Este contenido no está disponible en el idioma seleccionado.
6.11. Setting Up Server-side Key Generation
Server-side key generation means that keys are generated by a Key Recovery Authority (KRA), an optional Certificate System subsystem. Generating keys by the KRA is necessary to allow recovery of keys on lost or damaged tokens, or key retrieval in the case of external registration. This section describes how to configure server-side key generation in TMS.
During TPS installation you are asked to specify whether you want to use key archival. If you confirm, setup will perform automatic basic configuration, specifically the following parameters:
- TPS connector parameters for the KRA:
tps.connector.kra1.enable=true tps.connector.kra1.host=host1.EXAMPLE.com tps.connector.kra1.maxHttpConns=15 tps.connector.kra1.minHttpConns=1 tps.connector.kra1.nickName=subsystemCert cert-pki-tomcat tps.connector.kra1.port=8443 tps.connector.kra1.timeout=30 tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
- TPS profile-specific parameters for server-side key generation:
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1 op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
Set theserverKeygen.enable=true
option forserverKeygen.archive
to take effect.Important
The LunaSA HSM does not support a smaller key size than 2048 bits for RSA encryption.For example, to configure a key size of 2048 bits, set the following parameter in the/var/lib/pki/instance_name/tps/conf/CS.cfg
file:op.enroll.userKey.keyGen.encryption.keySize=2048
- TKS configuration:
- The following configures the nickname of the transport certificate used for communication between the TKS and KRA (via TPS):
tks.drm_transport_cert_nickname=transportCert cert-pki-tomcat KRA
The referenced transport certificate must also exist in the TKS instance security module. For example:transportCert cert-pki-tomcat KRA u,u,u
- KRA configuration
- Depending on the PKCS#11 token, parameters
kra.keygen.temporaryPairs
,kra.keygen.sensitivePairs
, andkra.keygen.extractablePairs
can be customized for key generation options. These parameters are all set tofalse
by default.The following values for these parameters have been tested with some of the security modules supported by Red Hat Certificate System:- NSS (when in FIPS mode):
kra.keygen.extractablePairs=true
- nCipher nShield Connect 6000 (works by default without specifying):
- For specifying RSA keys:
kra.keygen.temporaryPairs=true
(Do not specify any other parameters.)For generating ECC keys:kra.keygen.temporaryPairs=true kra.keygen.sensitivePairs=false kra.keygen.extractablePairs=true
- LunaSA CKE - Key Export Model (non-FIPS mode):
kra.keygen.temporaryPairs=true kra.keygen.sensitivePairs=true kra.keygen.extractablePairs=true
Note
Gemalto SafeNet LunaSA only supports PKI private key extraction in its CKE - Key Export model, and only in non-FIPS mode. The LunaSA Cloning model and the CKE model in FIPS mode do not support PKI private key extraction.
Note
When LunaSA CKE – Key Export Model is in FIPS mode, pki private keys cannot be extracted.