Version: 3.14.x.x LTS

Password handling

Passwords, used to protect the private keys of soft certificates or needed to log in to an HSM (hardware security module), usually have to be available automatically, for reinitialization purposes or at host boot time. nevisProxy in its default deployment form uses a prefetching mechanism to acquire these passwords. As the passwords are used by components that are not directly accessible, they are passed to nevisProxy as environment variables.

To preset such environment variables, or to disable the prefetching mechanism used by the password-prefetching callbacks, the following naming rules apply:

  • pkcs11 URLs without pinenv: Set PKCS11_PIN
  • pkcs11 URLs with pinenv=MY_PIN: Set MY_PIN
  • Soft certificate /some/softcert.pem: Set _some_softcert_pem (slashes and dots in the path are replaced by underscores)

These variables are kept in a configuration file env.conf, which should be readable only by 'root'. As soon as these environment variables have been consumed by the component that uses the configured key material, the environment is cleared.

We recommend either not storing passwords on the host at all and starting nevisProxy manually, or using password getters, which offer more protection than the mechanism described above. File-based, generated passphrase protection is offered, for example, by the nevisKeybox component.

To replace this mechanism, passphrase getters may be configured. nevisProxy consists of three subsystems, each containing its own TLS instance, and a passphrase getter may be configured for each of them. These subsystems are:

  • apache/mod_ssl (configure SSLPassPhraseDialog in navajo.xml)
  • ISI (configure SSLPassPhraseFile in isi.ini)
  • nevisProxy connectors (configure bc.security.PassPhraseDialog in bc.properties)

The configured passphrase getter receives, as its first argument, the name of the object (filename or URL) for which the passphrase is required. If more than one passphrase is in use, the getter should dispatch on this argument. See the nevisKeybox reference guide for related information about this topic.
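As an added example (not nevisProxy's or nevisKeybox's own code), the following POSIX shell script is a minimal passphrase-getter dispatcher: it takes the object name nevisProxy passes as the first argument, derives the environment variable name according to the rules listed above, and prints that variable's value. It assumes the pinenv attribute appears in the pkcs11 URL separated by '?', ';' or '&', and the sample object names and passphrases in the comments are constructed.

```shell
#!/bin/sh
# Added example of a passphrase-getter dispatcher; not nevisProxy's own code.
# nevisProxy calls the configured getter with the object name (soft certificate
# path or pkcs11 URL) as the first argument. This script maps that name to the
# environment variable named by the rules above and prints its value on stdout.
# Assumption: 'pinenv' appears as a URL attribute separated by '?', ';' or '&'.

# Map an object name to the environment variable that holds its passphrase.
env_name_for() {
    case "$1" in
        pkcs11:*)
            # pkcs11 URL: use the pinenv attribute if present, else PKCS11_PIN.
            pin=$(printf '%s\n' "$1" | sed -n 's/.*[?;&]pinenv=\([^;&]*\).*/\1/p')
            printf '%s\n' "${pin:-PKCS11_PIN}"
            ;;
        *)
            # Soft certificate path: replace '/' and '.' by '_'
            # (e.g. /some/softcert.pem -> _some_softcert_pem).
            printf '%s\n' "$1" | tr '/.' '__'
            ;;
    esac
}

# Print the passphrase for the given object name, or fail if it is not set.
get_passphrase() {
    name=$(env_name_for "$1")
    # Refuse names that are not valid variable identifiers (e.g. a path
    # containing '-'), instead of passing them to eval.
    case "$name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name derived from '$1'" >&2
            return 1
            ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "no passphrase set in \$$name for '$1'" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# When run as the getter, dispatch on the first argument nevisProxy passes in.
[ $# -eq 0 ] || get_passphrase "$1"
```

Note that a soft certificate path containing characters other than letters, digits, '/' and '.' does not map to a valid variable name; the script rejects such names rather than guessing.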