nCipher nShield/netHSM

The following covers how the nCipher nShield card is installed and used.

Introduction

nCipher's Security World Concept

The key material for the nShield HSM is stored inside so-called key blobs on the host computer. Each key blob is an encrypted container that contains keys and an Access Control List (ACL) which determines how the keys in the key blob are allowed to be used.

Before a nShield HSM can be used, you must set up a security world. A security world consists of the following:

A set of HSMs sharing the same module key
Exactly one Administrator Card Set (ACS) which grants administrative access to the security world
Zero or more key blobs, where each key blob is protected by one of the following
- The module key and an Operator Card Set (OCS)
- The module key and a passphrase
- The module key only

When a security world is created, a new module key is generated inside the HSM and an ACS is created. Both the ACS and the OCS are a set of N smart cards, such that any M smart cards are required to authorize an operation or decrypt a key blob.

Preload Key Blobs

Each key blob created in the security world corresponds to a token in EJBCA. To make the token visible when creating a new crypto token in EJBCA, you need to preload the key blobs you want to use. When a key blob is preloaded, the key blob is copied to and decrypted inside the HSM. The user on the host computer which ran the preload command is then able to use the keys in the key blob until:

There is a timeout (controlled by the --timeout parameter of the createocs command)
The last operator card from the OCS was ejected from the HSM (if an OCS is used to protect the key blob and the OCS is a non-persistent card set)
Or if the PKCS#11 session was killed, e.g. because the HSM was disconnected from the host

To preload key blobs, the preload command, for OCS tokens, or the ppmk command, for softcard tokens is used.

Example Installation Instructions

Step 1 - Install the nShield Module and Create a Token

Install the nShield module as described in the nShield Installation Guide. Install the client software on the EJBCA server and connect the EJBCA server to the HSM.

The client components needed to install are:

hwsp (drivers, daemon etc)
ctls (key management, and other core tools, key generation tools, config, test tools, pkcs11, etc)
ctd (native and standard basic API tools)

The following provides a summarized example of the above, how to install the nShield Module and create admin and operator card sets:

Make sure you have all necessary software and drivers installed and created the user and group nfast. In Linux should the software be installed to /opt/nfast or the location environment variable NFAST_HOME is pointing to.
Login as the nfast user: sudo su nfast
Set the nCipher box to initialization mode by setting the switch to mode I.
Clear the nCipher box by pressing the reset button on the device.

Check that the mode is in pre-initialization mode and not in operational:

$ /opt/nfast/bin/enquiry
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        41C5-BA04-6D2C
 mode                 operational
 version              2.23.6
 speed index          147
 rec. queue           442..642
 level one flags      Hardware HasTokens
 version string       2.23.6cam5, 2.22.6cam7 built on Apr 25 2005 18:15:46
 checked in           00000000431dca98 Tue Sep  6 18:58:00 2005
 level two flags      none
 max. write size      8192
 level three flags    KeyStorage
 level four flags     OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds LongJobsPreferred
 module type code     0
 product name         nFast server
 device name
 EnquirySix version   4
 impath kx groups
 feature ctrl flags   none
 features enabled     none
 version serial       0
 remote server port   9004
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        41C5-BA04-6D2C
 mode                 pre-initialisation
 version              2.22.6
 speed index          147
 rec. queue           9..152
 level one flags      Hardware HasTokens InitialisationMode PreMaintInitMode
 version string       2.22.6cam7 built on Apr 25 2005 18:15:46
 checked in           00000000426636cd Wed Apr 20 13:02:37 2005
 level two flags      none
 max. write size      8192
 level three flags    KeyStorage
 level four flags     OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds LongJobsPreferred
 module type code     6
 product name         nC1002P/nC3022P
 device name          #1 nFast PCI device, bus 0, slot 13.
 EnquirySix version   5
 impath kx groups     DHPrime1024
 feature ctrl flags   LongTerm
 features enabled     StandardKM
 version serial       24
 rec. LongJobs queue  8
 SEE machine type     gen1AIF

BASH

Create the security world with the command:

$ /opt/nfast/bin/new-world -i -Q 1/1
15:04:50 WARNING: Module #1: preemptively erasing module to see its slots!

