Keystores Tab
The Keystores page enables a CORE partition SO (Security Officer, the UKC partition administrator role) to manage the agents of its external keystores. The supported keystores are:
Cloud keystore | SDK name | SDK version | CORE specification |
---|---|---|---|
AWS KMS | aws-java-sdk-kms | 1.11.682 | AWS KMS |
Azure Key Vault | azure-keyvault | 1.2.4 | Azure Key Vault |
GCP KMS | google-cloud-kms | 1.43.0 | Google Cloud KMS |
Note
Unless explicitly noted, the term keystore or external keystore in this section refers to a cloud keystore or an on-premises HSM (Hardware Security Module, a physical device that safeguards and manages digital keys and provides cryptoprocessing).
To enter this page, click Partition SO ˃ Keystores tab. The page presents:
- Table of keystores. See Table of Keystores.
- Create button. See New Keystore.
Note
Despite the name, this function creates only an agent for an existing cloud or HSM keystore.
Table of Keystores
This table enables monitoring and managing agents of keystores. Each row in the table presents the following attributes of a keystore agent:
- Name.
- Description.
- Status:
- UNREGISTERED - the agent is pending further registration steps.
- STOPPED - the agent is out of service.
- RUNNING - the agent is ready to carry requests to its keystore.
- Commands menu icon - see Commands.
New Keystore
It allows creation of a keystore agent. In the case of a cloud keystore, this is the only required step. In the case of an HSM, this step must be followed by deployment and registration of the HSM Connect service; see Register HSM Connect Agent.
Partition SO ˃ Keystores ˃ Create
→ The New Keystore dialog appears.
- Name - mandatory and permanent.
- Description - optional, can be modified later.
- Deploy as an external service - check box.
This setting is applicable and mandatory for HSM keystores only. It indicates that the HSM agent resides on a remote host, for example, a device located within the HSM owner's perimeter. Such an agent requires separate deployment and activation steps. See Register HSM Connect Agent and Keystore Service Deployment Options.
- Sync Policy - specifies how key material changes in the keystore are propagated to the partition. Provides the following options:
- None - do not sync the changes. It is the default setting.
- Apply to keys that are already present in the partition.
- Apply to all keys in the keystore, including keys that were added to the keystore and are not yet present in the partition.
- Credentials:
- Access key ID - the ID of the Secret key's owner. Whether it is required depends on the keystore:
- AWS - required
- Azure - required
- GCP - not required
- Luna HSM - not required
- nCipher HSM - not required
- Secret key - mandatory.
Note
To obtain credentials for your keystore, see the corresponding section in the AWS KMS, Azure Key Vault, Google Cloud KMS, HSM - Luna, or HSM - nCipher specification.
- Add parameters button. Required to identify the cloud keystore (in conjunction with the information provided in the Credentials). Enter the Name and the corresponding Value and click √. The parameters by keystore type are:
- AWS KMS (Key Management System)
- Azure Key Vault
- GCP KMS (Key Management System)
- Safenet Luna HSM - not applicable.
- Entrust (nCipher) nShield Connect HSM - not applicable.
- Click Create keystore.
Note
1. Keystore parameter names and values depend on the keystore provider. See below.
2. HSMs are identified during their Registration.
To add the parameters, click Add parameters.
→ The Parameter-name and Value dialog appears.
Cloud keystore parameter names and values are case-sensitive. They depend on the keystore provider as follows:
AWS KMS
Parameter-name | Value | Example of value |
---|---|---|
REGION | Name of the region | US_WEST_2 |
Azure Key Vault
Parameter-name | Value | Example of value |
---|---|---|
URL | URL of the key vault | https://hello-world.vault.azure.net/ |
GCP KMS
Parameter-name | Value | Example of value |
---|---|---|
location | Name of the region | us-east1 |
keyring_id | Name of the keyring | my-keyring |
Note
To modify a name-value pair, click the edit icon next to it.
To delete a name-value pair, click the trash bin icon next to it.
