
6.11. Setting Up Server-side Key Generation


Server-side key generation means that keys are generated by a Key Recovery Authority (KRA), an optional Certificate System subsystem. The KRA must generate the keys to allow recovery of keys on lost or damaged tokens, or key retrieval in the case of external registration. This section describes how to configure server-side key generation in TMS.
During TPS installation you are asked to specify whether you want to use key archival. If you confirm, setup will perform automatic basic configuration, specifically the following parameters:
TPS connector parameters for the KRA:
tps.connector.kra1.enable=true
tps.connector.kra1.host=host1.EXAMPLE.com
tps.connector.kra1.maxHttpConns=15
tps.connector.kra1.minHttpConns=1
tps.connector.kra1.nickName=subsystemCert cert-pki-tomcat
tps.connector.kra1.port=8443
tps.connector.kra1.timeout=30
tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
TPS profile-specific parameters for server-side key generation:
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
The serverKeygen.archive option takes effect only when serverKeygen.enable=true is also set.

Important

The LunaSA HSM does not support a smaller key size than 2048 bits for RSA encryption.
For example, to configure a key size of 2048 bits, set the following parameter in the /var/lib/pki/instance_name/tps/conf/CS.cfg file:
op.enroll.userKey.keyGen.encryption.keySize=2048
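A consistency check for the TPS parameters above, added here as an example and not part of the Red Hat documentation or Certificate System itself: it parses CS.cfg-style text and reports the dependencies this section describes (serverKeygen.archive needing serverKeygen.enable, drm.conn pointing at an enabled connector with both URIs set, and the 2048-bit minimum). The function names, the sample configuration, and treating an absent parameter as false are assumptions of the example.

```python
import re

# Constructed sample of a TPS CS.cfg (not from a real deployment). Two faults
# are deliberate: archive=true while enable=false, and a 1024-bit key size.
SAMPLE_CFG = """\
tps.connector.kra1.enable=true
tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=false
op.enroll.userKey.keyGen.encryption.keySize=1024
"""
PREFIX = re.compile(r"^(op\.enroll\.[^.]+\.keyGen\.encryption)\.")

def parse_cfg(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def is_true(cfg, key):
    # Assumption: a parameter that is absent counts as false.
    return cfg.get(key, "false").lower() == "true"

def check_server_keygen(cfg, min_rsa_bits=2048):
    """Return findings for each op.enroll.<profile>.keyGen.encryption block."""
    findings = []
    for p in sorted({m.group(1) for k in cfg if (m := PREFIX.match(k))}):
        enabled = is_true(cfg, p + ".serverKeygen.enable")
        if is_true(cfg, p + ".serverKeygen.archive") and not enabled:
            findings.append(f"{p}: serverKeygen.archive needs serverKeygen.enable=true")
        if enabled:
            base = "tps.connector." + cfg.get(p + ".serverKeygen.drm.conn", "")
            if not is_true(cfg, base + ".enable"):
                findings.append(f"{p}: {base} is missing or not enabled")
            else:
                for uri in ("GenerateKeyPair", "TokenKeyRecovery"):
                    if not cfg.get(f"{base}.uri.{uri}"):
                        findings.append(f"{p}: {base}.uri.{uri} is not set")
        size = cfg.get(p + ".keySize")  # 2048 default mirrors the LunaSA limit above
        if size is not None and (not size.isdigit() or int(size) < min_rsa_bits):
            findings.append(f"{p}: keySize={size} is below {min_rsa_bits} bits")
    return findings

if __name__ == "__main__":
    for finding in check_server_keygen(parse_cfg(SAMPLE_CFG)):
        print(finding)
```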
TKS configuration:
The following configures the nickname of the transport certificate used for communication between the TKS and KRA (via TPS):
tks.drm_transport_cert_nickname=transportCert cert-pki-tomcat KRA
The referenced transport certificate must also exist in the TKS instance security module. For example:
transportCert cert-pki-tomcat KRA                            u,u,u
KRA configuration:
Depending on the PKCS#11 token, parameters kra.keygen.temporaryPairs, kra.keygen.sensitivePairs, and kra.keygen.extractablePairs can be customized for key generation options. These parameters are all set to false by default.
The following values for these parameters have been tested with some of the security modules supported by Red Hat Certificate System:
NSS (when in FIPS mode):
kra.keygen.extractablePairs=true
nCipher nShield Connect 6000 (works by default without specifying):
For specifying RSA keys:
kra.keygen.temporaryPairs=true
(Do not specify any other parameters.)
For generating ECC keys:
kra.keygen.temporaryPairs=true
kra.keygen.sensitivePairs=false
kra.keygen.extractablePairs=true
LunaSA CKE - Key Export Model (non-FIPS mode):
kra.keygen.temporaryPairs=true
kra.keygen.sensitivePairs=true
kra.keygen.extractablePairs=true

Note

Gemalto SafeNet LunaSA only supports PKI private key extraction in its CKE - Key Export model, and only in non-FIPS mode. The LunaSA Cloning model and the CKE model in FIPS mode do not support PKI private key extraction.

Note

When the LunaSA CKE - Key Export Model is in FIPS mode, PKI private keys cannot be extracted.
© 2024 Red Hat, Inc.