Crypto Source
ADSS Server can process cryptographic keys within its internal cryptographic software module or within a tamper-resistant hardware device. ADSS Server supports PKCS#11 Hardware Security Modules, EN 419 221-5 Common Criteria certified Utimaco CryptoServer CP5 HSMs, AWS CloudHSM, Azure Key Vault and MS CAPI/CNG, which are capable of storing one or several cryptographic keys; and smart cards or USB tokens that often only store one or two keys and certificates. ADSS Server can support multiple hardware devices at the same time. When a specific key is required it automatically connects with the cryptographic module that was registered as holding that the key. PKCS#11 gives much more flexibility than MS CAPI/CNG because ADSS Server cannot generate keys on an HSM via CAPI/CNG because there is no option to specify the CSP to use. This is a limitation of the standard Java to CAPI/CNG interface.
Typically HSMs from industry leaders are used for server-side keys; these are available as internal PCIe or external network based devices. HSMs from Thales SafeNet, nCipher nShield and Utimaco are tested while other HSMs should work if the standard PKCS#11 interface standard has been followed.
Cloud service providers AWS and Azure provide a cost-effective solutions because there is no outlay on physical devices.
Note ADSS Server only supports AWS CloudHSM when deployed on Linux platforms. This is due to a limitation of the Java libraries required.
It is highly recommended to run the "test_pkcs11" utility as described here before configuring a hardware crypto source. The test utility will perform over 200 tests to ensure all required aspects are available.
The following screen shows how these details are configured:
The above screen is described as below:
| Item | Description |
| Make Default |
Select a Software or Hardware profile using the radio button and click on 'Make Default' to mark the profile as the default. Default profile is selected automatically in the Keystore drop-down on the key generation page and certification profile. The current default profile is indicated in the Profile Friendly Name column and is the one that will be used when generating keys etc. An appropriately authorised operator can change this setting at any time. |
| Test Connection | Tests the connection with the crypto device for the selected profile. HSMs or tokens may become disconnected and this button can check that the ADSS Server can communicate with the device or not. |
| Import Existing Keys | An HSM may already contain cryptographic key material which needs to be used within the ADSS Server (e.g. for signing documents). To import the public keys from the selected device click the Import Existing Keys button. The private key remains secure within the device and is not revealed to ADSS Server. The public key information is stored in the ADSS Server database for use within the relevant service modules and also to reference the private key in crypto module. |
| New | Register a new crypto profile in ADSS Server. |
| Edit | Edit the selected crypto profiles. |
| Delete | Used to delete a crypto profile. Note: The default "Software" profile cannot be deleted. |
When a new crypto profile is added, the record is shown with orange highlighting meaning it is not currently available.
To make it available click on the Server Manager link then click on the button Restart all Instances. When configuring HSMs for use within high availability / multi-server systems then the same HSM configuration must be available on each server (e.g. all servers MUST be able to access the same network HSM or local PCI HSM)
See also