
SoftHSM2 integration in Kubernetes

ENTERPRISE

The SoftHSM2 sidecar container lets the application container integrate with a network-attached Thales Luna. The following describes how to set up the integration in Kubernetes.

Prerequisites

Create a PersistentVolumeClaim (PVC) to persist the token data, that is, the key material, of the SoftHSM. The command below creates a 100Mi ReadWriteOnce claim named softhsm-pvc, which is the name later referenced by tokenPersistentVolumeClaim.

BASH
kubectl apply -f - <<'EOF'
{apiVersion: v1, kind: PersistentVolumeClaim, metadata: {name: softhsm-pvc},
 spec: {accessModes: [ReadWriteOnce], resources: {requests: {storage: 100Mi}}}}
EOF

Parameters

tokenPersistentVolumeClaim
  Description: Name of the PersistentVolumeClaim used to store the token data (key material). If omitted, an ephemeral (non-persistent) instance is created.
  Default: None
  Required: False

logLevel
  Description: Logging level of the HSM sidecar.
  Default: INFO
  Required: False

Configure Deployment

Add the following to the values.yaml file:

YAML
hsm:
  enabled: true
  softhsm:
    enabled: true
    logLevel: "INFO"
    tokenPersistentVolumeClaim: softhsm-pvc

Create and verify HSM crypto token

To create a crypto token and then test the HSM key, do the following:

  1. In the EJBCA menu, click CA Functions > Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:

    • Name: Specify a name for the crypto token.

    • Type: Select PKCS#11 NG.

    • Auto-activation: Select Use so that EJBCA saves the password and reapplies it after a restart, keeping the CA available.

    • For PKCS#11 : Reference Type, select Slot/Token Label.

    • For PKCS#11 : Reference, select one of the slots listed as available in the HSM, i.e. Token-1 to Token-5.

    • Authentication Code: Enter the password foo123 for auto-activation; it must match the password set for the slot or token in the HSM.

    • Click Save to create the crypto token.

  3. Once created, you can generate new key pairs or view any existing key pairs on the HSM.

  4. To verify that the HSM key is operational, click Test.
