Using Fortanix Data Security Manager with KeyFactor EJBCA (Primekey)

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Enterprise Java Beans Certificate Authority (EJBCA) through the Fortanix PKCS#11 driver, so that EJBCA CA keys are generated and held in DSM.

2.0 Prerequisites

  • Sudo privilege or Root access on the EJBCA server.
  • Internet connectivity from the EJBCA Server to the Fortanix Service.
  • Admin Access to the EJBCA UI to configure the Crypto Token.
  • The Fortanix PKCS#11 driver can be downloaded from here.

3.0 Integration Steps

3.1 Create an App and Copy the App API Key

  1. Log in to the Fortanix DSM UI.
  2. Click Apps. On the Apps page, click the create a new app icon to create a new app.
     Figure 1: Create new app
  3. Enter the following information:
    • App name: This is the name to identify the EJBCA app.
    • Authentication method: This can be left at the default API Key.
    • Group: This is a logical construct that will contain keys created and owned by the EJBCA cluster.
  4. Click Save to complete creating the application.
     Figure 2: Create the application
  5. Note down the application’s API Key to use in Section 3.3:
    1. Go to the detailed view of the app and click COPY API KEY as shown in Figure 3.
       Figure 3: Copy App API Key

3.2 Install PKCS#11 Driver

  1. SSH to the EJBCA server.
  2. Download the Fortanix PKCS#11 driver.
    curl -L https://download.fortanix.com/clients/4.2.1500/fortanix-pkcs11-4.2.1500-0.x86_64.rpm -o fortanix-pkcs11-4.2.1500-0.x86_64.rpm
  3. Install the Fortanix PKCS#11 driver.
    sudo dnf localinstall -y fortanix-pkcs11-4.2.1500-0.x86_64.rpm
    rm -rf fortanix-pkcs11-4.2.1500-0.x86_64.rpm
  4. Change to the wildfly user and open the web.properties file to edit.
    sudo su - wildfly
    vim /opt/ejbca/conf/web.properties
  5. Add the following to the end of the web.properties file.
    cryptotoken.p11.lib.60.name=Fortanix
    cryptotoken.p11.lib.60.file=/opt/fortanix/pkcs11/fortanix_pkcs11.so
  6. Save and close the file and exit the wildfly account.
    :wq
    exit
NOTE
To log in to Fortanix DSM from the Docker EJBCA container and create keys, add the following command to /opt/primekey/bin/start.sh.
export FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com
The above command is for Linux only.
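The following script is an added example and is not part of the Fortanix article or the EJBCA project. It performs steps 4 to 6 of Section 3.2 without hand-editing in vim: it appends the two cryptotoken.p11.lib.60 properties to web.properties only if they are not already there, refuses to proceed if index 60 is already bound to a different PKCS#11 library (so an existing HSM entry is never silently overwritten), and offers a verification function that confirms both lines are present exactly once and that the library file exists. The index 60, the library path and the properties file path are the values from the article; the function names and the exit codes are the example's own choices.

```shell
#!/bin/sh
# Added example (not Fortanix or EJBCA code): register the Fortanix PKCS#11
# library in EJBCA's web.properties idempotently, then verify the result.
# Values below are the ones used in Section 3.2 of the article.

P11_INDEX=60
P11_NAME=Fortanix
P11_LIB_DEFAULT=/opt/fortanix/pkcs11/fortanix_pkcs11.so

# register_fortanix_p11 <web.properties> [library path]
# Appends cryptotoken.p11.lib.60.name and .file when they are missing.
# Exit status: 0 success (already registered counts as success),
#              1 index 60 already maps to a different library,
#              2 properties file missing or not writable.
register_fortanix_p11() {
    props=$1
    lib=${2:-$P11_LIB_DEFAULT}
    name_key="cryptotoken.p11.lib.$P11_INDEX.name"
    file_key="cryptotoken.p11.lib.$P11_INDEX.file"

    [ -w "$props" ] || return 2

    # Last assignment wins in Java properties files, so compare against it.
    existing=$(grep "^$file_key=" "$props" | tail -n 1 | cut -d= -f2-)
    if [ -n "$existing" ] && [ "$existing" != "$lib" ]; then
        echo "index $P11_INDEX already maps to $existing, refusing to overwrite" >&2
        return 1
    fi

    grep -q "^$name_key=" "$props" || printf '%s=%s\n' "$name_key" "$P11_NAME" >> "$props"
    grep -q "^$file_key=" "$props" || printf '%s=%s\n' "$file_key" "$lib" >> "$props"
    return 0
}

# verify_fortanix_p11 <web.properties> [library path]
# Exit status 0 only when both properties appear exactly once with the
# expected values and the shared library exists on disk; otherwise 1.
verify_fortanix_p11() {
    props=$1
    lib=${2:-$P11_LIB_DEFAULT}
    n=$(grep -cxF "cryptotoken.p11.lib.$P11_INDEX.name=$P11_NAME" "$props" || true)
    f=$(grep -cxF "cryptotoken.p11.lib.$P11_INDEX.file=$lib" "$props" || true)
    [ "$n" -eq 1 ] && [ "$f" -eq 1 ] && [ -f "$lib" ]
}
```

Run it as the wildfly user after installing the RPM, for example `register_fortanix_p11 /opt/ejbca/conf/web.properties && verify_fortanix_p11 /opt/ejbca/conf/web.properties`, then restart Wildfly as in Section 3.3. A non-zero status from either function means the UI will not offer Fortanix in the PKCS#11 Library drop-down, so check it before opening adminweb.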

3.3 Create Crypto Token

  1. Restart the Wildfly Application Server.
    sudo systemctl restart wildfly
  2. Access the EJBCA adminweb with a web browser.
  3. Click Crypto Tokens in the left navigation pane to create a new crypto token.
     Figure 4: EJBCA Adminweb
  4. Click the Create new... link to create a new crypto token.
     Figure 5: Create new crypto token
    1. In the Type field, select PKCS#11 NG from the drop-down menu.
       Figure 6: Crypto token type
    2. Select Fortanix from the PKCS#11 : Library drop-down menu.
    3. Select Slot ID from the PKCS#11 : Reference Type drop-down menu.
    4. Use the default value for the PKCS#11 : Reference field.
    5. Type a Name for the Crypto token, for example, Fortanix.
    6. Type the Fortanix App API key for the Authentication Code, and the Repeat Authentication Code.
     Figure 7: Configure crypto token
  5. Click Save to save the changes.
     Figure 8: Save the new crypto token
  6. Use the default name for the key (signKey), select the key size (RSA4096), and select Sign and Encrypt for the key usage.
  7. Click the Generate new key pair button.
     Figure 9: Create key pair
  8. Repeat Steps 6-7 to create the defaultKey and testKey.
     Figure 10: Create key pairs
  9. The three keys are created, and the crypto token can now be used to create a CA.
