Hyperledger Fabric nShield HSM Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
Procedures

Introduction

This document describes how to integrate the Hyperledger Fabric with the Entrust nshield Container Option Pack (nSCOP). This utilizes Entrust nshield hardware security module (HSM) as a Root of Trust for storage encryption, to protect the private keys and meet FIPS 140-2 Level 2 and 3 criteria.

Product configurations

Entrust has successfully tested nshield HSM integration with Hyperledger Fabric in the following configurations:

Product	Version
Fabric CA	1.5.2
Docker CE	20.10.12
Go	1.16.12
Host OS	Red Hat Enterprise Linux 8
Container OS	Ubuntu Bionic

Supported nshield hardware and software versions

Entrust has successfully tested with the following nshield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.80.4	12.50.11	12.80.4	✓	✓	✓

Connect +

Security World Software	Firmware	Image	OCS	Softcard	Module
12.80.4	12.50.8	12.80.4	✓	✓	✓

Supported nshield HSM functionality

Feature	Support
Module-only key	Yes
OCS cards	Yes
Softcards	Yes
nSaaS	Yes
FIPS 140-2 Level 3	Yes

Requirements

Familiarize yourself with:

Hyperledger Fabric documentation: Hyperledger Fabric CA User’s Guide .
The nshield HSM: Installation Guide and User Guide .
Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:
- The number and quorum of administrator cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- The number and quorum of operator cards in the Operator Card Set (OCS), and the policy for managing these cards.
- The keys protection method: Module, Softcard, or OCS.
- The level of compliance for the Security World, FIPS 140-2 Level 3.
- Key attributes such as key size, time-out, or need for auditing key usage.

Procedures

Prerequisites:

Install the Entrust nshield HSM using the instructions in the Installation Guide for the HSM.
Configure the Entrust nshield HSM to have the IP address of your container host machine as a client.
Install the Entrust nshield Security World Software, and configure the Security World as described in the User Guide for the HSM. The Security World and module files will be copied to the container. Instructions for this are detailed later in this guide.
Edit or create the cknfastrc file located in /opt/nfast/ :
- If using Module protection:
  CKNFAST_FAKE_ACCELERATOR_LOGIN=1
- If using OCS or Softcard protection:
  CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_LOADSHARING=1
Install Git, cURL, Go, and Docker. See the Hyperledger Fabric documentation for more information on the prerequisites.
Get the Hyperledger Fabric repositories. The following installs both the fabric-ca-server and fabric-ca-client binaries in $GOPATH/bin :
```
go get -u github.com/hyperledger/fabric-ca/cmd/...
```

Install nSCOP on the host machine

The following is an example installation of nSCOP. See nshield Container Option Pack User Guide for more details.

Set up the nSCOP working directory:

% mkdir -p /opt/nscop

% tar xf nscop-1.1.1.tar -C /opt/nscop

Mount the Security World:

% mkdir SecWorld-12.80.4

% mount -o loop SecWorld_Lin64-12.80.4.iso SecWorld-12.80.4

Set up the hardserver image:

% cd /opt/nscop

% ./make-nshield-hwsp SecWorld-12.80.4

Configure nshield-hwsp :

Set up the hardserver configuration file and directory:

% mkdir -p /opt/nscop/config1

% ./make-nshield-hwsp-config --output /opt/nscop/config1/config <hsm ip address>

% cat /opt/nscop/config1/config

Create a new socket so that application containers can use the hardserver:
```
% docker volume create socket1
```

Run the nshield-hwsp container:

% docker run -d -v /opt/nscop/config1:/opt/nfast/kmdata/config:ro -v socket1:/opt/nfast/sockets nshield-hwsp:12.80.4

Check the status of nshield-hwsp using the enquiry command:

% NFAST_SERVER=/var/lib/docker/volumes/socket1/_data/nserver /opt/nfast/bin/enquiry

Build Hyperledger with PKCS #11 enabled

The default Dockerfile that comes with the Hyperledger Fabric CA software makes an image containing Alpine Linux. nSCOP does not currently support Alpine Linux. The Dockerfile will need to be changed to make an image with a supported Operating System.

Edit the Dockerfile . For example (Ubuntu):

% vi /root/go/pkg/mod/github.com/hyperledger/[email protected]/images/fabric-ca/Dockerfile

ARG GO_VER
ARG ALPINE_VER
FROM ubuntu:bionic
ARG GO_LDFLAGS
ARG GO_TAGS

RUN apt-get update
RUN apt-get install -y curl gcc git musl-dev
RUN rm -rf /var/lib/apt/lists/*

ENV GOLANG_VERSION 1.13.2
RUN curl -sSL https://storage.googleapis.com/golang/go$GOLANG_VERSION.linux-amd64.tar.gz | tar -v -C /usr/local -xz
ENV PATH /usr/local/go/bin:$PATH
RUN mkdir -p /go/src /go/bin && chmod -R 777 /go
ENV GOROOT /usr/local/go
ENV GOPATH /go
ENV PATH /go/bin:$PATH
ADD . $GOPATH/src/github.com/hyperledger/fabric-ca
RUN go install -tags "${GO_TAGS}" -ldflags "${GO_LDFLAGS}" \
        github.com/hyperledger/fabric-ca/cmd/fabric-ca-server \
        && go install -tags "${GO_TAGS}" -ldflags "${GO_LDFLAGS}" \
        github.com/hyperledger/fabric-ca/cmd/fabric-ca-client

