March 30, 2011
System Engineering HSM
Utimaco Integration Guide
Bind 9.7 with SafeGuard CryptoServer
(Linux 2.6)
Utimaco Safeware AG, Germany
Utimaco Safeware AG
Germanusstr. 4
D-52080 Aachen
Germany
Tel +49 241 1696 200
Fax +49 241 1696 199
E-Mail [email protected]
Date March 30, 2011
Author System Engineering HSM
Contents
1 Introduction
1.1 Concepts
2 Requirements
3 Supported Operating Systems
4 Procedures
4.1 Install SafeGuard® CryptoServer hardware
4.2 Install SafeGuard® CryptoServer software
4.3 Configure PKCS#11
4.3.1 Adjust the Configuration File
4.3.2 Test PKCS#11 Configuration with P11Tool
4.4 Patch and Build OpenSSL
4.5 Install BIND Domain Name Server
4.6 Generate Keys and Sign a Zone
4.6.1 Re-signing Zones
5 Further Information
1 Introduction
This paper is an integration guide explaining how to integrate a Hardware Security Module (HSM), the
SafeGuard® CryptoServer, with the BIND 9.7 server on a Linux operating system platform.
Configuration details, in particular those of the domain name system itself, that go beyond what is
needed for the integration of the hardware security module are not explained in this document. For
further information on configuring and setting up BIND for a domain name system, refer to the
documentation provided by ISC [1].
1.1 Concepts
The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for
computers, services, or any resource connected to the Internet or a private network. Most importantly, it
translates domain names that are meaningful to humans into the numerical identifiers of networking
equipment, for the purpose of locating and addressing these devices worldwide. The Domain Name
System is often compared to the phone book of the Internet.
The original design of the Domain Name System did not include any security; it was developed as a
simple, scalable distributed system. The Domain Name System Security Extensions (DNSSEC) add
security while maintaining backwards compatibility with the existing Domain Name System. RFC 3833
documents some of the known threats to the DNS and how DNSSEC responds to those threats. DNSSEC
was designed to protect Internet resolvers from forged DNS data, such as that created by DNS cache
poisoning. All answers from a DNSSEC-enabled domain name server are digitally signed. By verifying
the digital signature, a DNS resolver can check that the information is identical to that held by the
authoritative domain name server and has not been modified on the way. While protecting IP addresses
is the immediate concern for many users, DNSSEC can protect other information as well, such as
general-purpose cryptographic certificates. The signatures are produced with cryptographic keys, and
these keys require extensive protection against being stolen or corrupted: whoever holds a zone's
private key can sign forged data for that zone. A hardware security module keeps the keys in
tamper-protected hardware and performs the signing operations itself, so the private keys never have to
leave the device; this combines the highest level of protection for those keys with high signing
performance.
The SafeGuard® CryptoServer is a hardware security module developed by Utimaco Safeware AG,
i.e. a physically protected, specialized computer unit designed to perform sensitive cryptographic tasks
and to securely manage cryptographic keys and data. Within a SafeGuard CryptoServer security system,
security-relevant actions can be executed and security-relevant information can be stored. It can be used
as a universal, independent security component for heterogeneous computer systems.
[1] ISC: http://www.isc.org
2 Requirements
Ensure that you have a copy of the CryptoServer Administration Guide and the CryptoServer
PKCS#11 Interface documentation. You should also have an installed Linux operating system (kernel 2.6).
If you are using a PCI(e) card, also compile and install the driver for that card. This guide assumes
that a Debian-based Linux distribution is used.
Software and hardware requirements:
HSM model:        SafeGuard® CryptoServer CS-Series/S-Series/Se-Series PCI(e)
Smartcard reader: reinerSCT cyberJack e-com
HSM firmware:     SafeGuard® Security Server 2.30.2
Software:         SafeGuard® Security Server 2.30.2
Operating system: Linux 2.6 (Debian 4.1.2-25)
3 Supported Operating Systems
For the interoperability of the SafeGuard® CryptoServer solution, the following combination of
operating system, BIND and OpenSSL has been tested successfully:
Operating System | SafeGuard SecurityServer Version | Bind Version | OpenSSL Version | PCI Support | Ethernet Support
Debian 4.1.2 x86 | 2.30.2                           | 9.7.2-P3     | 0.9.8l          | Yes         | Yes
4 Procedures
To integrate the SafeGuard® CryptoServer with the BIND domain name server (named) in a
DNSSEC-secured environment, complete the following steps on Linux:
1. Install SafeGuard® CryptoServer hardware
2. Install SafeGuard® CryptoServer software
3. Configure PKCS#11
o Adjust the Configuration File
o Test PKCS#11 Configuration with P11Tool
4. Patch and Build OpenSSL
5. Install Bind Domain Name Server
6. Generate Keys and Sign a Zone
o Re-signing Zones
4.1 Install SafeGuard® CryptoServer hardware
For general information on installing and setting up the SafeGuard® CryptoServer PCI or LAN,
see the SafeGuard® CryptoServer PCI / (LAN) Installation & Operating Manual. No software has to be
installed on the device itself to run the SafeGuard® CryptoServer: it comes with a preinstalled set of
firmware.
4.2 Install SafeGuard® CryptoServer software
The SafeGuard CryptoServer software, which includes the administrative tools and the libraries, has to be
installed on your computer system manually. For installing the necessary PKCS#11 libraries, refer to
the SafeGuard CryptoServer PKCS#11 Interface documentation. The remaining configuration steps are explained next.
4.3 Configure PKCS#11
4.3.1 Adjust the Configuration File
After the installation of the libraries (we assume that the PKCS#11 library is located at
/usr/lib/cryptoserver/libcs2_pkcs11.so), adjust the configuration file cs2_pkcs11.ini
to match your hardware. Check whether the environment variable CS2_PKCS11_INI points
to the configuration file cs2_pkcs11.ini (e.g. /etc/utimaco/cs2_pkcs11.ini). If it is not
set or not configured properly, adjust it now before proceeding; make sure the path is spelled exactly,
since the library cannot read a file that does not exist. This command sets the environment variable in a bash shell:
# export CS2_PKCS11_INI=/etc/utimaco/cs2_pkcs11.ini
First of all, the device specifier in your configuration file has to be adjusted so that the PKCS#11 library
can reach the CryptoServer. Open the configuration file cs2_pkcs11.ini with an editor of your choice and
find the device parameter in the CryptoServer section. Set its value to one of the following:
IP address of your device (e.g. 192.168.0.42)
This device specifier is used for network-attached devices. Details on setting up the IP address
of your device can be found in the SafeGuard CryptoServer LAN Operating & Installation Manual.
/dev/cs2
This device specifier addresses a locally installed PCI or PCIe device. An installed device driver is
required to open a connection. Details on setting up the driver can be found in the SafeGuard
CryptoServer PCI(e) Operating & Installation Manual.
While performing the PKCS#11 operations in the next chapters you can check the library's log files; with
the default settings of cs2_pkcs11.ini they are written to /tmp. The amount of logging is controlled by the
Logging parameter: 15 is the highest log level, 0 disables logging entirely. Raise the level only while
troubleshooting and set it back afterwards, since /tmp is readable by every local user.
4.3.2 Test PKCS#11 Configuration with P11Tool
The p11tool is a command line tool for administering PKCS#11 on the SafeGuard CryptoServer. It is
located in the directory Software/PKCS11/bin/Linux-x86-32/ of the Security Server package. Perform the
following steps to initialize the PKCS#11 slot in which the keys for DNSSEC will be generated and stored:
1. First make p11tool executable:
# chmod u+x p11tool
2. Now check whether the PKCS#11 configuration is working; the command must list the slots of your
CryptoServer:
# p11tool listslots
3. Finally initialize a PKCS#11 slot:
# p11tool slot=0 InitToken=123456
# p11tool slot=0 LoginSO=123456 InitPin=utimaco123
InitToken initializes the token in slot 0 and sets its security officer (SO) PIN; the second command logs
in as SO with that PIN and, via InitPin, sets the user PIN of the slot. The PINs shown are example values;
choose your own, because the user PIN is what named will later use to access the private keys.
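The checks of this chapter can be scripted before p11tool is run. The following POSIX shell script is an added example and not part of the Utimaco guide or software: it verifies that CS2_PKCS11_INI points to a readable file, that the PKCS#11 library exists, reads the device specifier from the CryptoServer section and warns when logging is switched on. The INI key names Device and Logging are assumptions taken from the wording of the text; compare them with your own cs2_pkcs11.ini.

```sh
#!/bin/sh
# Added example (not from the Utimaco guide): pre-flight check of the PKCS#11
# setup before p11tool is run. Assumes the INI key names "Device" (in the
# CryptoServer section) and "Logging" as the text describes them.

# ini_value FILE SECTION KEY: print the value of KEY inside [SECTION]
# (case-insensitive); an empty SECTION searches every section.
ini_value() {
    awk -v sec="$2" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        line ~ /^\[.*\]$/ {
            cur = substr(line, 2, length(line) - 2)
            sub(/^[ \t]+/, "", cur); sub(/[ \t]+$/, "", cur)
            next
        }
        (sec == "" || tolower(cur) == tolower(sec)) && index(line, "=") > 0 {
            k = substr(line, 1, index(line, "=") - 1); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr(line, index(line, "=") + 1); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_pkcs11_config [LIBRARY]: exit status 0 when CS2_PKCS11_INI points to
# a readable INI with a usable device specifier and the library is present.
# Prints the recognised device on stdout, problems on stderr.
check_pkcs11_config() {
    ini="${CS2_PKCS11_INI:-}"
    lib="${1:-/usr/lib/cryptoserver/libcs2_pkcs11.so}"
    if [ -z "$ini" ] || [ ! -r "$ini" ]; then
        echo "CS2_PKCS11_INI is unset or not a readable file: '$ini'" >&2
        return 1
    fi
    if [ ! -f "$lib" ]; then
        echo "PKCS#11 library not found: $lib" >&2
        return 1
    fi
    dev=$(ini_value "$ini" CryptoServer Device)
    case "$dev" in
        "")        echo "no Device entry in the [CryptoServer] section of $ini" >&2; return 1 ;;
        /dev/cs2)  echo "device: local PCI(e) card $dev" ;;
        *.*.*.*)   echo "device: LAN appliance at $dev" ;;
        *)         echo "unexpected Device value '$dev'" >&2; return 1 ;;
    esac
    # Logging > 0 writes traces to /tmp with the default configuration;
    # /tmp is readable by every local user, so warn when it is left on.
    log=$(ini_value "$ini" "" Logging)
    if [ -n "$log" ] && [ "$log" -gt 0 ] 2>/dev/null; then
        echo "warning: Logging = $log, PKCS#11 traces will be written to /tmp" >&2
    fi
    return 0
}

# Usage, once the variable from the text is exported:
#   export CS2_PKCS11_INI=/etc/utimaco/cs2_pkcs11.ini
#   check_pkcs11_config && p11tool listslots
```

The script stops before p11tool is even started when the environment is wrong, which is the situation in which a bare `p11tool listslots` only shows an empty slot list or a library error.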
4.4 Patch and Build OpenSSL
The OpenSSL libraries have to be built from source code, because only this way can the PKCS#11
support needed by BIND be enabled. BIND uses OpenSSL for its cryptographic operations. In addition, a
patch must be applied to the OpenSSL sources which enables OpenSSL to interface with PKCS#11
libraries. This patch is bundled with the BIND source code.
1. First download and extract the sources of OpenSSL 0.9.8l and BIND 9.7.2-P3. You can find
them at http://www.openssl.org/source/ and http://www.isc.org/software/bind.
2. Now apply the patch ./bind-9.7.2-P3/bin/pkcs11/openssl-0.9.8l-patch to
OpenSSL by switching to the OpenSSL directory and running the command:
# patch -p1 < path-to/openssl-0.9.8l-patch
3. Configure OpenSSL:
# ./Configure linux-generic32 -m32 -pthread \
--pk11-libname=/usr/lib/cryptoserver/libcs2_pkcs11.so \
--pk11-flavor=crypto-accelerator \
--prefix=/opt/openssl-p11
The pk11-libname parameter points to the PKCS#11 library (note the spelling libcs2_pkcs11.so, with the
digits 1 and 1), pk11-flavor determines which kind of PKCS#11 engine (provided by the patch) is used,
sign-only or crypto-accelerator, and prefix points to the directory where the libraries are located
after the installation. sign-only delegates only the private key operations to the HSM; crypto-accelerator
additionally offloads other operations the device supports.
4. Build and test OpenSSL:
# make
# make test
If errors occur at this point, recheck the configuration.
5. Check that the engine is available:
# apps/openssl engine pkcs11 -t
The output should report the pkcs11 engine as available. If it reports an error, the library path from
step 3 or the CS2_PKCS11_INI configuration from chapter 4.3.1 is usually wrong.
6. Finally run
# make install
to make the modified OpenSSL suite available in /opt/openssl-p11, as specified during
configuration.
4.5 Install BIND Domain Name Server
Besides OpenSSL, BIND also has to be compiled from source, because only this way can BIND use
PKCS#11-enabled hardware for cryptographic operations. The locations of the OpenSSL and PKCS#11
libraries are fixed during the configuration of BIND, so you have to provide the location of the
OpenSSL installation created in chapter 4.4. To do so, perform the following steps:
1. Configure BIND:
# ./configure CC="gcc -m32" --enable-threads \
--with-openssl=/opt/openssl-p11 \
--with-pkcs11=/usr/lib/cryptoserver/libcs2_pkcs11.so
The parameters point to the paths of the libraries mentioned above.
2. Now set the environment variable LD_LIBRARY_PATH to the directory of the PKCS#11 library:
# export LD_LIBRARY_PATH=/usr/lib/cryptoserver
3. Build and install BIND:
# make
# make install
Further steps usually concern the general configuration of DNS and are not part of this document.
4.6 Generate Keys and Sign a Zone
In this chapter we generate a zone-signing key (ZSK) and a key-signing key (KSK) using the tools
pkcs11-keygen and dnssec-keyfromlabel provided by BIND, and use them to sign a domain zone.
The first tool generates the key pairs inside the HSM; the second generates the key files for BIND, which
contain the public key and a reference (the label) to the private key in the HSM rather than the private
key itself. Since slot 0 is the only one we initialized in chapter 4.3.2 so far, it is used for the
BIND configuration now.
1. Run the following commands to generate a key-signing key and a zone-signing key in the
SafeGuard CryptoServer:
# pkcs11-keygen -b 2048 -l ksk
# pkcs11-keygen -b 1024 -l zsk
The parameter -b specifies the key size in bits and -l the label of the key pair. Since the library path
was exported via LD_LIBRARY_PATH, it is not necessary to specify it with the parameter -m (module).
2. Switch to the default folder for zone files and generate the key files for BIND:
# dnssec-keyfromlabel -l ksk -f KSK utimaco.com
# dnssec-keyfromlabel -l zsk utimaco.com
The parameter -l specifies the label again, and -f sets the key flag: KSK marks the key as key-signing
key, without it the key is a zone-signing key. The key files are generated for a specific zone, which in
this case is "utimaco.com". You should now find the corresponding key files in the current directory, named
K<zone name>.+<algorithm number>+<key ID>.key and K<zone name>.+<algorithm number>+<key ID>.private.
It is not necessary to add the -E (engine) parameter here, because BIND was built with the --with-pkcs11
option in the first place, which makes the SafeGuard CryptoServer PKCS#11 engine the default.
3. Before you can sign the zone, the public keys have to be added to the zone master file, either by
pasting the contents of both K*.key files or by including them by reference using the file names.
Open the zone file and add the following lines (the key IDs are those of your own key files), e.g.:
$INCLUDE Kutimaco.com.+005+35677.key
$INCLUDE Kutimaco.com.+005+63263.key
4. Finally sign the zone:
# dnssec-signzone -S -o <zone name> <zone file>
You don't need to specify the key files here because smart signing is activated by the -S parameter,
which makes dnssec-signzone search the current directory for key files matching the zone. The signed
zone file (<zone file>.signed) is now located in the current folder.
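The four steps above, wrapped into one POSIX shell script. This is an added example and not part of the Utimaco guide or of BIND: the tool names and options are the ones shown in the text, while the zone directory /var/cache/bind, the zone name and the include_keys helper are this example's own. The helper adds the $INCLUDE lines of step 3 for every key file present and is idempotent, so the script can be re-run after a key rollover has produced an additional key file; the HSM-dependent steps run only when DNSSEC_HSM_RUN=1, so the helper can be tried without a CryptoServer attached.

```sh
#!/bin/sh
# Added example, not from the Utimaco guide: the procedure of section 4.6 as
# a script. Tool names and options are the ones shown in the text; the zone
# directory, zone name and the include_keys helper are this example's own.
set -u

# include_keys ZONEDIR ZONE: add one $INCLUDE line to ZONEDIR/ZONE.zone for
# every K<ZONE>.+*.key file in ZONEDIR that is not referenced yet. Prints the
# number of lines added, so a second run (e.g. after a key rollover created a
# new key file) only appends the new file.
include_keys() {
    dir=$1; zone=$2; zf="$dir/$zone.zone"; added=0
    [ -f "$zf" ] || { echo "zone file $zf not found" >&2; return 1; }
    for k in "$dir"/K"$zone".+*.key; do
        [ -f "$k" ] || continue            # glob matched nothing
        name=$(basename "$k")
        if ! grep -qF -- "\$INCLUDE $name" "$zf"; then
            printf '$INCLUDE %s\n' "$name" >> "$zf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# sign_zone_with_hsm ZONEDIR ZONE: generate KSK and ZSK inside the HSM,
# create the BIND key files referencing them by label, include the public
# keys in the zone and sign it with smart signing (-S).
sign_zone_with_hsm() {
    dir=$1; zone=$2
    pkcs11-keygen -b 2048 -l ksk           # private keys never leave the HSM
    pkcs11-keygen -b 1024 -l zsk
    (
        cd "$dir" || exit 1
        dnssec-keyfromlabel -l ksk -f KSK "$zone"
        dnssec-keyfromlabel -l zsk "$zone"
        include_keys "$dir" "$zone" > /dev/null
        dnssec-signzone -S -o "$zone" "$zone.zone"
    )
}

# Only touch the HSM when explicitly asked for (assumed directory and zone).
if [ "${DNSSEC_HSM_RUN:-0}" = "1" ]; then
    sign_zone_with_hsm /var/cache/bind utimaco.com
fi
```

The key files are matched by the K<zone>.+ prefix, so keys of other zones in the same directory are not pulled into the zone; the grep test keeps the zone file free of duplicate $INCLUDE lines when the script runs repeatedly.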
4.6.1 Re-signing Zones
In the previous chapter you have seen how to manually sign a domain zone, including the generation of
the necessary keys. Signatures expire and keys have to be changed periodically; normally this requires
manual intervention. BIND is also able to re-sign domain zones automatically: named can be configured
to dynamically re-sign zones or new records inserted via nsupdate. For this, named requires access to
the private keys without user interaction, and with PKCS#11 that means the user PIN of the slot has to
be available to the library. To grant this access, configure OpenSSL accordingly. Edit the file
/opt/openssl-p11/ssl/openssl.cnf and adjust it as follows (the first line belongs to the unnamed
default section at the top of the file, before the first section header):
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = utimaco123
The location of the file can be overridden by setting the environment variable OPENSSL_CONF. The PIN
is the user PIN entered during the initialization of the PKCS#11 slot in chapter 4.3.2 (InitPin). Because
the file now contains the PIN in clear text, restrict its permissions to the account named runs as (e.g.
mode 0600) and keep it out of world-readable backups: anyone who can read it can use the private keys in
the HSM as long as they can reach the device. This setting also enables the dnssec-* tools to work without
prompting for the user PIN.
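One way to put the stanza above into place without leaving the PIN in the shared OpenSSL configuration. This POSIX shell function is an added example and not part of the Utimaco guide: it writes the engine section into a dedicated file that is created with owner-only permissions from the first byte on, verifies the result, and the file is then handed to OpenSSL via the OPENSSL_CONF override mentioned in the text. The file path /etc/bind/openssl-pkcs11.cnf and the PIN are placeholders.

```sh
#!/bin/sh
# Added example, not from the Utimaco guide: writes the engine stanza from
# section 4.6.1 into a dedicated configuration file with owner-only
# permissions, so the clear-text user PIN is not placed in the shared
# /opt/openssl-p11/ssl/openssl.cnf. File path and PIN are placeholders.

# write_pkcs11_pin_conf FILE PIN: create FILE (mode 0600) holding the
# pkcs11 engine section with PIN; fails if the result is readable by
# group or others.
write_pkcs11_pin_conf() {
    conf=$1; pin=$2
    old_umask=$(umask)
    umask 077                      # no group/other bits, even briefly
    cat > "$conf" <<EOF
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
PIN = $pin
EOF
    umask "$old_umask"
    chmod 0600 "$conf"
    # Refuse to hand out a file that other local users could read.
    if [ -n "$(find "$conf" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
        echo "$conf is readable by other users, refusing to use it" >&2
        return 1
    fi
}

# Usage (placeholders): run as the account named runs as, then point
# OpenSSL, and thereby the dnssec-* tools and named, at the file:
#   write_pkcs11_pin_conf /etc/bind/openssl-pkcs11.cnf utimaco123
#   export OPENSSL_CONF=/etc/bind/openssl-pkcs11.cnf
```

Keeping the PIN in its own file also means the system-wide openssl.cnf, which other programs read, stays free of HSM credentials; only processes started with OPENSSL_CONF set see the engine section.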
5 Further Information
This guide forms one part of the information and support provided by Utimaco Safeware. Additional
documentation produced to support your SafeGuard® CryptoServer product can be found in the
document directory of the product CD-ROM for that product. All SafeGuard® CryptoServer product
documentation is available from the Utimaco web site at: http://hsm.utimaco.com