Install CipherMail HSM module

Copy the file djigzo-hsm-*.noarch.rpm to the CipherMail appliance

Install HSM module

sudo yum install djigzo-hsm-*.noarch.rpm

nCipher

This section explains how to integrate an nCipher HSM with the CipherMail gateway.

Note

The nCipher support software should already be installed according to the nCipher installation instructions.

Configure nCipher tools

The Linux user which runs the CipherMail back-end (which is by default the user djigzo), should be allowed to access the nCipher kmdata directory. The djigzo user should therefore be added to the nfast Linux group.

On RedHat/CentOS:

sudo usermod -a -G nfast djigzo

Configure PKCS#11

The CipherMail integration module uses PKCS#11 to interface with the nCipher HSM.

A symlink to the PKCS#11 configuration files should be added to the CipherMail configuration directory:

cd /usr/share/djigzo/conf/
sudo ln -s /usr/share/djigzo-hsm/conf/hsm/

Make sure the required PKCS#11 lib files are loaded at startup:

cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/ hsm

Configure CipherMail gateway to use the HSM:

cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml

Note

The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If problem with the HSM is detected, the back-end will automatically restart itself.

Configure nCipher

Configure the PKCS11 library to use the nCipher HSM:

cd /usr/share/djigzo/conf/hsm/
sudo ln -s iaik-pkcs11-config.properties.ncipher iaik-pkcs11-config.properties

Note

The file iaik-pkcs11-config.properties.ncipher contains HSM specific settings like for example the slot ID. If a different slot ID should be used, change the setting.

To allow module protected keys, the following line should be added to the nCipher configuration file /opt/nfast/cknfastrc:

CKNFAST_FAKE_ACCELERATOR_LOGIN=1

sudo vi /opt/nfast/cknfastrc

Restart

nCipher daemon and CipherMail back-end should be restarted for the changes to take effect:

sudo /etc/init.d/nc_hardserver restart
sudo systemctl restart ciphermail-gateway-backend

Check CipherMail back-end logs to see if the back-end starts correctly:

tail -f /var/log/ciphermail-gateway-backend.log

SafeNet ProtectServer

This section explains how to integrate a SafeNet ProtectServer HSM with the CipherMail gateway.

Note

The SafeNet ProtectServer software should already be installed according to the installation documentation.

Configure PKCS#11

The CipherMail integration module uses PKCS#11 to interface with the SafeNet ProtectServer HSM.

A symlink to the PKCS#11 configuration files should be added to the CipherMail configuration directory:

cd /usr/share/djigzo/conf/
sudo ln -s /usr/share/djigzo-hsm/conf/hsm/

Make sure the required PKCS#11 lib files are loaded at startup:

cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/ hsm

Configure CipherMail gateway to use the HSM:

cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml

Note

The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If problem with the HSM is detected, the back-end will automatically restart itself.

Configure ProtectServer

Initialize Admin Token SO and the Administrator PIN and initialize slot 0. The slot must be initialized as the Linux user that runs the CipherMail back-end (by default user djigzo):

Note

The -fc option sets the No Public Crypto flag to make sure that for each token the CKF_LOGIN_REQUIRED flag is set and that either the USER or SO must be logged in.

sudo su djigzo -s /bin/bash
export LD_LIBRARY_PATH=/opt/PTK/lib
/opt/PTK/bin/ctconf -fc
/opt/PTK/bin/ctkmu t -s0 -ldjigzo
exit

Configure the PKCS11 library to use the ProtectServer HSM:

cd /usr/share/djigzo/conf/hsm/
sudo ln -s iaik-pkcs11-config.properties.safenet iaik-pkcs11-config.properties

Note

The file iaik-pkcs11-config.properties.safenet contains HSM specific settings like for example the slot ID and user PIN. If a different slot ID or PIN should be used, change the setting.

Restart

The CipherMail back-end should be restarted for the changes to take effect:

sudo systemctl restart ciphermail-gateway-backend

Check CipherMail back-end logs to see if the back-end starts correctly:

tail -f /var/log/ciphermail-gateway-backend.log

SafeNet Luna

This section explains how to integrate a SafeNet Luna HSM with the CipherMail gateway.

