From: Evan Hunt Date: Sat, 10 Jan 2015 19:40:01 +0000 (-0800) Subject: [master] revise pkcs11 doc X-Git-Tag: v9.11.0a1~1124 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6124e803cf8cb30dbd412b8c64667206c50e1976;p=thirdparty%2Fbind9.git [master] revise pkcs11 doc --- diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml index 6ef112bdb9d..f38b68333b9 100644 --- a/doc/arm/pkcs11.xml +++ b/doc/arm/pkcs11.xml @@ -1,6 +1,6 @@ ]> + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" + []> Building OpenSSL for the AEP Keyper on Linux - The AEP Keyper is a highly secure key storage device, - but does not provide hardware cryptographic acceleration. It - can carry out cryptographic operations, but it is probably - slower than your system's CPU. Therefore, we choose the - 'sign-only' flavor when building OpenSSL. + The AEP Keyper is a highly secure key storage device, + but does not provide hardware cryptographic acceleration. It + can carry out cryptographic operations, but it is probably + slower than your system's CPU. Therefore, we choose the + 'sign-only' flavor when building OpenSSL. - The Keyper-specific PKCS#11 provider library is - delivered with the Keyper software. In this example, we place - it /opt/pkcs11/usr/lib: + The Keyper-specific PKCS#11 provider library is + delivered with the Keyper software. In this example, we place + it /opt/pkcs11/usr/lib: $ cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so - This library is only available for Linux as a 32-bit - binary. If we are compiling on a 64-bit Linux system, it is - necessary to force a 32-bit build, by specifying -m32 in the - build options. + This library is only available for Linux as a 32-bit + binary. If we are compiling on a 64-bit Linux system, it is + necessary to force a 32-bit build, by specifying -m32 in the + build options. - Finally, the Keyper library requires threads, so we - must specify -pthread. + Finally, the Keyper library requires threads, so we + must specify -pthread. $ cd openssl-0.9.8zc $ ./Configure linux-generic32 -m32 -pthread \ - --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ - --pk11-flavor=sign-only \ - --prefix=/opt/pkcs11/usr + --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ + --pk11-flavor=sign-only \ + --prefix=/opt/pkcs11/usr - After configuring, run "make" - and "make test". If "make - test" fails with "pthread_atfork() not found", you forgot to - add the -pthread above. + After configuring, run "make" + and "make test". If "make + test" fails with "pthread_atfork() not found", you forgot to + add the -pthread above. Building OpenSSL for the SCA 6000 on Solaris - The SCA-6000 PKCS#11 provider is installed as a system - library, libpkcs11. It is a true crypto accelerator, up to 4 - times faster than any CPU, so the flavor shall be - 'crypto-accelerator'. + The SCA-6000 PKCS#11 provider is installed as a system + library, libpkcs11. It is a true crypto accelerator, up to 4 + times faster than any CPU, so the flavor shall be + 'crypto-accelerator'. - In this example, we are building on Solaris x86 on an - AMD64 system. + In this example, we are building on Solaris x86 on an + AMD64 system. $ cd openssl-0.9.8zc $ ./Configure solaris64-x86_64-cc \ - --pk11-libname=/usr/lib/64/libpkcs11.so \ - --pk11-flavor=crypto-accelerator \ - --prefix=/opt/pkcs11/usr + --pk11-libname=/usr/lib/64/libpkcs11.so \ + --pk11-flavor=crypto-accelerator \ + --prefix=/opt/pkcs11/usr - (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.) + (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.) - After configuring, run - make and - make test. + After configuring, run + make and + make test. @@ -294,17 +299,16 @@ $ ./Configure solaris64-x86_64-cc \ ) which provides a PKCS#11 interface to a virtual HSM, implemented in the form of - a SQLite3 database on the local filesystem. SoftHSM can be - configured to use either OpenSSL or the Botan library for - encryption, and SQLite3 for data storage. Though less secure - than a true HSM, it can allow you to experiment with PKCS#11 - when an HSM is not available. + a SQLite3 database on the local filesystem. SoftHSM uses + the Botan library to perform cryptographic functions. Though + less secure than a true HSM, it can allow you to experiment + with PKCS#11 when an HSM is not available. - The SoftHSM cryptographic store must be installed and - initialized before using it with OpenSSL, and the SOFTHSM_CONF - environment variable must