Document proxy for AWS CloudHSM #2

Open
mastersingh24 wants to merge 1 commit into IBM-Blockchain:master from mastersingh24:master

Conversation

@mastersingh24

Signed-off-by: Gari Singh <gari.r.singh@gmail.com>

@mastersingh24 (Author)

@pamandrejko - can you take a look? I still need to add a Kubernetes section, but wanted to get something out. I know you will not be able to actually test, but hopefully this makes sense.

- An environment variable named **`PKCS11_PROXY_SOCKET`** must be set to a URL of the form `tcp://${HOSTIP}:2345` where `${HOSTIP}` represents the routable address for a running PKCS#11 proxy container.
- The `bccsp` section of the configuration file for each peer (`core.yaml`), orderer (`orderer.yaml`) and/or CA (`fabric-ca-server-config.yaml`) must be configured to use the `pkcs11` cryptographic provider as follows:
```
BCCSP:

Collaborator

Can you confirm that the Immutable parameter is not needed for AWS HSM?

# User PIN
Pin: ${HSM_USER}:${HSM_PASSWORD}
```
Where `${ALT_ID}` is the PKCS#11 label for the key and `${HSM_USER}` and `${HSM_PASSWORD}` are the credentials for an HSM user with the CU role. No newline at end of file
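Review bot: `Pin: ${HSM_USER}:${HSM_PASSWORD}` places a CloudHSM crypto-user credential in clear text in core.yaml, orderer.yaml or fabric-ca-server-config.yaml; the text should recommend supplying it at start time (an environment override or a mounted secret) rather than writing it into the file, and should say plainly that the `${...}` placeholders are not expanded for the reader and must be substituted. The file also lacks a trailing newline.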

Collaborator

For the AltId, Fabric docs say "Create a long secure string outside of Fabric and assign it to the AltId parameter." But you say it is the label for the key. Which is correct?

Collaborator

In our Fabric doc, we probably need to tell them that for AWS CloudHSM the Pin is the combination of `${HSM_USER}` and `${HSM_PASSWORD}`? That's the first I've heard of this.

Collaborator

Configuration in IBP UI requires 3 things:

- Proxy end point - URL from line 58.
- Label - value of the AltId
- Pin - `${HSM_USER}:${HSM_PASSWORD}`

BUT, I think they also would have to use the IBP node override anyway to replace the BCCSP section with the params you list above. The params that IBP defaults to (which would not work in this case) are:

```
"BCCSP": {
  "Default": "PKCS11",
  "PKCS11": {
    "Label": "fabric",
    "Pin": "18283838"
  }
}
```

So technically they should just skip the IBP HSM UI and paste in the JSON? Seems like it would be less error prone to just paste in the JSON than to try to edit it in the UI.
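As an added example (not part of this PR or the IBP project), a Python check that runs an IBP node-override BCCSP block against the requirements discussed in this thread: the proxy library path, port and IBP default Pin come from the PR text, while the key label and credential are constructed placeholders.

```python
"""Check an IBP node-override BCCSP block against the PKCS#11-proxy requirements."""
import json
from urllib.parse import urlsplit

# Values from the PR thread: the proxy library IBP images ship, the proxy port,
# and the IBP default Pin the reviewer quotes (which would not work with CloudHSM).
PROXY_LIBRARY = "/usr/local/lib/libpkcs11-proxy.so"
PROXY_PORT = 2345
IBP_DEFAULT_PIN = "18283838"


def check_hsm_override(override: dict, proxy_socket: str) -> list:
    """Return findings for an override plus its PKCS11_PROXY_SOCKET; [] means usable."""
    findings = []
    bccsp = override.get("BCCSP", {})
    if bccsp.get("Default") != "PKCS11":
        findings.append("BCCSP.Default must be PKCS11")
    p11 = bccsp.get("PKCS11", {})
    if p11.get("Library") != PROXY_LIBRARY:
        findings.append(f"PKCS11.Library must be {PROXY_LIBRARY}")
    if not p11.get("Label"):
        findings.append("PKCS11.Label (the AltId / key label) is missing")
    pin = p11.get("Pin", "")
    if pin == IBP_DEFAULT_PIN:
        findings.append("PKCS11.Pin is still the IBP default, not a CloudHSM credential")
    if "${" in pin:
        findings.append("PKCS11.Pin still contains an unexpanded ${...} placeholder")
    user, sep, password = pin.partition(":")
    if not (sep and user and password):
        findings.append("PKCS11.Pin must have the form HSM_USER:HSM_PASSWORD")
    url = urlsplit(proxy_socket)
    if url.scheme != "tcp" or not url.hostname or url.port != PROXY_PORT:
        findings.append(f"PKCS11_PROXY_SOCKET must have the form tcp://HOSTIP:{PROXY_PORT}")
    return findings


# The IBP default block quoted in the thread, parsed as the JSON a node override takes.
IBP_DEFAULT_OVERRIDE = json.loads(
    '{"BCCSP": {"Default": "PKCS11", "PKCS11": {"Label": "fabric", "Pin": "18283838"}}}'
)
# Constructed example of a usable override; label and credential are placeholders.
CLOUDHSM_OVERRIDE = {"BCCSP": {"Default": "PKCS11", "PKCS11": {
    "Library": PROXY_LIBRARY, "Label": "peer1-enrollment-key",
    "Pin": "crypto_user:example-password"}}}

if __name__ == "__main__":
    for name, cfg in (("IBP default", IBP_DEFAULT_OVERRIDE), ("CloudHSM", CLOUDHSM_OVERRIDE)):
        print(name, check_hsm_override(cfg, "tcp://10.0.0.5:2345") or "ok")
```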

Collaborator

Also the Fabric docs include two more BCCSP parameters:

```
hash: SHA2
security: 256
```

Are these optional? Should they be included here?

@@ -0,0 +1,71 @@
# PKCS#11 proxy deployment instructions for AWS CloudHSM
In order for your IBM Blockchain Platform (IBP) nodes to leverage an AWS CloudHSM to manage their enrollment private keys, they must be configured to communicate with the PKCS#11 interface provided by the AWS CloudHSM. While you can modify the Docker images provided by IBP to include the appropriate PKCS#11 library, this README describes how to build a PKCS#11 proxy image which communicates with the AWS CloudHSM. IBP nodes include the PKCS#11 library required to communicate with the PKCS#11 proxy. The path to this library within each container image is `/usr/local/lib/libpkcs11-proxy.so`.
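Review bot: the opening paragraph presents the proxy only as a way to avoid rebuilding the IBP images; it should also state that every signing request from a peer, orderer or CA now passes through the proxy container, so the proxy host needs the same access controls as the nodes themselves and should be reachable only from them.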

Collaborator

Ash told me to use PKCS #11. I can make the edits after you fill in the k8s section.

Comment on lines +29 to +30
docker login ${REGISTRY_URL}
docker push ${REGISTRY_URL}/pkcs11-proxy-cloudhsm
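Review bot: `docker push ${REGISTRY_URL}/pkcs11-proxy-cloudhsm` pushes without an explicit tag, so every build overwrites `latest`; suggest tagging the image (for example with the proxy version or a git revision) in both the build and push steps so the deployment documented later pins a known image.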

Collaborator

Is the second `docker login ${REGISTRY_URL}` required?

Comment on lines +46 to +48
docker run -e "CLOUDHSM_ENI_IP=10.0.0.2" -v $PWD/customerCA.crt:/opt/cloudhsm/etc/customerCA.crt ${REGISTRY_URL}/pkcs11-proxy-cloudhsm
```
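Review bot: the `docker run` line neither publishes port 2345 nor marks the CA certificate mount read-only, yet the next section tells nodes to connect to `tcp://${HOSTIP}:2345`; document how the port is exposed, suggest binding it to the node network only (for example `-p <internal-ip>:2345:2345`), and mount the certificate with `-v $PWD/customerCA.crt:/opt/cloudhsm/etc/customerCA.crt:ro`.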

Collaborator

Should we replace `${REGISTRY_URL}` with an actual value since this is an example?

The IBM Blockchain peer, orderer and CA images include built-in support for connecting to the PKCS#11 proxy. The PKCS#11 driver used to communicate with the proxy is installed in each image in the following location: `/usr/local/lib/libpkcs11-proxy.so`.

In order to communicate with the PKCS#11 proxy, two items must be configured when launching a peer, orderer and/or CA container:
- An environment variable named **`PKCS11_PROXY_SOCKET`** must be set to a URL of the form `tcp://${HOSTIP}:2345` where `${HOSTIP}` represents the routable address for a running PKCS#11 proxy container.
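Review bot: the `tcp://${HOSTIP}:2345` socket carries the HSM PIN and every PKCS#11 request between the node and the proxy, and nothing here says how that link is protected; state whether the proxy build supports an authenticated TLS transport and, if not, that the proxy must be reachable only from the node network. The library path `/usr/local/lib/libpkcs11-proxy.so` also repeats the opening paragraph; say it once.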

Collaborator

Will it be obvious to them how to get the value of `${HOSTIP}`?

Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
pamandrejko added a commit that referenced this pull request Aug 6, 2020