www.thalesgroup.com/iss
Version: 1.0
Date: 6 September 2011
nShiNov10
nCipher Modules: Integration Guide for Red Hat Certificate System 8.0 1.0 2
Contents
Chapter 1: Introduction 4
Supported nCipher functionality 5
Requirements 5
Chapter 2: Procedures 6
Installing the HSM 6
Installing the support software and creating the Security World 6
Installing and configuring Red Hat Certificate System 8.0 7
Installing and configuring the Red Hat Directory Server 8.1 8
Installing and configuring the Red Hat Certificate System 8.0 10
Chapter 3: Troubleshooting 16
Addresses 18
Chapter 1: Introduction
Red Hat Certificate System provides a powerful security framework to manage user identities and
ensure privacy of communications. Handling all the major functions of the identity life cycle, Red
Hat Certificate System simplifies enterprise-wide deployment and adoption of a Public Key
Infrastructure.
Red Hat Certificate System works behind the scenes to issue, renew, suspend, revoke, and
manage single and dual key X.509v3 certificates needed to handle strong authentication, single
sign-on, and secure communications. Support for Global Platform permits direct communication
between a registration authority and a smart card for key management tasks such as enrollment
and PIN reset.
This guide explains how to set up and configure a Red Hat Certificate System 8.0 installation with
Thales nCipher Hardware Security Modules (HSMs). The instructions in this document have
been thoroughly tested and provide a straightforward method for integrating the Thales nCipher
HSM with Red Hat Certificate System. There may be other untested ways to achieve
interoperability.
This guide might not cover every step in the process of setting up all software. For more detail
about installing Red Hat Certificate System, see the Red Hat Certificate System documentation
supplied on CD-ROM/DVD-ROM. Some packages require that other packages already be
configured, initialized, and running before they can be installed successfully.
The integration between the HSM and Red Hat Certificate System uses the PKCS #11
cryptographic API. The integration has been successfully tested in the configuration listed under Requirements below.
For more information about OS support, contact your Red Hat sales representative, or Support at
Thales nCipher. For more information about contacting Thales nCipher, see the contact
information in the Addresses section at the end of this guide.
Supported nCipher functionality
Additional documentation produced to support your Thales nCipher product can be found in the
document directory of the CD-ROM or DVD-ROM for that product.
Note Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and netHSM
products. (nShield Solo products were formerly known as nShield.)
Requirements
To integrate the HSM and Red Hat Certificate System, you need the server and client machines
to be set up as follows:

Hardware   Software
Server     Red Hat Enterprise Linux 5.6
           Thales nCipher support software 11.50
           Red Hat Certificate System 8.0
           Red Hat Directory Server 8.1
Client     Windows operating system (tested with Windows Server 2003)
           Firefox 3.15.0 or latest
We also recommend that there be an agreed organizational Certificate Practices Statement and
Security Policy/Procedure in place covering administration of the HSM. In particular, these
documents should specify the following aspects of HSM administration:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and
the policy for managing these cards.
- Whether the application keys are to be protected by Softcard or Operator Card Set (OCS).
- The number and quorum of Operator Cards in the OCS (only 1-of-N is supported), and the
policy for managing these cards.
- Whether the Security World should be compliant with FIPS 140-2 level 3.
For more information, see the User Guide for the HSM.
Chapter 2: Procedures
To integrate Red Hat Certificate System 8.0 with an HSM on a Red Hat Enterprise Linux 5.6
x86_64 operating system:
1 Install the HSM.
2 Install the nShield support software, and then create the Security World.
3 Install and configure Red Hat Directory Server 8.1 and Red Hat Certificate System 8.0.
Installing the support software and creating the Security World
1 Install the latest version of the support software and create a Security World as described in
the User Guide for the HSM.
Note We recommend that you uninstall any existing Thales nCipher software before installing the
new software.
Installing and configuring Red Hat Certificate System 8.0
a Create a file called cknfastrc in the directory where the nShield support software is
installed. The default directory is /opt/nfast, so the file is normally /opt/nfast/cknfastrc.
b For OCS and Softcard protection, add the following environment variables to the file:
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_LOADSHARING=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys
CKNFAST_NO_UNWRAP=1
Note CKNFAST_OVERRIDE_SECURITY_ASSURANCES relaxes one of the security-assurance checks that
the PKCS #11 library normally enforces; make sure the Security Policy agreed for the HSM (see
Requirements) permits this setting.
For more information, see the PKCS #11 library environment variables in the User Guide for the
HSM.
