Keystores Tab

The Keystores page enables a CORE partition SO (Security Officer, the UKC partition administrator role) to manage the agents of its external keystores. The supported keystores are:

Cloud keystore     SDK name            SDK version   CORE specification
AWS KMS            aws-java-sdk-kms    1.11.682      AWS KMS
Azure Key Vault    azure-keyvault      1.2.4         Azure Key Vault
GCP KMS            google-cloud-kms    1.43.0        Google Cloud KMS

On-premises HSM vendor   HSM model             HSM client version   CORE specification
Thales                   Safenet Luna          7.4                  HSM - Luna
Entrust (nCipher)        nShield Connect HSM   12.71.0              HSM - nCipher

Note
Unless explicitly noted, the term keystore or external keystore in this section refers to a cloud keystore or an on-premises HSM (Hardware Security Module: a physical device that safeguards and manages digital keys and performs cryptographic processing).

To enter this page, click Partition SO ˃ Keystores tab. The page presents:

Table of Keystores

This table enables monitoring and managing the keystore agents. Each row in the table presents the following attributes of a keystore agent:

  • Name.
  • Description.
  • Status:
    • UNREGISTERED - the agent is pending further registration steps.
    • STOPPED - the agent is out of service.
    • RUNNING - the agent is ready to carry requests to its keystore.
  • [] - the command menu; see Commands.

New Keystore

This command creates a keystore agent. For a cloud keystore, this is the only required step. For an HSM, this step must be followed by deployment and registration of the HSM Connect service; see Register HSM Connect Agent.

Partition SO ˃ Keystores ˃ Create
→ The New Keystore dialog appears.

A new keystore is created. Its status is one of the values listed under Table of Keystores above (UNREGISTERED, STOPPED or RUNNING).

Commands

Partition SO ˃ Keystores ˃ select keystore ˃ []

→ The list of commands appears.

Ping

CORE periodically checks the responsiveness of the keystores referenced by its partitions and updates their status (STOPPED or RUNNING).

In addition, a partition SO may trigger this test manually by clicking the PING command. How the PING command is realized is keystore specific:

Show Error

Use this command to inspect the last error that occurred during the periodic or manual PING.

Edit

The Edit command allows changing the following attributes of the keystore's agent in CORE:

  • Description
  • SyncPolicy
  • Credentials
    • Access key ID
    • Secret key value
  • Parameter(s). Because changing the parameters effectively means switching to a different keystore, first unlink (or delete) all CORE UIDs that refer to keys in the specified keystore.

Delete

To delete the keystore's agent, first unlink (or delete) all CORE UIDs that refer to the specified keystore.

Register HSM Connect Agent

CORE's HSM agent ("HSM Connect") runs as a service on a remote host and communicates with CORE over a secure TLS (Transport Layer Security) connection. Once the agent has been created, the next step is to prepare for its registration with CORE. This preparation consists of two steps; their result is summarized in Key Takeaways.

Step 1 - Register and Obtain Agent's P12 File

In this step we:

Partition SO ˃ Keystores ˃ Register
→ The registration dialog appears.

→ The <keystore name>_ks_client.p12 (PFX/PKCS#12) file is downloaded to your default download folder.

Step 2 - Prepare CORE Root CA in JKS File

For maximum security, CORE and the HSM Connect agent perform mutual authentication. To validate the identity of EP, the HSM Connect agent needs:

To obtain the CORE Root CA certificate in a JKS (Java KeyStore) file, you need the following software:

Perform the following steps:

  1. Obtain the Root CA certificate in PEM encoding (Base64-encoded DER wrapped in "-----BEGIN <type>-----" and "-----END <type>-----" lines):

     ucl root_ca -o ./root_ca.pem

  2. Create a JKS file (root_ca.jks) and import the certificate into it:

     keytool -importcert -file ./root_ca.pem -keystore root_ca.jks -storepass 123456
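Between the two steps above it is worth confirming that root_ca.pem is what the HSM Connect agent should trust: a single, well-formed CERTIFICATE block and nothing else (no private key, no accidental chain). The following is an added example written for this page, not code from CORE, ucl or keytool; it uses only the Python standard library and checks PEM framing, Base64 and the outer DER SEQUENCE length. It does not validate the certificate's signature or fields. The sample PEM at the bottom is constructed (a minimal DER SEQUENCE, not a real certificate) so the script runs offline; point `check_root_ca_pem` at the real file contents in practice.

```python
"""Structural pre-import check for a Root CA PEM file (added example, not CORE code)."""
import base64
import binascii
import re

# Assumption: a PEM block is "-----BEGIN <type>-----", Base64 lines, "-----END <type>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def _der_length(der: bytes) -> int:
    """Total encoded length of the first DER TLV in `der`, or -1 if the header is malformed."""
    if len(der) < 2:
        return -1
    first = der[1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the content length, big-endian
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_blocks(text: str) -> list:
    """Parse every PEM block in `text`; each result is (type, der_bytes, problems)."""
    out = []
    for m in _PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        problems = []
        if begin != end:
            problems.append(f"BEGIN/END label mismatch: {begin} vs {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = b""
            problems.append("body is not valid base64")
        if der:
            if der[0] != 0x30:  # an X.509 Certificate is a DER SEQUENCE
                problems.append("DER does not start with a SEQUENCE tag")
            elif _der_length(der) != len(der):
                problems.append("DER length does not match decoded size")
        out.append((begin, der, problems))
    return out


def check_root_ca_pem(text: str) -> list:
    """Return a list of problems; an empty list means the file is safe to hand to keytool."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM block found"]
    problems = []
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    for kind, _der, probs in blocks:
        if kind != "CERTIFICATE":
            problems.append(f"unexpected block type {kind!r}")
        problems.extend(probs)
    return problems


def _wrap(kind: str, der: bytes) -> str:
    """Wrap DER bytes as a PEM block of the given type (used only to build samples)."""
    return f"-----BEGIN {kind}-----\n{base64.encodebytes(der).decode()}-----END {kind}-----\n"


# Constructed samples: a minimal DER SEQUENCE (INTEGER 5 inside), NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = _wrap("CERTIFICATE", SAMPLE_DER)              # well-formed single cert block
TRUNCATED_PEM = _wrap("CERTIFICATE", SAMPLE_DER[:-1])      # body cut short mid-transfer
KEY_PEM = _wrap("PRIVATE KEY", SAMPLE_DER)                 # a key where a CA cert was expected

if __name__ == "__main__":
    for label, pem in (("sample", SAMPLE_PEM), ("truncated", TRUNCATED_PEM),
                       ("chain", SAMPLE_PEM + SAMPLE_PEM), ("key", KEY_PEM)):
        print(f"{label}: {check_root_ca_pem(pem) or 'ok'}")
```

Run it as `python3 check_root_ca.py` after replacing the constructed sample with `open("root_ca.pem").read()`; a non-empty result means stop and re-run `ucl root_ca` rather than importing a wrong or partial file into root_ca.jks.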

Key Takeaways

We created or announced the following:

We will use these items to configure the HSM Connect agent.