Create Security World:
 Module 1: 0 cards of 1 written
 Module 1 slot 0: empty
 Module 1 slot 0: unknown card
 Module 1 slot 0:- passphrase specified - overwriting card
Card writing complete.

security world generated on module #0; hknso = 6807e0b031c4f797b739ec33ca7dba05279cf54f

BASH

The -Q K/N option tells how many administration cards that are created N. K of these cards will be needed to restore a module with a backup of the security world. 1/1 is a bad choice in production but will do in this example. Choose K>=3 and N>K in production.

Change mode on the switch on the device to mode O.
Click Clear again.

Check with enquiry that the mode has changed to Operational
Example on creation of operator cards:

$ /opt/nfast/bin/createocs -m 1 -Q 2/3 -N ejbca -M -p -T 0

Creating Cardset:
 Module 1: 0 cards of 3 written
 Module 1 slot 0: Admin Card #1
 Module 1 slot 0: empty
 Module 1 slot 0: blank card
 Module 1 slot 0:- passphrase specified - writing card (naming `EJBCA card 1')
 Module 1: 1 card of 3 written
 Module 1 slot 0: remove already-written card #1
 Module 1 slot 0: empty
 Module 1 slot 0: blank card
 Module 1 slot 0:- passphrase specified - writing card (naming `EJBCA card 2')
 Module 1: 2 cards of 3 written
 Module 1 slot 0: remove already-written card #2
 Module 1 slot 0: empty
 Module 1 slot 0: blank card
New passphrases do not match; please try again.
 Module 1 slot 0:- passphrase specified - writing card (naming `EJBCA card 3')
Card writing complete.

cardset created; hkltu = 8d30f2ab5bdccacd8a4333aefed2c0ea1ff0e6db
$

BASH

This will generate 3 cards of the card set named ejbca. Any 2 of these cards will be needed when generating keys and starting ejbca. Different card sets could be used for different CAs.

The preload command (see below) must always be called as the same user unless the directory /opt/nfast/kmdata/preload is removed.
If you get a HostDataAccessDenied error when running preload or starting JBoss, it is because the file permissions on the directory /opt/nfast/kmdata/preload are wrong. It's probably because you (at some time) ran preload as another user, such as root or nfast.

Load the card set so that keys protected by the card set could be generated (card set named ejbca):

$ /opt/nfast/bin/preload -c ejbca pause
Loading cardsets:
ejbca on modules 1

Loading `ejbca':
 Module 1 slot 0: `ejbca' #3 (`EJBCA card 3')
 Module 1 slot 0:- passphrase supplied - reading card
 Module 1 slot 0: `ejbca' #3 (`EJBCA card 3'): already read
 Module 1 slot 0: empty
 Module 1 slot 0: `ejbca' #2 (`EJBCA card 2')
 Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.

Loading complete; now pausing

BASH

Step 2 - Create PKCS#11 Keys on the nShield Module

You can create keys in HSM either with EJBCA using either the clientToolBox command line interface, or using the web based Admin UI. Using the CLI is a very fast and convenient way to verify that HSM connections are working.

All preloaded operator card sets (OCSs) has their own slot. It is not possible to predict the slot ID. But the label of the slot is the name of the OCS. The index of the slots depends on what order OCS are loaded, therefore it is recommended to reference slots using Slot/Token Label.

The below commands assume that EJBCA is installed in /opt/ejbca, JBoss in /opt/jboss and nShield in /opt/nfast. The software can be installed in other locations and you have to modify the commands accordingly.

To create PKCS#11 keys on the nShield module, using the command line interface:

Log in as the user that is running the application server. This user must be a member of the nfast group.

To create PKCS#11 keys, do the following:

Create 3 keys protected by the key set ejbca like this:

$ ~nfast/bin/preload -c ejbca /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so 4096 signKey TOKEN_LABEL:ejbca
PKCS11 Token [SunPKCS11-NFastJava] Password: 
Creating certificate with entry signKey.

