Thales CipherTrust as an HSM provider

This document provides instructions for setting up Thales CipherTrust as an HSM provider for PrivX. This integration allows PrivX to store and/or encrypt its cryptographic keys with the HSM.

These instructions are only applicable to fresh deployments: existing PrivX deployments cannot be integrated with an HSM.

These instructions are to be used together with the PrivX-setup instructions at Setting up PrivX components.

Prerequisites

  • CipherTrust Manager 2.16.0 or later
  • CADP for C 8.17.0 or later

It is also recommended to create a service account and a domain for PrivX.

A service account can be created under Access Management→Users→Add User.

A domain can be created under Admin Settings→Domains→Add Domain. Set the service account as the admin for the domain.

Integration Steps

The high-level workflow for CipherTrust integration involves:

  1. Connecting PrivX machines to a CipherTrust Manager.
  2. Setting up PrivX-Server software on PrivX machines.

These steps are described in more detail in the following sections.

Connecting PrivX to CipherTrust Manager

Install CADP for C on the PrivX machine.

When prompted for the username and password, provide the service-account credentials.

When asked for the server protocol, choose SSL authentication. You will be asked for a password to protect the client's private key; you will need this password later as part of the PKCS#11 PIN.

After installation, edit /opt/CipherTrust/CADP_for_C/CADP_PKCS11.properties and change the value of the Client_Compatibility_Mode field to LegacyVAE. This is the only mode supported by PrivX.

Setting Up PrivX-Server Software on PrivX Machines

Set up PrivX-server software on a PrivX machine according to the PrivX Administrator Manual, while paying attention to the following points.

You will be prompted for HSM settings during postinstall. Provide them as follows:

Enable pkcs11 keyvault support? [y/N]
  Enter y to enable HSM support.
Select pkcs11 provider:
  Select the option corresponding to Thales CipherTrust.
Enter pkcs11 provider library file path:
  Enter /opt/CipherTrust/CADP_for_C/libcadp_pkcs11.so
Enter pkcs11 slot:
  Enter 0
Enter pkcs11 pin: and Enter pkcs11 pin again:
  If you created a domain for PrivX, enter the credentials in the format key_password:domain||username:password
  If you use the root domain instead, enter the credentials in the format key_password:username:password
  Here key_password is the private-key password you chose during the CADP for C installation, and username and password are the service-account credentials.
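The following pre-flight script is an added example, not part of the PrivX documentation or of the CADP product. It checks the two things postinstall depends on (the PKCS#11 library path and the LegacyVAE compatibility mode) and builds the PIN string in the two formats described above. It assumes CADP_PKCS11.properties uses key=value lines; the CADP_LIB and CADP_PROPS variable names are the script's own.

```shell
#!/bin/sh
# Pre-flight checks before running PrivX postinstall with CipherTrust (added example).
# Paths below are the ones given in the integration instructions; override via environment.
CADP_LIB="${CADP_LIB:-/opt/CipherTrust/CADP_for_C/libcadp_pkcs11.so}"
CADP_PROPS="${CADP_PROPS:-/opt/CipherTrust/CADP_for_C/CADP_PKCS11.properties}"

# Return 0 if the properties file sets Client_Compatibility_Mode to LegacyVAE
# (the only mode PrivX supports). Comment lines and surrounding whitespace are ignored;
# the key=value layout is an assumption about the file format.
check_compat_mode() {
  props="$1"
  [ -r "$props" ] || return 1
  grep -v '^[[:space:]]*#' "$props" \
    | sed 's/[[:space:]]//g' \
    | grep -qx 'Client_Compatibility_Mode=LegacyVAE'
}

# Build the PIN string expected by the "Enter pkcs11 pin:" prompt.
# Usage: build_pin KEY_PASSWORD USERNAME PASSWORD [DOMAIN]
#   with a PrivX domain: key_password:domain||username:password
#   with the root domain: key_password:username:password
build_pin() {
  key_pw="$1"; user="$2"; pw="$3"; domain="$4"
  if [ -n "$domain" ]; then
    printf '%s:%s||%s:%s' "$key_pw" "$domain" "$user" "$pw"
  else
    printf '%s:%s:%s' "$key_pw" "$user" "$pw"
  fi
}

# Return 0 when the machine is ready for the HSM prompts in postinstall.
preflight() {
  [ -r "$CADP_LIB" ] || { echo "missing PKCS#11 library: $CADP_LIB" >&2; return 1; }
  check_compat_mode "$CADP_PROPS" \
    || { echo "Client_Compatibility_Mode is not LegacyVAE in $CADP_PROPS" >&2; return 1; }
  echo "CADP for C looks ready for PrivX postinstall"
}

# Run the checks only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

The PIN string carries both the private-key password and the service-account password, so type it at the interactive prompt rather than saving the output of build_pin to a file or passing it on a command line that ends up in shell history.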
