https://bz.apache.org/bugzilla/show_bug.cgi?id=69481
--- Comment #1 from Steve Newbold <steve.newb...@thalestct.com> ---

Instructions for p11 integration:

Prepare for the Integration

1. The PKCS #11 engine openssl-pkcs11 is installed with RHEL 8, but an upgrade will be performed.

    sudo yum list installed openssl-pkcs11
    Updating Subscription Management repositories.
    Installed Packages
    openssl-pkcs11.x86_64    0.4.8-2.el8    @anaconda

    sudo yum upgrade openssl-pkcs11.x86_64
    <snip>
    Upgraded:
      openssl-pkcs11-0.4.10-2.el8.x86_64

2. Install gnutls-utils for access to p11tool, which will be used for private key generation on the HSM. p11tool supports p11-kit and the use of URIs, and p11-kit will be upgraded during this installation as well. Consult the p11tool manpage to see all the options available with this tool.

    sudo yum install gnutls-utils
    <snip>
    Upgraded:
      p11-kit-server-0.23.22-1.el8.x86_64
      p11-kit-trust-0.23.22-1.el8.x86_64
      p11-kit-0.23.22-1.el8.x86_64
      gnutls-3.6.16-4.el8.x86_64
    Installed:
      gnutls-utils-3.6.16-4.el8.x86_64
      autogen-libopts-5.18.12-8.el8.x86_64
      gnutls-dane-3.6.16-4.el8.x86_64

3. If desired, the installed version of OpenSSL can be verified, as well as the availability of the PKCS #11 engine. A final check can also be made to verify the NTLS connection is available with the HSM.

    openssl version
    OpenSSL 1.1.1 FIPS  11 Sep 2018

    openssl engine pkcs11
    (pkcs11) pkcs11 engine

    sudo /usr/safenet/lunaclient/bin/vtl verify
    The following Slots/Partitions were found:
    Slot    Serial #            Label
    ====    ================    =====
    0       100093018           rhel8

Note: At any time during the ensuing integration, the lunalogs log file on the HSM can be viewed to see/verify NTLS activity. If instruction is needed on how to do this, please see Appendix A.

6 Make the Luna HSM Known to p11-kit

The first step in the integration is to make the HSM known to p11-kit, which will in turn make it available to the built-in PKCS#11 engine.

1. For informational purposes, query p11tool for the tokens currently available. The Trust Policy Module tokens seen are installed by default by RHEL8. They have no effect on the integration and can be ignored. (They can also be removed using instructions on this page.)

    sudo p11tool --list-tokens
    Token 0:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        <snip>
    Token 1:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        <snip>

2. To make the Luna HSM available to any application supporting p11-kit and the pkcs11 engine, a configuration file needs to be created in a specific directory (/etc/pkcs11/modules) that points to the Cryptoki library. For this integration, the most basic configuration file will be created, but more information on the possible contents of this file can be found here. The file created must have the .module extension, but can otherwise be named anything. Here, a file named luna.module will be created with the simple file contents shown below.

    sudo vi /etc/pkcs11/modules/luna.module

    File contents:
    # path to .so
    module: /usr/safenet/lunaclient/lib/libCryptoki2_64.so

Note: Do not put any extraneous files in the /etc/pkcs11/modules directory.

3. By virtue of just creating that file, the Luna HSM should now be seen in the token list. The --list-token-urls command will provide a more compact list showing the available tokens. All that is needed to uniquely address a token in future steps is the token=xxxxxx part of the URI, which identifies the partition, but the full URI (see below) could be used. If an HA Group is established, the HA Group name should be used instead of the partition name.

    sudo p11tool --list-token-urls
    pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
    pkcs11:model=LunaSA%207.12.0;manufacturer=Thales%20TCT;serial=100093018;token=rhel8

4. To verify basic connectivity with the HSM using p11-kit, the following command could be issued, which will list all the public objects on the partition. Note that no partition password is required for this action, and "No matching objects found" will be seen if the partition is empty.

    sudo p11tool --list-all "pkcs11:token=rhel8"
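The p11-kit side of the procedure in the comment above (the .module file in step 2, and picking the token= part of a p11tool token URL in steps 3 and 4) as an added shell example. This is not code from the Bugzilla comment, from Thales or from the p11-kit project: the function names are this example's own, the Cryptoki library path and the token URLs are taken from the comment's output, and the token list is a constructed copy of that output which is only replaced by a live `p11tool --list-token-urls` call when p11tool happens to be installed.

```shell
#!/bin/sh
# Added example, not from the Bugzilla comment or from Thales: shell helpers for the p11-kit
# part of the procedure above (module file, token URL handling). Function names are this
# example's own; the library path and the token URLs come from the comment's output.
set -u

# Percent-decode one PKCS#11 URI component (RFC 7512 escapes, e.g. %20 for a space, %23 for '#').
pct_decode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}              # first character of what is left
        s=${s#?}
        if [ "$c" = '%' ]; then
            hh=${s%"${s#??}"}        # the two hex digits following '%'
            s=${s#??}
            c=$(printf "\\$(printf '%03o' "$((0x$hh))")")   # hex -> octal escape -> raw byte
        fi
        out=$out$c
    done
    printf '%s\n' "$out"
}

# p11_attr_raw URI NAME: print the still-encoded value of path attribute NAME (token, model, ...).
# Exit status 1 if the attribute is absent.
p11_attr_raw() {
    path=${1#pkcs11:}
    path=${path%%\?*}                # drop an optional ?query part such as pin-value
    old_ifs=$IFS; IFS=';'
    for kv in $path; do
        case $kv in
            "$2="*) IFS=$old_ifs; printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# p11_attr URI NAME: the same attribute, percent-decoded.
p11_attr() {
    raw=$(p11_attr_raw "$1" "$2") || return 1
    pct_decode "$raw"
}

# write_p11kit_module FILE LIB: write the two-line module file the comment uses. p11-kit only
# reads *.module files from /etc/pkcs11/modules, so a wrong extension is rejected up front.
write_p11kit_module() {
    case $1 in
        *.module) ;;
        *) echo "p11-kit only loads files ending in .module: $1" >&2; return 1 ;;
    esac
    printf '# path to .so\nmodule: %s\n' "$2" > "$1"
}

# hsm_token_urls: read token URLs on stdin, skip the RHEL default p11-kit-trust tokens, and
# print "pkcs11:token=<label> <decoded label>" for each remaining (HSM) token. The short
# token= URI is the form the later p11tool and OpenSSL commands take.
hsm_token_urls() {
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        if [ "$(p11_attr "$url" model)" != p11-kit-trust ]; then
            printf 'pkcs11:token=%s %s\n' "$(p11_attr_raw "$url" token)" "$(p11_attr "$url" token)"
        fi
    done
}

# Constructed sample: the list that 'sudo p11tool --list-token-urls' printed in the comment.
SAMPLE_TOKEN_URLS='pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=LunaSA%207.12.0;manufacturer=Thales%20TCT;serial=100093018;token=rhel8'

# Use the live list where gnutls-utils is installed, the constructed sample otherwise.
if command -v p11tool >/dev/null 2>&1; then
    urls=$(p11tool --list-token-urls 2>/dev/null || true)
else
    urls=$SAMPLE_TOKEN_URLS
fi
printf '%s\n' "$urls" | hsm_token_urls      # with the sample: pkcs11:token=rhel8 rhel8

# Register the Luna Cryptoki library the way step 2 does; written to a temp dir here, the
# real target is /etc/pkcs11/modules/luna.module (run as root).
tmp=$(mktemp -d)
write_p11kit_module "$tmp/luna.module" /usr/safenet/lunaclient/lib/libCryptoki2_64.so
cat "$tmp/luna.module"
rm -r "$tmp"
```

The decoding matters because p11tool prints labels percent-encoded (System%20Trust, LunaSA%207.12.0) while the comparison against the partition label from `vtl verify` needs the decoded form; the short URI handed to later commands keeps the encoded token= value as printed, so a label containing spaces or reserved characters stays addressable without re-encoding it by hand.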