#9273 [RFE] Support IPA CA installation on an HSM
Closed: fixed 8 months ago by rcritten. Opened 2 years ago by rcritten.

Request for enhancement

A hardware security module (HSM) is a physical device that provides physical protection for key generation and storage, encryption and decryption, and similar operations. Private keys generated on the device cannot be extracted from it, which gives them strong protection.

PKCS#11 libraries are used to communicate with an HSM for operations such as signing, generating a key, or installing a certificate.

The request is to provide general support for using an HSM device to store the CA and KRA private keys and certificates.

dogtag, the CA that IPA uses, supports using an HSM for storing keys.


Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1405935

2 years ago

master:

  • 8316191 Support tokens and optional password files when opening an NSS db

ipa-4-10:

  • 1de3f6c Support tokens and optional password files when opening an NSS db

master:

  • a7b58b3 doc: Design for HSM support

ipa-4-10:

  • 2aa8ec1 doc: Design for HSM support

Metadata Update from @abbra:
- Custom field changelog adjusted to FreeIPA CA can now be deployed with a hardware security module as a CA storage device. Supported use case details can be found in HSM design document: https://freeipa.readthedocs.io/en/ipa-4-10/designs/hsm.html

2 years ago

master:

  • cba3094 Support the certmonger nss-user option
  • e6078c6 Don't generate a cafile on HSM installations
  • 34f28f0 Add token support to installer certificate handling
  • 73d52a6 Only generate kracert.p12 when not installing with HSM
  • e323470 Don't move KRA keys when key backup is disabled
  • f658a26 doc: Add token-password-file to HSM design, set new OID
  • d9efa72 Add LDAP attribute ipaCaHSMConfiguration to store HSM state
  • 82c0b19 Add HSM configuration options to installer scripts
  • a99091a Add attribute ipacahsmconfiguration to the "Read CAs" ACI
  • 7ad3b48 Update SELinux policy to allow certmonger to PKI config files
  • 9362200 Add token support to the renew_ca_cert certmonger helper
  • d0c489e If HSM is configured add the token name to config-show output
  • 0708f60 renew_ca_cert: skip removing non-CA certs, fix nickname
  • b89aa91 renew_ca_cert: set peer trust on the KRA audit certificate
  • 06a8791 tests: helper to copy files from one host to another
  • 36dbc6b ipatests: test software HSM installation with server & replica
  • 6b894f2 After installing a KRA, copy the updated token to other machines
  • 31d66ba Validate the HSM token library path and name during installation
  • c6dd21f Remove caSigningCert from list of certs to renew
  • 87ecca0 Add SELinux subpackage for nCipher nfast HSM support
  • f8798b3 Add SELinux subpackage for Thales Luna HSM support
  • 1ec875c ipatests: test software HSM installation with server & replica
  • b63103c tests: Fix failing test test_testconfig.py with missing token variables
  • c6f2d02 dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
  • 31fda79 Prompt for token password if not provided in replica/ipa-ca-install
  • b9ec2fb KRA: force OAEP for some HSM-based installations
  • ea0bf40 After an HSM replica install ensure all certs are visible
  • bcd8d2d Require certmonger 0.79.17+ for required HSM changes
  • 879a937 Include the HSM tests in the nightlies
  • 6b6c187 Call hsm_validator on KRA installs and validate the HSM password
  • c861ce5 Add SELinux module checking to hsm_validator
  • 6af8577 docs: Add a section on SELinux modules to the HSM design

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
