1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Enterprise Java Beans Certificate Authority (EJBCA).
2.0 Prerequisites
- Sudo privilege or Root access on the EJBCA server.
- Internet connectivity from the EJBCA Server to the Fortanix Service.
- Admin Access to the EJBCA UI to configure the Crypto Token.
- The Fortanix PKCS#11 driver can be downloaded from here.
3.0 Integration Steps
3.1 Create an App and Copy the App API Key
- Log in to the Fortanix DSM UI.
- Click Apps. On the Apps page, click the create new app icon to create a new app.
Figure 1: Create new app
- Enter the following information:
- App name: This is the name to identify the EJBCA app.
- Authentication method: This can be left at the default API Key.
- Group: This is a logical construct that will contain keys created and owned by the EJBCA cluster.
- Click Save to complete creating the application.
Figure 2: Create the application
- Note down the application’s API Key to use in Section 3.3:
- Go to the detailed view of an app and click the COPY API KEY as shown below.
Figure 3: Copy App API Key
3.2 Install PKCS#11 Driver
- SSH to the EJBCA server.
- Download the Fortanix PKCS#11 driver.
curl -L https://download.fortanix.com/clients/4.2.1500/fortanix-pkcs11-4.2.1500-0.x86_64.rpm -o fortanix-pkcs11-4.2.1500-0.x86_64.rpm
- Install the Fortanix PKCS#11 driver.
sudo dnf localinstall -y fortanix-pkcs11-4.2.1500-0.x86_64.rpm
rm -rf fortanix-pkcs11-4.2.1500-0.x86_64.rpm
- Change to the wildfly user and open the web.properties file to edit.
sudo su - wildfly
vim /opt/ejbca/conf/web.properties
- Add the following to the end of the web.properties file.
cryptotoken.p11.lib.60.name=Fortanix
cryptotoken.p11.lib.60.file=/opt/fortanix/pkcs11/fortanix_pkcs11.so
- Save and close the file and exit the wildfly account.
:wq
exit
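The web.properties edit above is easy to get wrong when the step is re-run (a second copy of the lines, or index 60 already taken by another library entry). The following POSIX shell functions are an added example, not part of the Fortanix or EJBCA documentation: they register the library entry only if it is not already present, refuse to overwrite a different library at the same index, and check that the .so the properties point to actually exists. The library index (60), the property names and the library path are taken from the guide; the file path argument is a parameter so it can be pointed at a test copy.

```shell
#!/bin/sh
# Added example (not from the Fortanix/EJBCA docs): idempotently register the
# Fortanix PKCS#11 library in EJBCA's web.properties and sanity-check the .so.
# Assumption: index 60 and the paths below are the ones the guide uses.

P11_INDEX=60
P11_NAME=Fortanix
P11_LIB=/opt/fortanix/pkcs11/fortanix_pkcs11.so

# register_fortanix_p11 FILE [LIB_PATH]
# Appends the two cryptotoken.p11.lib.<index>.* lines to FILE unless an entry
# with that index already exists. Prints "added" or "present"; returns 2 and
# prints a message on stderr if the index is already used by another library.
register_fortanix_p11() {
    file=$1
    lib=${2:-$P11_LIB}
    key_name="cryptotoken.p11.lib.${P11_INDEX}.name"
    key_file="cryptotoken.p11.lib.${P11_INDEX}.file"
    if grep -q "^${key_name}=" "$file" 2>/dev/null; then
        existing=$(grep "^${key_name}=" "$file" | head -n1 | cut -d= -f2-)
        if [ "$existing" = "$P11_NAME" ]; then
            echo present
            return 0
        fi
        echo "conflict: index ${P11_INDEX} already used by '${existing}'" >&2
        return 2
    fi
    printf '%s=%s\n%s=%s\n' "$key_name" "$P11_NAME" "$key_file" "$lib" >> "$file"
    echo added
    return 0
}

# check_p11_library [LIB_PATH]
# Succeeds only if the driver file web.properties will point to is present
# and readable, so a typo in the path is caught before WildFly is restarted.
check_p11_library() {
    lib=${1:-$P11_LIB}
    [ -f "$lib" ] && [ -r "$lib" ]
}

# Usage on the EJBCA host, as the wildfly user (per the guide):
#   check_p11_library && register_fortanix_p11 /opt/ejbca/conf/web.properties
```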
3.3 Create Crypto Token
- Restart the Wildfly Application Server.
sudo systemctl restart wildfly
- Access the EJBCA adminweb with a web browser.
- Click Crypto Tokens in the left navigation pane to create a new crypto token.
Figure 4: EJBCA Adminweb
- Click the Create new... link to create a new crypto token.
Figure 5: Create new crypto token
- In the Type field, select PKCS#11 NG from the drop-down menu.
Figure 6: Crypto token type
- Select Fortanix from the PKCS#11 : Library drop-down menu.
- Select Slot ID from the PKCS#11 : Reference Type drop-down menu.
- Use the default value for the PKCS#11 : Reference field.
- Type a Name for the Crypto token, for example, Fortanix.
- Type the Fortanix App API key for the Authentication Code, and the Repeat Authentication Code.
Figure 7: Configure crypto token
- Click Save to save the changes.
Figure 8: Save the new crypto token
- Use the default name for the key (signKey), select the key size (RSA4096), and select Sign and Encrypt for the key usage.
- Click the Generate new key pair button.
Figure 9: Create key pair
- Repeat Steps 6-7 to create the defaultKey and testKey.
Figure 10: Create key pairs
- The three keys are created, and the crypto token can now be used to create a CA.