Version: 3.14.x.x LTS

Gemalto GemEngine support

To set up the Gemalto GemEngine within nevisProxy, proceed much as you would when setting up Apache with a Gemalto engine.

The next steps (with a sample configuration) show how to proceed. For more information, see also the Gemalto documentation Apache HTTP Server, Document Number: 007-011228-001, Rev. H.

This setup was tested with the HSM model "SafeNet Luna SA 1700 (generation 5)", the OpenSSL engine GemEngine version 1.4, the library "Cryptoki" version 6.3.0 and the program "sautil" version 2.0.0. Other versions of these tools should be compatible. For integration support with your GemEngine, consult your Thales/Gemalto contact.

General configuration

  1. Copy the libgem.so (this is the GemEngine library, provided by Gemalto) to the openssl-engines directory (usually /usr/lib64/openssl/engines).

  2. Adapt /etc/Chrystoki.conf using the OptimizeApache.sh script provided by Gemalto. A block like the following sample will be added:

    Misc = {
        Apache = 0;
    }
    GemEngine = {
        LibPath = /usr/safenet/lunaclient/lib/libCryptoki2.so;
        LibPath64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
        EngineInit = 0:10:11;
        DisableRand = 1;
        DisableDsa = 1;
        DisableEcdsa = 1;
        DisableCheckFinalize = 0;
        EnableRsaGenKeyPair = 1;
        EnableDsaGenKeyPair = 0;
        EnablePkeyMeths = 0;
        IntermediateProcesses = 0;
    }

    Check that DisableCheckFinalize and IntermediateProcesses are set to 0; add these lines if necessary. The other settings may vary depending on your HSM configuration.

  3. Open a session to SafeNet Luna HSM using the sautil provided by Gemalto:

    sautil -v -s 0 -i 10:11 -o -q
  4. Generate a private key:

    sautil -v -s 0 -i 10:11 -g 2048 -f /var/opt/nevisproxy/<instance>/certs/gemKey.pem
  5. Generate a certificate:

    OPENSSL_ENGINES=/usr/lib64/openssl/engines openssl req -engine gem -new -nodes \
        -key /var/opt/nevisproxy/<instance>/certs/gemKey.pem \
        -out /var/opt/nevisproxy/<instance>/certs/gemCert.req -days 1000 -verify
    OPENSSL_ENGINES=/usr/lib64/openssl/engines openssl x509 -engine gem -req -days 1000 \
        -in /var/opt/nevisproxy/<instance>/certs/gemCert.req \
        -signkey /var/opt/nevisproxy/<instance>/certs/gemKey.pem \
        -out /var/opt/nevisproxy/<instance>/certs/gemCert.pem
  6. Specify the following settings in the navajo.xml file:

    • In the <SSL> section:

      SSLCertificateFile="/var/opt/nevisproxy/<instance>/certs/gemCert.pem"
      SSLCertificateKeyFile="/var/opt/nevisproxy/<instance>/certs/gemKey.pem"

    • In the <Server> section:

      SSLCryptoDevice="gem"

  7. In env.conf file you have to set:

    OPENSSL_ENGINES=/usr/lib64/openssl/engines
    export OPENSSL_ENGINES

  8. Restart nevisProxy after you have made the previously described changes.
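The procedure above depends on two things that are easy to get wrong silently: the DisableCheckFinalize and IntermediateProcesses values inside the GemEngine block of /etc/Chrystoki.conf (step 2), and libgem.so actually being present in the directory OPENSSL_ENGINES points to (steps 1 and 7). The following pre-flight script is an added example, not part of nevisProxy or of the Gemalto tooling; it only reads files and never talks to the HSM. The sample configuration files it writes to a temporary directory are constructed for the stand-alone run and are not real HSM configurations.

```shell
#!/bin/sh
# Added pre-flight check for the GemEngine setup above; not part of nevisProxy
# or of the Gemalto tooling. It only reads files, it does not touch the HSM.

# gemengine_setting FILE KEY
# Print the value of KEY from the GemEngine = { ... } block of FILE and nothing
# else, so a key of the same name in another block (e.g. Misc) is ignored.
gemengine_setting() {
    awk -v key="$2" '
        /^[ \t]*GemEngine[ \t]*=[ \t]*[{]/ { inblk = 1; next }
        inblk && /^[ \t]*[}]/               { inblk = 0 }
        inblk && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/.*=[ \t]*/, "")      # drop "KEY ="
            sub(/[ \t;]*$/, "")       # drop trailing ";" and blanks
            print
            exit
        }
    ' "$1"
}

# check_gemengine_conf FILE
# Exit 0 when DisableCheckFinalize and IntermediateProcesses are both 0 in the
# GemEngine block (the values step 2 requires), 1 otherwise.
check_gemengine_conf() {
    conf=$1
    status=0
    for key in DisableCheckFinalize IntermediateProcesses; do
        value=$(gemengine_setting "$conf" "$key")
        if [ "$value" != "0" ]; then
            echo "$conf: $key is '${value:-unset}' in the GemEngine block, expected 0" >&2
            status=1
        fi
    done
    return $status
}

# check_engine_library DIR
# Exit 0 when DIR (what OPENSSL_ENGINES should point to) holds libgem.so.
check_engine_library() {
    if [ -f "$1/libgem.so" ]; then
        return 0
    fi
    echo "$1: libgem.so not found; copy the GemEngine library there (step 1)" >&2
    return 1
}

# --- Constructed sample input so the script runs stand-alone -----------------
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF=$SAMPLE_DIR/Chrystoki.good.conf
BAD_CONF=$SAMPLE_DIR/Chrystoki.bad.conf
ENGINE_DIR=$SAMPLE_DIR/engines

cat > "$GOOD_CONF" <<'EOF'
Misc = {
   Apache = 0;
}
GemEngine = {
   LibPath = /usr/safenet/lunaclient/lib/libCryptoki2.so;
   EngineInit = 0:10:11;
   DisableCheckFinalize = 0;
   IntermediateProcesses = 0;
}
EOF

# Deliberately wrong sample: IntermediateProcesses sits in the Misc block, not
# in GemEngine, and DisableCheckFinalize is 1.
cat > "$BAD_CONF" <<'EOF'
Misc = {
   IntermediateProcesses = 0;
}
GemEngine = {
   DisableCheckFinalize = 1;
}
EOF

# Empty placeholder file standing in for the real library.
mkdir -p "$ENGINE_DIR" && : > "$ENGINE_DIR/libgem.so"

check_gemengine_conf "$GOOD_CONF" && echo "good sample: settings OK"
check_gemengine_conf "$BAD_CONF"  || echo "bad sample: rejected as expected"
check_engine_library "$ENGINE_DIR" && echo "engine dir: libgem.so present"
```

On a real host, call check_gemengine_conf /etc/Chrystoki.conf and check_engine_library "$OPENSSL_ENGINES" (or /usr/lib64/openssl/engines) before restarting nevisProxy in step 8; a non-zero exit status names the setting or file to fix. The value lookup is scoped to the GemEngine block on purpose, because a grep over the whole file would accept a matching line from another block.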

Gemalto GemEngine support for the HttpsConnectorServlet

To set up the Gemalto Engine for SSL-key verification on the HttpsConnectorServlet, proceed as follows:

  1. Generate a private key:

    sautil -v -s 0 -i 10:11 -g 2048 -f /var/opt/nevisproxy/<instance>/certs/gemClientKey.pem
  2. Create a certificate request for the key and have it signed by the CA of the backend. For example:

    cd /var/opt/nevisproxy/<instance>/certs
    OPENSSL_ENGINES=/usr/lib64/openssl/engines openssl req -engine gem -new -key gemClientKey.pem -out gemClient_req.pem
    OPENSSL_ENGINES=/usr/lib64/openssl/engines openssl ca -engine gem -days 365 -keyfile <yourCaKey>.pem -cert <yourCaCert>.pem -outdir . -in gemClient_req.pem -out gemClientCert.pem


  3. Set the signed certificate and key as the SSLClientCertificateFile and SSLClientKeyFile of the HttpsConnectorServlet:

    <servlet>
        <servlet-name>HttpsConnectorServlet</servlet-name>
        <servlet-class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>
        <init-param>
            <param-name>InetAddress</param-name>
            <param-value><backendHost>:<backendPort></param-value>
        </init-param>
        <init-param>
            <param-name>SSLClientCertificateFile</param-name>
            <param-value>/var/opt/nevisproxy/<instance>/certs/gemClientCert.pem</param-value>
        </init-param>
        <init-param>
            <param-name>SSLClientKeyFile</param-name>
            <param-value>/var/opt/nevisproxy/<instance>/certs/gemClientKey.pem</param-value>
        </init-param>
        <init-param>
            <param-name>SSLCACertificateFile</param-name>
            <param-value><yourCaCert>.pem</param-value>
        </init-param>
    </servlet>

  4. Set the following bc-property in the bc.property file:

    bc.net.ssl.SSLCryptoDevice=gem
  5. In env.conf, specify the following setting:

    OPENSSL_ENGINES=/usr/lib64/openssl/engines
    export OPENSSL_ENGINES
  6. Restart nevisProxy after you have made the previously described changes.

Possible limitations

Depending on the engine, other HttpsConnectorServlets may no longer work correctly if they use certificates that were not created by the engine itself.