca:
[root@hostname RPMS]# yum install pki-ca-8.0.0-21.el5pki.noarch.rpm
Note
Interoperating subsystems within Red Hat Certificate System carry out all common PKI
operations, such as:
Publishing CRLs.
Run the following command in /var/lib/pki-ca/alias/ to add the Thales nCipher module:
-libfile
11 SELinux policies are created and configured automatically to enable Certificate System
instances to run with SELinux in enforcing or permissive mode. In enforcing mode, any
hardware tokens used by the Certificate System instances must also be configured to run with
SELinux in enforcing mode; otherwise the HSM will not be available during subsystem
installation. Before installing any Certificate System instances, run the following command
to reset the context of the files in /dev/nfast to match the newly installed policy:
[root@hostname alias]# /sbin/restorecon -R /dev/nfast
14 To allow access to the Thales nCipher PKCS #11 library, run the following commands:
[root@hostname home]# chcon -t bin_t '/opt/nfast/toolkits/pkcs11/libcknfast.so'
[root@hostname home]# semanage fcontext -a -t bin_t '/opt/nfast/toolkits/pkcs11/libcknfast.so'
15 Open
https://hostname:9445/ca/admin/console/config/login?pin=xxxxxxxxxxxxxxxxxxxxxxxx. A
similar URL can be found in /var/log/pki-ca-install.log.
16 In the Create a Security Domain panel, enter Red Hat Security as Security Domain Name.
17 In the Sub System Type panel, select Configure this instance as a New CA Subsystem, and then
select Certificate Authority as the Subsystem name.
18 In the PKI Hierarchy panel, select Make this Selfsigned Root CA.
19 In the Internal Database panel, fill in the correct LDAP server information.
20 In the Key Store panel, select Thales nCipher Hardware as the default login.
21 In the Key Pairs panel, select Use the following custom key Size. Select RSA as the key type,
and then enter the key size, for example 1024, 2048, or 4096.
22 In the Subject Name panel, select Next.
23 In the Requests and Certificates panel, select Apply, and then select Next.
24 In the Administrator panel, enter the correct details.
25 Click Next through the remaining panels to import the agent certificate into the browser and
complete the configuration.
26 When configuration is complete, run the following command to restart the subsystem:
# service pki-ca restart
Chapter 3: Troubleshooting
Resolution
Recheck the Directory Server password, and check that the following variable is present in
/etc/pki-ca/CS.cfg: preop.configModules.module1.commonName=nfast.
Resolution
nfast:x:106:pkiuser
Resolution
In the list that appears, the method of key protection is shown, for example Softcard or OCS.
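As an added example that is not part of the Thales guide, the following POSIX shell pre-flight checks cover the settings this guide relies on: the cknfastrc variables from Chapter 2, the SELinux context on libcknfast.so, and the pkiuser membership of the nfast group and the CS.cfg setting from the troubleshooting entries above. The check_* function names are mine; each takes an optional path (defaulting to the guide's locations) so the checks can be run against copied files.

```shell
# Added example (not from the Thales guide): pre-flight checks for the
# Red Hat Certificate System 8.0 / nShield PKCS #11 integration.

# 1. cknfastrc must contain every variable the guide sets for OCS/Softcard
#    protection. Missing entries are reported; returns 1 if any are missing.
check_cknfastrc() {
    rc="${1:-/opt/nfast/cknfastrc}"
    missing=""
    for want in CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_LOADSHARING=1 \
                CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys CKNFAST_NO_UNWRAP=1; do
        grep -qxF "$want" "$rc" 2>/dev/null || missing="$missing $want"
    done
    [ -z "$missing" ] && return 0
    echo "cknfastrc is missing:$missing" >&2
    return 1
}

# 2. pkiuser must be a member of the nfast group; the troubleshooting chapter
#    shows the expected /etc/group entry nfast:x:106:pkiuser (any GID is accepted).
check_nfast_group() {
    grep -Eq '^nfast:[^:]*:[^:]*:([^,]*,)*pkiuser(,|$)' "${1:-/etc/group}" 2>/dev/null
}

# 3. CS.cfg must name the nfast module for the configuration wizard.
check_cs_cfg() {
    grep -qxF 'preop.configModules.module1.commonName=nfast' \
        "${1:-/etc/pki-ca/CS.cfg}" 2>/dev/null
}

# 4. With SELinux enforcing, libcknfast.so must carry the bin_t type that the
#    chcon/semanage steps assign (needs an SELinux-aware ls -Z; fails otherwise).
check_lib_context() {
    ls -Z "${1:-/opt/nfast/toolkits/pkcs11/libcknfast.so}" 2>/dev/null | grep -q ':bin_t:'
}

# Run one check and print PASS/FAIL with its name.
report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi; }

# Run all checks; optional arguments override the four default paths in order.
# Returns the number of failed checks, so 0 means the host is ready.
preflight() {
    failed=0
    report check_cknfastrc "$1"   || failed=$((failed + 1))
    report check_nfast_group "$2" || failed=$((failed + 1))
    report check_cs_cfg "$3"      || failed=$((failed + 1))
    report check_lib_context "$4" || failed=$((failed + 1))
    return "$failed"
}
```

Run `preflight` with no arguments on the CA host after step 14 and before opening the configuration wizard; a non-zero exit count points at the setting to revisit.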
Addresses
Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or + 1 954 888 6200
sales@thalesesec.com
Asia Pacific
Units 4101, 41/F. 248 Queens Road East, Wanchai, Hong Kong, PRC
Tel: + 852 2815 8633
asia.sales@thales-esecurity.com
Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/Support.aspx
Online documentation: http://iss.thalesgroup.com/Resources.aspx
International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx