From: Tomas G. <to...@pr...> - 2009-04-10 07:38:18

Hi Bruno,

I think that the way nCipher works is the same between 3.5 and 3.8; perhaps the documentation changed? The new thing, I guess, is that we recommend using the PKCS#11 provider for all HSMs now, instead of the NFastCAToken etc.

Did you use the PKCS#11 or the Java nCipher provider in 3.5? If you used the Java provider before, you must stick with it; otherwise you have to re-target the keys in nCipher using the nCipher tools.

The purposes of the keyLabels are documented at http://ejbca.org/manual.html#Hardware%20Security%20Modules%20(HSM).

Only defaultKey works fine, as Leonardo says:
-----
defaultKey defaultRoot
pin dummy
slotListIndex 1
sharedLibrary /opt/nfast/toolkits/pkcs11/libcknfast.so
-----
As long as the defaultRoot key works, it will be used for every purpose.

You should be able to use the NFastCAToken without problem also in EJBCA 3.8.

The pro of using PKCS#11 is that it's one standardized provider for all the different HSMs: easier to maintain and well tested. Usually the HSM vendors implement the latest stuff in the PKCS#11 provider, but the Java provider lags behind. For example, you cannot use SHA256 with the NFastCAToken, but you can do it with PKCS#11.

Cheers,
Tomas

Leonardo L. P. da Mata wrote:
> The idea is to split the usage for the keys. For instance, if you
> enable only the default key, it will be used for every procedure that
> ejbca does with the keys.
>
> It depends on the security needs that you have :-)
>
> makes sense?
>
> On Thu, Apr 9, 2009 at 11:51 AM, Bruno Bonfils <as...@as...> wrote:
>> Hello folks,
>>
>> I recently upgraded EJBCA from 3.5 to 3.8, and I discovered today that the
>> procedure to create a CA using keys managed by an nCipher device has
>> changed. So, I have a few questions:
>>
>> The documentation says:
>>
>> --8<--
>> defaultKey defaultRoot
>> testKey test
>> keyEncryptKey cryptRoot
>> hardTokenEncrypt cryptRoot
>> pin dummy
>> slotListIndex 1
>> sharedLibrary /opt/nfast/toolkits/pkcs11/libcknfast.so
>> --8<--
>>
>> I'm not sure I understand correctly the goal of testKey, keyEncryptKey
>> and hardTokenEncrypt. Why do I need three keys? I tried to specify only
>> one key (the defaultKey) but it doesn't work. I just want to understand
>> the meaning of the keys. Lars, can you explain them? :P
>>
>> Another question is about existing CAs created in EJBCA 3.5 (before the
>> upgrade) using the NFastCAToken CA Token Type. I hope I'm still able
>> to activate such a CA?
>>
>> And a last question, what are the pros/cons of the standard PKCS#11 versus
>> NFastCAToken types?
>>
>> Thanks
>>
>> --
>> http://asyd.net/home/ - Home Page
>> http://guses.org/home/ - French Speaking (Open)Solaris User Group
>> http://netvibes.com/asyd - Portal
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>
>
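The thread's practical point is the fallback rule for the CA token properties: any key purpose (testKey, keyEncryptKey, hardTokenEncrypt) that is not given its own label falls back to defaultKey, so a minimal file with only defaultKey is valid, while a file that names a label missing from the HSM slot will fail at activation. The script below is an added example, not EJBCA's own code, that parses a token properties file, resolves each purpose to a label under that rule, and reports labels that the (constructed, not HSM-read) slot inventory does not contain. The property names are the ones quoted in the thread; the purpose list and the "defaultKey is mandatory" check are assumptions made for this illustration.

```python
"""Resolve EJBCA CA-token key purposes to PKCS#11 key labels.

Added illustration; not code from EJBCA or nCipher. It models the rule
stated in the thread: a purpose without an explicit label falls back to
defaultKey. SAMPLE_SLOT_LABELS is constructed sample data standing in for
the labels one would list from the nCipher slot, not output of a real HSM.
"""

# Purposes quoted from the documentation excerpt in the thread (assumed
# to be the complete set for this example).
PURPOSES = ("defaultKey", "testKey", "keyEncryptKey", "hardTokenEncrypt")


def parse_token_properties(text):
    """Parse 'name value' lines (the format shown in the thread) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"property without value: {line!r}")
        name, value = parts
        props[name] = value.strip()
    return props


def resolve_key_labels(props):
    """Map every purpose to a label, falling back to defaultKey (assumed mandatory)."""
    if "defaultKey" not in props:
        raise ValueError("defaultKey is required: it is the fallback for every other purpose")
    default = props["defaultKey"]
    return {purpose: props.get(purpose, default) for purpose in PURPOSES}


def check_against_slot(resolved, slot_labels):
    """Return the referenced labels that are absent from the slot, sorted."""
    present = set(slot_labels)
    return sorted({label for label in resolved.values() if label not in present})


# The full configuration quoted from the documentation in the thread.
DOCUMENTED_CONFIG = """\
defaultKey defaultRoot
testKey test
keyEncryptKey cryptRoot
hardTokenEncrypt cryptRoot
pin dummy
slotListIndex 1
sharedLibrary /opt/nfast/toolkits/pkcs11/libcknfast.so
"""

# The minimal configuration Tomas says is sufficient.
MINIMAL_CONFIG = """\
defaultKey defaultRoot
pin dummy
slotListIndex 1
sharedLibrary /opt/nfast/toolkits/pkcs11/libcknfast.so
"""

# Constructed slot inventory: 'test' is deliberately absent so the
# documented config fails the check while the minimal one passes.
SAMPLE_SLOT_LABELS = ["defaultRoot", "cryptRoot"]


def audit(config_text, slot_labels=SAMPLE_SLOT_LABELS):
    """Parse, resolve and check a config; return (resolved map, missing labels)."""
    resolved = resolve_key_labels(parse_token_properties(config_text))
    return resolved, check_against_slot(resolved, slot_labels)


if __name__ == "__main__":
    for name, cfg in (("documented", DOCUMENTED_CONFIG), ("minimal", MINIMAL_CONFIG)):
        resolved, missing = audit(cfg)
        print(f"{name}: {resolved}")
        print(f"  missing from slot: {missing or 'none'}")
```

Run it as-is to see the documented file flagged for the absent "test" label and the minimal file resolving all four purposes to defaultRoot; to use it against a real slot, replace SAMPLE_SLOT_LABELS with the label list obtained from the HSM's own tooling.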