Axway Validation Authority - Entrust


Axway Validation Authority nShield HSM Integration Guide

Version: 1.0
Date: Monday, August 9, 2021

Copyright 2021 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document, English is the canonical language.

nCipher Security Limited
Registered Office: One Station Square, Cambridge, UK CB1 2GA
Registered in England No. 11673268

nCipher is an Entrust company.

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer.

Contents

1. Introduction (4)
  1.1. Requirements (4)
  1.2. Licensing (5)
  1.3. Product configurations (5)
  1.4. Supported nShield functionality (6)
2. Procedures (7)
  2.1. Install and configure the nShield HSM (7)
  2.2. Select the key protection method (8)
  2.3. Initial VA server setup and configuration (9)
  2.4. Basic integration tests (13)
Contact Us (16)

1. Introduction

The Axway Validation Authority (VA) server is a high-performance Online Certificate Status Protocol (OCSP) server for distribution of certificate revocation information for certificates issued by any certification authority (CA). The VA Server provides integrity and validity for online transactions by validating, in real time, digital certificates issued by a CA. The Entrust nShield Hardware Security Module (HSM) integrates with the Axway VA responder server through the nShield PKCS #11 cryptographic API to securely generate and store the OCSP response signing keys. The following image shows such an integration.

1.1. Requirements

The Axway VA installation requires either Microsoft Windows Server or Red Hat Enterprise Linux for the base operating system. Conceptually, a CentOS platform will work the same way. You can get the installation package for Windows or Linux from Axway Support.

The Axway Validation Authority Administrators Guide recommends the following hardware specification for installing a production Axway VA responder server.

Component          Minimum Requirement
Processor          3.0 GHz, quad core/CPU
Memory             16 GB
Hard Disk          500 GB

Network Adapter    1

System components required for installation:

Component                   Version
Red Hat Enterprise Linux    7.x
Microsoft Windows Server    2012 R2, 2016, or 2019
Firewall                    Linux firewalld or Windows Firewall

Before starting this integration, familiarize yourself with:

- The documentation for the nShield Connect HSM.
- The documentation and configuration process for Axway VA.

Before you start to use nShield products:

- For creating a Security World, define who within the organization will act as custodians of the administrator card set (ACS).
- Obtain enough blank smartcards to create the ACS. 6 cards are delivered with the nShield Connect HSM.
- Define the Security World parameters. For details of the security implications of the choices, see the nShield Security Manual.

1.2. Licensing

Configuring Axway VA requires importing a license text file into the Axway VA administration web UI. You must have this license file when you configure Axway VA.

1.3. Product configurations

Entrust tested nShield HSM integration with Axway VA in the following configurations:

Axway VA   nShield Hardware   nShield (Connect) Image   nShield HSM Firmware   Security World Software   FIPS
5.2        Connect XC         12.60.10                  12.50.11               12.60.11                  140-2 level 3
5.2        Connect Plus       12.60.10                  12.50.8                12.60.11                  140-2 level 3

1.4. Supported nShield functionality

Feature                         Support
Key Generation                  Yes
Key Management                  Yes
Key Import                      No
Key Recovery                    Yes
Strict FIPS mode support        Yes
Common Criteria mode support    N/A
1-of-N Operator Card Set        Yes
K-of-N Operator Card Set        Yes
Softcards                       Yes
Module-only keys                Yes
Load Sharing                    Yes
Failover                        Yes

2. Procedures

An overview of the integration procedures is as follows:

1. Install the HSM.
2. Install the nShield Security World software and create a Security World.
3. Install and configure the Axway Validation Authority (VA) responder server.
4. Test the VA server OCSP response functionality and verify responses are signed by the private keys generated and protected by the HSM.

2.1. Install and configure the nShield HSM

This guide does not cover the basic installation and configuration of the nShield HSM or the nShield Security World client software. For instructions, see the Installation Guide for your HSM.

When you are creating the Operator Card Set (OCS) or Softcards for the Security World, the passphrases must match the VA server password that will be set in the initial VA server configuration process.

The VA server password, and therefore by extension the OCS or Softcard passphrase, must have at least 8 characters in length, one uppercase letter, one lowercase letter, one number, and one special character.

The following lines need to be added to the cknfastrc configuration file of the Security World. The file is in the %NFAST_HOME% directory, which is C:\Program Files\nCipher\nfast on Windows and /opt/nfast on Linux.

Module protection:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1

Softcard protection:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    CKNFAST_NO_ACCELERATOR_SLOTS=1

OCS protection with a K/N quorum where K = 1:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    CKNFAST_NO_ACCELERATOR_SLOTS=1

OCS protection with a K/N quorum where K > 1:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    CKNFAST_NO_ACCELERATOR_SLOTS=1
    NFAST_NFKM_TOKENSFILE=C:\ProgramData\nCipher\nfast-nfkm-tokensfile

On Windows, C:\ProgramData\nCipher\nfast-nfkm-tokensfile is an example location for creating the preload file. On Linux, an example location is NFAST_NFKM_TOKENSFILE=/opt/nfast/kmdata/nfast-nfkm-tokensfile. You can change it to another location as required.

Optionally, enable PKCS #11 debugging by adding the following lines to cknfastrc:

    CKNFAST_DEBUG=10
    CKNFAST_DEBUGFILE=C:\ProgramData\nCipher\Log Files\pkcs11.log

Linux:

    CKNFAST_DEBUGFILE=/opt/nfast/log/pkcs11.log

2.2. Select the key protection method

If more than one key protection mechanism is available, for example OCS and Softcard, OCS and module protection, or two Softcards, you must modify the C:\ProgramData\nCipher\Key Management Data\local directory on Windows to contain the minimum required key protection mechanism files. On Linux, this directory is /opt/nfast/kmdata/local. In other words, if you are using a certain key protection method, make sure that only the files pertaining to that specific method are present in the local directory.

If you are using module protection, remove all OCS and Softcard files from local. Make sure that an ACS card is inserted into an available slot of the HSM. The ACS card can provide FIPS authorization in place of the OCS card for this application (which will not work, since the associated OCS card file must be removed).

If you are using Softcard protection, remove all OCS files from local. Make sure that an ACS card is inserted into an available slot of the HSM to provide FIPS authorization.

If you are using OCS protection, remove all Softcard files from local. Insert the OCS quorum to provide FIPS authorization.

For either OCS or Softcard protection, you should have only the Softcard or OCS card files for the token used to protect the OCSP signing key.
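The cknfastrc variants in section 2.1, the password rule shared between the VA server and the OCS or Softcard passphrase, and the slot-ID rule from step 14 of section 2.3 are easy to get slightly wrong by hand. The following pre-flight checker is an added example for this page, not Axway or nShield code: it parses a cknfastrc file, compares it with the settings the guide lists for the chosen protection method, applies the password rule, and cross-checks a chosen Slot ID against CKNFAST_LOADSHARING. The function names, the method labels (module, softcard, ocs_k1, ocs_kn) and the sample file are this example's own assumptions; the expected values are the ones printed above.

```python
"""Pre-flight checks for the cknfastrc settings, the VA server password and the
PKCS #11 slot choice described in this guide.

Added example, not Axway or nShield code. Function names, method labels and
the sample cknfastrc are hypothetical; the expected values come from the guide.
"""
import re

# Settings shared by Softcard and OCS protection (section 2.1).
_TOKEN = {"CKNFAST_OVERRIDE_SECURITY_ASSURANCES": "none",
          "CKNFAST_LOADSHARING": "1",
          "CKNFAST_NO_ACCELERATOR_SLOTS": "1"}

# Expected cknfastrc settings per protection method. A value of None means
# "must be present with a non-empty value" (the path of the preload tokens file).
EXPECTED_SETTINGS = {
    "module": {"CKNFAST_OVERRIDE_SECURITY_ASSURANCES": "none",
               "CKNFAST_FAKE_ACCELERATOR_LOGIN": "1"},
    "softcard": _TOKEN,
    "ocs_k1": _TOKEN,                                     # K/N quorum with K = 1
    "ocs_kn": {**_TOKEN, "NFAST_NFKM_TOKENSFILE": None},  # K > 1: preload needs a tokens file
}


def parse_cknfastrc(text):
    """Parse NAME=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def check_cknfastrc(settings, method):
    """Return the problems found for the chosen protection method (empty means OK)."""
    problems = []
    for name, want in EXPECTED_SETTINGS[method].items():
        got = settings.get(name)
        if got is None:
            problems.append(f"{name} is missing")
        elif want is None:
            if not got:
                problems.append(f"{name} must name the preload tokens file")
        elif got != want:
            problems.append(f"{name}={got}, expected {want}")
    return problems


# VA server password rules (section 2.1 and step 8). The same string becomes the
# OCS or Softcard passphrase, so a weak password also weakens the HSM token.
PASSWORD_RULES = [
    (lambda pw: len(pw) >= 8, "at least 8 characters"),
    (lambda pw: re.search(r"[A-Z]", pw), "one upper case letter"),
    (lambda pw: re.search(r"[a-z]", pw), "one lower case letter"),
    (lambda pw: re.search(r"[0-9]", pw), "one digit"),
    (lambda pw: re.search(r"[^A-Za-z0-9]", pw), "one special character"),
]


def check_va_password(password):
    """Return the rules the password fails (empty list means it is acceptable)."""
    return [msg for ok, msg in PASSWORD_RULES if not ok(password)]


def slot_matches_loadsharing(slot_id, settings):
    """Cross-check the Slot ID entered in step 14 against cknfastrc: with loadsharing
    disabled (module protection) the decimal slot ID begins with 4929711, with
    loadsharing enabled (OCS or Softcard) it begins with 7614066. -1 is always allowed."""
    if slot_id == -1:
        return True
    loadsharing = settings.get("CKNFAST_LOADSHARING") == "1"
    prefix = "7614066" if loadsharing else "4929711"
    return str(slot_id).startswith(prefix)


# Constructed sample cknfastrc for Softcard protection (not a file from the guide).
SAMPLE_SOFTCARD_RC = """# constructed sample
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
CKNFAST_LOADSHARING=1
CKNFAST_NO_ACCELERATOR_SLOTS=1
"""


def preflight(rc_text, method, password, slot_id):
    """Run every check and return one list of findings (empty means ready to proceed)."""
    settings = parse_cknfastrc(rc_text)
    findings = check_cknfastrc(settings, method)
    findings += ["password: " + m for m in check_va_password(password)]
    if not slot_matches_loadsharing(slot_id, settings):
        findings.append(f"slot {slot_id} does not match the CKNFAST_LOADSHARING setting")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_SOFTCARD_RC, "softcard", "Passw0rd!", 761406600) or ["OK"]:
        print(finding)
```

Run it against the real file by replacing SAMPLE_SOFTCARD_RC with the contents of %NFAST_HOME%\cknfastrc (or /opt/nfast/cknfastrc); a non-empty findings list means the key generation in step 14 is likely to fail or to land on an unintended token.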
In other words, do not have multiple Softcard files or multiple OCS card file sets.

For more information about the environment variables used in cknfastrc, see:

- The nShield Cryptographic API Guide.
- The PKCS #11 library environment variables section in the User Guide for the HSM.

2.3. Initial VA server setup and configuration

Axway VA consists of:

- A VA Host Server acting as either a Repeater or Responder operating on Windows Server or Red Hat Enterprise Linux.
- A web-based Administration Server that provides centralized management of the validation processing components.

Client applications can query the VA Server utilizing open standard protocols including the Online Certificate Status Protocol (OCSP) or the Server-based Certificate Validation Protocol (SCVP), allowing clients to delegate the entire certificate validation operation, including path construction and intermediate CA validation, to the VA Server.

This section describes how to set up and configure a Responder. Before setting up the Axway VA Server (Responder), you must:

- Obtain a Responder product license from Axway and make it available on the host platform.
- Obtain a root certificate from a CA and make it available on the host platform.
- Obtain an associated Certificate Revocation List (CRL) for the CA and make it available on the host platform.

To install the Axway VA (Responder) server:

1. See the Axway VA Administrators Guide for steps on installing the server on Windows and Linux. Install the nShield Security World software before installing Axway VA. This is especially important on Linux so that during installation, you can select nfast as the group to run the VA server.
2. After installing Axway VA, browse to the Axway VA Web Administration and log in using the credentials specified during installation.
   a. If you are using OCS protected keys with a K/N quorum where K > 1, use preload to load the OCS K/N quorum. Enter the OCS passphrase when prompted.

      % preload -m <module-number> -c <ocs-cardset-name> -f <path-to-nfkm-tokensfile> pause

3. Select the Enter License tab from the menu.
4. In the textbox, paste the license certificate from Axway. Select Submit License.
5. 
The Axway Validation Authority License page appears. Confirm the license details and select Next Step.

6. On the Import Configuration File page, select Skip.
7. On the Install Custom Extensions page, select NO, then select Submit.
8. On the Server Password page, enter and confirm the new VA server password. The password must match the OCS or Softcard passphrase and is required to have at least:
   - 8 characters in length
   - one alphabetic character
   - one digit
   - one special character
   - one upper case character
   - one lower case character
   If your server password already matches the OCS or Softcard passphrase and meets these minimum requirements, you may skip this step. Select Create/Import Key Pair to go to the next step.
   Select Submit when finished.
9. On the SUCCESS! page, select Next Step.
10. On the Key Type Selection page, under Mandatory, select Default OCSP/SCVP Response Signing. Then select Submit Key Type.
11. On the Key Generation/Import Mechanism: Default OCSP/SCVP Response Signing page, select Hardware Key Generation/Import using nCipher.
    If that is not an option, select the following:
    - Hardware Key Generation/Import on custom PKCS11 provider
    - Vendor: nCipher
    - PKCS#11 Library Path:
      - Windows: C:\Program Files\nCipher\nfast\toolkits\cknfast.dll
      - Linux: /opt/nfast/toolkits/pkcs11/libcknfast.so
12. Select Submit Key Generation Technique.
13. Select Generate new private key. Then select Submit Key Generation or Import.
14. On the Generate Hardware key and Certificate: Default OCSP/SCVP Response Signing page:
    Under PKCS11 Token Information:
    - USER PIN: enter the VA server password, which is also the OCS or Softcard passphrase. If you are using module protection, still enter the VA server password.

    - Friendly Key Name: Enter a name to identify the key.
    - Key Expiration in days: Enter 0 for non-expiring keys or enter another number for the key lifetime.
    - Slot ID: Select either -1 or the decimal number representing the PKCS11 slot. Never select Auto Sense. If you are using module protection (loadsharing is disabled in cknfastrc), this decimal number will begin with 4929711. If you are using OCS or Softcard (loadsharing enabled in cknfastrc), this decimal number will begin with 7614066.
    - Key Algorithm: RSA
    - Key Length: 2048
    - Hash Algorithm: SHA256 (or any other one as long as it is not a SHA1 algorithm)
    Under Certificate Information:
    - Type: Self-signed Certificate (Alternatively, select Certificate Request if you want to have an external CA sign the certificate.)
    - Certificate Validity (days): Enter how long you want the certificate to be valid for (default 365 days).
    - Select Simple DN Entry and enter the certificate parameters (country, city, etc.).
    Under Certificate Options, select Key Use: Sign/Signature Verification. Leave all other options unselected.
15. Review the PKCS11 token and certificate parameters and select Submit when finished.
16. If the key and certificate were successfully generated, you should see a SUCCESS! message followed by "Self signed certificate for Default OCSP/SCVP Response Signing was created successfully. Click here to view certificate information."
    If there is an error and you enabled PKCS #11 debugging in cknfastrc, check the contents of the debug file at the path specified to troubleshoot key generation.
    To generate a private key for OCSP responses, the following files are created:
    - OCSP RESP SIGN <DateTimeStamp> GMT.crt (self-signed OCSP Responder certificate)
    - OCSP RESP SIGN <DateTimeStamp> GMT.req (PKCS#10 request)
    - vacs <DateTimeStamp>
    These files are located at:
    - Windows: C:\ProgramData\Axway\VA\entserv\.vacsbak

    - Linux: /var/lib/va-01/entserv/.vacsbak
17. Open a command prompt and run the following command to verify the key is listed under the key protection method you intended.

    % nfkminfo -l
    Keys protected by cardsets:
     key_pkcs11_9251f88e948217499c4736daf16027193 `Friendly KeyName RSAPrv'

18. Back on the VA server web UI, select Click here to view certificate information. A pop-up window opens displaying the OCSP response signing certificate that was generated.
19. Select Next Step.
20. The generated certificate is used to digitally sign OCSP and SCVP responses from the Validation Authority server. OCSP requests are essentially queries to the VA server asking for the status of a certificate (good, revoked, or unknown) for a specific Certificate Authority. The private key used to sign the responses from the VA server is stored and protected within the HSM. The next step is to configure CA certificates for which the VA server will provide OCSP responses.
21. On the Manage Certificate Store page, under Mandatory Stores, select CA Certificates [OCSP Protocol]. Then select Submit.
22. On the Certificate Import Method page, select Local File. Then select Submit Certificate Import Method.
23. On the Import Certificate File page, select Choose File, and select the root CA certificate you want the VA server to provide OCSP responses for. Then select Submit Certificate File.
24. On the Select Certificates page, the root CA certificate you imported should be listed. Select Submit Certificates if the information displayed is correct.
25. On the Configure VA Certificate Store page, you should see the root CA certificate listed again. Select Add to add more root CA certificates (repeat the above process) or select Next Step to continue.
26. On the Configure CRL Imports page, select the appropriate method for retrieving a CRL associated with the CA. Then select Add CRL Source. Integration testing was done using an HTTPS CRL source, so the next few steps reflect this selection.
27. On the Configure CRL Import (HTTP/FTP/FILE) page:
    Under CRL Source:
    - Set Protocol to the appropriate protocol for retrieving the CRL source information. For integration testing, this was set to HTTPS.
    - CRL Source URL: Enter the URL for the CRL source. See the Axway Validation Authority Administrators Guide for the appropriate syntax for the selected protocol.

    - CRL Encoding: Select the appropriate encoding from the dropdown.
    - Configure other parameters as needed.
    - Leave the Import Schedule and Connection Settings at their defaults and select Add Source.
28. Back on the Configure CRL Imports page, repeat the above steps to add additional CRL sources or select Next Step to continue.
29. On the Configure Server URLs page, enter the following:
    - Hostname: n
    - Port: 80
    Select Add and then Submit. This is the URL and port the VA server will listen on for OCSP requests/queries.
30. On the SUCCESS! page, select Next Step.
31. On the VA Responder Server Configuration Parameters page, configure as appropriate for your environment. See the Axway Validation Authority Administrators Guide. Then select Submit Configuration Parameters.
32. On the SUCCESS! page, select Next Step.
33. On the Server Start/Stop page, enter the VA server password, which is also the OCS or Softcard passphrase. Then select Start Server.
34. The server status changes from OFF to ON. The VA responder server is now operational.
35. Confirm the Responder is importing CRLs from the configured CRL URL address by accessing the server log to view publisher-specific events. You can view CRLs published on the Responder by navigating to CRLs > CRLs & OCSP Databases.

2.4. Basic integration tests

The following sections test the Axway VA nShield HSM integration.

2.4.1. Verify OCSP response signing key

To verify the OCSP signing key was generated on the HSM, run the following commands. Replace <pkcs11-key-hash> with the hash at the end of the key_pkcs11_<pkcs11-key-hash> file that is generated in the local directory. For example:

    % nfkminfo -l
    Keys protected by cardsets:
     key_pkcs11_<pkcs11-key-hash> `OCSKeyOCSPCert RSAPrv'

    % nfkmverify -v -m <module-number> pkcs11 <pkcs11-key-hash>
    ** [Security world] **
     Ciphersuite: DLf3072s256mAEScSP800131Ar1.
    --
    ** [Application key pkcs11 <pkcs11-key-hash>] **
     [Named `OCSKeyOCSPCert RSAPrv']
     Useable by HOST applications
     Cardset protected: 1/2 PERSISTENT [0s `axwayva ocs']
     Cardset hash f581378f4a81d3ba312fcd19859247049bf18161
     (Currently in Module #1 Slot #2: Card #2).
    Verification successful, confirm details above.
    1 key verified.

2.4.2. Verify OCSP signing certificate

To verify the OCSP signing certificate that is presented to clients, use either the vatest tool provided by Axway or the curl and openssl tools if they are on your system.

To use Axway's vatest tool:

Windows:

    % C:\Program Files\axway\va\tools\vatest getconfig -url http://127.0.0.1:80

Linux:

    % /opt/axway/va/tools/vatest getconfig -url http://127.0.0.1:80
    OCSP Host: <Server-hostname-or-IP>
    OCSP Port: 80
    OCSP Certificates: ocspcerts.pem

To use curl and openssl:

    % curl "http://127.0.0.1:80/getvaconfig?mirroring" | openssl x509 -out ocspcerts.pem

Running either command generates a certificate file ocspcerts.pem in the directory the command was run from. Open the ocspcerts.pem file to see the OCSP signing certificate in Base64 format.

2.4.3. Test OCSP server functionality

This section details the steps to test the VA server's OCSP response capability to requests on the status of various certificates.

Open a command prompt and use the openssl OCSP client to make a request to the VA

server for the status of a certificate. Replace <full-path-to-root-CA-cert> with the path to the root CA certificate, and replace <cert-serial-number> with the serial number of the certificate you want to check the status of.

    % openssl ocsp -text -host 127.0.0.1:80 -issuer "<full-path-to-root-CA-cert>" "CSP RESP SIGN * GMT.crt" -serial <cert-serial-number>

An example response for a valid certificate that is not on the CRL:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        ...
        Responses:
        ...
        Serial Number: 099F
        Cert Status: good
        This Update: Jul 20 15:07:56 2021 GMT
        Next Update: Aug 4 02:26:08 2021 GMT
        ...
    Response verify OK
    0x099F: good
        This Update: Jul 20 15:07:56 2021 GMT
        Next Update: Aug 4 02:26:08 2021 GMT

An example response for a revoked certificate that is on the CRL:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        ...
        Responses:
        ...
        Serial Number: 026F
        Cert Status: revoked
        Revocation Time: Jun 15 14:38:52 2017 GMT
        This Update: Jul 20 15:07:56 2021 GMT
        Next Update: Aug 4 02:16:22 2021 GMT
        ...
    Response verify OK
    0x026F: revoked
        This Update: Jul 20 15:07:56 2021 GMT
        Next Update: Aug 4 02:16:22 2021 GMT
        Revocation Time: Jun 15 14:38:52 2017 GMT
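Reading the two responses above by eye is fine for a one-off test, but an integration check should decide mechanically whether a response can be trusted: the signature line must read "Response verify OK", the status must be read from the Responses block, and a response whose Next Update has already passed must be rejected even when it says "good". The script below is an added example for this page, not Axway or nShield code. It parses the text form of `openssl ocsp -text` output and classifies each serial; the function names are this example's own, the sample output is constructed to mirror the guide's two printed responses, and the -VAfile option in the command builder is this example's choice for passing the responder certificate from section 2.4.2 (the option name in the guide's own command line did not survive transcription).

```python
"""Evaluate `openssl ocsp -text` output from a VA responder: was the signature
verified, what status did each serial get, and is the response still fresh?

Added example, not Axway or nShield code. Function names, the -VAfile choice and
the sample output are assumptions of this example.
"""
from datetime import datetime, timezone

TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def ocsp_command(issuer_cert, responder_cert, serial, host="127.0.0.1:80"):
    """Build the openssl ocsp command line used in section 2.4.3. -VAfile carries
    the OCSP signing certificate exported in 2.4.2 (this example's assumption)."""
    return ["openssl", "ocsp", "-text", "-host", host, "-issuer", issuer_cert,
            "-VAfile", responder_cert, "-serial", serial]


def parse_openssl_time(value):
    """'Aug  4 02:26:08 2021 GMT' -> aware UTC datetime (openssl pads the day)."""
    return datetime.strptime(" ".join(value.split()), TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Return (verify_ok, entries). entries maps each serial (hex, no 0x prefix)
    to a dict with 'status' and the parsed this_update/next_update/revocation_time."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("response verify"):
            break                        # the summary lines below repeat the same data
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Serial Number":
            current = entries.setdefault(value.upper(), {})
        elif current is None:
            continue
        elif key == "Cert Status":
            current["status"] = value
        elif key in ("This Update", "Next Update", "Revocation Time"):
            current[key.lower().replace(" ", "_")] = parse_openssl_time(value)
    return "Response verify OK" in text, entries


def evaluate(text, now):
    """Classify every serial in the response. A certificate is 'usable' only when
    the responder signature verified, the status is good and Next Update lies in
    the future; a stale response is never trusted, whatever status it carries.
    `now` is an ISO date string (UTC) or an aware datetime."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    verify_ok, entries = parse_ocsp_text(text)
    result = {"verify_ok": verify_ok, "usable": [], "revoked": [], "stale": [], "unknown": []}
    for serial, entry in entries.items():
        next_update = entry.get("next_update")
        status = entry.get("status", "unknown")
        if next_update is not None and next_update < now:
            result["stale"].append(serial)
        elif status == "good" and verify_ok:
            result["usable"].append(serial)
        elif status == "revoked" and verify_ok:
            result["revoked"].append(serial)
        else:
            result["unknown"].append(serial)
    return result


# Constructed samples modelled on the guide's printed responses (not captured traffic).
SAMPLE_GOOD = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 099F
    Cert Status: good
    This Update: Jul 20 15:07:56 2021 GMT
    Next Update: Aug  4 02:26:08 2021 GMT
Response verify OK
0x099F: good
\tThis Update: Jul 20 15:07:56 2021 GMT
\tNext Update: Aug  4 02:26:08 2021 GMT
"""
SAMPLE_REVOKED = SAMPLE_GOOD.replace("099F", "026F").replace(
    "Cert Status: good", "Cert Status: revoked\n    Revocation Time: Jun 15 14:38:52 2017 GMT"
).replace("0x026F: good", "0x026F: revoked")


if __name__ == "__main__":
    print(" ".join(ocsp_command("root-ca.crt", "ocspcerts.pem", "099F")))
    print(evaluate(SAMPLE_GOOD, "2021-07-21"))
    print(evaluate(SAMPLE_REVOKED, "2021-07-21"))
```

To run it against the live responder, feed the stdout of `subprocess.run(ocsp_command(...), capture_output=True, text=True)` into `evaluate` with the current time; a serial landing in "stale" or "unknown" means the CRL import or the responder signature, not the certificate, needs attention first.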

Contact Us

Web: upport.entrust.com
Email Support: nShield.support@entrust.com
Online documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa
United Kingdom: +44 1223 622444
One Station Square
Cambridge, UK CB1 2GA

Americas
Toll Free: +1 833 425 1990
Fort Lauderdale: +1 954 953 5229
Sawgrass Commerce Center – A, Suite 130
13800 NW 14 Street
Sunrise, FL 33323 USA

Asia Pacific
Australia: +61 8 9126 9070
World Trade Centre Northbank Wharf
Siddeley St
Melbourne VIC 3005 Australia
Japan: +81 50 3196 4994
Hong Kong: +852 3008 3188
31/F, Hysan Place,
500 Hennessy Road,
Causeway Bay

To get help with Entrust nShield: ust.com

ABOUT ENTRUST CORPORATION

Entrust keeps the world moving safely by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they're crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it's no wonder the world's most entrusted organizations trust us.