$ ~nfast/bin/preload -c ejbca /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so 2048 defaultKey TOKEN_LABEL:ejbca
Loaded pkcs11 uc17cfc7c330e613af5709789ff823a476177e233c-d165e440baa8dc9963780c682836ba17513e8cbf key (RSAPrivate) on modules 1
PKCS11 Token [SunPKCS11-NFastJava] Password: 
Creating certificate with entry defaultKey.

$ ~nfast/bin/preload -c ejbca /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so 1024 testKey TOKEN_LABEL:ejbca
Loaded pkcs11 uc17cfc7c330e613af5709789ff823a476177e233c-27cfdae84bf4298f2dde83cd00980a81bcf095bf key (RSAPrivate) on modules 1
PKCS11 Token [SunPKCS11-NFastJava] Password: 
Creating certificate with entry testKey.

BASH

Step 3 - Create a CA using the nShield HSM

To start EJBCA, preload must be running with the required key stores loaded. In this example this was done in step 2. Preload is now used to start JBoss/WildFly:

$ ~nfast/bin/preload -c ejbca $APPSRV_HOME/bin/standalone.sh

BASH

To create a new CA, perform the following in the EJBCA Admin UI:

Create a new Crypto Token. Choose PKCS#11 as Type. Use ‘Slot/Token Label’ to reference the slot, and slot index may change depending on the order that OCS is loaded. Depending on the token type you either provide an authentication code or none. After creating the crypto token you should see the keys listed and you can test them by clicking the Test button.
Create a new CA, selecting the nShield Crypto Token, and selecting suitable algorithms and keys. See the EJBCA documentation for details o CA creation.
1. With the previously generated keys, a best practice example is to use signKey for cert- and CRL signing, testKey for tests and defaultKey for everything else (encryption):

If several CAs are sharing the same OCS (and hence slot) you should only create one Crypto Token in EJBCA and reference this crypto token from all CAs.

When preload is used no authentication code is needed to activate a CA. You could give any value for the authentication code when activating.

Module-, OCS- and Softcard protected Tokens

nCipher has (at least) three different types of tokens. You can use all different types of tokens with EJBCA. Module, Operator Card Set (OCS), or Softcard protected tokens.

OCS Protected Tokens

Using OCSP protected tokens the preload command must be used to load the OCS and keys.

The preload command (see below) must always be called as the same user unless the directory /opt/nfast/kmdata/preload is removed.
If you get a HostDataAccessDenied error when running preload or starting the application server, it is because the file permissions on the directory /opt/nfast/kmdata/preload are wrong. It's probably because you (at some time) ran preload as another user, such as root or nfast.

Load the card set so that keys protected by the card set can be generated (in this example we named the OCS ejbca, but it can be named arbitrarily):

$ /opt/nfast/bin/preload -c ejbca pause
Loading cardsets:
ejbca on modules 1
Loading `ejbca':
Module 1 slot 0: `ejbca' #3 (`EJBCA card 3')
Module 1 slot 0:- passphrase supplied - reading card
Module 1 slot 0: `ejbca' #3 (`EJBCA card 3'): already read
Module 1 slot 0: empty
Module 1 slot 0: `ejbca' #2 (`EJBCA card 2')
Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.
Loading complete; now pausing

CODE

Not Using Preload

If a 1/N card set is used, then preload does not have to be used (but it can be used). For PKCS#11 simply do not use the preload command. The authentication code is now needed when activating the Crypto Token in EJBCA.

When using a 1/n OCS one card of the OCS must be inserted when activating a crypto token in EJBCA. If the OCS is persistent then the card cn be removed and you could then activate another crypto token by inserting its OCS. If the OCS is not persistent the cardset will unload itself as soon as the card is removed.

When using k/n OCS where k>1 you have to load all OCSs to be used with preload and then start the application server also with preload.

