Thales CipherTrust as an HSM provider
This document provides instructions for setting up Thales CipherTrust as an HSM provider for PrivX. This integration allows PrivX to store and/or encrypt its cryptographic keys with the HSM.
These instructions are only applicable to fresh deployments: existing PrivX deployments cannot be integrated with an HSM.
These instructions are to be used together with the PrivX-setup instructions at Setting up PrivX components.
Prerequisites
- CipherTrust Manager 2.16.0 or later
- CADP for C 8.17.0 or later
It is also recommended to create a service account and a domain for PrivX.
A service account can be created under Access Management→Users→Add User.
A domain can be created under Admin Settings→Domains→Add Domain. Set the service account as the admin for the domain.
Integration Steps
The high-level workflow for CipherTrust integration involves:
- Connecting PrivX machines to a CipherTrust Manager.
- Setting up PrivX-Server software on PrivX machines.
These steps are described in more detail in the following sections.
Connecting PrivX to CipherTrust Manager
Install CADP for C on the PrivX machine.
When prompted for the username and password, provide the service-account credentials.
When asked for the server protocol, choose SSL authentication. You will be asked to give a password to protect the private key; this will be required later for the PKCS#11 PIN.
After installation, edit /opt/CipherTrust/CADP_for_C/CADP_PKCS11.properties: change the Client_Compatibility_Mode field's value to LegacyVAE. This is the only mode supported by PrivX.
Setting Up PrivX-Server Software on PrivX Machines
Set up PrivX-server software on a PrivX machine according to the PrivX Administrator Manual, while paying attention to the following points.
You will be prompted for HSM settings during postinstall. Provide them as follows:
Enable pkcs11 keyvault support? [y/N]
To enable, enter y
Select pkcs11 provider:
Select the option corresponding to Thales CipherTrust.
Enter pkcs11 provider library file path:
Enter /opt/CipherTrust/CADP_for_C/libcadp_pkcs11.so
Enter pkcs11 slot:
Enter 0
Enter pkcs11 pin: and Enter pkcs11 pin again:
If you created a domain for PrivX, input the credentials in the following format: key_password:domain||username:password
If you chose to use the root domain instead, input the credentials in the following format: key_password:username:password
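The following pre-flight script is an added example, not part of the PrivX or Thales documentation. It covers the CADP_PKCS11.properties edit from the previous section (verifying and forcing Client_Compatibility_Mode=LegacyVAE) and composes the PKCS#11 PIN in the two formats postinstall expects; it assumes the properties file uses one key=value pair per line and defaults to the CADP paths given on this page.

```shell
#!/bin/sh
# Pre-flight helpers for the PrivX + CipherTrust PKCS#11 setup described on
# this page. Added example, not part of PrivX or Thales documentation.
# Assumption: CADP_PKCS11.properties uses one key=value pair per line.
# Usage: . ./cadp_preflight.sh; set_legacy_vae "$PROPS"; preflight

PROPS="${CADP_PROPS:-/opt/CipherTrust/CADP_for_C/CADP_PKCS11.properties}"
LIB="${CADP_LIB:-/opt/CipherTrust/CADP_for_C/libcadp_pkcs11.so}"

# Print the current Client_Compatibility_Mode value (last one wins, as most
# properties parsers do); comment lines and spaces around '=' are ignored.
compat_mode() {
    sed -n 's/^[[:space:]]*Client_Compatibility_Mode[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Set Client_Compatibility_Mode=LegacyVAE, the only mode PrivX supports.
# Rewrites an existing line (via a temp file, portable sed) or appends the key.
set_legacy_vae() {
    if grep -q '^[[:space:]]*Client_Compatibility_Mode[[:space:]]*=' "$1"; then
        tmp="$1.tmp.$$"
        sed 's/^[[:space:]]*Client_Compatibility_Mode[[:space:]]*=.*/Client_Compatibility_Mode=LegacyVAE/' "$1" > "$tmp" \
            && mv "$tmp" "$1"
    else
        printf 'Client_Compatibility_Mode=LegacyVAE\n' >> "$1"
    fi
}

# Compose the PIN string PrivX postinstall asks for twice.
# pkcs11_pin KEY_PASSWORD USERNAME PASSWORD [DOMAIN]
#   with DOMAIN:    key_password:domain||username:password
#   without DOMAIN: key_password:username:password  (root domain)
pkcs11_pin() {
    if [ -n "${4:-}" ]; then
        printf '%s:%s||%s:%s' "$1" "$4" "$2" "$3"
    else
        printf '%s:%s:%s' "$1" "$2" "$3"
    fi
}

# Verify the provider library is readable and the mode is LegacyVAE before
# starting postinstall. Arguments default to the CADP paths from this page.
preflight() {
    props="${1:-$PROPS}"; lib="${2:-$LIB}"
    [ -r "$lib" ] || { echo "missing PKCS#11 library: $lib" >&2; return 1; }
    [ "$(compat_mode "$props")" = "LegacyVAE" ] \
        || { echo "Client_Compatibility_Mode is not LegacyVAE in $props" >&2; return 1; }
    echo "pre-flight OK: $lib, $props"
}
```

Run preflight before starting postinstall; a non-zero exit means the library path or the compatibility mode still needs fixing.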