|
Packit |
8681c6 |
CCA TOKEN
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Overview
|
|
Packit |
8681c6 |
--------
|
|
Packit |
8681c6 |
The CCA token is a secure key token.
|
|
Packit |
8681c6 |
A Secure key - key value does not exist in the clear outside of the HSM
|
|
Packit |
8681c6 |
(secure, tamper-resistent boundary of the card). It is a clear key wrapped
|
|
Packit |
8681c6 |
with the appropriate MasterKey that has been installed into the secure hardware.
|
|
Packit |
8681c6 |
A clear key is generated in the hardware, wrapped with the appropriate
|
|
Packit |
8681c6 |
master key that has been installed into the hardware. The wrapped key is then
|
|
Packit |
8681c6 |
passed back to the invoker. Upon an encryption and/or decryption request,
|
|
Packit |
8681c6 |
the wrapped key and the data to be encrypted are passed into the hardware.
|
|
Packit |
8681c6 |
The wrapped key is verified, and the clear key is used to encrypt and/or
|
|
Packit |
8681c6 |
decrypt the data. All this is done in the CCA hardware.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Within openCryptoki, this wrapped key value is stored in the CKA_IBM_OPAQUE
|
|
Packit |
8681c6 |
attribute rather than the CKA_VALUE attribute.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Pre-requisites:
|
|
Packit |
8681c6 |
The CCA token requires cca library, libcsulcca.so, which is part of the
|
|
Packit |
8681c6 |
csulcca rpm.
|
|
Packit |
8681c6 |
It also requires proper configuration and installation of the MK keys into
|
|
Packit |
8681c6 |
the hardware which is outside the scope of this document.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Configuration
|
|
Packit |
8681c6 |
-------------
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
To use the CCA token a slot entry must be defined in the
|
|
Packit |
8681c6 |
opencryptoki.conf configuration file that sets the stdll attribute to
|
|
Packit |
8681c6 |
libcsulcca.so.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
The CCA token also requires that the appropriate master keys have
|
|
Packit |
8681c6 |
been installed into the hardware. The corresponding driver must also be
|
|
Packit |
8681c6 |
loaded, i.e. modprobe z90crypt.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CCA Token Objects
|
|
Packit |
8681c6 |
-------------------------
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
openCryptoki stores token objects on disk. Public token objects are not
|
|
Packit |
8681c6 |
encrypted. Private token objects are encrypted.
|
|
Packit |
8681c6 |
Versions of openCryptoki prior to version 3, used a CCA generated secure key
|
|
Packit |
8681c6 |
(des3 key) and the crypto adapter to encrypt the private token object's data.
|
|
Packit |
8681c6 |
In version 3, a clear key (des3 key) and software crypto (openssl) are used
|
|
Packit |
8681c6 |
to encrypt this data.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Migration Information
|
|
Packit |
8681c6 |
---------------------
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Migrating version 2 private token objects to version 3 is ONLY required if
|
|
Packit |
8681c6 |
the system will run openCryptoki version 3 and will use private token
|
|
Packit |
8681c6 |
objects saved or preserved from version 2.
|
|
Packit |
8681c6 |
Note, public token objects do not need to be migrated.
|
|
Packit |
8681c6 |
If there are no private token objects from version 2, then the version 3
|
|
Packit |
8681c6 |
does not require any migrating.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
In version 2 private token objects are encrypted and decrypted with a secure
|
|
Packit |
8681c6 |
key in the crypto adapter. In version 3, this encryption and decryption is
|
|
Packit |
8681c6 |
done with a clear key using software crypto. Therefore, openCryptoki
|
|
Packit |
8681c6 |
version 3, will not successfully decrypt a version 2 private token object.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Version 2 private token objects must be "migrated" to version 3 so that
|
|
Packit |
8681c6 |
openCryptoki version 3 can access these objects. This migration will
|
|
Packit |
8681c6 |
decrypt the objects using the CCA call, CSNBDEC and the current
|
|
Packit |
8681c6 |
openCryptoki key stored in MK_USER. The objects will then be re-encrypted
|
|
Packit |
8681c6 |
using software crypto. The key bits that are stored in MK_USER will then be
|
|
Packit |
8681c6 |
used as a clear key.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Once the migration has completed, these private token objects should then be
|
|
Packit |
8681c6 |
accessible to version 3.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Migration Steps
