Keystores Tab

The Keystores page enables a CORE partition SOSecurity officer - UKC partition administrator role. to manage agents of its external keystores. The supported keystores are:

Cloud keystore	SDK name	SDK version	CORE specification
AWS KMSKey Management System	aws-java-sdk-kms	1.11.682	AWS KMS
Azure Key Vault	azure-keyvault	1.2.4	Azure Key Vault
GCP KMSKey Management System	google-cloud-kms	1.43.0	Google Cloud KMS

On-premises HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing vendor	HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing model	HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing client version	CORE specification
Thales	Safenet Luna	7.4	HSM - Luna

Unless explicitly noted, the term keystore or external keystore in this section refers to a cloud keystore or on-premises HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

To enter this page, click Partition SOSecurity officer - UKC partition administrator role. ˃ Keystores tab. The page presents:

• Table of keystores. See Table of Keystores.
• Create button. See New Keystore.

Note
Despite the name, this function creates only an agent to the existing cloud or HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing keystore.

Table of Keystores

This table enables monitoring and managing agents of keystores. Each row in the table presents the following attributes of a keystore agent:

• Name.
• Description.
• Status:
  • UNREGISTERED - the agent is pending further registration steps.
  • STOPPED - the agent is out of service.
  • RUNNING - the agent is ready to carry requests to its keystore.
• [] - see Commands

New Keystore

It allows creation of a keystore agent. In a case of a cloud keystore, it is the only required step. In a case of HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing, this step must be followed by deployment and registration of the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect service; see Register HSM Connect Agent.

Partition SOSecurity officer - UKC partition administrator role. ˃ Keystores ˃ Create
→ The New Keystore dialog appears.

• Name - mandatory and permanent.
• Description - optional, can be modified later.
• Deploy as an external service - check box.

  This setting is applicable and mandatory for HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing keystores only.It indicates that the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing agent is resides on a remote host. For example, a device located within the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing owner's perimeter. Such agent requires separate deployment and activation steps. See Register HSM Connect Agent and Keystore Service Deployment Options.

• Sync Policy - specifies how key material changes in the keystore are propagated to the partition. Provides the following options:
  • None - do not sync the changes. It is the default setting.
  • Apply to keys that are already present in the partition.
  • Apply to all keys in the keystore, including keys that were added to the keystore.

  See Keystore Sync Service.

• Credentials:
  • Access key ID - the Secret key owner's ID. Its requirement depends on the keystore:
    • AWS - required
    • Azure - required
    • GCP - not required
    • Luna HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing - not required
  • Secret key - mandatory.

  To obtain credentials for your keystore see the corresponding section in AWS KMS, Azure Key Vault, Google Cloud KMS, or HSM - Luna specification.

• Add parameters button. Required to identify the cloud keystore (in conjunction with the info provided in the Credentials).

Notes
1. A keystore parameter names and values depend on the keystore provider. See below.
2. HSMs are identify during their Registration.

To add the parameters, click Add parameters.

→ The Parameter-name and its Value dialog appears.

• Enter Name and the corresponding Value and click √.

Parameter-name	Value

Cloud keystore parameter names and values are case-sensitive. They depend on the keystore provider as follows:

• AWS KMSKey Management System

Parameter-name	Value	Example of value
REGION	Name of the region	US_WEST_2

• Azure Key Vault

Parameter-name	Value	Example of value
URL	URL of the key vault	https://hello-world.vault.azure.net/

• GCP KMSKey Management System

Parameter-name	Value	Example of value
location	Name of the region	us-east1
keyring_id	Name of the keyring	my-keyring

• Safenet Luna HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing

  Not applicable.

To modify a name-value pair, click the edit icon next to it.
To delete a name-value pair, click the trash bin icon next to it.
To add the next Name-Value pair, click the Add parameter button.


• Click Create keystore

A new keystore is created. The status of the keystore shows one of the following:

• Cloud keystore:
  • RUNNING - the created agent is ready to service requests to the keystore
  • STOPPED - an issue prevents to establish the above. Click Show Error.
• HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing
  • UNREGISTERED - the registration procedure is required to establish connectivity and authorization to use the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. See Register HSM Connect Agent.

