Security: Configuring a Thales DPoD
You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys. Optionally, you can use the software-based SoftHSM implementation for demonstration or testing purposes.
We recommend uploading the Thales DPoD from a zip file using a driver.
Versions v10.2.0-111 and v10.4.0 have been thoroughly tested. If you choose to upload a zip. file that does not have its own driver, we use v10.2.0-111 by default.
The following describes how to configure a Thales DPoD for the Software Appliance by registering the Software Appliance and connecting it to the HSM.
Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you must reset the Software Appliance.
To configure a Thales DPoD for your Software Appliance, follow the steps below.
Connect the Software Appliance with the Thales DPoD
To connect the Software Appliance with the HSM:
- Log in to your Software Appliance and open the Security page or click Configure HSM in the Overview.
In the HSM Configuration section, select Thales DPoD to access the Configuration fields.
- Upload your DPoD service client.zip file.
- Finalize with Save HSM Configuration.
A warning appears to inform you that after saving HSM configuration you can no longer switch to a different HSM.
To change the HSM configuration, you need to reset your EJBCA Software Appliance. Proceed by clicking Activate. Finalize with Activate.
After the DPoD file is successfully uploaded, there is an option to modify the already uploaded DPoD file. The checksum of the service client and the partition serial number of the uploaded DPod zip file are additionally displayed. Click Remove Service Client to upload a new zip file.
On the Security page of the application, the status of the HSM Driver will change from Not Connected to Connected as soon as the configuration is completed.
On the Overview page of the application, the status in the HSM Overview also changes to Connected as soon as the configuration is completed. During configuration, the appliance is in the Restarting status. During this time, it is not available.
Once EJBCA is running again, you can proceed with adding a crypto token.
Add a Crypto Token in EJBCA Enterprise
To create a crypto token:
- On the Overview page of the Software Appliance, click Admin Web for EJBCA in the Application Overview column.
- The EJBCA Enterprise page opens.
Check whether the Create new CA checkbox is selected. - Open the CA Functions drop-down menu in the top menu.
- In the CA Functions section, select Crypto Tokens.
- On the Manage Crypto Tokens page, click Create New...
The individual configuration of the Crypto Token depends on the configuration of the HSM! For detailed Information please see managing crypto tokens.
HSM Troubleshooting
In the section HSM Driver Controls the current HSM Driver Status is displayed.
In case of HSM problems, the HSM driver can be restarted via the Restart button.