|
|
Packit |
8681c6 |
---------------
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
1. Either update or install version 3.
|
|
Packit |
8681c6 |
a. Update to openCryptoki version 3. In most Linux distributions, an update
|
|
Packit |
8681c6 |
from version 2 to version 3 will preserve the contents of the CCA data-store.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
b. Install openCryptoki version 3. In most distributions, an install will
|
|
Packit |
8681c6 |
remove the contents of the CCA data-store. You will essentially be starting
|
|
Packit |
8681c6 |
from the beginning and have to initialize the CCA token.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
In this scenario, if a prior version of openCryptoki had been running on the
|
|
Packit |
8681c6 |
system, and you wanted to preserve your token objects, you will have saved
|
|
Packit |
8681c6 |
or backed them up somewhere.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
2. Backup the CCA data-store before migrating. It is always a good idea to
|
|
Packit |
8681c6 |
back up the data in case the migration is unsuccessful or data is corrupted.
|
|
Packit |
8681c6 |
The data-store is the directory in which the CCA token information is stored
|
|
Packit |
8681c6 |
on disk. In most distributions it can be found in /var/lib/opencryptoki/ccatok.
|
|
Packit |
8681c6 |
Within this directory there is,
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
MK_USER: The des3 key used for internal on-disk encryption, encrypted
|
|
Packit |
8681c6 |
under the USER's PIN by software routines
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
MK_SO: The des3 key used for internal on-disk encryption, encrypted
|
|
Packit |
8681c6 |
under the SO's PIN by software routines
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
NKTOK.DAT: Token information.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TOK_OBJ: The directory in which token objects are stored.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TOK_OBJ/OBJ.IDX: A list of current token objects.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
**NOTE: MK_USER and MK_SO contain the same key, encrypted under
|
|
Packit |
8681c6 |
different PINs
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
3. Ensure no openCryptoki processes are running. Stop the pkcsslotd daemon
|
|
Packit |
8681c6 |
if it is running.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
4. Run the pkcscca tool to perform the migration.
|
|
Packit |
8681c6 |
For example,
|
|
Packit |
8681c6 |
pkcscca -m v2objectsv3 -v
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Note that the "-v" option will allow you to see which objects did and did not
|
|
Packit |
8681c6 |
get migrated. Specify the "-d" flag if you wish to migrate CCA token objects
|
|
Packit |
8681c6 |
stored in a data-store different from the default, /var/lib/opencryptoki/ccatok.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
5. (Optional) Removing shared memory may be required to pick up
|
|
Packit |
8681c6 |
the newly migrated objects.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CCA token's shared memory segment tracks its token objects.
|
|
Packit |
8681c6 |
Token objects stored on disk are only loaded into shared memory
|
|
Packit |
8681c6 |
when the shared memory is created. The shared memory is usually
|
|
Packit |
8681c6 |
created after a reboot, an install, or an update of the openCryptoki package.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
If another openCryptoki process accessed the CCA token after install
|
|
Packit |
8681c6 |
or update, then openCryptoki will have loaded all the token objects into
|
|
Packit |
8681c6 |
shared memory, except for the private token objects requiring migration,
|
|
Packit |
8681c6 |
since they will have failed decryption. Subsequent calls to the
|
|
Packit |
8681c6 |
openCryptoki api will not find these objects since they have not
|
|
Packit |
8681c6 |
been loaded into shared memory. openCryptoki won't read the
|
|
Packit |
8681c6 |
objects from disk and load into shared memory again until the next time
|
|
Packit |
8681c6 |
shared memory is created.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
So, in this case, shared memory must be removed and created again so
|
|
Packit |
8681c6 |
that openCryptoki can successfully load all the token objects including the
|
|
Packit |
8681c6 |
newly migrated private token objects into CCA token's shared memory segment.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Remove shared memory if,
|
|
Packit |
8681c6 |
- after updating or installing, any openCryptoki processes or tools tried
|
|
Packit |
8681c6 |
to access the CCA token before migrating CCA token's private token
|
|
Packit |
8681c6 |
objects. For example, the pkcsconf command was run.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
The pre-migrated objects will have failed decryption and not
|
|
Packit |
8681c6 |
been loaded into shared memory. A reboot or removing shared memory
|
|
Packit |
8681c6 |
will cause the token to create shared memory again and load the newly
|
|
Packit |
8681c6 |
migrated private token objects into it.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CCA's shared memory can be removed two ways.