Example:

$ ~nfast/bin/preload -c 2of3_0 pause
-- follow instruction to insert cards and enter pins. --
-- then press ctr-z --
$ bg
$ ~nfast/bin/preload -c 2of3_1 exit
-- follow instruction to insert cards and enter pins. –

CODE

Using More Than One OCS

It is possible to use more than one OCS. This is needed when you want different CAs protected by different OCSs. For this to work, you set the environment variable CKNFAST_LOADSHARING=1. This environment variable is also implicitly set when running with preload. To get a list of all available slots you can run the following command:

$ CKNFAST_LOADSHARING=1 ~nfast/bin/ckinfo

CODE

Softcard Protected Tokens

Softcard protected tokens behave similarly to OCS protected tokens with the only difference that the ppmk command is used instead of preload. For example:

$ /opt/nfast/bin/ppmk -m 1 -p ejbca pause

CODE

Module Protected Tokens

Module protected keys do not need a card set and no preload or ppmk commands need to be run. Hence no PIN code is needed to activate such a token. Module Protected keys are suitable as database protection keys in EJBCA.

Module protected keys are stored in a slot with the slot index 0. This slot is visible if the environment variable CKNFAST_NO_ACCELERATOR_SLOTS is set to 0. This variable can be set permanently for all PKCS#11 applications by adding the following to /opt/nfast/cknfastrc

# Enable module protected keys
CKNFAST_NO_ACCELERATOR_SLOTS=0

CODE

Except for using slot index 0 you have to use a PKCS#11 configuration file when creating keys. This is because the PKCS#11 attribute CKA_PRIVATE must be set to false to allow the key to be used without login. The file could look like this when using EJBCA clientToolBox:

Example:

name=NFastJava
library=/opt/nfast/toolkits/pkcs11/libcknfast.so
slotListIndex=0
attributes(*,CKO_PUBLIC_KEY,*) = {
  CKA_TOKEN = false
}
attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_TOKEN = true
  CKA_PRIVATE = false
  CKA_SIGN = true
  CKA_DECRYPT = true
}
disabledMechanisms = {
  CKM_SHA1_RSA_PKCS
  CKM_SHA256_RSA_PKCS
  CKM_SHA384_RSA_PKCS
  CKM_SHA512_RSA_PKCS
  CKM_MD2_RSA_PKCS
  CKM_MD5_RSA_PKCS
  CKM_DSA_SHA1
  CKM_ECDSA_SHA1
}

CODE

When adding it as an attributes file to be used in the Admin UI, the rows name, library and slotListIndex must be removed, as they are added by your selection in the UI. Hence you need two files, one for usage with clientToolBox and one for usage in the Admin UI.

Reference the fie used for the Admin UI in $EJBCA_HOME/conf/web.properties, by adding the following two lines, if the file is put in /opt/ejbca-custom/attrib/ModuleProtectedKey.conf.

cryptotoken.p11.attr.0.name=ModuleProtectedKey
cryptotoken.p11.attr.0.file=/opt/ejbca-custom/attrib/ModuleProtectedKey.conf

CODE

Build and redeploy EJBCA

cd /opt/ejbca
ant -q clean deployear

CODE

Load Balancing

If you want to use the Loadsharing with multiple modules, be it PCI cards of NetHSM's then you must ensure you have a 1/N OCS and the N quorum to be able to have enough cards to be inserted in every HSM you want to load balance the key at server/CA start up when logging in. The same security world got to be loaded in all modules participating.

After setting up the first netHSM, do the following on the second:

Use the panel of the second netHSM to configure the rfs
Use the panel of the second netHSM to load the security world
Use the panel of the second netHSM to configure clients
on each client run: /opt/nfast/bin/nethsmenroll

With load balancing, you need to have CKNFAST_LOADSHARING=1.

If preload is used fail-over to the other HSM, if one of the HSMs is broken, is not working.

Example of starting jboss:

ejbca@host:/usr/local/ejbca> CKNFAST_LOADSHARING=1 ../jboss/bin/standalone.sh

BASH

When activating a CA you need a smart card from the OCS of the corresponding slot inserted in both HSMs. The OCS got to be 1/n since preload can not be used.

Support for Elliptic Curve Cryptography

If you want to generate elliptic curve (EC) keys such as secp256r1, and use the ECDSA signature algorithm, you need to buy a license from nCipher. When you try to generate an EC key in EJBCA without a license installed on the HSM, you get an error message similar to "Algorithm EC was not recognized".