Add configuration for keys stored in HSM

This document is written for PhenixID Server.

The reader should have some basic knowledge about PhenixID Server.

This document describes how to configure the system to read keys stored in a Hardware Security Module (HSM).

Overview

Keys stored in a Hardware Security Module can be used for all server-side signing operations. This includes:

- Signing SAML Assertions and SAML Responses

- Signing client certificates for OneTouch

- Signing PDF files


Please make sure to have a backup copy of the configuration before adding the new settings.

Prerequisites

- HSM installed. The HSM must expose a PKCS#11 interface.

- Keys stored in the HSM. The alias of the key to use (certificateAlias) must be known.

- The path to the HSM provider configuration file must be known.

- The HSM password must be known.

Change crypto module mode

Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Modules".

Find the crypto module. Add the config parameters crypto_mode, hsmprovider and hsm_password. Change hsmprovider and hsm_password to suit your environment.

	{
		"name": "com.phenixidentity~phenix-crypto",
		"singleton": "true",
		"config": {
			"crypto_mode": "hsm",
			"hsmprovider": "/opt/hsm/softhsm.conf",
			"hsm_password": "xxxx"
		},
		"enabled": "true",
		"created": "2017-04-05T14:19:26.709Z",
		"id": "27b26f37-a139-46d9-a770-cdbe04d4bb17"
	}

When done, press Stage changes/Commit changes.

Referring to key store in HSM

Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Keystores".

Add a new keystore object that points to the HSM key.

	{
		"id": "myHsmKey",
		"certificateAlias": "0"
	}

When done, press Stage changes/Commit changes.

Referrals to the keystore object

Make sure your configuration points to the newly created keystore. Below is an example of a SAML Identity Provider object that refers to it:

	{
		"id": "87697ae0-bbf4-402d-8e4f-fcf60d43717a",
		"name": "SAML IDP",
		"keystore": "myHsmKey",
		"entityID": "https://myserver.phenixid.se/saml/idp/authn1",
		"requireSigned": "true",
		"postSSOURL": "https://myserver.phenixid.se/saml/authenticate/authn1",
		"created": "2017-04-06T06:35:35.955Z"
	}
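The three objects above only work together when the crypto module is in HSM mode, the keystore object exists, and every signing component refers to that keystore id. The following check, an added example and not part of PhenixID Server or its documentation, verifies that chain over the configuration objects before you commit them; the sample objects are constructed from the values on this page and the placeholder-password list is an assumption.

```python
import json

# Constructed sample mirroring the crypto module object from this page.
# The hsm_password is still the page's placeholder and is flagged below.
CRYPTO_MODULE = json.loads("""{
  "name": "com.phenixidentity~phenix-crypto",
  "singleton": "true",
  "config": {
    "crypto_mode": "hsm",
    "hsmprovider": "/opt/hsm/softhsm.conf",
    "hsm_password": "xxxx"
  },
  "enabled": "true"
}""")

# Constructed keystore object and SAML IdP object, as on this page.
KEYSTORES = [{"id": "myHsmKey", "certificateAlias": "0"}]
SAML_IDP = {"id": "idp-1", "name": "SAML IDP", "keystore": "myHsmKey",
            "entityID": "https://myserver.phenixid.se/saml/idp/authn1"}

# Assumed list of values that indicate the password was never changed.
PLACEHOLDER_PASSWORDS = {"", "xxxx", "changeme"}


def check_hsm_config(crypto_module, keystores, referrers):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    cfg = crypto_module.get("config", {})
    if crypto_module.get("enabled") != "true":
        findings.append("crypto module is not enabled")
    if cfg.get("crypto_mode") != "hsm":
        findings.append(f"crypto_mode is {cfg.get('crypto_mode')!r}, expected 'hsm'")
    if not cfg.get("hsmprovider", "").startswith("/"):
        findings.append("hsmprovider is not an absolute path")
    if cfg.get("hsm_password") in PLACEHOLDER_PASSWORDS:
        findings.append("hsm_password is empty or still a placeholder")
    ids = [ks.get("id") for ks in keystores]
    dup = {i for i in ids if ids.count(i) > 1}
    if dup:
        findings.append(f"duplicate keystore ids: {sorted(dup)}")
    for ks in keystores:
        if not ks.get("certificateAlias"):
            findings.append(f"keystore {ks.get('id')!r} has no certificateAlias")
    # Every signing component (SAML IdP, OneTouch, PDF signer) must name a real keystore.
    for obj in referrers:
        ref = obj.get("keystore")
        if ref not in ids:
            findings.append(f"{obj.get('name', obj.get('id'))!r} refers to unknown keystore {ref!r}")
    return findings
```

Run it over the exported module, keystore and component objects after staging; any non-empty result is something to fix before committing.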