National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

The MyProxy CA supports the use of Hardware Security Modules (HSMs) via OpenSSL engines. HSMs protect the CA's private key by performing certificate signing operations on a protected hardware device where the private key resides. MyProxy's engine support is enabled via the certificate_openssl options in the myproxy-server.config file. For example, the command-line:

openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

corresponds to the following myproxy-server.config lines:

certificate_openssl_engine_id "dynamic"
certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

Please note that any shared library engines loaded through the "dynamic" engine must be compiled againt the correct version of OpenSSL. The Globus toolkit has its own installation and can be found by running $GLOBUS_LOCATION/bin/openssl version.

Building MyProxy with a Custom OpenSSL for your HSM

If your HSM requires patches to OpenSSL, you must build MyProxy (and Globus Toolkit libraries) using your patched OpenSSL version. For example:

# export GLOBUS_LOCATION=/usr/local/myproxy-gt5.0.3-openssl-0.9.7l-safenet
# export OPENSSL_LOCATION=/usr/local/openssl-0.9.7l-safenet
# export PATH=$OPENSSL_LOCATION/bin:$PATH
# export OPENSSL_INCLUDES=-I$OPENSSL_LOCATION/include
# export OPENSSL_LDFLAGS=-L$OPENSSL_LOCATION/lib
# export LD_LIBRARY_PATH=$OPENSSL_LOCATION/lib:$LD_LIBRARY_PATH
# mkdir -p $GLOBUS_LOCATION/src
# cd $GLOBUS_LOCATION/src
# wget http://www-unix.globus.org/ftppub/gt5/5.0/5.0.3/installers/src/gt5.0.3-all-source-installer.tar.gz
# tar xfz gt*-all-source-installer.tar.gz
# cd gt*-all-source-installer
# ./configure --prefix=$GLOBUS_LOCATION --with-buildopts="-verbose"
# make gsi-myproxy install > install.log 2>&1 &
# tail -f install.log

Example Configurations

Luna HSM

The following example myproxy-server.config shows a configuration for a Luna HSM:

authorized_retrievers "*"
passphrase_policy_program /usr/local/sbin/myproxy-passphrase-policy
pam "sufficient"
certificate_issuer_cert /usr/local/myproxy/myproxycacert.pem
certificate_issuer_key /usr/local/myproxy/myproxycakey.pem
certificate_serialfile /usr/local/myproxy/serial
certificate_openssl_engine_id "LunaCA3"
certificate_openssl_engine_lockfile /usr/local/myproxy/enginelock
certificate_out_dir /usr/local/myproxy/certificates
certificate_extfile /usr/local/myproxy/extensions
max_cert_lifetime 264
certificate_mapfile /etc/grid-security/grid-mapfile.myproxy
cert_dir /etc/grid-security/certificates

In the above example, the certificate_issuer_key value is the path to the file created by sautil when the private key is created in the Luna HSM, and the certificate_issuer_cert value is the path to the CA certificate created using openssl. For example:

# sautil -o -s 1 -i 1:1 -g 2048 -4 -f /usr/local/myproxy/myproxycakey.pem -c -p hsm-password
# openssl req -engine LunaCA3 -config /usr/local/myproxy/openssl.cnf \
  -new -x509 -sha1 -days 3652 -key /usr/local/myproxy/myproxycakey.pem \
  -set_serial 0 -out /usr/local/myproxy/myproxycacert.pem
# HASH=`openssl x509 -noout -hash -in /usr/local/myproxy/myproxycacert.pem`
# ln -s /usr/local/myproxy/myproxycacert.pem /usr/local/myproxy/$HASH.0

Additional Info

MyProxy's HSM support has been tested with:

  • Aladdin eToken
  • SafeNet Luna PCI

If you use MyProxy with an HSM, please report your experiences on the myproxy-users mailing list.

MyProxy's HSM support was contributed by David Spence from the UK National Grid Service.

Last modified 05/19/11.
©2000-2016 Board of Trustees of the University of Illinois.