diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml index 0b229a0811..6688e35479 100644 --- a/doc/arm/pkcs11.xml +++ b/doc/arm/pkcs11.xml @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + PKCS #11 (Cryptoki) support @@ -159,36 +159,74 @@ $ ./Configure solaris64-x86_64-cc \ After configuring, run make and make test. - Once you have built OpenSSL, run - "apps/openssl engine pkcs11" to confirm - that PKCS #11 support was compiled in correctly. The output - should be one of the following lines, depending on the flavor - selected: + + + + Building OpenSSL for SoftHSM + SoftHSM is a software library provided by the OpenDNSSEC + project (http://www.opendnssec.org) which provides a PKCS#11 + interface to a virtual HSM, implemented in the form of encrypted + data on the local filesystem. It uses the Botan library for + encryption and SQLite3 for data storage. Though less secure + than a true HSM, it can provide more secure key storage than + traditional key files, and can allow you to experiment with + PKCS#11 when an HSM is not available. + The SoftHSM cryptographic store must be installed and + initialized before using it with OpenSSL, and the SOFTHSM_CONF + environment variable must always point to the SoftHSM configuration + file: +$ cd softhsm-1.3.0 +$ configure --prefix=/opt/pkcs11/usr +$ make +$ make install +$ export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf +$ echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF +$ /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm + + SoftHSM can perform all cryptographic operations, but + since it only uses your system CPU, there is no need to use it + for anything but signing. Therefore, we choose the 'sign-only' + flavor when building OpenSSL. + +$ cd openssl-0.9.8s +$ ./Configure linux-x86_64 -pthread \ + --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ + --pk11-flavor=sign-only \ + --prefix=/opt/pkcs11/usr + + After configuring, run "make" + and "make test". + + Once you have built OpenSSL, run + "apps/openssl engine pkcs11" to confirm + that PKCS #11 support was compiled in correctly. The output + should be one of the following lines, depending on the flavor + selected: + (pkcs11) PKCS #11 engine support (sign only) - Or: - + Or: + (pkcs11) PKCS #11 engine support (crypto accelerator) - Next, run - "apps/openssl engine pkcs11 -t". This will - attempt to initialize the PKCS #11 engine. If it is able to - do so successfully, it will report - [ available ]. - If the output is correct, run - "make install" which will install the - modified OpenSSL suite to - /opt/pkcs11/usr. - + Next, run + "apps/openssl engine pkcs11 -t". This will + attempt to initialize the PKCS #11 engine. If it is able to + do so successfully, it will report + [ available ]. + If the output is correct, run + "make install" which will install the + modified OpenSSL suite to + /opt/pkcs11/usr. Building BIND 9 with PKCS#11 When building BIND 9, the location of the custom-built OpenSSL library must be specified via configure. - - Configuring BIND 9 for Linux + + Configuring BIND 9 for Linux with the AEP Keyper To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build. The PKCS #11 library for the AEP Keyper is currently @@ -203,8 +241,8 @@ $ ./configure CC="gcc -m32" --enable-threads \ - - Configuring BIND 9 for Solaris + + Configuring BIND 9 for Solaris with the SCA 6000 To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build. @@ -220,10 +258,22 @@ $ ./configure CC="cc -xarch=amd64" --enable-threads \ same as the --prefix argument to the OpenSSL Configure). + + + Configuring BIND 9 for SoftHSM + +$ cd ../bind9 +$ ./configure --enable-threads \ + --with-openssl=/opt/pkcs11/usr \ + --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so + + After configuring, run "make", "make test" and "make install". + (Note: If "make test" fails in the "pkcs11" system test, you may + have forgotten to set the SOFTHSM_CONF environment variable.) PKCS #11 Tools