This topic has 2 replies, 2 voices, and was last updated 3 years, 1 month ago by handat.
December 12, 2017 at 12:14 am #20060
handat (Participant)

Can the IG keystore be configured to use an HSM instead of a keystore file?
The current config appears to only allow a “url” as a file path to a jks file, is there an option to specify an HSM config file instead?
December 12, 2017 at 12:38 pm #20073
Neil Madden (Participant)

Yes, you can do this – using the Oracle/Sun PKCS#11 provider at least. The only tricky part is that the PKCS#11 provider wants the keystore source to be null, but IG’s configuration will disallow that. You can work around this by enabling the keyStoreCompatibilityMode (undocumented) configuration option in the SunPKCS11 provider configuration file, which will allow you to pass in any file (e.g., /dev/null) for the keystore and it will be ignored. For instance:

    $ cat ~/hsm.conf
    name = NitrokeyHSM
    description = SunPKCS11 with Nitrokey HSM
    library = /usr/local/opt/opensc/lib/opensc-pkcs11.so
    slot = 0
    keyStoreCompatibilityMode = true

Then configure your HSM in the JVM java.security (or use -Djava.security.properties= on startup):

    security.provider.11=sun.security.pkcs11.SunPKCS11 /Users/neil/hsm.conf

You can then configure the HSM in IG’s config.json and use it to supply key-pairs, e.g. for the JwtSession or for configuring SSL:

    {
      "name": "HSM",
      "type": "KeyStore",
      "config": {
        "url": "file:/dev/null",
        "type": "PKCS11",
        "password": "${hsm.pin}"
      }
    },
    {
      "name": "JwtSession",
      "type": "JwtSession",
      "config": {
        "keystore": "HSM",
        "alias": "rsaKeyPair",
        "password": "",
        "sharedSecret": "GWPdOSTntki4wVeGhht53rSFiZtfTtxP910D5kUZsfs="
      }
    },
Edit: note that I set the key password to “”, because my particular HSM does not allow setting per-key passwords so that will pass in an empty character array, which is what it expects.
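An added example, not code from the thread or from IG: a small stand-alone Java check that loads the PKCS11 KeyStore the same way IG will (a dummy input stream that keyStoreCompatibilityMode makes the provider ignore, the HSM PIN as the store password, an empty char[] as the per-key password) and confirms that the private key under the alias is held inside the HSM rather than exported to the JVM. It assumes the SunPKCS11 provider is already registered through java.security as shown above, that the PIN is supplied in an HSM_PIN environment variable (an assumed name), and the alias rsaKeyPair from the config.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Collections;

public class HsmKeyStoreCheck {
    // Alias taken from the JwtSession config in the post above.
    static final String ALIAS = "rsaKeyPair";

    public static void main(String[] args) throws Exception {
        // Assumed: the HSM PIN is passed in via this environment variable.
        String pinValue = System.getenv("HSM_PIN");
        if (pinValue == null || pinValue.isEmpty()) {
            throw new IllegalStateException("HSM_PIN must be set");
        }
        char[] pin = pinValue.toCharArray();
        try {
            // Provider is assumed to be registered in java.security
            // (security.provider.N=sun.security.pkcs11.SunPKCS11 /path/hsm.conf).
            KeyStore ks = KeyStore.getInstance("PKCS11");

            // Mirrors IG's "url": "file:/dev/null". With keyStoreCompatibilityMode = true
            // the provider ignores the stream and only uses the PIN to log in to the token.
            try (InputStream ignored = new FileInputStream("/dev/null")) {
                ks.load(ignored, pin);
            }

            for (String alias : Collections.list(ks.aliases())) {
                System.out.println(alias + " keyEntry=" + ks.isKeyEntry(alias));
            }

            // IG's "password": "" becomes an empty char array, which is what a token
            // without per-key passwords expects.
            Key key = ks.getKey(ALIAS, new char[0]);
            if (!(key instanceof PrivateKey)) {
                throw new IllegalStateException("no private key entry under alias " + ALIAS);
            }

            // For a PKCS#11 key handle getEncoded() returns null: the key material
            // never leaves the HSM. A non-null result would mean the key was extractable.
            boolean heldInHsm = key.getEncoded() == null;
            System.out.println(ALIAS + " algorithm=" + key.getAlgorithm()
                    + " nonExtractable=" + heldInHsm);
            if (!heldInHsm) {
                System.err.println("WARNING: private key material is extractable from the provider");
            }
        } finally {
            // Do not leave the PIN lying around in the heap longer than needed.
            Arrays.fill(pin, '\0');
        }
    }
}
```

Run it with the same -Djava.security.properties= setting the JVM running IG uses, so the check exercises exactly the provider configuration IG will see; if KeyStore.getInstance("PKCS11") fails with a NoSuchAlgorithmException, the provider line in java.security is not being picked up.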
December 13, 2017 at 12:42 am #20099
handat (Participant)

Thanks Neil, that makes it crystal clear.