|
|
Packit |
8681c6 |
1. a reboot
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
2. remove the shared memory file,
|
|
Packit |
8681c6 |
i.e. "rm /dev/shm/var.lib.opencryptoki.ccatok"
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Notes: (1). Ensure that no openCryptoki processes are running
|
|
Packit |
8681c6 |
before removing the shared memory. Otherwise, you risk corrupting
|
|
Packit |
8681c6 |
any running openCryptoki processes.
|
|
Packit |
8681c6 |
(2). If you have installed openCryptoki manually (not via a distro
|
|
Packit |
8681c6 |
rpm) the CCA token shared memory segment may be named
|
|
Packit |
8681c6 |
usr.local.var.lib.opencryptoki.ccatok.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
The next openCryptoki process to run will cause openCryptoki to create
|
|
Packit |
8681c6 |
a shared memory segment for the token and load the newly migrated objects
|
|
Packit |
8681c6 |
as well as any other token objects for the token.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
6. After a successful migration, the CCA private token objects should be
|
|
Packit |
8681c6 |
encrypted and ready to be accessed by openCryptoki version 3.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TroubleShooting:
|
|
Packit |
8681c6 |
1. If version 3 cannot find the newly migrated CCA private token objects,
|
|
Packit |
8681c6 |
reboot or remove the shared memory file. This will cause token to create
|
|
Packit |
8681c6 |
shared memory again and load the newly migrated private token objects
|
|
Packit |
8681c6 |
into shared memory.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Key Migration Information
|
|
Packit |
8681c6 |
-------------------------
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
There may be situations when CCA master keys must be changed. All CCA secret
|
|
Packit |
8681c6 |
and private keys are enciphered (wrapped) with a master key (MK). After a CCA
|
|
Packit |
8681c6 |
master key is changed, the keys wrapped with an old master key need to be
|
|
Packit |
8681c6 |
re-enciphered with the new master key. Only openCryptoki keys with attribute
|
|
Packit |
8681c6 |
CKA_EXTRACTABLE=TRUE can be migrated.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
Key Migration Steps
|
|
Packit |
8681c6 |
-------------------
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
The key migration tool pkcscca can be used to perform the migration of the
|
|
Packit |
8681c6 |
old CCA master key to the new master key. After a new master key is loaded
|
|
Packit |
8681c6 |
and set, perform the following steps:
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
1. Stop all processes that are currently using openCryptoki with the
|
|
Packit |
8681c6 |
CCA token.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
2. Make sure pkcsslotd is running.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
3. Back up the token object repository of the CCA token. For example, you can
|
|
Packit |
8681c6 |
use the following commands:
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
cd /var/lib/opencryptoki/cca/
|
|
Packit |
8681c6 |
tar -cvzf ~/cca/TOK_OBJ_backup.tgz TOK_OBJ
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
4. Migrate the keys of the CCA token object repository with the pkcscca
|
|
Packit |
8681c6 |
migration tool.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
pkcscca -m keys -s <slotid> -k <aes|apka|asym|sym>
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
The following parameters are mandatory:
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
-s
|
|
Packit |
8681c6 |
- slot number for the CCA token
|
|
Packit |
8681c6 |
-k
|
|
Packit |
8681c6 |
- master key type to be migrated: aes, apka, asym, or sym
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
All the specified token objects representing extractable keys that are
|
|
Packit |
8681c6 |
found for the CCA token, are re-encrypted and ready for use. Keys with an
|
|
Packit |
8681c6 |
attribute CKA_EXTRACTABLE=FALSE are not migratable.The keys that failed to
|
|
Packit |
8681c6 |
migrate are displayed to the user.
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
5. Re-start the previously stopped openCryptoki processes.
|