Configuring OpenSSL and GemEngine for a ProtectServer 3 HSM
This section describes how to configure OpenSSL to support GemEngine, which will allow OpenSSL to store security keys on the ProtectServer 3 HSM.
To configure OpenSSL and GemEngine for a ProtectServer 3 HSM
- Navigate to the GemEngine directory.
- Use gembuild to locate the OpenSSL engines directory.
  The OpenSSL engines directory is usr/lib64/openssl/engines/
  Tip: Run ./gembuild locate-engines -c to cache the directory for the --openssl-engines option.
- Copy the pre-built engine to the OpenSSL engines directory.
- Configure OpenSSL by creating and using a new configuration file.
  Note: You must create a new configuration file, because modifying the contents of the original configuration file (openssl.cnf) causes problems.
  - Locate the directory where OpenSSL is installed.
  - Create the new configuration file in the following directory: /etc/pki/tls/<file_name>.cnf
  - Copy all of the contents of openssl.cnf and paste them into <file_name>.cnf.
  - Add openssl_conf = openssl_init below RANDFILE= $ENV::HOME/.rnd.
  - Add the following lines to the end of the document:
  - Point your OpenSSL configuration to the newly created file by using the following command:
  - Verify that OpenSSL is detecting GemEngine.
- Create the following file: /etc/Chrystoki.conf
  - Add the following contents to Chrystoki.conf:
- Verify successful integration by generating an RSA key.
  Note: -engine gem in the preceding command sets GemEngine as the default engine.
  If the RSA key generates successfully, the integration is complete.
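The new configuration file loads GemEngine through OpenSSL's standard chain: a top-level openssl_conf pointing at an init section, whose engines key names a section that lists each engine, whose own section gives the dynamic_path of the shared object. The guide's exact lines are not reproduced on this page, so a misplaced openssl_conf (inside a named section instead of the default one) or a mistyped section name fails silently and OpenSSL simply falls back to software keys. The script below is an added example, not code from Thales or the guide: it walks that chain in a candidate .cnf file and reports where it breaks, and only then runs the live checks (openssl engine -t -c and an RSA key generation with -engine). It assumes the engine is registered under the name gem; the section names openssl_init, engine_section and gem_section and the shared-object path /usr/lib64/openssl/engines/libgem.so used in the comments and test are placeholders, not necessarily the values in the guide.

```shell
#!/bin/sh
# Added example (not from the ProtectServer guide): validate the engine
# wiring in an OpenSSL configuration file before pointing OPENSSL_CONF at it.
# Assumed engine name: gem. Section names / paths are placeholders.

# cnf_get FILE SECTION KEY
# Print the value of KEY inside [SECTION] of an OpenSSL-style config file.
# An empty SECTION means the default (unnamed) section before the first [header].
# Returns 1 when the key is absent.
cnf_get() {
    awk -v sec="$2" -v key="$3" '
        BEGIN { in_sec = (sec == "") }
        /^[[:space:]]*#/ { next }                      # skip comments
        /^[[:space:]]*\[/ {                            # section header
            in_sec = ($0 ~ "^[[:space:]]*\\[[[:space:]]*" sec "[[:space:]]*\\]")
            next
        }
        in_sec && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, "")             # drop "key ="
            sub(/[[:space:]]+$/, "")                   # trim trailing blanks
            print; found = 1; exit
        }
        END { exit !found }' "$1"
}

# check_engine_config FILE [ENGINE]
# Follow openssl_conf -> engines -> ENGINE -> dynamic_path and print the
# resolved shared-object path. Returns 1 and explains on stderr if any link
# in the chain is missing.
check_engine_config() {
    cnf="$1"; engine="${2:-gem}"
    init=$(cnf_get "$cnf" "" openssl_conf) \
        || { echo "openssl_conf is missing from the default section" >&2; return 1; }
    engines=$(cnf_get "$cnf" "$init" engines) \
        || { echo "[$init] has no engines = line" >&2; return 1; }
    esec=$(cnf_get "$cnf" "$engines" "$engine") \
        || { echo "[$engines] does not list engine '$engine'" >&2; return 1; }
    path=$(cnf_get "$cnf" "$esec" dynamic_path) \
        || { echo "[$esec] has no dynamic_path" >&2; return 1; }
    echo "$path"
}

# live_check [ENGINE]
# Run against the real OpenSSL after exporting OPENSSL_CONF; needs the HSM
# and Chrystoki.conf in place. The key is generated with -engine so that the
# engine, not software, produces it.
live_check() {
    engine="${1:-gem}"
    so=$(check_engine_config "${OPENSSL_CONF:?set OPENSSL_CONF first}" "$engine") || return 1
    [ -r "$so" ] || { echo "engine shared object not readable: $so" >&2; return 1; }
    openssl engine -t -c "$engine" || return 1
    openssl genrsa -engine "$engine" -out gem-test-rsa.pem 2048
}

# Usage:
#   export OPENSSL_CONF=/etc/pki/tls/<file_name>.cnf
#   live_check gem
```

Run check_engine_config on its own first; it needs no HSM and catches the common mistake of adding openssl_conf = openssl_init after a [section] header, where OpenSSL never reads it.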