The MyProxy CA supports the use of Hardware Security Modules (HSMs) via OpenSSL engines. An HSM protects the CA's private key by performing certificate signing operations on a protected hardware device on which the private key resides, so the key never has to exist as a file that the myproxy-server process (or anyone who compromises the host) can read. MyProxy's engine support is enabled via the certificate_openssl_engine_* options in the myproxy-server.config file. For example, the command line

# openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

corresponds to the following myproxy-server.config lines:

certificate_openssl_engine_id "dynamic"
certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pkcs11.so"

Please note that any shared-library engine loaded through the "dynamic" engine must be compiled against the same version of OpenSSL that MyProxy is linked against; an engine built against a different libcrypto normally fails at load time. The Globus Toolkit has its own OpenSSL installation, and its version can be found by running $GLOBUS_LOCATION/bin/openssl version.

Building MyProxy with a Custom OpenSSL for your HSM

If your HSM requires patches to OpenSSL, you must build MyProxy (and the Globus Toolkit libraries it depends on) using your patched OpenSSL version.
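The script below is an added example, not part of MyProxy or the Globus Toolkit. It reads the certificate_openssl_engine_id and certificate_openssl_engine_pre lines from a myproxy-server.config, prints the equivalent `openssl engine` arguments, and can run that command with the OpenSSL under $GLOBUS_LOCATION, so the engine is exercised by the same OpenSSL build that myproxy-server will load it into. The function names, the use of ldd to show which libcrypto the engine shared object was linked against, and the embedded sample configuration are this example's own assumptions; the sample configuration is constructed from the pkcs11 example above.

```shell
#!/bin/sh
# engine_check.sh -- added example; not part of MyProxy or the Globus Toolkit.
# Derives an "openssl engine" smoke test from the certificate_openssl_engine_*
# lines of a myproxy-server.config, so a "dynamic" engine can be checked with
# the OpenSSL that MyProxy actually links ($GLOBUS_LOCATION/bin/openssl).

# Print the engine id followed by one "-pre CMD" pair per quoted _pre value.
# Quoted _pre values must not contain spaces (they never do in practice).
engine_args_from_config() {
    cfg="$1"
    id=$(sed -n 's/^[[:space:]]*certificate_openssl_engine_id[[:space:]]*"\{0,1\}\([^" ]*\)"\{0,1\}.*$/\1/p' "$cfg" | head -n 1)
    if [ -z "$id" ]; then
        echo "no certificate_openssl_engine_id in $cfg" >&2
        return 1
    fi
    # strip the keyword, turn every "TOKEN" into "-pre TOKEN", normalise blanks
    pre=$(sed -n 's/^[[:space:]]*certificate_openssl_engine_pre//p' "$cfg" | head -n 1 \
          | sed 's/"\([^"]*\)"/-pre \1/g' | tr -s '[:blank:]' ' ' | sed 's/^ //; s/ $//')
    if [ -n "$pre" ]; then
        printf '%s %s\n' "$id" "$pre"
    else
        printf '%s\n' "$id"
    fi
}

# Show which libcrypto the engine .so resolves to and which OpenSSL Globus
# provides. A mismatch here is the usual cause of "dynamic" engine failures.
report_openssl_versions() {
    so_path=$(engine_args_from_config "$1" | sed -n 's/.*-pre SO_PATH:\([^ ]*\).*/\1/p')
    if [ -n "$so_path" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$so_path" 2>/dev/null | grep libcrypto \
            || echo "libcrypto not resolved for $so_path" >&2
    fi
    "${GLOBUS_LOCATION:-/usr}/bin/openssl" version
}

# Load the engine with the Globus OpenSSL; -t makes openssl report whether the
# engine is actually available, not merely listed. Exit status is openssl's.
check_engine() {
    args=$(engine_args_from_config "$1") || return 1
    # word-splitting of $args into separate arguments is intended here
    "${GLOBUS_LOCATION:-/usr}/bin/openssl" engine -t $args
}

# Constructed sample configuration (the pkcs11 example from the documentation),
# written to a temporary file whose path is printed. Assumption for the demo.
sample_config() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# excerpt of a myproxy-server.config
certificate_openssl_engine_id "dynamic"
certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pkcs11.so"
EOF
    echo "$f"
}

# Usage: engine_check.sh /etc/myproxy-server.config
# With no argument, prints the openssl arguments derived from the sample config.
if [ -n "${1:-}" ]; then
    report_openssl_versions "$1"
    check_engine "$1"
elif [ -z "${ENGINE_CHECK_NO_DEMO:-}" ] && [ "$0" = "engine_check.sh" ]; then
    cfg=$(sample_config)
    engine_args_from_config "$cfg"
    rm -f "$cfg"
fi
```

Run it with the path of the real myproxy-server.config after setting GLOBUS_LOCATION; the version line printed by report_openssl_versions should agree with the libcrypto that ldd reports for the engine's SO_PATH, and `openssl engine -t` should print the engine as available. Run with no argument it only prints the derived arguments for the embedded sample, without touching any HSM.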
For example:

# export GLOBUS_LOCATION=/usr/local/myproxy-gt5.0.3-openssl-0.9.7l-safenet
# export OPENSSL_LOCATION=/usr/local/openssl-0.9.7l-safenet
# export PATH=$OPENSSL_LOCATION/bin:$PATH
# export OPENSSL_INCLUDES=-I$OPENSSL_LOCATION/include
# export OPENSSL_LDFLAGS=-L$OPENSSL_LOCATION/lib
# export LD_LIBRARY_PATH=$OPENSSL_LOCATION/lib:$LD_LIBRARY_PATH
# mkdir -p $GLOBUS_LOCATION/src
# cd $GLOBUS_LOCATION/src
# wget http://www-unix.globus.org/ftppub/gt5/5.0/5.0.3/installers/src/gt5.0.3-all-source-installer.tar.gz
# tar xfz gt*-all-source-installer.tar.gz
# cd gt*-all-source-installer
# ./configure --prefix=$GLOBUS_LOCATION --with-buildopts="-verbose"
# make gsi-myproxy install > install.log 2>&1 &
# tail -f install.log

Once the build finishes, confirm that $GLOBUS_LOCATION/bin/openssl version reports the patched OpenSSL before configuring the engine; if it reports another version, the Globus build picked up a different OpenSSL and the engine will not load.

Example Configurations

Luna HSM

The following example myproxy-server.config shows a configuration for a Luna HSM:

authorized_retrievers "*"
passphrase_policy_program /usr/local/sbin/myproxy-passphrase-policy
pam "sufficient"
certificate_issuer_cert /usr/local/myproxy/myproxycacert.pem
certificate_issuer_key /usr/local/myproxy/myproxycakey.pem
certificate_serialfile /usr/local/myproxy/serial
certificate_openssl_engine_id "LunaCA3"
certificate_openssl_engine_lockfile /usr/local/myproxy/enginelock
certificate_out_dir /usr/local/myproxy/certificates
certificate_extfile /usr/local/myproxy/extensions
max_cert_lifetime 264
certificate_mapfile /etc/grid-security/grid-mapfile.myproxy
cert_dir /etc/grid-security/certificates

In the above example, the certificate_issuer_key value is the path to the file created by sautil when the private key is generated inside the Luna HSM (the key material itself stays in the HSM), and the certificate_issuer_cert value is the path to the self-signed CA certificate created with openssl using the LunaCA3 engine.
For example:

# sautil -o -s 1 -i 1:1 -g 2048 -4 -f /usr/local/myproxy/myproxycakey.pem -c -p hsm-password
# openssl req -engine LunaCA3 -config /usr/local/myproxy/openssl.cnf \
    -new -x509 -sha1 -days 3652 -key /usr/local/myproxy/myproxycakey.pem \
    -set_serial 0 -out /usr/local/myproxy/myproxycacert.pem
# HASH=`openssl x509 -noout -hash -in /usr/local/myproxy/myproxycacert.pem`
# ln -s /usr/local/myproxy/myproxycacert.pem /usr/local/myproxy/$HASH.0

Two caveats: the HSM password passed with -p is visible to other users in the process list and is recorded in the shell history, so clear the history or supply it another way on shared hosts; and the hash used for the $HASH.0 link must be the one computed by the OpenSSL that clients use, because OpenSSL 1.0.0 changed the subject hash (on a 1.0.0 or later openssl, -subject_hash_old yields the 0.9.x value, and installing both links is harmless). A new CA should also be signed with -sha256 rather than -sha1.

Additional Info

MyProxy's HSM support has been tested with:
If you use MyProxy with an HSM, please report your experiences on the myproxy-users mailing list. MyProxy's HSM support was contributed by David Spence from the UK National Grid Service.
Last modified 05/19/11.