always point to the SoftHSM configuration - file: + The SoftHSM cryptographic store must be installed and + initialized before using it with OpenSSL, and the SOFTHSM_CONF + environment variable must always point to the SoftHSM configuration + file: $ cd softhsm-1.3.7 @@ -316,21 +320,21 @@ $ echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF $ /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm - SoftHSM can perform all cryptographic operations, but - since it only uses your system CPU, there is no advantage to using - it for anything but signing. Therefore, we choose the 'sign-only' - flavor when building OpenSSL. + SoftHSM can perform all cryptographic operations, but + since it only uses your system CPU, there is no advantage to using + it for anything but signing. Therefore, we choose the 'sign-only' + flavor when building OpenSSL. $ cd openssl-0.9.8zc $ ./Configure linux-x86_64 -pthread \ - --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \ - --pk11-flavor=sign-only \ - --prefix=/opt/pkcs11/usr + --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \ + --pk11-flavor=sign-only \ + --prefix=/opt/pkcs11/usr - After configuring, run "make" - and "make test". + After configuring, run "make" + and "make test". @@ -341,11 +345,11 @@ $ ./Configure linux-x86_64 -pthread \ selected: - (pkcs11) PKCS #11 engine support (sign only) + (pkcs11) PKCS #11 engine support (sign only) Or: - (pkcs11) PKCS #11 engine support (crypto accelerator) + (pkcs11) PKCS #11 engine support (crypto accelerator) Next, run @@ -363,42 +367,42 @@ $ ./Configure linux-x86_64 -pthread \ Configuring BIND 9 for Linux with the AEP Keyper - To link with the PKCS#11 provider, threads must be - enabled in the BIND 9 build. + To link with the PKCS#11 provider, threads must be + enabled in the BIND 9 build. - The PKCS#11 library for the AEP Keyper is currently - only available as a 32-bit binary. If we are building on a - 64-bit host, we must force a 32-bit build by adding "-m32" to - the CC options on the "configure" command line. + The PKCS#11 library for the AEP Keyper is currently + only available as a 32-bit binary. If we are building on a + 64-bit host, we must force a 32-bit build by adding "-m32" to + the CC options on the "configure" command line. $ cd ../bind9 $ ./configure CC="gcc -m32" --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so Configuring BIND 9 for Solaris with the SCA 6000 - To link with the PKCS#11 provider, threads must be - enabled in the BIND 9 build. + To link with the PKCS#11 provider, threads must be + enabled in the BIND 9 build. $ cd ../bind9 $ ./configure CC="cc -xarch=amd64" --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/usr/lib/64/libpkcs11.so + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/usr/lib/64/libpkcs11.so (For a 32-bit build, omit CC="cc -xarch=amd64".) - If configure complains about OpenSSL not working, you - may have a 32/64-bit architecture mismatch. Or, you may have - incorrectly specified the path to OpenSSL (it should be the - same as the --prefix argument to the OpenSSL - Configure). + If configure complains about OpenSSL not working, you + may have a 32/64-bit architecture mismatch. Or, you may have + incorrectly specified the path to OpenSSL (it should be the + same as the --prefix argument to the OpenSSL + Configure). @@ -407,8 +411,8 @@ $ ./configure CC="cc -xarch=amd64" --enable-threads \ $ cd ../bind9 $ ./configure --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ - --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so @@ -612,13 +616,13 @@ $ dnssec-signzone -E '' -S example.net Sample openssl.cnf: - openssl_conf = openssl_def - [ openssl_def ] - engines = engine_section - [ engine_section ] - pkcs11 = pkcs11_section - [ pkcs11_section ] - PIN = <PLACE PIN HERE> + openssl_conf = openssl_def + [ openssl_def ] + engines = engine_section + [ engine_section ] + pkcs11 = pkcs11_section + [ pkcs11_section ] + PIN = <PLACE PIN HERE> This will also allow the dnssec-* tools to access the HSM @@ -635,9 +639,9 @@ $ dnssec-signzone -E '' -S example.net - Placing the HSM's PIN in a text file in this manner may reduce the - security advantage of using an HSM. Be sure this is what you want to - do before configuring the system in this way. + Placing the HSM's PIN in a text file in this manner may reduce the + security advantage of using an HSM. Be sure this is what you want to + do before configuring the system in this way.