Articles

EzSign Thales nCipher HSM - Using Module Keys

Print

Thales HSMs support Module protection as well as Operator Card protection

The latter involves creating an Operator Cardset and assigning a Passphrase to the cards.  Objects stored on the HSM are then protected by the Module as well as this Cardset and applications that wish to make use of these objects not only must have access to the HSM but must also supply the Operator Cardset Passphrase

Thus, access to objects such as private keys require the user to be logged on to the HSM, providing the Passphrase before access is granted

If Module only protection is used then objects are still stored protected by the module's internal master keys, but can be accessed by any application (that has access to the HSM) without the need to log on to the HSM with a passphrase

Within EzSign, the Operator Cardset Passphrase is provided as the Token Password.  This is encrypted by the Master Password.  The server may be started by supplying the Master Password but sensitive operations such as CSR generation and the import of certificates require that the Token password is also entered.  This prevents operational staff (responsible for managing the server) from also having the ability to perform sensitive operations.  Another team (e.g. Security) can own the Token/Operator Cardset password.  It is therefore, recommended that an Operator Cardset be created when using Thales HSMs

However, if other security controls are in place which restrict an application's access to an HSM and there is no need to restrict the operational user from performing sensitive operations, then Module-Only protection can be enabled as follows:

 

Edit the EzSign Server Configuration

The server properties file must be updated for the channel that wishes to make use of Module protection only.  The following property must be set:

    channel.N.token.useModuleProtection=true

Where 'N' is the channel number e.g.

    channel.1.token.useModuleProtection=true

 

The entry for the following property:

     channel.N.token.password

 

Can then be left empty and no Token password needs to be set via the Management Utility.  When generating CSRs or importing certificates via the Management Utility, when asked for the Token password, just hit return, as it is not required

 

 

Run the Server

The server can be started in the normal way but on starting the following warning will be output to the logs:

2017-09-14 10:06:26.085 [main] WARN  EzSignLog - Module protection is enabled.  This means that no password is required to access the keys on the Token/HSM.  Ensure that other sufficient security controls are in place to prevent unauthorised access

 

When a CSR is generated, the private key will not require a passphrase for access

 

 

Viewing Object's Protection Level

To verify what protection each object within the HSM is under, from the nFast bin directory, run the following command:

    nfkminfo -l

 

This will display all items (together with the label) sorted by protection e.g.:

Keys with module protection:
key_pkcs11_ua114f29785ea013fd5eca7e6cd7614c796bc24a06 `15e7f5e09ff2030'
key_pkcs11_ua1df56ecd5514769c92c361e2e3c799745bfd0b96 `nopassword'

...

Keys protected by cardsets:
key_pkcs11_uc725e1d27135c1b5dbb296f63be079fa827cf65fd-0317f899c8a6737e8506278850b57bf1b7b29e9e `OTP_SEED_SYM_KEY'
key_pkcs11_uc725e1d27135c1b5dbb296f63be079fa827cf65fd-49b37b070741ea08fccdafffcd3298e01306806e `15ab7ef2ff43176'

...