To add the next Name-Value pair, click the Add parameter button.
A new keystore is created. The status of the keystore shows one of the following:
- Cloud keystore:
- RUNNING - the created agent is ready to service requests to the keystore.
- STOPPED - an issue prevents the agent from reaching the RUNNING state. Click Show Error.
- HSM:
- UNREGISTERED - the registration procedure is required to establish connectivity and authorization to use the HSM. See Register HSM Connect Agent.
Commands
Partition SO ˃ Keystores ˃ select keystore ˃ commands menu icon
→ The list of commands appears.
Ping
CORE periodically checks the responsiveness of the keystores referenced from its partitions and updates their status [STOPPED, RUNNING].
In addition, a partition SO may manually trigger this test by clicking the PING command. The realization of the PING command is keystore specific:
- AWS - Send a request to generate a random number.
- Azure - Send a key list request.
- GCP - Send a Get key-ring request.
- Luna HSM - Open a session, log in, close the session.
- nCipher HSM - Open a session, log in, close the session.
Show Error
Use this command to inspect the last error that occurred during the periodic or manual PING.
Edit
The Edit command allows changing the following attributes of the keystore's agent in CORE.
- Description
- SyncPolicy
- Credentials
- Access key ID
- Secret key value
- Parameter(s). However, since changing the parameters effectively means changing the keystore, before changing them you must unlink (or delete) all CORE UIDs that refer to keys in the specified keystore.
Delete
Before deleting the keystore's agent, unlink (or delete) all CORE UIDs that refer to the specified keystore.
Register HSM Connect Agent
CORE's HSM agent ("HSM Connect") runs as a service on a remote host and communicates with CORE over a secure TLS (Transport Layer Security) connection.
Once the agent has been created, the next step is to prepare for its registration with CORE. This consists of two steps; their result is summarized in Key Takeaways.
Step 1 - Register and Obtain Agent's P12 File
In this step we:
- Register the agent's URL in CORE.
- Generate a private key and a CORE-signed certificate designated for use by the HSM Connect agent. Both items are contained in a P12 (PFX) file.
Partition SO ˃ Keystores ˃ Register
→ The registration dialog appears.
- Keystore service URL - mandatory and permanent. URL of the HSM Connect agent. For example, https://192.168.0.15:8888
- PFX password - password protecting the created P12 (PFX) file, which contains the key material and certificate to be used by the HSM Connect agent. The file name is derived from the keystore and partition names - see below.
- Certificate SAN (Subject Alternative Name) - IP and/or DNS name of the device that hosts the HSM Connect agent. For example, 192.168.0.15. This data is required by EP to validate the origin of the certificate's presenter.
- Click Register.
→ The <keystore name>_ks_client.p12 (PFX) file is downloaded to your default download folder.
Step 2 - Prepare CORE Root CA in JKS File
For maximum security, CORE and HSM Connect perform mutual authentication. To validate the identity of EP, the HSM Connect agent needs:
- A certificate that can validate the signature in the EP certificate.
- The required certificate must be stored in a Java KeyStore (JKS) file to be consumed by the agent's Tomcat server.
To obtain the CORE Root CA certificate in a JKS file, you need the following software:
- The CORE UCL (Unbound Command Language), to obtain the Root CA certificate.
- The Java Keytool, to store the obtained certificate in the JKS file.
Perform the following steps:
- Obtain the Root CA certificate in PEM encoding (Base64-encoded DER wrapped in "-----BEGIN <type>-----" and "-----END <type>-----" lines):
ucl root_ca -o ./root_ca.pem
- Create a JKS file (root_ca.jks) and import the certificate into it:
keytool -importcert -file ./root_ca.pem -keystore root_ca.jks -storepass 123456
Key Takeaways
We created / announced the following:
- <keystore name>_ks_client.p12 and its password. Let's assume that it is Password1!
- root_ca.jks and its password 123456.
- The HSM Connect agent shall be receiving CORE requests at https://192.168.0.15:8888.
We will use these items to configure the HSM Connect agent.