How To
Summary
Note: With V4.1, IBM Security Key Lifecycle Manager is renamed as IBM Security Guardium Key Lifecycle Manager.
Use this page to configure IBM Security Guardium Key Lifecycle Manager with nCipher HSM.
High-level steps:
A. Complete the prerequisite tasks.
B. Configure the nCipher HSM client.
C. Configure the IBM Security Guardium Key Lifecycle Manager server.
Steps
- Ensure that nCipher HSM is installed. For instructions, see the nCipher HSM guide.
Note: The nCipher HSM guide is accessible only through registration on the nCipher Support page. To register, send an email to support@ncipher.com. After registering, you can access the guide by using the following link: https://ncipher.zendesk.com/hc/en-us/articles/360002627898-Security-World-v12-60-documentation - Ensure that the the world and module files are received from the nCipher HSM team.
- Ensure that IBM Security Guardium Key Lifecycle Manager is installed.
B. Configuring nCipher Security World Client (nCipher HSM client)
Complete the following steps on the system on which IBM Security Guardium Key Lifecycle Manager is installed:
1. Log in as root user.
2. Install nCipher Security World Client. For instructions, see the nCipher HSM guide.
3. Copy the world and module files to the kmdata/local directory.
Default location of the directory:
4. Enroll the client to the remote HSM server:
nethsmenroll --port [Assigned HSM Port] [Assigned HSM IP Address]
5. Test the connectivity to the remote HSM by using either or both these diagnostic commands:
Diagnostic command |
Description |
Sample response |
enquiry |
Confirms that the module is connected and provide a list of available nShield features. |
serial number DB13-03E0-D947 mode operational … … |
nfkminfo |
Displays information about the Security World. |
Server: … … |
6. (Optional) Test benchmarking and verify the consistency of Security World by using either or both these commands:
Command |
Description |
perfcheck -m1 signing:287 |
Performs a test of the module. |
nfkmcheck |
Checks the consistency of the Security World data. |
7. Create a SoftToken.
ppmk --new --recoverable ibmsklm
Sample response:
Enter new pass phrase:
Enter new pass phrase again:
New softcard created: HKLTU 38071fa5eebe3ac4176f6d98477e958d4c8d1c6f
If the response "ppmk: World does not support PIN recovery" is received when you run the following command:
ppmk --new --recoverable ibmsklm
Then, use the following command to create a SoftToken:
ppmk --new --non-recoverable ibmsklm
8. To verify that the slot allotted to softToken is in listening mode, use the cklist command.
# ./cklist
Sample response:
Listing contents of slot 0
(token label "loadshared accelerator ")
Public objects only (token has no PIN)
Listing contents of slot 1
(token label "ibmsklm ")
Passphrase:
CKA_CLASS CKO_SECRET_KEY
CKA_TOKEN true
CKA_PRIVATE true
CKA_MODIFIABLE true
CKA_LABEL "tklmcipherkey"
CKA_NFKM_APPNAME "pkcs11"
CKA_NFKM_ID "uc9d434fe8d01807f2a913f6ddda338b170855410e-47463bfb73c34a2d463d479de9c7bbba92088b62"
…
…
9. If the cklist command output shows that the slot is not listening, then add the CKNFAST_LOADSHARING=1 entry in the cknfastrc file.
Sample output of cklist that shows the slot is not listening:
Listing contents of slot 0
(token label "accelerator ")
Public objects only (token has no PIN)
Skipping slot 1 (not present)
Skipping slot 2 (not present)
…
…
Configuration of the nCipher HSM Client is complete.
