Installation
This guide explains how to integrate ownCloud with a Primus HSM or CloudHSM through the ownCloud HSM daemon and the Primus PKCS#11 Provider.
Step 1: Install the Primus PKCS#11 Provider
Begin by installing and configuring the Primus PKCS#11 Provider on your ownCloud server.
- For on-premise Primus HSMs: Configure the HSM
- For CloudHSM, this is not required, as Securosys manages the HSM for you.
- Contact your organization's HSM administrator for details.
- Download the Primus PKCS#11 provider
- Follow the Installation guide
To check that the provider is properly installed, list the available PKCS#11 slots using pkcs11-tool.
On Debian, pkcs11-tool is provided by the opensc-pkcs11 package.
$ pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so --list-slots
Available slots:
Slot 0 (0x0): OWNCLOUDPARTITION
token label : OWNCLOUDPARTITION
token manufacturer : Securosys SA
token model : Primus HSM
token flags : login required, rng, token initialized, PIN initialized, other flags=0x60
hardware version : 3.2
firmware version : 2.62
serial num : c7debb5d11f60ffb
pin min/max : 0/32
You should now have the following:
- Path to the PKCS#11 module, e.g. /usr/local/primus/lib/libprimusP11.so
- PKCS#11 user name (partition name), e.g. OWNCLOUDPARTITION
- PKCS#11 password ("User PIN")
Use the following command to test that the credentials are correct and that you can log into the HSM:
pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so --list-objects --slot 0 --login
Step 2: Install the ownCloud HSM Daemon
Download the hsmdaemon from the ownCloud customer portal.
Follow the ownCloud installation guide to install the daemon on the same server as ownCloud.
Step 3: Configure the ownCloud HSM Daemon
Edit the /etc/hsmdaemon/hsmdaemon.toml config file to tell the daemon how to connect to the Primus PKCS#11 Provider.
Use the parameters that you obtained earlier.
[pkcs11]
# Primus HSM
module = "/usr/local/primus/lib/libprimusP11.so"
pin = "replace_me"
slot = 0
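As an added example (not part of this guide and not code from the hsmdaemon or Primus tooling), the following POSIX shell helpers cover two checks from Steps 1 and 3: deriving the slot number for your partition from the pkcs11-tool --list-slots output, because the daemon must point at the slot whose token label is your partition and that is only slot 0 when no other token is visible, and confirming that hsmdaemon.toml, which holds the User PIN in clear text, is readable by its owner only. The function names, the two-slot listing and the sample PIN are constructed for this example; the first listing is copied from the Step 1 output above.

```shell
#!/bin/sh
# Added example: helpers for the ownCloud / Primus PKCS#11 setup above.
# Function names and the two-slot listing below are this example's own.

# Sample input copied from the pkcs11-tool --list-slots output in Step 1.
SAMPLE_LISTING='Available slots:
Slot 0 (0x0): OWNCLOUDPARTITION
  token label        : OWNCLOUDPARTITION
  token manufacturer : Securosys SA'

# Constructed listing with two tokens: the ownCloud partition is slot 1 here,
# so copying "slot = 0" into hsmdaemon.toml would point the daemon at the
# wrong token.
TWO_SLOT_LISTING='Available slots:
Slot 0 (0x0): OTHERPARTITION
  token label        : OTHERPARTITION
Slot 1 (0x1): OWNCLOUDPARTITION
  token label        : OWNCLOUDPARTITION'

# slot_for_label LISTING LABEL
# Prints the number of the first slot whose header line ends with LABEL and
# returns 0; returns 1 without output if no slot carries that label.
# Assumes the label contains no whitespace, as in the listings above.
slot_for_label() {
    printf '%s\n' "$1" | awk -v label="$2" '
        /^Slot [0-9]+ \(0x[0-9a-fA-F]+\): / && $NF == label { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# write_pkcs11_section MODULE SLOT
# Prints the [pkcs11] section of /etc/hsmdaemon/hsmdaemon.toml to stdout.
# The PIN is read from stdin rather than taken as an argument, so it never
# shows up in the process list or in the shell history. Assumes the PIN
# contains no double quotes.
write_pkcs11_section() {
    module=$1
    slot=$2
    IFS= read -r pin
    printf '[pkcs11]\n# Primus HSM\nmodule = "%s"\npin = "%s"\nslot = %s\n' \
        "$module" "$pin" "$slot"
}

# config_is_private FILE
# Succeeds only if the group and other permission bits are all clear
# (mode 0600 or stricter); the file contains the HSM PIN, so nobody but the
# owner should be able to read it. Uses ls rather than stat for portability.
config_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Stand-alone run: show the results on the sample listings.
printf 'slot for OWNCLOUDPARTITION (Step 1 listing): %s\n' \
    "$(slot_for_label "$SAMPLE_LISTING" OWNCLOUDPARTITION)"
printf 'slot for OWNCLOUDPARTITION (two-slot listing): %s\n' \
    "$(slot_for_label "$TWO_SLOT_LISTING" OWNCLOUDPARTITION)"

# Against a real installation (commands not run here):
#   listing=$(pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so --list-slots)
#   slot=$(slot_for_label "$listing" OWNCLOUDPARTITION) || echo "partition not visible"
#   write_pkcs11_section /usr/local/primus/lib/libprimusP11.so "$slot" > /etc/hsmdaemon/hsmdaemon.toml
#   config_is_private /etc/hsmdaemon/hsmdaemon.toml || chmod 600 /etc/hsmdaemon/hsmdaemon.toml
```

The login test in Step 1 already follows the same idea: with --login and no --pin, pkcs11-tool prompts for the User PIN instead of taking it on the command line. When the real listing shows more than one slot, use the number that slot_for_label returns for your partition in place of the "slot = 0" line above.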
Step 4: Test the Connection
To verify the installation and configuration, generate a test key:
sudo hsmdaemon genkey test
Id: 9bac3719-2b8d-11e9-aeab-0242b5ece4c3, label: test
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl1BO4vsI+xDk+x0nccl7
HQhMR/hwfa0+N8fyYNI8yzTTmYDqz9aaF20qG48+mjC0AUEt2kfKo94xM3UeEw4c
st4j1dpRJtmAJThcuN8OH3sa+3MeXWgGuWxjB1lxEEOqax2A6XzllDlbDsogwkOL
hSkUU9AaMRBtF8fASJGtJDP+iXwdb7OsFg78PS1wBAISYSUwk06xY7LwWIxge+hY
4oU+5x4itusdO6rz6kbcJtmUyDUb8DhKnN6OdkhnifUZLBG9HQyTa5OM+BAabbFZ
mTM2gZlUnGKXN7c4kaBPFt1IfjjVYu7pvj3B2uxUf4GywuSuWGWnAy89FqeXteRV
jwIDAQAB
-----END PUBLIC KEY-----
You can also test key listing:
sudo hsmdaemon showkey 9bac3719-2b8d-11e9-aeab-0242b5ece4c3
For more hsmdaemon testing commands see the ownCloud documentation.
Step 5: Configure ownCloud
After successfully installing and configuring the hsmdaemon, make sure to configure your ownCloud as well.
See Configure ownCloud for a detailed guide.