Configuring OpenSSL and GemEngine for a ProtectServer 3 HSM
This section describes how to configure OpenSSL to support GemEngine, which will allow OpenSSL to store security keys on the ProtectServer 3 HSM.
To configure OpenSSL and GemEngine for a ProtectServer 3 HSM
-
Navigate to the GemEngine directory.
# cd /opt/gemengine-1.5/
-
Use gembuild to locate the OpenSSL engines directory.
# ./gembuild locate-engines
The OpenSSL engines directory is usr/lib64/openssl/engines/
Tip
Run ./gembuild locate-engines -c to cache the directory for the --openssl-engines option.
-
Copy the pre-built engine to the OpenSSL engines directory.
# cp /opt/gemengine-1.5/builds/linux/rhel/64/1.0.2/libgem.so /usr/lib64/openssl/engines/
-
Configure OpenSSL by creating and using a new configuration file.
Note
You must create a new configuration file because you will encounter issues if you modify the contents of the original configuration file (openssl.cnf).
-
Locate the directory where OpenSSL is installed.
# openssl version -d
OPENSSLDIR: "/etc/pki/tls"
-
Create the new configuration file in the following directory:
/etc/pki/tls/<file_name>.cnf
-
Copy all of the contents of openssl.cnf and paste them into <file_name>.cnf.
-
Add openssl_conf = openssl_init below RANDFILE = $ENV::HOME/.rnd.
# This definition stops the following lines choking if HOME isn't
# defined
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
-
Add the following lines to the end of the document:
[ openssl_init ]
engines = engine_section

[ engine_section ]
gem = gem_section

[ gem_section ]
dynamic_path = /usr/lib64/openssl/engines/libgem.so
default_algorithms = ALL
-
Point your OpenSSL configuration to the newly created file by using the following command:
export OPENSSL_CONF=/etc/pki/tls/<file_name>.cnf
-
Verify that OpenSSL is detecting GemEngine.
# openssl engine -v
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(gem) Gem engine support
     enginearg, openSession, closeSession, login, logout, engineinit, CONF_PATH, ENGINE_INIT, ENGINE2_INIT, engine2init, DisableCheckFinalize, SO_PATH, GET_HA_STATE, SET_FINALIZE_PENDING, SKIP_C_INITIALIZE
-
Create the following file:
/etc/Chrystoki.conf
-
Add the following contents to Chrystoki.conf:
Chrystoki2 = {
   LibUNIX64 = /opt/safenet/protecttoolkit7/ptk/lib/libcryptoki.so;
}
GemEngine = {
   LibPath64 = /opt/safenet/protecttoolkit7/ptk/lib/libcryptoki.so;
   EngineInit = "<slot_name>":0:0:passdev=console;
   EnableLoginInit = 1;
   EnableRsaGenKeyPair = 1;
   DisableDsa = 0;
   DisableRand = 0;
   EnableDsaGenKeyPair = 1;
}
-
Verify successful integration by generating an RSA key.
openssl genrsa -out apache.pem -engine gem 2048
Note
-engine gem in the preceding command sets GemEngine as the default engine.
If the RSA key generates successfully, you have successfully completed the integration.
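As an added check (example code written for this page, not from the ProtectServer or GemEngine documentation), the following Python walks the section chain OpenSSL follows from openssl_conf through engines and gem to dynamic_path, so a mistyped section name in <file_name>.cnf is caught before you try to generate a key. The sample config and the sample openssl engine -v output are constructed from the lines in this procedure, and the function names are this example's own.

```python
import re
# Constructed excerpt of <file_name>.cnf, mirroring the lines added in the procedure above.
SAMPLE_CNF = """\
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
engines = engine_section
[ engine_section ]
gem = gem_section
[ gem_section ]
dynamic_path = /usr/lib64/openssl/engines/libgem.so
default_algorithms = ALL
"""
# Constructed `openssl engine -v` output as expected once the engine is wired in.
SAMPLE_ENGINE_OUTPUT = "(dynamic) Dynamic engine loading support\n(gem) Gem engine support\n"


def parse_cnf(text):
    """Minimal .cnf parser; keys before the first [header] land in the default section ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_engine(cfg, engine_id="gem"):
    """Follow openssl_conf -> engines -> engine id -> engine section; return (section, "") or (None, failing hop)."""
    init = cfg[""].get("openssl_conf")  # OpenSSL only honours openssl_conf in the default section
    if init is None:
        return None, "default section has no openssl_conf line"
    engines = cfg.get(init, {}).get("engines")
    if engines is None:
        return None, f"[{init}] is missing or has no 'engines' key"
    eng_sec = cfg.get(engines, {}).get(engine_id)
    if eng_sec is None:
        return None, f"[{engines}] has no '{engine_id}' key"
    sec = cfg.get(eng_sec)
    if sec is None or "dynamic_path" not in sec:
        return None, f"[{eng_sec}] is missing or has no dynamic_path"
    return sec, ""


def engine_listed(engine_output, engine_id="gem"):
    """True if `openssl engine -v` output has a line for the engine id, e.g. '(gem) Gem engine support'."""
    return any(line.startswith(f"({engine_id})") for line in engine_output.splitlines())
```

On a real host, feed resolve_engine the contents of the file named in OPENSSL_CONF and engine_listed the captured output of openssl engine -v; a non-empty error string names the hop that is broken.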