cssadmin
cssadmin creates a key in a Security World.
This key is first wrapped by a wrapping key, and only then exported for use outside of the Security World.
cssadmin requires at least three parameters to be specified:
provider | The name of the provider.
keyName | The name of the Security World key (an existing key can be specified, however, it must have first been created by
wrapKey | The name of the cloud service provider’s wrapping key.
For AWS, Google Compute Engine and Salesforce, the following parameter must also be specified:
wrapAlg | The wrapping algorithm.
For Microsoft Azure, the following parameter must also be specified:
--azure-kek | The key identifier of the Microsoft Key Exchange Key.
If multiple HSMs exist in the Security World, you can optionally specify which HSM to use with the -m (--module) option.
For AWS, Google Compute Engine and Salesforce, the generated key is a 256-bit AES key. For Microsoft Azure and Google Cloud Key Management (Google KMS), you can choose from a list of available key types using a command line argument.
Run cssadmin
To run cssadmin on Windows:
"%NFAST_HOME%\python\python.exe" -m cssadmin
To run cssadmin on Linux:
/opt/nfast/python/bin/python -m cssadmin
Usage and options
usage: cssadmin.py [-h] [--version] [-m MODULE] [-O CARDSET | -S SOFTCARD | -M] [-a AZUREKEK] [-k KEYTYPE] provider keyName wrapKey [wrapAlg]
Help
Export a key from a Security World to be used outside, by a provider.
If the key does not exist, a new one is generated. By default, the key is module protected.
positional arguments:
  provider              The provider for which to export the key.
                        One of ['aws', 'google-compute-engine',
                        'google-cloud-key-management', 'microsoft-azure', 'salesforce']
  keyName               The name of the key to export/generate
  wrapKey               The filename of the key to use for wrapping (DER
                        encoded)
  wrapAlg               The wrapping algorithm (required for aws, google-compute-engine or salesforce).
                        One of ['RSAES_OAEP_SHA_256', 'RSAES_OAEP_SHA_1', 'RSAES_PKCS1_V1_5']
optional arguments:
  -h, --help            show this help message and exit
  --version             show program’s version number and exit
  -m MODULE, --module MODULE
                        Specify a module to use
  -O CARDSET, --ocs CARDSET
                        Select OCS protection
  -S SOFTCARD, --softcard SOFTCARD
                        Select softcard protection
  -M, --module-protection
                        Select module protection (default)
Microsoft Azure:
  -a AZUREKEK, --azure-kek AZUREKEK
                        The full URL key identifier of the Microsoft Azure wrapping key.
                        Typically a URI i.e. https://myvault.vault.azure.net/keys/mykey/version
Microsoft Azure and Google KMS:
  -k KEYTYPE, --key-type KEYTYPE
                        The type of the target key.
                        One of ['AES-256', 'EC-NISTP256', 'EC-NISTP384', 'EC-NISTP521', 'EC-SECP256K1', 'RSA-2048', 'RSA-3072', 'RSA-4096']
                        Will default to RSA-2048 if not supplied
The key type option represents the possible key types for both Microsoft Azure and Google KMS as there are common types. An error message will be printed if the type is not supported by the specified provider.
Microsoft Azure supports: 'RSA-2048', 'RSA-3072', 'RSA-4096', 'EC-NISTP256', 'EC-NISTP384', 'EC-NISTP521', 'EC-SECP256K1'
Google Cloud Key Management supports: 'RSA-2048', 'RSA-3072', 'RSA-4096', 'EC-NISTP256', 'EC-NISTP384', 'AES-256'
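The provider-specific rules above can be checked before the HSM is touched, which is useful when cssadmin is driven from automation. The following is an added example, not part of cssadmin or the vendor documentation: build_cssadmin_argv and its parameter names are hypothetical, and rejecting options that the page scopes to other providers is a choice made by this example rather than documented cssadmin behaviour.

```python
# Added example: pre-flight validation of cssadmin arguments using the rules on this page.
WRAP_ALGS = {"RSAES_OAEP_SHA_256", "RSAES_OAEP_SHA_1", "RSAES_PKCS1_V1_5"}
NEEDS_WRAP_ALG = {"aws", "google-compute-engine", "salesforce"}
KEY_TYPES = {  # per-provider lists from the --key-type help text
    "microsoft-azure": {"RSA-2048", "RSA-3072", "RSA-4096", "EC-NISTP256",
                        "EC-NISTP384", "EC-NISTP521", "EC-SECP256K1"},
    "google-cloud-key-management": {"RSA-2048", "RSA-3072", "RSA-4096",
                                    "EC-NISTP256", "EC-NISTP384", "AES-256"},
}
PROVIDERS = NEEDS_WRAP_ALG | set(KEY_TYPES)


def build_cssadmin_argv(provider, key_name, wrap_key, wrap_alg=None,
                        azure_kek=None, key_type=None, module=None,
                        python_exe="/opt/nfast/python/bin/python"):
    """Return the cssadmin argv list; raise ValueError on an invalid combination."""
    if provider not in PROVIDERS:
        raise ValueError(f"unknown provider {provider!r}")
    if wrap_alg is not None and wrap_alg not in WRAP_ALGS:
        raise ValueError(f"unknown wrapAlg {wrap_alg!r}")
    if provider in NEEDS_WRAP_ALG and wrap_alg is None:
        raise ValueError(f"wrapAlg is required for {provider}")
    if provider == "microsoft-azure" and not azure_kek:
        raise ValueError("--azure-kek is required for microsoft-azure")
    # Strictness chosen by this example (not documented cssadmin behaviour):
    # options the page scopes to other providers are rejected, not passed through.
    if azure_kek and provider != "microsoft-azure":
        raise ValueError(f"--azure-kek does not apply to {provider}")
    if key_type is not None:
        if provider not in KEY_TYPES:
            raise ValueError(f"--key-type does not apply to {provider} (256-bit AES key)")
        if key_type not in KEY_TYPES[provider]:
            raise ValueError(f"{key_type} is not supported by {provider}")

    argv = [python_exe, "-m", "cssadmin"]
    if module is not None:
        argv += ["--module", str(module)]
    if azure_kek:
        argv += ["--azure-kek", azure_kek]
    if key_type is not None:
        argv += ["--key-type", key_type]
    argv += [provider, key_name, wrap_key]
    if wrap_alg is not None:
        argv.append(wrap_alg)
    return argv  # pass to subprocess.run(argv, check=True) on a host with nShield tools


if __name__ == "__main__":
    # Constructed sample values: key name and wrapping-key file are placeholders.
    print(build_cssadmin_argv("aws", "demo-key", "aws-wrap.der", "RSAES_OAEP_SHA_256"))
```

On Windows, pass the interpreter path from the "Run cssadmin" section as python_exe.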