The core of the Certificate System is the Certificate Manager. This is the only required
subsystem, and it handles the actual certificate management tasks. The other subsystems can be
added for extra functionality.
The Certificate Authority (CA) is a subsystem used to manage certificates, keys, and CRLs
through every step of the cycle of a certificate. Before installing the CA, check the requirements
and dependencies for the specific platform, and check which packages are installed. Before
proceeding further, see the Red Hat Certificate System Installation Guide, Install_Guide.pdf.
This section describes how to quickly set up and configure Red Hat Certificate System 8.0 on
the Red Hat Enterprise Linux 5.6 x86_64 platform:
Installing and configuring the Red Hat Directory Server 8.1
2 If the redhat-ds is not installed, download the redhat-ds iso file from the Red Hat Network
channel, and then perform the following steps.
8 To create the yum local repository, edit the yum.conf in /etc as follows:
11 To configure the Red Hat Directory Server, use the following commands:
12 When prompted:
Installing and configuring the Red Hat Certificate System 8.0
3 To create the yum local repository, edit the yum.conf in /etc as follows:
6 To install pki-ca:
Note Interoperating subsystems within Red Hat Certificate System carry out all common PKI
operations, such as:
- Publishing CRLs.
The CA is a subsystem that manages certificates at every stage, from requests through to
enrollment. The CA also publishes certificates and lists of revoked certificates for use by
clients such as OCSP responders or web servers. The CA issues and revokes all certificates,
and is the core of both the PKI and the Certificate System.
preop.configModules.module1.userFriendlyName=Thales nCipher's nFast Token Hardware Module
preop.configModules.module1.commonName=nfast
preop.configModules.module1.imagePath=../img/clearpixel.gif
9 Run the following command in /var/lib/pki-ca/alias/ to add the Thales nCipher module:
Note The output shown above is displayed when OCS protection is used.
11 SELinux policies are created and configured automatically to enable Certificate System
instances to run with SELinux in enforcing or permissive mode. In enforcing mode, any
hardware tokens used by Certificate System instances must also be labelled for SELinux
enforcing mode, otherwise the HSM will not be available during subsystem installation.
Before installing any Certificate System instances, run the following command to reset the
context of files in /dev/nfast to match the newly-installed policy:
Note The output shown above is displayed when OCS protection is used.
nfast:x:106:pkiuser
14 To allow access for the Thales nCipher library, run the following commands:
15 Open https://hostname:9445/ca/admin/console/config/login?pin=xxxxxxxxxxxxxxxxxxxxxxxx. A
similar URL can be found in /var/log/pki-ca-install.log.
16 In the Create a Security Domain panel, enter Red Hat Security as Security Domain Name.
17 In the Sub System Type panel, select Configure this instance as a New CA Subsystem, and then
select Certificate Authority as the Subsystem name.
18 In the PKI Hierarchy panel, select Make this Selfsigned Root CA.
19 In the Internal Database panel, fill in the correct LDAP server information.
20 In the Key Store panel, select Thales nCipher Hardware as the default login.
21 In the Key Pairs panel, select Use the following custom key Size. Select RSA as the key type,
and then enter the key size, for example 1024, 2048, or 4096. For a CA signing key, choose at
least 2048 bits; 1024-bit RSA is no longer considered adequate for a long-lived CA key.
23 In the Requests and Certificates panel, select Apply, and then select Next.
25 Click Next through the remaining panels to import the agent certificate into the browser and
complete the configuration.
26 When configuration is complete, run the following command to restart the subsystem:
Chapter 3: Troubleshooting
nfast:x:106:pkiuser
Problem: The Certificate System CA Error Page appears when trying to open
https://hostname:9443/ca/services.
Cause: The Thales nCipher module is not listed in the modutil list.
Resolution: Go to /var/lib/pki-ca/alias/ and run the following commands:
In the list that appears, the method of key protection is shown, for example Softcard or OCS.
Problem: java.lang.NullPointerException.
Problem: Internet Explorer reports "The error 800704c7 occurred. The credentials could not be
generated" in the administrator panel.
Addresses
Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or + 1 954 888 6200
sales@thalesesec.com
Asia Pacific
Units 4101, 41/F. 248 Queens Road East, Wanchai, Hong Kong, PRC
Tel: + 852 2815 8633
asia.sales@thales-esecurity.com
Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/Support.aspx
Online documentation: http://iss.thalesgroup.com/Resources.aspx
International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx