8.2. Using Hardware Security Modules with Subsystems
The Certificate System supports the nCipher nShield hardware security module (HSM) and Gemalto Safenet LunaSA HSM by default. Certificate System-supported HSMs are automatically added to the secmod.db database with the modutil command during the pre-configuration stage of the installation, if the PKCS #11 library modules are in the specified installation paths.
Important
Certain deployments require their HSM to be set up to use FIPS mode.
8.2.1. Enabling the FIPS Mode on an HSM
To enable FIPS Mode on HSMs, please refer to your HSM vendor's documentation for specific instructions.
Important
- nCipher HSM
- On an nCipher HSM, the FIPS mode can only be enabled when generating the Security World; this cannot be changed afterwards. While there is a variety of ways to generate the Security World, the preferred method is always to use the new-world command. For guidance on how to generate a FIPS-compliant Security World, please follow the nCipher HSM vendor's documentation.
- LunaSA HSM
- Similarly, enabling the FIPS mode on a Luna HSM must be done during the initial configuration, since changing this policy zeroizes the HSM as a security measure. For details, please refer to the Luna HSM vendor's documentation.
8.2.2. Verifying if FIPS Mode is Enabled on an HSM
This section describes how to verify if FIPS mode is enabled for certain HSMs. For other HSMs, see the hardware manufacturer's documentation.
8.2.2.1. Verifying if FIPS Mode is Enabled on an nCipher HSM
Note
Please refer to your HSM vendor's documentation for the complete procedure.

To verify if the FIPS mode is enabled on an nCipher HSM, enter:

# /opt/nfast/bin/nfkminfo

With older versions of the software, if StrictFIPS140 is listed in the state flags, the FIPS mode is enabled. In newer versions, it is better to check the mode line and look for fips1402level3. In all cases, there should also be an hkfips key present in the nfkminfo output.
8.2.2.2. Verifying if FIPS Mode is Enabled on a Luna SA HSM
Note
Please refer to your HSM vendor's documentation for the complete procedure.

To verify if the FIPS mode is enabled on a Luna SA HSM:

- Open the lunash management console.
- Use the hsm show command and verify that the output contains the text The HSM is in FIPS 140-2 approved operation mode.
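The two checks above (the nfkminfo indicators in Section 8.2.2.1 and the hsm show sentence in this section) are easy to get wrong when read by eye from a long status dump, so here is a small POSIX sh helper that applies them to captured output. It is an added example, not a script from the Red Hat Certificate System documentation or from either HSM vendor; the sample outputs embedded in it are constructed to resemble the real command output in shape only, and the key hashes are placeholders.

```shell
#!/bin/sh
# Added example; not part of the Red Hat Certificate System documentation.
# Classifies the captured output of the vendor status commands this section
# names (nfkminfo on nCipher, "hsm show" in lunash on Luna SA) against the
# indicators the section lists. The sample outputs below are constructed to
# resemble the real ones in shape only; they are not real captures.

# nCipher: FIPS mode is indicated by StrictFIPS140 in the state flags (older
# software) or fips1402level3 on the mode line (newer software); in both
# cases an hkfips key should be present in the World section.
ncipher_fips_state() {
    out="$1"
    flag=0
    if printf '%s\n' "$out" | grep -q 'StrictFIPS140'; then
        flag=1
    elif printf '%s\n' "$out" | grep -E '^[[:space:]]*mode' | grep -q 'fips1402level3'; then
        flag=1
    fi
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*hkfips'; then
        hkfips=1
    else
        hkfips=0
    fi
    if [ "$flag" -eq 1 ] && [ "$hkfips" -eq 1 ]; then
        echo enabled
    elif [ "$flag" -eq 1 ]; then
        # FIPS flag present but no hkfips key: treat the world as suspect
        echo inconsistent
    else
        echo disabled
    fi
}

# Luna SA: "hsm show" reports the mode in a fixed sentence.
luna_fips_state() {
    if printf '%s\n' "$1" | grep -q 'The HSM is in FIPS 140-2 approved operation mode'; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample outputs (placeholder hashes, not real key material).
NCIPHER_FIPS_SAMPLE='World
 generation  2
 state       0x37270008 Initialised Usable Recovery PINRecovery StrictFIPS140
 n_modules   1
 hknso       <hash>
 hkm         <hash>
 hkfips      <hash>
 mode        fips1402level3'

NCIPHER_NONFIPS_SAMPLE='World
 generation  2
 state       0x37270008 Initialised Usable Recovery PINRecovery
 n_modules   1
 hknso       <hash>
 hkm         <hash>'

LUNA_SAMPLE='   HSM Label:    example-partition
   The HSM is in FIPS 140-2 approved operation mode.'

# Command-line use:  ./check_hsm_fips.sh ncipher < nfkminfo.out
#                    ./check_hsm_fips.sh luna    < hsm-show.out
if [ "$#" -ge 1 ]; then
    case "$1" in
        ncipher) ncipher_fips_state "$(cat)" ;;
        luna)    luna_fips_state "$(cat)" ;;
        *) echo "usage: $0 ncipher|luna < captured-output" >&2; exit 2 ;;
    esac
else
    echo "nCipher sample (FIPS):     $(ncipher_fips_state "$NCIPHER_FIPS_SAMPLE")"
    echo "nCipher sample (non-FIPS): $(ncipher_fips_state "$NCIPHER_NONFIPS_SAMPLE")"
    echo "Luna SA sample:            $(luna_fips_state "$LUNA_SAMPLE")"
fi
```

The "inconsistent" verdict is deliberate: a state flag or mode line claiming FIPS without the hkfips key does not satisfy the section's "in all cases" condition, and such a world should be investigated with the vendor tools rather than accepted.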
8.2.3. Adding or Managing the HSM Entry for a Subsystem
During installation, when an HSM is selected as the default token and the appropriate HSM-specific parameters are set in the configuration file passed to the pkispawn command, the following parameter is added to the /var/lib/pki/instance_name/conf/password.conf file for the HSM password:

hardware-HSM_token_name=HSM_token_password
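Because the entry above is what the subsystem reads to log in to the HSM token at startup, a quick post-installation check that it exists for the right token name, is non-empty, and lives in a file that other local users cannot read avoids a class of silent startup failures. The following POSIX sh helper is an added example, not a script from the Red Hat Certificate System documentation; the file-permission check is this example's own practice (the documentation only states the entry's format), and the password.conf contents it builds for its demonstration are constructed sample values.

```shell
#!/bin/sh
# Added example; not part of the Red Hat Certificate System documentation.
# Verifies that an instance's password.conf carries the hardware-<token>
# entry that pkispawn is expected to add for the HSM token, and that the
# file is not readable by group/other. The permission check is this
# example's own practice; the documentation states only the entry's format.

# check_hsm_password_entry <password.conf> <HSM token name>
# Prints a one-line verdict. Returns 0 when the entry is usable,
# 1 when it is missing or empty, 2 when present but the file is too open.
check_hsm_password_entry() {
    conf="$1"
    token="$2"
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 1
    fi
    # Exact-prefix match on "hardware-<token>=" (no regex, so token names
    # with punctuation are handled literally).
    line=$(while IFS= read -r l; do
        case "$l" in
            "hardware-${token}="*) printf '%s\n' "$l"; break ;;
        esac
    done < "$conf")
    if [ -z "$line" ]; then
        echo "no hardware-${token} entry in $conf"
        return 1
    fi
    value=${line#*=}
    if [ -z "$value" ]; then
        echo "hardware-${token} entry has an empty password"
        return 1
    fi
    # The file holds plaintext secrets; group/other permission bits should be clear.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        *00) echo "ok: hardware-${token} entry present in $conf (mode $mode)" ;;
        *)   echo "warning: hardware-${token} entry present but $conf mode $mode is readable by group/other"
             return 2 ;;
    esac
    return 0
}

# Demonstration on a constructed password.conf (sample values, not a real instance).
demo_password_conf_check() {
    tmp=$(mktemp)
    printf 'internal=Example.Internal.1\nhardware-example_token=Example.Token.1\n' > "$tmp"
    chmod 600 "$tmp"
    check_hsm_password_entry "$tmp" example_token
    chmod 644 "$tmp"
    check_hsm_password_entry "$tmp" example_token || echo "(returned $?)"
    check_hsm_password_entry "$tmp" other_token || echo "(returned $?)"
    rm -f "$tmp"
}
demo_password_conf_check
```

On a real instance, run it as check_hsm_password_entry /var/lib/pki/instance_name/conf/password.conf HSM_token_name, substituting the instance name and the token name exactly as the HSM module presents it; a mismatch in the token name is the most common reason the entry is "present" yet unused.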
8.2.4. Setting up SELinux for an HSM
If you want to install Certificate System with a hardware security module (HSM) and SELinux is running in enforcing mode, certain HSMs require that you manually update SELinux settings before you can install Certificate System.
			
				The following section describes the required actions for supported HSMs:
			
- nCipher nShield
- After you installed the HSM and before you start installing Certificate System:
  - Reset the context of files in the /opt/nfast/ directory:
    # restorecon -R /opt/nfast/
  - Restart the nfast software:
    # /opt/nfast/sbin/init.d-ncipher restart
 
- Gemalto Safenet LunaSA HSM
- No SELinux-related actions are required before you start installing Certificate System.
8.2.5. Installing a Subsystem Using nCipher nShield HSM
To install a subsystem instance that uses an nCipher nShield HSM, follow this procedure:
- Prepare an override file, which corresponds to your particular deployment. The following default_hsm.txt file is an example of such an override file:
  Note: This file serves only as an example of an nCipher HSM override configuration file; numerous other values can be overridden, including default hashing algorithms. Also, only one of the [CA], [KRA], [OCSP], [TKS], or [TPS] sections will be utilized, depending upon the subsystem invocation specified on the pkispawn command line.
  Example 8.1. An Override File Sample to Use with nCipher HSM
- Use the configuration file as described in Section 7.7, “Two-step Installation”:
  # pkispawn -s CA -f ./default_hsm.txt -vvv
  # pkispawn -s KRA -f ./default_hsm.txt -vvv
  # pkispawn -s OCSP -f ./default_hsm.txt -vvv
  # pkispawn -s TKS -f ./default_hsm.txt -vvv
  # pkispawn -s TPS -f ./default_hsm.txt -vvv
 
8.2.6. Installing a Subsystem Using Gemalto Safenet LunaSA HSM
To install a subsystem instance that uses a Gemalto Safenet LunaSA HSM, follow the procedure detailed in Section 8.2.5, “Installing a Subsystem Using nCipher nShield HSM”. The override file should be similar to the sample provided in Example 8.1, “An Override File Sample to Use with nCipher HSM”, differing in values related to the particular deployment. The following example provides a sample LunaSA header that is to be substituted for the header of the nCipher override file and to be used with the [DEFAULT], [Tomcat], [CA], [KRA], [OCSP], [TKS], and [TPS] sections provided in the aforementioned nCipher example.
Example 8.2. A Sample of the LunaSA Override File Header