Enterprise
The SoftHSM2 sidecar container enables integrating the application container with a network-attached Thales Luna HSM. The following covers how to set up the integration in Kubernetes.
Prerequisites
Create a PersistentVolumeClaim (PVC) named softhsm-pvc to persist the token data (the key material) of the SoftHSM, for example by applying the following manifest with ReadWriteOnce access and 100Mi of storage:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: softhsm-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
EOF
```
Parameters
| Name | Description | Comments |
|---|---|---|
| tokenPersistentVolumeClaim | Name of the Persistent Volume Claim used to store token data or key material. If unset, an ephemeral instance is created. | Default: None |
| logLevel | Logging level of the HSM sidecar. | Default: INFO |
Configure Deployment
Add the following to the values.yaml file:
```yaml
hsm:
  enabled: true
  softhsm:
    enabled: true
    logLevel: "INFO"
    tokenPersistentVolumeClaim: softhsm-pvc
```
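Because an unset tokenPersistentVolumeClaim silently yields an ephemeral token, a preflight check before helm install is worthwhile. The following is an added example and not part of the EJBCA chart; it assumes the values.yaml has already been loaded into a dict (for instance with PyYAML) and that the namespace's PVCs are passed as dicts with the name and phase fields of kubectl get pvc -o json items.

```python
# Added preflight check for the SoftHSM2 sidecar values above; example code,
# not part of the EJBCA Helm chart. Inputs: the loaded values.yaml dict and a
# list of {"name": ..., "phase": ...} dicts describing the namespace's PVCs.
from typing import Dict, List


def check_hsm_values(values: Dict, pvcs: List[Dict]) -> List[str]:
    """Return findings that should block `helm install`; empty means OK."""
    findings: List[str] = []
    hsm = values.get("hsm") or {}
    softhsm = hsm.get("softhsm") or {}
    if not softhsm.get("enabled"):
        return findings  # sidecar not requested, nothing to validate

    # Assumption: softhsm.* is only honoured when hsm.enabled is also true.
    if not hsm.get("enabled"):
        findings.append("softhsm.enabled is true but hsm.enabled is false; "
                        "the sidecar will not be deployed")

    claim = softhsm.get("tokenPersistentVolumeClaim")
    if not claim:
        # Per the parameter table: no PVC means an ephemeral token, so the
        # CA's private keys vanish on every pod restart.
        findings.append("tokenPersistentVolumeClaim is unset: token data and key "
                        "material are ephemeral and lost when the pod restarts")
        return findings

    match = next((p for p in pvcs if p.get("name") == claim), None)
    if match is None:
        findings.append(f"PVC '{claim}' does not exist in the namespace; "
                        "create it before installing the chart")
    elif match.get("phase") == "Lost":
        findings.append(f"PVC '{claim}' has lost its volume; token data is gone")
    return findings


# Constructed sample inputs mirroring the values.yaml fragment above.
GOOD_VALUES = {"hsm": {"enabled": True, "softhsm": {
    "enabled": True, "logLevel": "INFO",
    "tokenPersistentVolumeClaim": "softhsm-pvc"}}}
EPHEMERAL_VALUES = {"hsm": {"enabled": True, "softhsm": {"enabled": True}}}
PVCS = [{"name": "softhsm-pvc", "phase": "Bound"}]

if __name__ == "__main__":
    for name, v in (("good", GOOD_VALUES), ("ephemeral", EPHEMERAL_VALUES)):
        print(name, check_hsm_values(v, PVCS) or "OK")
```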
Create and verify HSM crypto token
To create a crypto token and then test the HSM key, do the following:
- In the EJBCA menu, click CA Functions > Crypto Tokens.
- Click Create new and specify the following on the New Crypto Token page:
  - Name: Specify a name for the crypto token.
  - Type: Select PKCS#11 NG.
  - Auto-activation: Select use to allow EJBCA to save the password and reapply it after a restart so that the CA is always available.
  - PKCS#11 : Reference Type: Select Slot/Token Label.
  - PKCS#11 : Reference: Select one of the listed slots available in the HSM, i.e. Token-1 to Token-5.
  - Authentication Code: Enter the password foo123 for auto-activation, the same as provided for the slot or token in the HSM.
- Click Save to create the crypto token.
- Once created, you can generate new key pairs or view any existing key pairs on the HSM.
- To verify that the HSM key is operational, click Test.