Note

The SafeNet Luna software should already be installed according to the installation documentation.

Configure CipherMail

Some additional library files are required.

cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/djigzo-hsm.jar
sudo ln -s /usr/share/djigzo-hsm/lib/luna/LunaProvider.jar
sudo ln -s /usr/safenet/lunaclient/jsp/lib/libLunaAPI.so

Configure CipherMail gateway to use the Luna HSM:

cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-security-factory.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-settings.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml

Note

The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If problem with the HSM is detected, the back-end will automatically restart itself.

Configure Luna settings

The password and slot should be configured in the file: /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-settings.xml

Restart

The CipherMail back-end should be restarted for the changes to take effect:

sudo systemctl restart ciphermail-gateway-backend

Check CipherMail back-end logs to see if the back-end starts correctly:

tail -f /var/log/ciphermail-gateway-backend.log

Utimaco CryptoServer

This section explains how to integrate an Utimaco CryptoServer HSM with the CipherMail gateway.

Note

The Utimaco CryptoServer software should already be installed according to the installation documentation.

Configure CryptoServer

A configuration file for CryptoServer should be stored in /opt/utimaco/cs_pkcs11_R2.cfg. The cs_pkcs11_R2.cfg file should at least contain the device to be used.

The following example shows a minimal config file for a CryptoServer Lan accessible on IP address 192.168.1.34 port 3001:

[Global]
Timeout = 5000
Logging = 0
Logpath = /tmp

[CryptoServer]
Device     = TCP:3001@192.168.1.34
Timeout    = 600000
AppTimeout = 864000
SlotCount  = 100

Note

The AppTimeout setting should be set to a high value (for example 864000).

The location of the Utimaco config file should be configured using an environment variable. Add the following line to the file /etc/default/djigzo:

export CS_PKCS11_R2_CFG=/opt/utimaco/cs_pkcs11_R2.cfg

Configure PKCS#11

The CipherMail integration module uses PKCS#11 to interface with the Utimaco CryptoServer HSM.

A symlink to the PKCS#11 configuration files should be added to the CipherMail configuration directory:

cd /usr/share/djigzo/conf/
sudo ln -s /usr/share/djigzo-hsm/conf/hsm/

Make sure the required PKCS#11 lib files are loaded at startup:

cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/ hsm

Configure CipherMail gateway to use the HSM:

cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml

Note

The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If problem with the HSM is detected, the back-end will automatically restart itself.

Configure CryptoServer

Configure the PKCS11 library to use the CryptoServer HSM:

cd /usr/share/djigzo/conf/hsm/
sudo ln -s iaik-pkcs11-config.properties.utimaco iaik-pkcs11-config.properties

Note

The file iaik-pkcs11-config.properties.utimaco contains HSM specific settings like for example the PIN and the slot ID. If a different PIN or slot ID should be used, change the setting.

Additional CipherMail settings

Some Utimaco specific settings are required.

Add the following line to file /usr/share/djigzo/wrapper/wrapper-additional-parameters.conf:

-Dciphermail.crypto.cms.mustProduceEncodableUnwrappedKey=true

Restart

The CipherMail back-end should be restarted for the changes to take effect:

sudo systemctl restart ciphermail-gateway-backend

Check CipherMail back-end logs to see if the back-end starts correctly:

tail -f /var/log/ciphermail-gateway-backend.log

Securosys Primus

This section explains how to integrate a Securosys Primus HSM with the CipherMail gateway.

Note

The Securosys Primus software should already be installed according to the installation documentation.

Configure CipherMail

Some additional library files are required.

cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/djigzo-hsm.jar
sudo ln -s /usr/share/djigzo-hsm/lib/securosys/primusX.jar

Configure CipherMail gateway to use the Primus HSM:

cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-security-factory.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-settings.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml

Note

The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If problem with the HSM is detected, the back-end will automatically restart itself.

Configure Primus settings

The URL, port, username and password for the HSM connection should be configured in the file: /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-settings.xml

Restart

The CipherMail back-end should be restarted for the changes to take effect:

sudo systemctl restart ciphermail-gateway-backend

Check CipherMail back-end logs to see if the back-end starts correctly:

tail -f /var/log/ciphermail-gateway-backend.log