# SoftHSM2 integration in Kubernetes

ENTERPRISE

The SoftHSM2 sidecar container enables integrating the application container with a network-attached Thales Luna. The following covers how to set up the integration in Kubernetes.
## Prerequisites

Create a persistentVolumeClaim (PVC) to persist the token data or key material of the SoftHSM:

```shell
kubectl create pvc softhsm-pvc --access-mode=ReadWriteOnce \
  --resources=requests.storage=100Mi
```
## Parameters

| Name | Description | Comments |
|---|---|---|
| tokenPersistentVolumeClaim | Name of the Persistent Volume Claim that stores token data or key material. If not set, an ephemeral (non-persistent) instance is created. | Default: None |
| logLevel | Logging level of the HSM sidecar. | Default: INFO |
## Configure Deployment

Add the following to the `values.yaml` file:

```yaml
hsm:
  enabled: true
  softhsm:
    enabled: true
    logLevel: "INFO"
    tokenPersistentVolumeClaim: softhsm-pvc
```
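To confirm that the claim configured above really holds the token data (rather than an ephemeral instance that is recreated empty), the following added shell script, which is not part of the SoftHSM2 sidecar or EJBCA documentation, compares the sidecar's token inventory before and after a pod restart. The container name `softhsm`, the `app=<deployment>` pod label and the presence of `softhsm2-util` inside the sidecar are assumptions.

```shell
# Added example (not from the SoftHSM2 sidecar or EJBCA docs): check that token
# data survives a pod restart, i.e. that it lives on the PVC referenced by
# tokenPersistentVolumeClaim. Assumptions: the sidecar container is named
# "softhsm", it ships softhsm2-util, and pods carry the label app=<deployment>.
# Reduce `softhsm2-util --show-slots` output to sorted "label serial" lines,
# keeping only initialized tokens (empty slots carry no serial number).
parse_slots() {
  printf '%s\n' "$1" | awk '
    /^Slot [0-9]+/   { serial = ""; init = "" }
    /Serial number:/ { serial = $3 }
    /Initialized:/   { init = $2 }
    /Label:/         { sub(/^[ \t]*Label:[ \t]*/, "")
                       if (init == "yes" && serial != "") print $0, serial }
  ' | sort
}
# Print each "label serial" line present in $1 (before) but missing from $2 (after).
tokens_lost() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$line" || printf '%s\n' "$line"
  done <<EOF
$1
EOF
}
# Live check (needs kubectl): snapshot tokens, delete the pod, snapshot the replacement.
check_persistence() {
  deploy="$1"; ns="${2:-default}"; sel="app=$deploy"; jp='{.items[0].metadata.name}'
  pod=$(kubectl -n "$ns" get pod -l "$sel" -o jsonpath="$jp")
  before=$(parse_slots "$(kubectl -n "$ns" exec "$pod" -c softhsm -- softhsm2-util --show-slots)")
  kubectl -n "$ns" delete pod "$pod" --wait=true
  kubectl -n "$ns" rollout status "deployment/$deploy" --timeout=300s
  pod=$(kubectl -n "$ns" get pod -l "$sel" -o jsonpath="$jp")
  after=$(parse_slots "$(kubectl -n "$ns" exec "$pod" -c softhsm -- softhsm2-util --show-slots)")
  lost=$(tokens_lost "$before" "$after")
  [ -z "$lost" ] && { echo "all tokens persisted"; return 0; }
  printf 'tokens lost after restart (ephemeral token storage?):\n%s\n' "$lost"; return 1
}

# Constructed, abridged --show-slots output: two initialized tokens and one empty slot.
SAMPLE='Slot 0
        Serial number:    1a2b3c4d5e6f7081
        Initialized:      yes
        Label:            Token-1
Slot 1
        Serial number:    1a2b3c4d5e6f7082
        Initialized:      yes
        Label:            Token-2
Slot 2
        Initialized:      no
        Label:'
```

Run `check_persistence <deployment> <namespace>` against a non-production cluster first; a non-zero exit lists the tokens that were not on the PVC.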
## Create and verify HSM crypto token

To create a crypto token and then test the HSM key, do the following:

1. In the EJBCA menu, click CA Functions > Crypto Tokens.
2. Click Create new and specify the following on the New Crypto Token page:
   - Name: Specify a name for the crypto token.
   - Type: Select PKCS#11 NG.
   - Auto-activation: Select Use to allow EJBCA to save the password and reapply it after a restart, so that the CA is always available.
   - PKCS#11 : Reference Type: Select Slot/Token Label.
   - PKCS#11 : Reference: Select one of the slots listed as available in the HSM, i.e. `Token-1` to `Token-5`.
   - Authentication Code: Enter the password `foo123` for auto-activation, the same as provided for the slot or token in the HSM.
3. Click Save to create the crypto token.
4. Once created, you can generate new key pairs or view any existing key pairs on the HSM.
5. To verify that the HSM key is operational, click Test.