
Configure Database Protection in Kubernetes

ENTERPRISE

EJBCA can integrity-protect database rows, including the security audit log, by signing them with a key held in a crypto token; this is configured in the databaseprotection.properties file. For more information, refer to the EJBCA documentation on Integrity Protected Security Audit Log and EJBCA Security.

The following sections focus on how to configure database protection in Kubernetes using the Helm chart.

Configure database protection in Kubernetes

To configure database protection in Kubernetes using the Helm chart, follow these steps:

  1. Generate a key pair in your HSM: Use your preferred Hardware Security Module (HSM) to create a key pair and note down the following:

    • Slot Label: The label of the slot where the key is created <slot-label>

    • Slot or Token Password: The password for the slot or token <slot-password>

    • Key Label or Name: The label or name of the key <key-label>

  2. Create the databaseprotection.properties file with the following content:

    CODE
    databaseprotection.enablesign = true
    databaseprotection.enableverify = true
    databaseprotection.keyid = 1
    databaseprotection.keyid.0 = 1
    databaseprotection.keylabel.0 = <key-label>
    databaseprotection.classname.0 = org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken
    databaseprotection.properties.0 = sharedLibrary=/opt/keyfactor/p11proxy-client/p11proxy-client.so, slotLabelType=SLOT_LABEL, slotLabelValue=<slot-label>
    databaseprotection.tokenpin.0 = <slot-password>

    Replace the placeholders (<key-label>, <slot-label>, <slot-password>) with the corresponding values from step 1.
    (info) Multiple crypto tokens can be defined by using databaseprotection.xx.1, databaseprotection.xx.2, and so on, where each keyid is an integer you choose. This makes it possible to start signing with a new crypto token and new keys while still being able to verify rows that were protected with the earlier ones.

  3. Create a Kubernetes secret with the databaseprotection.properties file:

    CODE
    kubectl create secret generic ejbca-config-files -n ejbcans \
        --from-file=databaseprotection.properties=databaseprotection.properties

  4. Modify the values.yaml to mount the databaseprotection.properties file into EJBCA.
    (info) Note that if there are existing entries in ejbca.volumes or ejbca.volumeMounts, the entries below need to be appended to them rather than replace them.

    CODE
    ejbca:
      volumes:
        - name: databaseprotection
          secret:
            secretName: ejbca-config-files
            items:
              - key: "databaseprotection.properties"
                path: "databaseprotection.properties"
      volumeMounts:
        - name: databaseprotection
          mountPath: /opt/keyfactor/ejbca/conf/databaseprotection.properties
          subPath: databaseprotection.properties
  5. After updating the values.yaml file, deploy EJBCA using the Helm chart.
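The procedure above as an added example script; it is not part of the EJBCA documentation or the Helm chart. It renders databaseprotection.properties for one or more HSM tokens from parameters instead of hand-editing placeholders, refuses a file that still contains a placeholder or whose signing keyid has no keyid.N mapping, and emits a Secret manifest equivalent to the `kubectl create secret generic` command in step 3. The function names and the `idx|keyid|keylabel|slotlabel|pin` token spec are this example's own; the reading that `databaseprotection.keyid` selects the key used for new signatures while every listed token remains available for verification follows the rotation note in step 2.

```shell
#!/bin/sh
# Added example, not from the EJBCA docs or Helm chart: render and check
# databaseprotection.properties, then stage it as a Kubernetes Secret.
# Token specs are "idx|keyid|keylabel|slotlabel|pin" (this script's own format).
set -eu

# render_token IDX KEYID KEYLABEL SLOTLABEL PIN: print one crypto token block.
# printf rather than an unquoted heredoc so a PIN containing $ or ` is not expanded.
render_token() {
  printf 'databaseprotection.keyid.%s = %s\n' "$1" "$2"
  printf 'databaseprotection.keylabel.%s = %s\n' "$1" "$3"
  printf 'databaseprotection.classname.%s = org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken\n' "$1"
  printf 'databaseprotection.properties.%s = sharedLibrary=/opt/keyfactor/p11proxy-client/p11proxy-client.so, slotLabelType=SLOT_LABEL, slotLabelValue=%s\n' "$1" "$4"
  printf 'databaseprotection.tokenpin.%s = %s\n' "$1" "$5"
}

# render_properties SIGN_KEYID OUTFILE TOKENSPEC...: write the whole file.
# SIGN_KEYID is the keyid used for new signatures; every token listed stays
# available for verifying rows signed earlier (the rotation case in step 2).
render_properties() {
  sign_keyid=$1; out=$2; shift 2
  (
    umask 077   # the file carries HSM PINs; keep it private on disk
    {
      printf 'databaseprotection.enablesign = true\n'
      printf 'databaseprotection.enableverify = true\n'
      printf 'databaseprotection.keyid = %s\n' "$sign_keyid"
      for spec in "$@"; do
        IFS='|' read -r idx keyid keylabel slotlabel pin <<EOF
$spec
EOF
        render_token "$idx" "$keyid" "$keylabel" "$slotlabel" "$pin"
      done
    } > "$out"
  )
}

# check_properties FILE: refuse a file that would deploy but protect nothing
# (signing or verification off), still carries a <placeholder>, or names a
# signing keyid that no keyid.N entry maps to.
check_properties() {
  f=$1
  grep -q '^databaseprotection\.enablesign *= *true *$' "$f" \
    || { echo "$f: enablesign is not true" >&2; return 1; }
  grep -q '^databaseprotection\.enableverify *= *true *$' "$f" \
    || { echo "$f: enableverify is not true" >&2; return 1; }
  if grep -q '<[a-z-]*>' "$f"; then
    echo "$f: placeholder value left in file" >&2; return 1
  fi
  sign_keyid=$(sed -n 's/^databaseprotection\.keyid *= *//p' "$f")
  [ -n "$sign_keyid" ] || { echo "$f: databaseprotection.keyid missing" >&2; return 1; }
  grep -q "^databaseprotection\.keyid\.[0-9][0-9]* *= *${sign_keyid} *\$" "$f" \
    || { echo "$f: signing keyid $sign_keyid has no keyid.N mapping" >&2; return 1; }
}

# secret_manifest FILE NAMESPACE NAME: print a Secret equivalent to
# 'kubectl create secret generic NAME --from-file=databaseprotection.properties=FILE'
# for 'kubectl apply -f -'. base64 is encoding, not encryption: the PIN is readable
# by anyone allowed to get Secrets in NAMESPACE.
secret_manifest() {
  f=$1; ns=$2; name=$3
  b64=$(base64 < "$f" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  databaseprotection.properties: ${b64}
EOF
}

# Usage (old token keyid 1 kept for verification, new token keyid 2 signs):
#   render_properties 2 databaseprotection.properties \
#     "0|1|dbprot-old|EJBCA-DBPROT|$OLD_PIN" "1|2|dbprot-new|EJBCA-DBPROT-2|$NEW_PIN"
#   check_properties databaseprotection.properties
#   secret_manifest databaseprotection.properties ejbcans ejbca-config-files | kubectl apply -f -
```

Pass the PINs through environment variables or a secrets manager rather than literal command-line arguments, so they do not end up in shell history, and restrict RBAC on Secrets in the ejbcans namespace (and enable encryption at rest for Secrets) since the token PIN sits in the Secret in plain text.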