C. Configuring the IBM Security Guardium Key Lifecycle Manager server
1. Create the ncipher config file (nCipher.cfg).
Default location of the directory:
Windows - C:\Program Files\IBM\WebSphere\Liberty\products\sklm\configLiberty
UNIX - /opt/IBM/WebSphere/Liberty/products/sklm/config
Sample nCipher.cfg file:
-----------
name = TKLM
library=/opt/nfast/toolkits/pkcs11/cknfast.so
# library=C:/nCipher/nfast/cknfast.dll
description= nCipher sample config for TKLM
slotListIndex=1
attributes(*, CKO_SECRET_KEY, *) = {
CKA_ENCRYPT=true
CKA_DECRYPT=true
CKA_SENSITIVE=true
CKA_TOKEN=true
}
attributes(*, CKO_PRIVATE_KEY, *) = {
CKA_SIGN=true
CKA_SENSITIVE=false
# CKA_DERIVE=true
# when using KeyAgreement CKA_DERIVE should
# set to true and CKA_SIGN should set to false
}
attributes(GENERATE, CKO_PUBLIC_KEY, *) = {
CKA_VERIFY=true
}
attributes(GENERATE, CKO_PRIVATE_KEY, CKK_RSA) = {
CKA_DECRYPT=true
CKA_UNWRAP=true
CKA_EXTRACTABLE=true
}
attributes(*, CKO_PUBLIC_KEY, CKK_RSA) = {
CKA_ENCRYPT=true
CKA_WRAP=true
CKA_VERIFY=true
}
attributes(IMPORT, CKO_PRIVATE_KEY, CKK_RSA) = {
CKA_EXTRACTABLE=true
CKA_DECRYPT=true
CKA_UNWRAP=true
CKA_DERIVE=true
}
2. Only for UNIX, change the ownership of the nCipher.cfg file to db user. For example, klmdb42.
chown klmdb42:klmdb42 nCipher.cfg
3. In the nCipher.cfg file, change the library parameter to point to the path of the nCipher library, as follows.
For Windows:
library=C:/nCipher/nfast/cknfast.dll
For UNIX:
library=/opt/nfast/toolkits/pkcs11/cknfast
4. Add the following parameters in the SKLMConfig.properties file:
On a clean IBM Security Guardium Key Lifecycle Manager server without any data, add the following parameters.
pkcs11.config=/opt/IBM/WebSphere/Liberty/products/sklm/config/nCipher.cfg
pkcs11.pin=passphrase
useMasterKeyInHSM=true
On a IBM Security Guardium Key Lifecycle Manager server with pre-created data, add the following parameters.
pkcs11.config=/opt/IBM/WebSphere/Liberty/products/sklm/config/nCipher.cfg
pkcs11.pin=passphrase
Default location of the properties file:
Windows - C:\Program Files\IBM\WebSphere\Liberty\products\sklm\config\
UNIX - /opt/IBM/WebSphere/Liberty/products/sklm/config
Run Master Key REST Service to move the master key from local Java keystore to HSM.
For more information, see: https://www.ibm.com/docs/en/sgklm/4.2?topic=services-master-key-rest-service#ref_ic_rest_master_key
To update the properties file, use the IBM Security Guardium Key Lifecycle Manager REST API or commands.
Sample REST API request:
PUT https://localhost:port/SKLM/rest/v1/configProperties
{" pkcs11.config” : “SKLM_HOME/data/nCipher.cfg”, “pkcs11.pin”: “passphrase"}
Sample commands:
print AdminTask.tklmConfigUpdateEntry(’[-name pkcs11.config -value hsm_config_file]’)
print AdminTask.tklmConfigUpdateEntry(’[-name pkcs11.pin -value passphrase]’)
where, passphrase is the "pass phrase" value that you configured in step #7 of B. Configuring the nCipher HSM client.
Note:
The parameter pkcs11.pin=passphrase automatically changes to pkcs11.pin.obfuscated after you restart IBM Security Guardium Key Lifecycle Manager and perform a key operation.
The IBM Security Guardium Key Lifecycle Manager command-line interface is not available from V4.1.1.0.
5. Restart WebSphere Liberty.
a. Log in as the Db2 user (for example klmdb42).
b. Go to the bin directory under the WebSphere Application Server Liberty home directory.
Windows - drive:\Program Files\IBM\WebSphere\Liberty\bin
Linux - path/IBM/WebSphere/Liberty/bin
c. Restart the server by using the restartLibertyServer script.
Windows
restartLibertyServer.bat C:\Program Files\IBM\WebSphere\Liberty\bin
6. To confirm that nCipher HSM is configured with IBM Security Guardium Key Lifecycle Manager, create a new server certificate.
a. Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface.
b. Click Advanced configuration > Server certificates.
c. Click Add and select Create self-signed certificate.
d. Specify a certificate name and description and retain the other default values.
e. Click Add Certificate.
In the Administer Server Certificates page, the new certificate is displayed.
IBM Security Guardium Key Lifecycle Manager is now configured with nCipher HSM.
For more information about configuring IBM Security Guardium Key Lifecycle Manager with HSM,
see: https://www.ibm.com/support/pages/node/6528284
Additional Information
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
31 January 2024
UID
ibm16259721