March 30, 2011 System Engineering HSM Utimaco Integration Guide Bind 9.7 with SafeGuard CryptoServer (Linux 2.6)


March 30, 2011

System Engineering HSM

Utimaco Integration Guide

Bind 9.7 with SafeGuard CryptoServer

(Linux 2.6)


Utimaco Safeware AG, Germany

Utimaco Safeware AG

Germanusstr. 4

D-52080 Aachen

Germany

Tel +49 241 1696 200

Fax +49 241 1696 199

E-Mail [email protected]

Date March 30, 2011

Author System Engineering HSM


Contents

1 Introduction
1.1 Concepts
2 Requirements
3 Supported Operating Systems
4 Procedures
4.1 Install SafeGuard® CryptoServer hardware
4.2 Install SafeGuard® CryptoServer software
4.3 Configure PKCS#11
4.3.1 Adjust the Configuration File
4.3.2 Test PKCS#11 Configuration with P11Tool
4.4 Patch and Build OpenSSL
4.5 Install BIND Domain Name Server
4.6 Generate Keys and Sign a Zone
4.6.1 Re-signing Zones
5 Further Information


1 Introduction

This paper is an integration guide that explains how to integrate a Hardware Security Module (HSM), the SafeGuard® CryptoServer, with the BIND 9.7 server on a Linux operating system platform. Configuration details that go beyond what is needed to integrate the hardware security module, especially general Domain Name System configuration, are not explained in this document. For further information on configuring and setting up BIND for a domain name system, refer to the documents and information provided by ISC [1].

1.1 Concepts

The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. Most importantly, it translates human-readable domain names into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. The Domain Name System is often compared to the phone book of the worldwide Internet.

The original design of the Domain Name System did not include any security. Instead, it was developed as a simple, scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempt to add security while maintaining backwards compatibility with the existing Domain Name System. RFC 3833 attempts to document some of the known threats to the DNS and how DNSSEC tries to respond to those threats. DNSSEC was designed to protect Internet resolvers from forged DNS data, such as that created by DNS cache poisoning. All answers from a DNSSEC-enabled domain name system are digitally signed. By verifying the digital signature, a DNS resolver is able to check whether the information is correct and complete with respect to the information on the authoritative domain name server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information too, such as general-purpose cryptographic certificates. Cryptographic keys are used to sign domain name related information. These keys require extensive protection against being stolen or corrupted. A hardware security module is the best solution for maintaining the highest security and performance for the protection of those keys.

The SafeGuard® CryptoServer is a hardware security module developed by Utimaco Safeware AG, i.e. a physically protected, specialized computer unit designed to perform sensitive cryptographic tasks and to securely manage cryptographic keys and data. In a SafeGuard CryptoServer security system, security-relevant actions can be executed and security-relevant information can be stored. It can be used as a universal, independent security component for heterogeneous computer systems.

1 ISC – http://www.isc.org


2 Requirements

Ensure that you have a copy of the CryptoServer Administration Guide and the CryptoServer PKCS#11 Interface. You should also have a Linux operating system (kernel 2.6) installed and prepared. If you are using a PCI(e) card, also compile and install the necessary driver for that card. This guide assumes that a Debian-based Linux distribution is used.

Software and hardware requirements

HSM Model          SafeGuard® CryptoServer CS-Series/S-Series/Se-Series PCI(e)
Smartcard reader   reinerSCT cyberJack e-com
HSM Firmware       SafeGuard® Security Server 2.30.2
Software           SafeGuard® Security Server 2.30.2
                   Linux 2.6 (Debian 4.1.2-25)

3 Supported Operating Systems

The interoperability of the SafeGuard® CryptoServer solution with operating systems, Bind and OpenSSL has been tested successfully for the following combinations:

Operating System   SafeGuard SecurityServer Version   Bind Version   OpenSSL Version   PCI Support   Ethernet Support
Debian 4.1.2 x86   2.30.2                             9.7.2-P3       0.9.8l            Yes           Yes


4 Procedures

To integrate the SafeGuard® CryptoServer with the BIND domain name server (named) in the context of a DNSSEC-secured environment, complete the following steps on Linux:

1. Install SafeGuard® CryptoServer hardware
2. Install SafeGuard® CryptoServer software
3. Configure PKCS#11
   o Adjust the Configuration File
   o Test PKCS#11 Configuration with P11Tool
4. Patch and Build OpenSSL
5. Install Bind Domain Name Server
6. Generate Keys and Sign a Zone
   o Re-signing Zones

4.1 Install SafeGuard® CryptoServer hardware

For general information on installing and setting up the SafeGuard® CryptoServer PCI or LAN, see the SafeGuard® CryptoServer PCI / (LAN) Installation & Operating manual. There is no need to install any software specifically for running the SafeGuard® CryptoServer: it comes with a preinstalled set of firmware.

4.2 Install SafeGuard® CryptoServer software

The SafeGuard CryptoServer software, which includes administrative and library software, has to be installed on your computer system manually. To install the necessary PKCS#11 libraries, refer to the SafeGuard CryptoServer PKCS#11 Interface. Further configuration steps are explained next.

4.3 Configure PKCS#11

4.3.1 Adjust the Configuration File

After installing the libraries (we assume that the PKCS#11 library is located at /usr/lib/cryptoserver/libcs2_pkcs11.so), adjust the configuration file cs2_pkcs11.ini according to your hardware. Check whether the environment variable CS2_PKCS11_INI points to the configuration file cs2_pkcs11.ini (e.g. /etc/utimaco/cs2_pkcs11.ini). If the variable is not set or is not configured properly, adjust it now before proceeding. The following command sets the environment variable in a bash shell:


# export CS2_PKCS11_INI=/etc/utimaco/cs2_pkcs11.ini

Primarily, the device specifier in your configuration file has to be adjusted before the PKCS#11 library can be used. Open the configuration file cs2_pkcs11.ini with an editor of your choice and find the device parameter of the CryptoServer section. Change the value to one of these possible values:

o IP address of your device (e.g. 192.168.0.42)
  This device specifier is used for network-attached devices. Further details on setting up the IP address of your device can be found in the SafeGuard CryptoServer LAN Operating & Installation Manual.

o /dev/cs2
  This device specifier addresses a locally installed PCI or PCIe device. An installed device driver is necessary to open a connection. Further details on setting up the driver can be found in the SafeGuard CryptoServer PCI(e) Operating & Installation Manual.

You can check the logs while performing PKCS#11 operations in the next chapters. With the default configuration of the cs2_pkcs11.ini file, they are located in /tmp. For this purpose the Logging parameter has to be adjusted: 15 is the highest log level, while 0 disables logging entirely.

4.3.2 Test PKCS#11 Configuration with P11Tool

The p11tool is a command line tool for administering PKCS#11-related settings of the SafeGuard CryptoServer. It is located in the directory Software/PKCS11/bin/Linux-x86-32/ of the Security Server package. Perform the following steps to initialize a PKCS#11 slot where the keys for DNSSEC will be generated and stored:

1. First make the p11tool executable:

# chmod u+x p11tool

2. Now check whether the PKCS#11 configuration was successful:

# p11tool listslots

3. Finally, initialize a PKCS#11 slot:

# p11tool slot=0 InitToken=123456

# p11tool slot=0 LoginSO=123456 InitPin=utimaco123

The InitPin parameter determines the user PIN of the PKCS#11 slot.

4.4 Patch and Build OpenSSL

The OpenSSL libraries must be built from source code. Only building the libraries from source enables the PKCS#11 support that BIND needs. BIND uses OpenSSL for its cryptographic operations. Additionally, a patch that enables OpenSSL to interface with PKCS#11 libraries must be applied to the OpenSSL sources. This patch is bundled with the BIND source code.


1. First download and extract the sources for OpenSSL-0.9.8l and Bind-9.7.2-P3. You can find them at http://www.openssl.org/source/ and http://www.isc.org/software/bind.

2. Now apply the patch ./bind-9.7.2-P3/bin/pkcs11/openssl-0.9.8l-patch to OpenSSL by switching to the OpenSSL directory and running the command:

# patch -p1 < path-to/openssl-0.9.8l-patch

3. Configure OpenSSL:

# ./Configure linux-generic32 -m32 -pthread \
    --pk11-libname=/usr/lib/cryptoserver/libcs2_pkcs11.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11

The pk11-libname parameter points to the path of the PKCS#11 library, pk11-flavor determines which kind of PKCS#11 engine (provided by the patch) is used (sign-only or crypto-accelerator), and the prefix parameter points to the directory where the libraries are located after the installation.

4. Build and test OpenSSL:

# make

# make test

If errors occur at this point, recheck the configuration.

5. Check the availability of the engine by running the command:

# apps/openssl engine pkcs11 -t

6. Finally run

# make install

to make the modified OpenSSL suite available in /opt/openssl-p11 as specified during the configuration.

4.5 Install BIND Domain Name Server

Besides OpenSSL, it is also mandatory to compile BIND from source. Only this enables BIND to use PKCS#11-enabled hardware for cryptographic operations. Since the locations of the OpenSSL and PKCS#11 libraries are determined during the configuration of BIND, you have to provide the location of the OpenSSL libraries created in chapter 4.4. To do so, perform the following steps:

1. Configure BIND:

# ./configure CC="gcc -m32" --enable-threads \
    --with-openssl=/opt/openssl-p11 \
    --with-pkcs11=/usr/lib/cryptoserver/libcs2_pkcs11.so

The parameters point to the paths of the libraries as already mentioned.

2. Now set the environment variable LD_LIBRARY_PATH to the path of the PKCS#11 library:


# export LD_LIBRARY_PATH=/usr/lib/cryptoserver

3. Build and install BIND:

# make

# make install

Further steps usually concern the general configuration of DNS and are not part of this document.

4.6 Generate Keys and Sign a Zone

In this chapter we generate a zone-signing key (ZSK) and a key-signing key (KSK) using the tools pkcs11-keygen and dnssec-keyfromlabel provided by BIND, and use them to sign a domain zone. The first tool actually generates the keys in the HSM; the second tool generates the key files for BIND, which contain a public key and an identifier of the actual private key. Since slot 0 is the only slot initialized so far (in chapter 4.3.2), we use it for the BIND configuration now.

1. Run the following commands to generate a zone-signing key and a key-signing key in the SafeGuard CryptoServer:

# pkcs11-keygen -b 2048 -l ksk

# pkcs11-keygen -b 1024 -l zsk

The parameter -b specifies the key size and -l the label of the key pair. Since the library path was exported, it is no longer necessary to specify it using the parameter -m (module).

2. Switch to the default folder for zone files and generate the key files for BIND:

# dnssec-keyfromlabel -l ksk -f KSK utimaco.com

# dnssec-keyfromlabel -l zsk utimaco.com

The parameter -l specifies the label again, and -f is followed by the key flag. The key files are generated for a specific zone, which in this case is "utimaco.com". You should now find the corresponding key files in the current directory. Their names are composed as K<zone name>.+<numeric representation of the key file>+<key identifier>.(key|private). It is not necessary to add the -E (engine) parameter here because BIND was built with the --with-pkcs11 option in the first place. This sets the SafeGuard CryptoServer PKCS#11 engine as the default.

3. Before you can sign a zone, it is necessary to add the contents of both K*.key files to the zone master file, or to include them by reference using their file names. Open the zone file and add, for example, the following lines:

$include Kutimaco.com.+005+35677.key

$include Kutimaco.com.+005+63263.key

4. Finally sign the zone:

# dnssec-signzone -S -o <zone name> <zone file>


You do not need to specify the key files here because "smart signing" is activated with the -S parameter, which enables an automatic search for key files. The signed domain zone file is now located in the current folder.
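A pre-signing check for step 3, added here as an example and not taken from the Utimaco guide: it confirms that a zone has both a KSK (DNSKEY flags 257) and a ZSK (flags 256) key file, each with its .private companion, and prints the matching $include lines. The function names are hypothetical and the key files in the demo are constructed; which of the two key identifiers belongs to the KSK is an assumption.

```shell
#!/bin/sh
# Added example: verify K*.key files before running dnssec-signzone.

# Print the DNSKEY flags field of a .key file (256 = ZSK, 257 = KSK).
key_flags() {
    awk '!/^;/ { for (i = 1; i < NF; i++)
                     if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1"
}

# Print one $include line per key file of ZONE found in DIR.
# Fails if a .private file is missing or no KSK/ZSK pair is present.
zone_includes() {
    dir=$1 zone=$2 ksk=0 zsk=0
    for f in "$dir"/K"$zone".+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9].key; do
        [ -f "$f" ] || continue
        [ -f "${f%.key}.private" ] || {
            echo "missing ${f%.key}.private" >&2; return 1; }
        case $(key_flags "$f") in
            257) ksk=$((ksk + 1)) ;;
            256) zsk=$((zsk + 1)) ;;
            *)   echo "unexpected DNSKEY flags in $f" >&2; return 1 ;;
        esac
        printf '$include %s\n' "${f##*/}"
    done
    [ "$ksk" -ge 1 ] && [ "$zsk" -ge 1 ] || {
        echo "zone $zone needs at least one KSK and one ZSK" >&2; return 1; }
}

# Demo on constructed key files (the key material is a placeholder).
demo_dir=$(mktemp -d)
echo 'utimaco.com. IN DNSKEY 257 3 5 Y29uc3RydWN0ZWQ=' \
    > "$demo_dir/Kutimaco.com.+005+35677.key"
echo 'utimaco.com. IN DNSKEY 256 3 5 Y29uc3RydWN0ZWQ=' \
    > "$demo_dir/Kutimaco.com.+005+63263.key"
: > "$demo_dir/Kutimaco.com.+005+35677.private"
: > "$demo_dir/Kutimaco.com.+005+63263.private"
zone_includes "$demo_dir" utimaco.com || true
rm -rf "$demo_dir"
```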

4.6.1 Re-signing Zones

In the previous chapter you have seen how to sign a domain zone manually, including generating the necessary keys. These keys have to be changed periodically, which normally requires manual intervention. BIND is also able to re-sign domain zones automatically: you can configure named to dynamically re-sign zones or new records inserted via nsupdate. For this, named requires access to the private key without user interaction. For PKCS#11, you have to provide the user PIN of the PKCS#11 slot to access the private key. To obtain automatic access to the private key, configure OpenSSL for this purpose. Edit the file located at /opt/openssl-p11/ssl/openssl.cnf and adjust it as follows:

openssl_conf = openssl_def

[ openssl_def ]

engines = engine_section

[ engine_section ]

pkcs11 = pkcs11_section

[ pkcs11_section ]

PIN = utimaco123

The location of the file can be overridden by setting the environment variable OPENSSL_CONF. The PIN is the one entered during the initialization of the PKCS#11 slot in chapter 4.3.2. This configuration also enables the dnssec-* tools to work without prompting the user for the PIN.
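Because this openssl.cnf now holds the slot's user PIN in clear text, the file itself becomes a credential. The following audit is an added example, not part of the Utimaco guide: it follows the openssl_conf, engines and pkcs11 references shown above and fails if a PIN is configured while group or other users can access the file. The function names are hypothetical, the owner-only policy is an assumption, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit an openssl.cnf that stores the PKCS#11 user PIN.

# Print the value of KEY in [SECTION] ("" = default section) of FILE.
cnf_get() {
    awk -v want="$2" -v key="$3" '
        BEGIN { sec = "" }
        { sub(/[ \t]*#.*$/, "") }
        /^[ \t]*\[/ { gsub(/\[|\]|[ \t]/, ""); sec = $0; next }
        sec == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Follow openssl_conf -> engines -> pkcs11; print the section holding a PIN.
pin_section() {
    def=$(cnf_get "$1" "" openssl_conf); [ -n "$def" ] || return 1
    eng=$(cnf_get "$1" "$def" engines);  [ -n "$eng" ] || return 1
    p11=$(cnf_get "$1" "$eng" pkcs11);   [ -n "$p11" ] || return 1
    [ -n "$(cnf_get "$1" "$p11" PIN)" ] && printf '%s\n' "$p11"
}

# Return 0 if a PIN is set and only the owner has access, 1 if the file
# is exposed to group/other, 2 if no engine PIN is configured at all.
audit_pin_conf() {
    f=$1
    sec=$(pin_section "$f") || { echo "no engine PIN configured in $f"; return 2; }
    mode=$(stat -c '%a' "$f")
    case $mode in
        *00|0) echo "ok: PIN in [$sec], mode $mode"; return 0 ;;
        *)     echo "FAIL: PIN in [$sec], mode $mode exposes it to group/other"
               return 1 ;;
    esac
}

# Demo on a constructed copy of the snippet above (not a real PIN file).
demo_cnf=$(mktemp)
printf '%s\n' 'openssl_conf = openssl_def' '[ openssl_def ]' \
    'engines = engine_section' '[ engine_section ]' \
    'pkcs11 = pkcs11_section' '[ pkcs11_section ]' 'PIN = utimaco123' > "$demo_cnf"
chmod 644 "$demo_cnf"; audit_pin_conf "$demo_cnf" || true
chmod 600 "$demo_cnf"; audit_pin_conf "$demo_cnf" || true
rm -f "$demo_cnf"
```

On a real system, run audit_pin_conf against /opt/openssl-p11/ssl/openssl.cnf or the file named by OPENSSL_CONF.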


5 Further Information

This guide forms one part of the information and support provided by Utimaco Safeware. Additional documentation produced to support your SafeGuard® CryptoServer product can be found in the document directory of the product CD-ROM for that product. All SafeGuard® CryptoServer product documentation is available from the Utimaco web site at: http://hsm.utimaco.com
