- 27 Dec 2024
Secure Auditing With Thales ProtectServer
- Updated on 27 Dec 2024
The ctcert tool provided with the Thales ProtectServer software is used to apply the required configuration to the HSM for secure auditing. For more information about ctcert, refer to the ProtectToolkit C Administration Guide supplied with the HSM.
To enable secure auditing on the HSM, the master audit key pair must be created. Use ctcert to create the master audit key pair and then export the public certificate from the device.
A master audit key pair requires an attributes file. This file contains details of the issuer, subject, and key usage for this certificate. The minimum key usage required is:
keyusage { digitalSignature, nonRepudiation }
The following is an example of the contents of an attributes file:
label { MasterAuditCertificate }
serialnumber { 1234 }
issuer { CN=MasterAudit, OU=Identikey, O=VASCO, C=US }
subject { CN=MasterAudit, OU=Identikey, O=VASCO, C=US }
keyusage { digitalSignature, nonRepudiation, keyCertSign }
After configuring an attributes file, create a master audit key pair certificate for Thales ProtectServer.
To create the master audit key pair certificate
Generate the self-signed certificate using the ctcert tool. An example of the ctcert command is:
ctcert c -t ec -Csecp256r1 -d1825d -k -lMasterAuditKey -s0 -xattributes.txt
where:
- -t ec means create an elliptic curve key.
- -Csecp256r1 means create the key using this type of elliptic curve.
- -d1825d creates a certificate with a validity period of 1825 days from the date this command is run.
- -lMasterAuditKey sets MasterAuditKey as the label of the private key created on the HSM device.
- -s0 means create this key pair/certificate in HSM slot 0.
- -xattributes.txt specifies the attributes file previously created.
- You will be prompted to enter the user PIN for the specified slot (slot 0 in this case).
Extract the public certificate from the device and save it to a PEM file:
ctcert x -lMasterAuditCertificate -s0 -faudit_cert.pem
where:
- MasterAuditCertificate is the name of the certificate created in the previous step, from the label field in the sample attributes.txt file.
- -s0 specifies the slot where the certificate is located.
- audit_cert.pem is the PEM file that will contain the public certificate.
Secure auditing for OneSpan Authentication Server Appliance only supports elliptic curve keys that are NIST P-256 compliant and stored in PKCS#12 format.
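The following pre-flight check for the attributes file and the extract-step label is an added example, not part of the original page or of the Thales or OneSpan tooling. It assumes the `name { value }` grammar seen in the sample file and treats label, issuer, subject and keyusage as mandatory; the function names are hypothetical.

```python
import re

# Minimum key usage the page requires for the master audit certificate.
REQUIRED_KEY_USAGE = {"digitalSignature", "nonRepudiation"}
# Assumption: these four fields are treated as mandatory by this check.
REQUIRED_FIELDS = ("label", "issuer", "subject", "keyusage")

# Constructed sample: the page's example attributes, one field per line.
SAMPLE_ATTRIBUTES = """\
label { MasterAuditCertificate }
serialnumber { 1234 }
issuer { CN=MasterAudit, OU=Identikey, O=VASCO, C=US }
subject { CN=MasterAudit, OU=Identikey, O=VASCO, C=US }
keyusage { digitalSignature, nonRepudiation, keyCertSign }
"""


def parse_attributes(text):
    """Parse 'name { value }' entries; grammar assumed from the page's sample."""
    return {name.lower(): value.strip()
            for name, value in re.findall(r"(\w+)\s*\{([^{}]*)\}", text)}


def check_attributes(text, extract_label=None):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if text.count("{") != text.count("}"):
        problems.append("unbalanced braces")
    fields = parse_attributes(text)
    problems += [f"missing field: {f}" for f in REQUIRED_FIELDS if not fields.get(f)]
    usages = {u.strip() for u in fields.get("keyusage", "").split(",")}
    missing = REQUIRED_KEY_USAGE - usages
    if missing:
        problems.append("keyusage lacks: " + ", ".join(sorted(missing)))
    # A self-signed certificate names the same DN as issuer and subject.
    if fields.get("issuer") != fields.get("subject"):
        problems.append("issuer and subject differ")
    # The label passed to 'ctcert x -l...' must be the certificate label.
    if extract_label is not None and extract_label != fields.get("label"):
        problems.append(f"extract label {extract_label!r} does not match file label")
    return problems


if __name__ == "__main__":
    for problem in check_attributes(SAMPLE_ATTRIBUTES, "MasterAuditCertificate"):
        print("FAIL:", problem)
```

Passing the private key label (MasterAuditKey) as `extract_label` is reported as a mismatch, because the extract step takes the certificate label from the attributes file.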