Using Fortanix Data Security Manager with Keyfactor EJBCA (Primekey)

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Keyfactor EJBCA (Enterprise JavaBeans Certificate Authority), so that the CA key pairs are generated and held in DSM and EJBCA reaches them through the Fortanix PKCS#11 library.

2.0 Prerequisites

  • Sudo privilege or Root access on the EJBCA server.

  • Internet connectivity from the EJBCA Server to the Fortanix Service.

  • Admin Access to the EJBCA UI to configure the Crypto Token.

  • The Fortanix PKCS#11 driver package (the download URL is given in Section 4.0).

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the EJBCA server. To create a Fortanix DSM account, group, and app, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on the available authentication methods, refer to User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list. Assign only this group; the API key grants the app access to every key in the groups it belongs to.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later as the crypto token's authentication code (Section 5.0). Treat it as a secret: it is the only credential EJBCA presents to DSM.

4.0 Install PKCS#11 Driver

  1. SSH to the EJBCA server.

  2. Download the Fortanix PKCS#11 driver.

    # -f makes curl fail on an HTTP error instead of saving an error page as the .rpm
    curl -fL https://download.fortanix.com/clients/4.2.1500/fortanix-pkcs11-4.2.1500-0.x86_64.rpm -o fortanix-pkcs11-4.2.1500-0.x86_64.rpm
  3. Install the Fortanix PKCS#11 driver.

    sudo dnf localinstall -y fortanix-pkcs11-4.2.1500-0.x86_64.rpm
    rm -f fortanix-pkcs11-4.2.1500-0.x86_64.rpm
  4. Change to the wildfly user and open the web.properties file to edit.

    sudo su - wildfly
    vim /opt/ejbca/conf/web.properties
  5. Add the following to the end of the web.properties file. The index (60 here) must not already be used by another cryptotoken.p11.lib entry in the file, or the existing library definition is overridden.

    cryptotoken.p11.lib.60.name=Fortanix
    cryptotoken.p11.lib.60.file=/opt/fortanix/pkcs11/fortanix_pkcs11.so
  6. Save and close the file and exit the wildfly account.

    :wq
    exit

NOTE

The PKCS#11 library must know which DSM endpoint to contact. When EJBCA runs in the Docker container, add the following line to /opt/primekey/bin/start.sh so that the variable is set in the environment the EJBCA process starts with and the container can log in to DSM and create keys.

export FORTANIX_API_ENDPOINT=https://<FORTANIX_DSM_URL>

This applies to Linux only.

5.0 Create Crypto Token

  1. Restart the Wildfly Application Server.

    sudo systemctl restart wildfly
  2. Access the EJBCA adminweb with a web browser.

  3. Click Crypto Tokens in the left navigation pane to create a new crypto token.  

    Figure 4: EJBCA Adminweb

  4. Click the Create new... link to create a new crypto token.  

    Figure 5: Create new crypto token

    1. In the Type field, select PKCS#11 NG from the drop-down menu.

      Figure 6: Crypto token type

    2. Select Fortanix from the PKCS#11 : Library drop-down menu.

    3. Select Slot ID from the PKCS#11 : Reference Type drop-down menu.

    4. Use the default value for the PKCS#11 : Reference field.

    5. Type a Name for the Crypto token, for example, Fortanix.

    6. Enter the Fortanix app API key (Section 3.5) as the Authentication Code and again as the Repeat Authentication Code. EJBCA presents this value as the PKCS#11 PIN when it activates the token, which is how the Fortanix library logs in to DSM.

    Figure 7: Configure crypto token

  5. Click Save to save the changes.  

    Figure 8: Save the new crypto token

  6. Use the default name for the key (signKey), select the key size (RSA4096), and select Sign and Encrypt for the key usage. The key pair is generated inside DSM; EJBCA only references it by alias.

  7. Click the Generate new key pair button.  

    Figure 9: Create key pair

  8. Repeat Steps 6-7 to create the defaultKey and testKey.  

    Figure 10: Create key pairs

  9. Once the three key pairs exist in DSM, the crypto token can be used to create a CA.