
GoogleHSM and ForgeRock DS Integration

We are trying to integrate GoogleHSM and ForgeRock DS. Versions below:

  • Java version "11.0.18"
  • Forgerock DS Version "7.1.2"
  • Google KMS library version "1.1"
  • CentOS Linux release version "7.9.2009"

Steps:

  • Export the master key from ForgeRock DS. Command below:

./dskeymgr export-master-key-pair --deploymentKey ANVf1IB6DQwDEWLBrcZyEaZeCAJELg5CBVN1bkVDAO_0yFO7vuBmCQjs --deploymentKeyPassword Hkare123 > /app/opendj/ldif/master-key.pem

  • Convert the master key to PKCS#8 format, DER-encoded. Command below:

openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in /app/opendj/ldif/master-key.pem -out /app/opendj/ldif/master-key

  • Setup project in Google KMS (location, key-ring, keys, key version etc.) and create import job for the key.
  • Import the master key to the key version. Command below:

gcloud kms keys versions import --import-job KeyImport --location global --keyring HSM-POC1 --key Key1 --algorithm rsa-decrypt-oaep-3072-sha256 --target-key-file /app/opendj/ldif/master-key --project operating-day-390409

  • Update config.ldif to add new Key Manager Provider and set the new Key Manager Provider in Crypto Manager.

This master key was successfully imported to Google HSM via the import job. After importing the key, we are able to see the imported key in Google HSM as Key1.

Upon starting the DS, it can find the key, but the key is eventually ignored with the following message:

pkcs11keystore: did not find match for private key with CKA_ID [projects/operating-day-390409/locations/global/keyRings/HSM-POC1/cryptoKeys/Key1/cryptoKeyVersions/2] (ignoring entry)

Looks like the Java SunPKCS11 provider (sun.security.pkcs11.SunPKCS11) will ignore the private key (CKO_PRIVATE_KEY) if a corresponding certificate (CKO_CERTIFICATE) is not found. See reference below.

Reference: https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html#GUID-F068390B-EB41-4...
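The message on the line above comes from the SunPKCS11 KeyStore's pairing step: every CKO_PRIVATE_KEY on the token is matched to a CKO_CERTIFICATE by CKA_ID, and a key with no matching certificate never becomes a KeyStore entry. The following is an added example, not code from the post, from the JDK, or from the Google KMS PKCS#11 library; it is a simplified Python model of that pairing rule. The token objects, their attributes and the certificate object are constructed sample data (the CKA_ID is the key-version resource name quoted in the error message), and the assumption that only CKA_ID is compared is a simplification of the provider's real matching.

```python
"""Simplified model of how a SunPKCS11 KeyStore pairs PKCS#11 token objects.

Added example (not from the forum post, the JDK or Google's PKCS#11 library).
It models one rule: a CKO_PRIVATE_KEY object becomes a KeyStore private-key
entry only when a CKO_CERTIFICATE object with the same CKA_ID exists on the
token; otherwise the key is skipped with the message seen in the thread.
Matching only on CKA_ID is an assumption made for this model.
"""
from dataclasses import dataclass

CKO_PRIVATE_KEY = "CKO_PRIVATE_KEY"
CKO_PUBLIC_KEY = "CKO_PUBLIC_KEY"
CKO_CERTIFICATE = "CKO_CERTIFICATE"

# CKA_ID value taken from the error message in the thread.
KEY_VERSION = (
    "projects/operating-day-390409/locations/global/keyRings/HSM-POC1"
    "/cryptoKeys/Key1/cryptoKeyVersions/2"
)


@dataclass(frozen=True)
class TokenObject:
    """A PKCS#11 object as the provider sees it after C_FindObjects."""
    cko_class: str
    cka_id: str
    cka_label: str = ""


def pair_private_keys(objects):
    """Build KeyStore entries from token objects.

    Returns (entries, ignored): entries maps the KeyStore alias (CKA_LABEL)
    to a (private_key, certificate) pair; ignored holds one diagnostic line
    per private key that had no certificate with the same CKA_ID.
    """
    certs_by_id = {}
    for obj in objects:
        if obj.cko_class == CKO_CERTIFICATE:
            certs_by_id.setdefault(obj.cka_id, []).append(obj)

    entries = {}
    ignored = []
    for obj in objects:
        if obj.cko_class != CKO_PRIVATE_KEY:
            continue  # public keys and other classes never form a key entry
        certs = certs_by_id.get(obj.cka_id)
        if not certs:
            ignored.append(
                "pkcs11keystore: did not find match for private key with "
                f"CKA_ID [{obj.cka_id}] (ignoring entry)"
            )
            continue
        entries[obj.cka_label or obj.cka_id] = (obj, certs[0])
    return entries, ignored


def token_without_certificate():
    """Constructed sample: what the poster's token exposes (key pair only)."""
    return [
        TokenObject(CKO_PRIVATE_KEY, KEY_VERSION, "Key1"),
        TokenObject(CKO_PUBLIC_KEY, KEY_VERSION, "Key1"),
    ]


def token_with_certificate():
    """Constructed sample: the same token plus a certificate sharing the CKA_ID."""
    return token_without_certificate() + [
        TokenObject(CKO_CERTIFICATE, KEY_VERSION, "Key1"),
    ]


if __name__ == "__main__":
    for label, objects in (("without cert", token_without_certificate()),
                           ("with cert", token_with_certificate())):
        entries, ignored = pair_private_keys(objects)
        print(f"{label}: aliases={sorted(entries)} ignored={len(ignored)}")
        for line in ignored:
            print("  " + line)
```

The first sample reproduces the thread's situation: the private key is found but dropped, so DS's PKCS#11 key manager provider sees an empty keystore. The second shows the only state in which the provider exposes an alias, which is why the fix has to be a certificate object with a matching CKA_ID on the token side rather than anything in config.ldif.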


Hey @francisden,

Thanks for your question! I am not an expert in this area, but I have some ideas as to what might be going on. 

The error message you are getting is because the Java SunPKCS11 provider ignores private keys that do not have a corresponding certificate. This is because the SunPKCS11 provider only supports storing private keys in keystores that are associated with a certificate chain.

In order to fix this, you will need to create a certificate for the private key that you imported into Google HSM. You can do this using the Google KMS API. Once you have created the certificate, you will need to update the config.ldif file to include the certificate for the private key.

Here are the steps on how to create a certificate for the private key and update the config.ldif file:

  1. Create a certificate signing request (CSR) for the private key. You can do this using the gcloud kms keys create-csr command.
  2. Sign the CSR using a certificate authority (CA). You can use a public CA, or you can create your own CA.
  3. Import the signed certificate into Google KMS. You can do this using the gcloud kms keys import command.
  4. Update the config.ldif file to include the certificate for the private key.

Once you have updated the config.ldif file, you should be able to start the ds without any errors.

Here is an example of how to update the config.ldif file to include the certificate for the private key:

dn: cn=Key1,ou=keys,o=forgerock
objectClass: top
objectClass: keypair
objectClass: sunPKCS11KeystoreEntry
cn: Key1
...
certificate: <base64-encoded certificate>
...

Once you have updated the config.ldif file, you can start the ds and the private key should be loaded without any errors.

I hope this helps!

Hi Roderick,

Thanks for the response. I have a couple of clarifications:

1. In step 3, we will import the signed certificate into Google KMS. But gcloud kms keys import has no option to import a certificate. It only supports symmetric keys for encryption, symmetric keys for signing, and asymmetric keys for encryption or signing. Reference below:

https://cloud.google.com/kms/docs/key-import

2. I checked config.ldif and there's no objectClass sunPKCS11KeystoreEntry or any object related to a PKCS11 keystore entry. We are using ForgeRock DS 7.1.2. What we have is a new Key Manager Provider for GoogleHSM with objectClass ds-cfg-pkcs11-key-manager-provider.

Best Regards,
Francis
