Install CipherMail HSM module
Copy the file djigzo-hsm-*.noarch.rpm to the CipherMail appliance
Install HSM module
sudo yum install djigzo-hsm-*.noarch.rpm
nCipher
This section explains how to integrate an nCipher HSM with the CipherMail gateway.
Note
The nCipher support software should already be installed according to the nCipher installation instructions.
Configure nCipher tools
The Linux user that runs the CipherMail back-end (by default the user djigzo) must be able to access the nCipher kmdata directory. The djigzo user should therefore be added to the nfast Linux group.
On RedHat/CentOS:
sudo usermod -a -G nfast djigzo
Configure PKCS#11
The CipherMail integration module uses PKCS#11 to interface with the nCipher HSM.
A symlink to the PKCS#11 configuration files should be added to the CipherMail configuration directory:
cd /usr/share/djigzo/conf/
sudo ln -s /usr/share/djigzo-hsm/conf/hsm/
Make sure the required PKCS#11 lib files are loaded at startup:
cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/ hsm
Configure CipherMail gateway to use the HSM:
cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml
Note
The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If a problem with the HSM is detected, the back-end will automatically restart itself.
Configure nCipher
Configure the PKCS11 library to use the nCipher HSM:
cd /usr/share/djigzo/conf/hsm/
sudo ln -s iaik-pkcs11-config.properties.ncipher iaik-pkcs11-config.properties
Note
The file iaik-pkcs11-config.properties.ncipher contains HSM-specific settings such as the slot ID. If a different slot ID should be used, change the setting.
To allow module-protected keys, the following line should be added to the nCipher configuration file /opt/nfast/cknfastrc:
CKNFAST_FAKE_ACCELERATOR_LOGIN=1
Edit the file, for example with:
sudo vi /opt/nfast/cknfastrc
Restart
The nCipher daemon and the CipherMail back-end should be restarted for the changes to take effect:
sudo /etc/init.d/nc_hardserver restart
sudo systemctl restart ciphermail-gateway-backend
Check CipherMail back-end logs to see if the back-end starts correctly:
tail -f /var/log/ciphermail-gateway-backend.log
SafeNet ProtectServer
This section explains how to integrate a SafeNet ProtectServer HSM with the CipherMail gateway.
Note
The SafeNet ProtectServer software should already be installed according to the installation documentation.
Configure PKCS#11
The CipherMail integration module uses PKCS#11 to interface with the SafeNet ProtectServer HSM.
A symlink to the PKCS#11 configuration files should be added to the CipherMail configuration directory:
cd /usr/share/djigzo/conf/
sudo ln -s /usr/share/djigzo-hsm/conf/hsm/
Make sure the required PKCS#11 lib files are loaded at startup:
cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/ hsm
Configure CipherMail gateway to use the HSM:
cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml
Note
The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If a problem with the HSM is detected, the back-end will automatically restart itself.
Configure ProtectServer
Initialize the Admin Token SO and Administrator PIN, and initialize slot 0. The slot must be initialized as the Linux user that runs the CipherMail back-end (by default the user djigzo):
Note
The -fc option sets the No Public Crypto flag to make sure that for each token the CKF_LOGIN_REQUIRED flag is set and that either the USER or SO must be logged in.
sudo su djigzo -s /bin/bash
export LD_LIBRARY_PATH=/opt/PTK/lib
/opt/PTK/bin/ctconf -fc
/opt/PTK/bin/ctkmu t -s0 -ldjigzo
exit
Configure the PKCS11 library to use the ProtectServer HSM:
cd /usr/share/djigzo/conf/hsm/
sudo ln -s iaik-pkcs11-config.properties.safenet iaik-pkcs11-config.properties
Note
The file iaik-pkcs11-config.properties.safenet contains HSM-specific settings such as the slot ID and user PIN. If a different slot ID or PIN should be used, change the setting.
Restart
The CipherMail back-end should be restarted for the changes to take effect:
sudo systemctl restart ciphermail-gateway-backend
Check CipherMail back-end logs to see if the back-end starts correctly:
tail -f /var/log/ciphermail-gateway-backend.log
SafeNet Luna
This section explains how to integrate a SafeNet Luna HSM with the CipherMail gateway.
Note
The SafeNet Luna software should already be installed according to the installation documentation.
Configure CipherMail
Some additional library files are required.
cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/djigzo-hsm.jar
sudo ln -s /usr/share/djigzo-hsm/lib/luna/LunaProvider.jar
sudo ln -s /usr/safenet/lunaclient/jsp/lib/libLunaAPI.so
Configure CipherMail gateway to use the Luna HSM:
cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-security-factory.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-settings.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml
Note
The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If a problem with the HSM is detected, the back-end will automatically restart itself.
Configure Luna settings
The password and slot should be configured in the file:
/usr/share/djigzo-hsm/conf/spring/hsm/safenet/hsm-safenet-luna-settings.xml
Restart
The CipherMail back-end should be restarted for the changes to take effect:
sudo systemctl restart ciphermail-gateway-backend
Check CipherMail back-end logs to see if the back-end starts correctly:
tail -f /var/log/ciphermail-gateway-backend.log
Utimaco CryptoServer
This section explains how to integrate a Utimaco CryptoServer HSM with the CipherMail gateway.
Note
The Utimaco CryptoServer software should already be installed according to the installation documentation.
Configure CryptoServer
A configuration file for CryptoServer should be stored in /opt/utimaco/cs_pkcs11_R2.cfg. The cs_pkcs11_R2.cfg file should at least contain the device to be used.
The following example shows a minimal config file for a CryptoServer LAN accessible on IP address 192.168.1.34 port 3001:
[Global]
Timeout = 5000
Logging = 0
Logpath = /tmp
[CryptoServer]
Device = TCP:3001@192.168.1.34
Timeout = 600000
AppTimeout = 864000
SlotCount = 100
Note
The AppTimeout setting should be set to a high value (for example 864000).
The location of the Utimaco config file should be configured using an environment variable. Add the following line to the file /etc/default/djigzo:
export CS_PKCS11_R2_CFG=/opt/utimaco/cs_pkcs11_R2.cfg
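A typo in the cfg file or in the export line only shows up later as a back-end that fails to start. The following POSIX shell script is an added example, not part of the CipherMail or Utimaco documentation: it reads the CS_PKCS11_R2_CFG export from an /etc/default/djigzo-style file and validates the referenced cfg, requiring a [CryptoServer] Device of the TCP:<port>@<host> form shown above and an AppTimeout of at least 864000. That threshold is an assumption taken from the note's example value, not a documented Utimaco limit, and the function names are the example's own.

```sh
#!/bin/sh
# Added example: sanity-check the Utimaco PKCS#11 configuration before the
# back-end is restarted. Not part of CipherMail or the Utimaco software.

# Minimum AppTimeout accepted by the check. Assumption: the documentation only
# says "a high value (for example 864000)", so that example value is used.
MIN_APP_TIMEOUT=864000

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Whitespace around '=' and a trailing CR are stripped; the first match wins.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/[ \t\r]/, "", line); in_s = (line == s); next }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }' "$1"
}

# check_cs_pkcs11_cfg FILE: 0 when FILE has a usable [CryptoServer] Device and
# AppTimeout; prints one line per problem and returns 1 otherwise.
check_cs_pkcs11_cfg() {
    _cfg=$1 _rc=0
    [ -r "$_cfg" ] || { echo "cannot read $_cfg"; return 1; }
    _dev=$(ini_get "$_cfg" CryptoServer Device)
    case $_dev in
        TCP:[0-9]*@?*) ;;                       # loose TCP:<port>@<host> check
        "") echo "no Device in [CryptoServer]"; _rc=1 ;;
        *)  echo "unexpected Device format: $_dev"; _rc=1 ;;
    esac
    _to=$(ini_get "$_cfg" CryptoServer AppTimeout)
    case $_to in
        ''|*[!0-9]*) echo "AppTimeout missing or not numeric"; _rc=1 ;;
        *) [ "$_to" -ge "$MIN_APP_TIMEOUT" ] ||
               { echo "AppTimeout $_to is below $MIN_APP_TIMEOUT"; _rc=1; } ;;
    esac
    return $_rc
}

# cfg_path_from_defaults FILE: print the path assigned to CS_PKCS11_R2_CFG in an
# /etc/default/djigzo style file (last assignment wins, double quotes removed).
cfg_path_from_defaults() {
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}CS_PKCS11_R2_CFG=//p' "$1" |
        tail -n 1 | sed 's/^"//; s/"$//'
}

# check_utimaco_setup DEFAULTS_FILE: resolve the export, then validate the cfg.
check_utimaco_setup() {
    _path=$(cfg_path_from_defaults "$1")
    if [ -z "$_path" ]; then
        echo "CS_PKCS11_R2_CFG is not exported in $1"; return 1
    fi
    echo "CS_PKCS11_R2_CFG=$_path"
    check_cs_pkcs11_cfg "$_path"
}

# Stand-alone run: check the live files if present, otherwise a constructed
# copy of the minimal config from this page, written to a temporary directory.
if [ -r /etc/default/djigzo ]; then
    check_utimaco_setup /etc/default/djigzo || echo "fix the problems above before restarting"
else
    _tmp=$(mktemp -d)
    cat > "$_tmp/cs_pkcs11_R2.cfg" <<'EOF'
[Global]
Timeout = 5000
[CryptoServer]
Device = TCP:3001@192.168.1.34
AppTimeout = 864000
EOF
    printf 'export CS_PKCS11_R2_CFG=%s\n' "$_tmp/cs_pkcs11_R2.cfg" > "$_tmp/djigzo"
    check_utimaco_setup "$_tmp/djigzo" || echo "constructed sample did not validate"
    rm -rf "$_tmp"
fi
```

Run it on the appliance as the djigzo user, since that is the user whose environment the export must reach; a non-zero exit means the back-end restart would have failed for a reason visible in the output.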
Configure PKCS#11
The CipherMail integration module uses PKCS#11 to interface with the Utimaco CryptoServer HSM.
A symlink to the PKCS#11 configuration files should be added to the CipherMail configuration directory:
cd /usr/share/djigzo/conf/
sudo ln -s /usr/share/djigzo-hsm/conf/hsm/
Make sure the required PKCS#11 lib files are loaded at startup:
cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/ hsm
Configure CipherMail gateway to use the HSM:
cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml
Note
The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If a problem with the HSM is detected, the back-end will automatically restart itself.
Configure CryptoServer
Configure the PKCS11 library to use the CryptoServer HSM:
cd /usr/share/djigzo/conf/hsm/
sudo ln -s iaik-pkcs11-config.properties.utimaco iaik-pkcs11-config.properties
Note
The file iaik-pkcs11-config.properties.utimaco contains HSM-specific settings such as the PIN and the slot ID. If a different PIN or slot ID should be used, change the setting.
Additional CipherMail settings
Some Utimaco specific settings are required.
Add the following line to the file /usr/share/djigzo/wrapper/wrapper-additional-parameters.conf:
-Dciphermail.crypto.cms.mustProduceEncodableUnwrappedKey=true
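Three steps on this page append one line to an existing file: CKNFAST_FAKE_ACCELERATOR_LOGIN=1 to /opt/nfast/cknfastrc, the CS_PKCS11_R2_CFG export to /etc/default/djigzo, and the wrapper parameter above. Doing that by hand, or with a plain echo >>, duplicates the line on a second run and corrupts a file whose last line has no trailing newline. The following POSIX shell helper is an added example (not CipherMail code) that makes the append idempotent and handles that missing-newline case; ensure_line and count_line are names chosen for the example.

```sh
#!/bin/sh
# Added example: append a configuration line only if it is not already present.
# Not part of CipherMail; written for the "add the following line" steps on
# this page (cknfastrc, /etc/default/djigzo, wrapper-additional-parameters.conf).

# ensure_line FILE LINE: return 0 when LINE is present in FILE afterwards.
# The match is on the whole line, so a commented-out or differently valued
# variant does not count as present and the wanted line is still appended.
ensure_line() {
    _file=$1 _line=$2
    [ -e "$_file" ] || : > "$_file" || return 1
    if grep -qxF -- "$_line" "$_file"; then
        return 0                                  # already there, nothing to do
    fi
    # A file whose last line has no newline would otherwise get the new line
    # glued onto it (wc -l counts newline characters: 0 means none at the end).
    if [ -s "$_file" ] && [ "$(tail -c 1 "$_file" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '\n' >> "$_file"
    fi
    printf '%s\n' "$_line" >> "$_file"
}

# count_line FILE LINE: how many times LINE occurs as a whole line (0 if none).
count_line() {
    _n=$(grep -cxF -- "$2" "$1" 2>/dev/null)
    echo "${_n:-0}"
}

# Stand-alone run on a constructed scratch file (the real targets need root):
_tmp=$(mktemp)
printf 'existing=1' > "$_tmp"                   # constructed, deliberately no final newline
ensure_line "$_tmp" 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1'
ensure_line "$_tmp" 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1'   # second call is a no-op
echo "occurrences: $(count_line "$_tmp" 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1')"
cat "$_tmp"
rm -f "$_tmp"
```

On the appliance the call for the wrapper file would be, as root, ensure_line /usr/share/djigzo/wrapper/wrapper-additional-parameters.conf '-Dciphermail.crypto.cms.mustProduceEncodableUnwrappedKey=true'; the leading dash is safe because the helper passes the line to grep after --.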
Restart
The CipherMail back-end should be restarted for the changes to take effect:
sudo systemctl restart ciphermail-gateway-backend
Check CipherMail back-end logs to see if the back-end starts correctly:
tail -f /var/log/ciphermail-gateway-backend.log
Securosys Primus
This section explains how to integrate a Securosys Primus HSM with the CipherMail gateway.
Note
The Securosys Primus software should already be installed according to the installation documentation.
Configure CipherMail
Some additional library files are required.
cd /usr/share/djigzo/lib/lib.d
sudo ln -s /usr/share/djigzo-hsm/lib/djigzo-hsm.jar
sudo ln -s /usr/share/djigzo-hsm/lib/securosys/primusX.jar
Configure CipherMail gateway to use the Primus HSM:
cd /usr/share/djigzo/conf/spring/spring.d
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-pgp.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-security-factory.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-settings.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus.xml
sudo ln -s /usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml
Note
The HSM watchdog will create a test key the first time it is activated and will periodically check (by default every 30 seconds) whether the HSM can be accessed and whether it is functional. If a problem with the HSM is detected, the back-end will automatically restart itself.
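Every section on this page wires the HSM module in with symlinks, and a link that was created in the wrong directory, points at a non-existent target, or was skipped is the usual reason the back-end does not come up after the restart. The following POSIX shell script is an added example, not part of CipherMail: check_link verifies a single symlink, check_links reads "link target" pairs from stdin, and pkcs11_link_list emits the pairs created by the "Configure PKCS#11" steps shared by the nCipher, ProtectServer and Utimaco sections. The Luna and Primus link sets can be checked the same way by feeding their own pairs to check_links. All function names are the example's own, and the optional prefix argument exists only so the check can be exercised outside the appliance.

```sh
#!/bin/sh
# Added example: verify the symlinks the HSM module depends on before the
# back-end is restarted. Not part of CipherMail; written for this page.

# check_link LINK [TARGET]: 0 when LINK is a symlink that resolves to an existing
# path and, if TARGET is given, points at it (trailing slashes are ignored).
check_link() {
    _link=$1 _want=${2%/}
    if [ ! -L "$_link" ]; then
        echo "MISSING  $_link"; return 1
    fi
    _got=$(readlink "$_link"); _got=${_got%/}
    if [ -n "$_want" ] && [ "$_got" != "$_want" ]; then
        echo "WRONG    $_link -> $_got (expected $_want)"; return 1
    fi
    if [ ! -e "$_link" ]; then
        echo "DANGLING $_link -> $_got"; return 1
    fi
    echo "OK       $_link -> $_got"
}

# check_links: read "link target" pairs from stdin (blank lines and '#'
# comments ignored) and return the number of links that failed (0 = all fine).
check_links() {
    _fail=0
    while read -r _l _t; do
        case $_l in ''|'#'*) continue ;; esac
        check_link "$_l" "$_t" || _fail=$((_fail + 1))
    done
    return $_fail
}

# pkcs11_link_list [PREFIX]: the link/target pairs created by the
# "Configure PKCS#11" steps (nCipher, ProtectServer, Utimaco sections),
# rooted at PREFIX (default /; a scratch prefix allows a dry run elsewhere).
pkcs11_link_list() {
    _p=${1:-/}; _p=${_p%/}
    cat <<EOF
$_p/usr/share/djigzo/conf/hsm $_p/usr/share/djigzo-hsm/conf/hsm
$_p/usr/share/djigzo/lib/lib.d/hsm $_p/usr/share/djigzo-hsm/lib
$_p/usr/share/djigzo/conf/spring/spring.d/hsm.xml $_p/usr/share/djigzo-hsm/conf/spring/hsm.xml
$_p/usr/share/djigzo/conf/spring/spring.d/hsm-iaik.xml $_p/usr/share/djigzo-hsm/conf/spring/hsm-iaik.xml
$_p/usr/share/djigzo/conf/spring/spring.d/hsm-pgp.xml $_p/usr/share/djigzo-hsm/conf/spring/hsm-pgp.xml
$_p/usr/share/djigzo/conf/spring/spring.d/hsm-watchdog.xml $_p/usr/share/djigzo-hsm/conf/spring/hsm-watchdog.xml
EOF
}

# Stand-alone run: check the live appliance layout (or a prefix given as $1).
pkcs11_link_list "${1:-/}" | check_links || echo "one or more links are not in place"
```

The three states it reports map to three different mistakes: MISSING means the ln -s step was skipped or run in the wrong directory, WRONG means a link name collided with an existing one or the target path was mistyped, and DANGLING means the djigzo-hsm package files the link points at are not installed where expected.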
Configure Primus settings
The URL, port, username and password for the HSM connection should be configured in the file:
/usr/share/djigzo-hsm/conf/spring/hsm/securosys/hsm-securosys-primus-settings.xml
Restart
The CipherMail back-end should be restarted for the changes to take effect:
sudo systemctl restart ciphermail-gateway-backend
Check CipherMail back-end logs to see if the back-end starts correctly:
tail -f /var/log/ciphermail-gateway-backend.log