Configure Database Protection in Kubernetes

Enterprise

EJBCA can sign database entries, including the security audit log, so that tampering with stored rows is detectable; this is configured in the databaseprotection.properties file. For more information, refer to the EJBCA documentation on Integrity Protected Security Audit Log and EJBCA Security.

The following sections focus on how to configure database protection in Kubernetes using the Helm chart.

Configure database protection in Kubernetes

To configure database protection in Kubernetes using the Helm chart, follow these steps:

  1. Generate a key pair in your HSM: Use your preferred Hardware Security Module (HSM) to create a key pair and note down the following:

    • Slot Label: The label of the slot where the key is created <slot-label>

    • Slot or Token Password: The password for the slot or token <slot-password>

    • Key Label or Name: The label or name of the key <key-label>

  2. Create the databaseprotection.properties file with the following content:

    databaseprotection.enablesign = true
    databaseprotection.enableverify = true
    databaseprotection.keyid = 1
    databaseprotection.keyid.0 = 1
    databaseprotection.keylabel.0 = <key-label>
    databaseprotection.classname.0 = org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken
    databaseprotection.properties.0 = sharedLibrary=/opt/keyfactor/p11proxy-client/p11proxy-client.so, slotLabelType=SLOT_LABEL, slotLabelValue=<slot-label>
    databaseprotection.tokenpin.0 = <slot-password>

    Replace the placeholders (<key-label>, <slot-label>, <slot-password>) with the corresponding values from step 1.
    Info: Multiple crypto tokens can be defined by using databaseprotection.xx.1, databaseprotection.xx.2, and so on, where the keyid is an integer defined by you. This makes it possible to start using a new crypto token with new keys while still being able to verify previously protected rows.

  3. Create a Kubernetes secret with the databaseprotection.properties file:

    kubectl create secret generic ejbca-config-files -n ejbcans \
        --from-file=databaseprotection.properties=databaseprotection.properties

  4. Modify the values.yaml to mount the databaseprotection.properties file in EJBCA.
    Info: Note that if there are existing entries in ejbca.volumes or ejbca.volumeMounts, the new entries need to be appended to them rather than replacing them.

    ejbca:
      volumes:
        - name: databaseprotection
          secret:
            secretName: ejbca-config-files
            items:
              - key: "databaseprotection.properties"
                path: "databaseprotection.properties"
      volumeMounts:
        - name: databaseprotection
          mountPath: /opt/keyfactor/ejbca/conf/databaseprotection.properties
          subPath: databaseprotection.properties

  5. After updating the values.yaml file, deploy EJBCA using the Helm chart.
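The following script is an added example, not part of the EJBCA documentation or the Keyfactor Helm chart, that covers steps 2 to 4 above in a form you can run before touching the cluster: it parses a databaseprotection.properties file, checks the consistency rules the steps rely on (no unreplaced placeholders, signing and verification enabled, every token index N carrying all five databaseprotection.xx.N keys, unique integer keyids, and an active databaseprotection.keyid that names one of the configured tokens, which is what keeps older rows verifiable after a key rollover), then builds the same Secret that the kubectl command in step 3 would create as a JSON manifest, and appends the volume and volumeMount to an existing values structure without dropping entries already present. The properties text embedded in the script is constructed sample data with example labels and password, not real credentials; the function names and the check list are this example's own assumptions.

```python
import base64
import json
import re

# Constructed sample: the file from step 2 with the placeholders replaced by
# example values (not real credentials).
SAMPLE_PROPERTIES = """\
databaseprotection.enablesign = true
databaseprotection.enableverify = true
databaseprotection.keyid = 1
databaseprotection.keyid.0 = 1
databaseprotection.keylabel.0 = dbProtKey
databaseprotection.classname.0 = org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken
databaseprotection.properties.0 = sharedLibrary=/opt/keyfactor/p11proxy-client/p11proxy-client.so, slotLabelType=SLOT_LABEL, slotLabelValue=ejbca-slot
databaseprotection.tokenpin.0 = example-slot-password
"""

PREFIX = "databaseprotection."
# Every crypto token index N must define all of these databaseprotection.xx.N keys.
PER_TOKEN_KEYS = ("keyid", "keylabel", "classname", "properties", "tokenpin")


def parse_properties(text):
    """Parse Java-style 'key = value' lines into a dict; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = [f"placeholder not replaced in {k}" for k, v in props.items()
                if re.search(r"<[^>]+>", v)]
    for flag in ("enablesign", "enableverify"):
        if props.get(PREFIX + flag) != "true":
            problems.append(f"{PREFIX}{flag} is not true")
    # Collect every index N referenced by any databaseprotection.xx.N key.
    indices = {int(m.group(1)) for k in props
               if (m := re.fullmatch(re.escape(PREFIX) + r"[a-z]+\.(\d+)", k))}
    if not indices:
        problems.append("no crypto token configured (no databaseprotection.xx.N keys)")
    keyids = {}  # keyid value -> token index that owns it
    for n in sorted(indices):
        for name in PER_TOKEN_KEYS:
            if f"{PREFIX}{name}.{n}" not in props:
                problems.append(f"token {n} is missing {PREFIX}{name}.{n}")
        keyid = props.get(f"{PREFIX}keyid.{n}")
        if keyid is None:
            continue
        if not keyid.isdigit():
            problems.append(f"{PREFIX}keyid.{n} is not an integer")
        elif keyid in keyids:
            problems.append(f"keyid {keyid} used by both token {keyids[keyid]} and token {n}")
        else:
            keyids[keyid] = n
    # New rows are signed with the active keyid, so it must name a configured token.
    active = props.get(PREFIX + "keyid")
    if active is None:
        problems.append(f"{PREFIX}keyid is missing")
    elif active not in keyids:
        problems.append(f"active keyid {active} does not match any {PREFIX}keyid.N")
    return problems


def secret_manifest(properties_text, name="ejbca-config-files", namespace="ejbcans"):
    """Equivalent of step 3's `kubectl create secret generic --from-file`, as a
    JSON manifest for `kubectl apply -f` (Secret data is base64-encoded)."""
    encoded = base64.b64encode(properties_text.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace}, "type": "Opaque",
            "data": {"databaseprotection.properties": encoded}}


def add_mount(values):
    """Append step 4's volume and volumeMount to an existing values dict,
    keeping any ejbca.volumes / ejbca.volumeMounts entries already present."""
    ejbca = values.setdefault("ejbca", {})
    ejbca.setdefault("volumes", []).append({
        "name": "databaseprotection",
        "secret": {"secretName": "ejbca-config-files",
                   "items": [{"key": "databaseprotection.properties",
                              "path": "databaseprotection.properties"}]}})
    ejbca.setdefault("volumeMounts", []).append({
        "name": "databaseprotection",
        "mountPath": "/opt/keyfactor/ejbca/conf/databaseprotection.properties",
        "subPath": "databaseprotection.properties"})
    return values


if __name__ == "__main__":
    issues = check_properties(parse_properties(SAMPLE_PROPERTIES))
    if issues:
        raise SystemExit("\n".join(issues))
    print(json.dumps(secret_manifest(SAMPLE_PROPERTIES), indent=2))
    existing = {"ejbca": {"volumes": [{"name": "existing", "emptyDir": {}}]}}
    print(json.dumps(add_mount(existing), indent=2))
```

Running the script with a real file in place of SAMPLE_PROPERTIES fails fast on the mistakes that otherwise only show up as a signing or verification error in the EJBCA log after deployment. The merge in add_mount mirrors the note in step 4: it appends rather than assigns, so a chart values file that already mounts other secrets keeps them.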