ENV FABRIC_CA_HOME /etc/hyperledger/fabric-ca-server
EXPOSE 7054
CMD fabric-ca-server start -b admin:adminpw

Build the container image:

% cd /root/go/pkg/mod/github.com/hyperledger/[email protected]

% GO_TAGS=pkcs11 make docker

The following images will be generated:

% docker images

REPOSITORY              TAG             IMAGE ID       CREATED        SIZE
hyperledger/fabric-ca   1.5.2           42c3a53f293f   2 hours ago   832MB
hyperledger/fabric-ca   amd64-1.5.2     42c3a53f293f   2 hours ago   832MB
hyperledger/fabric-ca   latest          42c3a53f293f   2 hours ago   832MB

Run the make-nshield-application (nSCOP) script to build the final image. For example:

% cd /opt/nscop

% ./make-nshield-application --from hyperledger/fabric-ca:amd64-1.5.2 --tag hyperpkcs11nshield:amd64 --java /opt/nfast/SecWorld-12.80.4

In this example:

--from	This is the Docker images container that you want a source image.
--tag	This is the new image name that will appear in the list of Docker images.
--java	This is an option to install Java, it is optional for this integration.
/mnt	This is where your Security World ISO is mounted.

Configure and start the Hyperledger Fabric CA server

The volumes that will be used in the docker run command are: In the following steps, fabric-ca-server-config.yaml will be generated and then edited within the container. This file can also be created beforehand to simplify these steps.

The volumes that will be used in the docker run command are:

-v /opt/nfast/sockets.hwsp:/opt/nfast/sockets

Required for hardserver communication.

-v /opt/nfast/kmdata/local:/opt/nfast/kmdata/local:rw

Used to share kmdata\local between Security World and the app container.

-v /opt/nfast/cknfastrc:/opt/nfast/cknfastrc

File used when selecting PKCS #11 key protection type.

Run the container interactively with a bash prompt:

% docker run -it \
       -v socket1:/opt/nfast/sockets \
       -v /opt/nfast/kmdata/local:/opt/nfast/kmdata/local:rw \
       -v /opt/nfast/cknfastrc:/opt/nfast/cknfastrc \
       hyperpkcs11nshield:amd64-java

Run enquiry and nfkminfo within the container. The output should show a usable module and Security World.
```
% /opt/nfast/bin/enquiry

% /opt/nfast/bin/nfkminfo
```
Run fabric-ca-server to generate a new config file to edit. Then, type Control-C or X multiple times to exit.
```
% fabric-ca-server start -b root:root
```

Edit the fabric-ca-server-config.yaml file:

% cd /etc/hyperledger/fabric-ca-server

% vi fabric-ca-server-config.yaml

Find the "bccsp" section and add the PKCS #11 settings. For example:
```
bccsp:
    default: PKCS11
    pkcs11:
        Library: /opt/nfast/toolkits/pkcs11/libcknfast.so
        Pin: 123456
        label: fabric
        hash: SHA2
        security: 256
```
In this example:
- The name of the Softcard or OCS is "fabric" and the pin is "123456".
- If using module protection, the label will be "accelerator".
- If using module protection with loadsharing=1 in the cknfastrc file, the label will be "loadshared accelerator".
- The pin can be left empty if using module protection.
Delete any keystore in /etc/hyperledger/fabric-ca-server such as the msp directory and the old .pem file so that new ones are generated with the HSM when the server is started.
Start the server:
```
% fabric-ca-server start
```

The new HSM protected PKCS #11 key can be found at /opt/nfast/kmdata/local . The cert is in the Hyperledger directory as ca-cert.pem .

Enroll and register a Fabric CA client

Edit the fabric-ca-server-config.yaml file and change the identity section as needed.
Start the server if it is not currently running. It needs to be running for the enroll command to work.

Create a directory environment variable:

% export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin

Enroll under the identity in the server YAML file:
```
% fabric-ca-client enroll -u http://root:root@localhost:7054
```
This was done to generate a client YAML file to edit. The client is not yet enrolled through the HSM.
Edit the client YAML file in your home directory environment path.
Delete the msp directory and edit the YAML file in the home directory you exported.
Edit the "bccsp" section and mirror the server YAML BCCSP for the HSM.

Run the enroll command again with the server identity:

% fabric-ca-client enroll -u http://root:root@localhost:7054

% fabric-ca-client register --id.name ica.example --id.type client --id.secret root --csr.names C=es,ST=madrid,L=Madrid,O=example.com --csr.cn ica.example -m ica.example --id.attrs '"hf.IntermediateCA=true"' -u http://localhost:7054 --loglevel debug

Peers and ordering nodes

To set up peers and ordering nodes with the Entrust nshield HSM:

Edit one more YAML file for each node. Use the same PKCS #11 BCCSP template as shown above. This will be the core.yaml file for a peer node and the orderer.yaml file for a ordering node.
Run the enrollment lines from the peer or ordering nodes to the main fabric CA server to enroll it.

See the Hyperledger Fabric documentation for more information.

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
Hyperledger Fabric nShield HSM Integration Guide

Table of Contents