Commands

Partition SOSecurity officer - UKC partition administrator role. ˃ Keystores ˃ select keystore ˃ []

→ The list of commands appears.

• Ping
• Show Error
• Edit
• Delete

• Register HSM Connect Agent

Ping

CORE periodically checks responsiveness of the keystores referred from its partitions and updates their status [STOPPED, RUNNING].

In addition, a partition SOSecurity officer - UKC partition administrator role. may manually trigger this test by clicking PING command. The realization of the PING command is keystore specific:

• AWS - Send request to generate a random number.
• Azure - Send key list request.
• GCP - Send Get key-ring request.
• Luna HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing - Open a session, login, close the session.

Show Error

Use this command to inspect the last error that occurred during the periodic or manual PING.

Edit

The Edit command allows changing the following attributes of the keystore's agent in CORE .

• Description
• SyncPolicy
• Credentials
  
  • Access key ID
  • Secret key value
• Parameter(s). However, since changing parameters really indicates changing the keystore, to change the parameters, unlink (or delete) all CORE UIDs that refer to keys in the specified keystore.

Delete

To delete the keystore's agent, unlink (or delete) all CORE UIDs that refer to the specified keystore.

Register HSM Connect Agent

CORE 's HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing agent ("HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect") runs as a service on a remote host and communicates with CORE using a secure TLSTransport Layer Security - a cryptographic protocol that provides communications security over a computer network connection. Once the agent has been created, the next step is preparation for its registration with CORE. It includes two steps. The result of these two steps is summarized in Key Takeaways.

Step 1 - Register and Obtain Agent's P12 File

In this step we:

• Register the agent's URL in CORE.
• Generate a private key and CORE-signed certificate designated for use by the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent. Both items are contained in P12 (.PFXAn archive file format for storing cryptography objects using Base64 encoding) file.

Partition SOSecurity officer - UKC partition administrator role. ˃ Keystores ˃ Register
→ The registration dialog appears.

• Keystore service URL - mandatory and permanent. URL of the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent.

For example, https://192.168.0.15:8888

• PFXAn archive file format for storing cryptography objects using Base64 encoding password - the created P12 (PFXAn archive file format for storing cryptography objects using Base64 encoding) file contains the key material and certificate to be used by HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent. The file name is derived from the keystore and partition name - see below.
• Certificate SANSubject Alternative Names - Certificate field with a list of IP addresses. - IP or/and DNS name of the device that hosts the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent.This data is required by EP to validate the origin of the certificate's presenter.

For example, 192.168.0.15

• Click Register

→ The <keystore name>_ks_client.p12 (PFXAn archive file format for storing cryptography objects using Base64 encoding) file is downloaded to your default download folder.

Step 2 - Prepare CORE Root CA in JKS File

For the maximum security, the CORE and the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect perform mutual authentication. To validate the identity of EP, the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent needs:

• A certificate that can validate signature in the EP certificate.
• The required certificate must be stored in the Java Keystore (JKSA Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.) file to be consumed by the agent's Tomcat server.

To obtain the CORE Root CA certificate in JKSA Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption. file, you need the following software:

• The CORE UCLUnbound Command Language to obtain the Root CA certificate.
• The Java Keytool to store the obtained certificate in JKSA Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption. file.

Perform the following steps:

1. Obtain Root CA certificate in PEMBase64 encoded DER wrapped by "--- BEGIN <type> ---" and "--- END <type> ----" encoding:

ucl root_ca -o ./root_ca.pem

2. Create a JKSA Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption. file (root_ca.jks) and import to it the certificate:

keytool -importcert -file ./root_ca.pem -keystore root_ca.jks -storepass 123456

Key Takeaways

We created / announced the following

• <keystore name>_ks_client.p12 and its password. Let's assume that it is Password1!.
• root_ca.jks and its password 123456.
• The HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent shall be receiving CORE requests at https://192.168.0.15:8888.

We will use these items to configure the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing Connect agent.