Thanks, Oliver. I also tried to write the engine module, but it was not easy to fully understand the samples, such as nCipher.pm.
I thought that openxpki uses openssl with the pkcs11 engine, doesn't it? And I can access the specific key of the HSM using the pkcs11 engine.

To integrate the HSM with PKCS11, I configured the openssl.conf file like the sample (https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Crypto/Backend/OpenSSL/Engine/PKCS11.pm, snip part!) and then loaded the pkcs11 engine dynamically via openssl as follows:

    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/opt/safenet/protecttoolkit5/ptk/lib/libcryptoki.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/opt/safenet/protecttoolkit5/ptk/lib/libcryptoki.so
    Loaded: (pkcs11) pkcs11 engine
    OpenSSL> engine pkcs11 -t -v
    (pkcs11) pkcs11 engine
         [ available ]
         SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS, FORCE_LOGIN

After that, I can sign using the key of the HSM. So I thought that if I could figure out a way to connect openxpki and openssl with the pkcs11 engine without a backend safenetprotectserver.pm file, then I could integrate openxpki with the Gemalto HSM.

    openxpki <---> openssl <----> pkcs11 engine <-----> Gemalto HSM

Is it possible? Then which parts should I configure for that?

best regards,
Sang-Ho Na

---------------------------------------------------------------------------------------
Korea Institute of Science and Technology Information (KISTI)
Division of Supercomputing
Sang-Ho Na
Senior Researcher / Ph.D.
E-mail: [email protected] / [email protected]
Phone: +82-42-869-0663 Fax: +82-42-869-1015
Mobile: +82-10-7193-7295
address : 335 Gwahangro, Yusong-gu, Daejeon, 34141, Korea
---------------------------------------------------------------------------------------

On Thu, 14 Feb 2019 at 22:38, Oliver Welter <[email protected]> wrote:

> Hello,
>
> Gemalto HSM are currently not supported directly - you need to write
> your own implementation of the "Engine" module, have a look here at
> those for OpenSSL and nCipher.
>
> https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Crypto/Backend/OpenSSL/Engine/
>
> You can then either reference the keys using the pseudo-key files which
> are provided by the HSM driver or change the key definitions in the
> crypto.yaml file to directly use the names of the keys.
>
> best regards
>
> Oliver
>
> On 14.02.19 at 03:37, Sang-Ho Johan Na wrote:
> > Dear OpenXPKI User,
> > I want to setup openXPKI with HSM (Gemalto ProtectServer +).
> > Is there anyone who had experienced?
> >
> > At first, I wonder how can I configure key location of HSM.
> >
> > OpenXPKI document says,
> >
> > "*Move the key files to /etc/openxpki/ssl/ca-one/ *and name them
> > ca-one-signer-1.pem, ca-one-vault-1.pem, ca-one-scep-1.pem. *The key
> > files must be readable by the openxpki user*, so we recommend to make
> > them owned by the openxpki user with mode 0400.
> > Now import the certificates to the database."
> >
> > I can move my certificates to /etc/openxpki/ssl/ca-one/, except the keys
> > of my hsm and name them like that. Then how openxpki app can read my
> > keys in the hsm?
> > I cannot find any configurations regarding HSM for key management.
> >
> > Best regards,
> > Sang-Ho Na
> > --
> > ---------------------------------------------------------------------------------------
> > Korea Institute of Science and Technology Information (KISTI)
> > Global Science experimental Data hub Center
> >
> > Sang-Ho Na
> > Senior Researcher / Ph.D.
> >
> > E-mail: [email protected] / [email protected]
> > Phone: +82-42-869-0663 Fax: +82-42-869-1015
> > Mobile: +82-10-7193-7295
> > address : 245, Daehak-ro, Yusong-gu, Daejeon, 34141, Korea
> > ---------------------------------------------------------------------------------------
> >
> > _______________________________________________
> > OpenXPKI-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
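The interactive "engine dynamic -pre ..." sequence in Sang-Ho's message only lasts for that one OpenSSL session. A server process that shells out to openssl, as the OpenXPKI OpenSSL backend does, needs the same engine parameters to be applied on every invocation, which is what the OpenSSL configuration file is for. The fragment below is an added example written for this thread; it is not code from the thread, from the OpenXPKI project or from Gemalto. It reuses the engine and PKCS#11 module paths quoted in the message and assumes an OpenSSL 1.0.x build where /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so is the libp11 engine_pkcs11 driver, so that the same SO_PATH / MODULE_PATH controls apply; the file name /etc/openxpki/openssl-pkcs11.cnf is an assumed placeholder.

```ini
# /etc/openxpki/openssl-pkcs11.cnf  (assumed path, added example)
# Equivalent of:
#   engine dynamic -pre SO_PATH:<engine .so> -pre ID:pkcs11 -pre LIST_ADD:1 \
#                  -pre LOAD -pre MODULE_PATH:<cryptoki .so>
# but applied automatically whenever openssl reads this config
# (OPENSSL_CONF=/etc/openxpki/openssl-pkcs11.cnf, or the system openssl.cnf).

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Engine ID that openssl commands refer to with "-engine pkcs11"
engine_id   = pkcs11
# SO_PATH from the interactive session: the OpenSSL engine shared object
dynamic_path = /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so
# MODULE_PATH from the interactive session: the vendor PKCS#11 (Cryptoki) library
MODULE_PATH = /opt/safenet/protecttoolkit5/ptk/lib/libcryptoki.so
# init = 0 registers the engine but defers opening the token until a key is
# actually requested, so "openssl version" or certificate-only operations do
# not touch the HSM at all.
init = 0

# Deliberately no "PIN = ..." here: the config file is read by every openssl
# process on the host and is usually world-readable, so the token PIN should be
# supplied per operation (e.g. -passin / the engine's PIN control from the
# calling process), not stored in this file.
```

To check that the configuration took effect, run the same test the message did non-interactively: "OPENSSL_CONF=/etc/openxpki/openssl-pkcs11.cnf openssl engine -t pkcs11" should report "(pkcs11) pkcs11 engine" followed by "[ available ]" without any -pre arguments on the command line. If it instead prints an error about dynamic_path or MODULE_PATH, the engine .so or the Cryptoki library is not readable by the user running openssl, which matters because OpenXPKI runs as the openxpki user rather than root.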
