Configure Keyfactor EJBCA Enterprise to use the Entrust nShield HSM

Add the Keyfactor EJBCA Enterprise users to the nfast group

  1. Sign in to the Keyfactor EJBCA Enterprise CLI.

  2. Add the Keyfactor EJBCA Enterprise user to the nfast group.

    $ sudo gpasswd -a ec2-user nfast
    Adding user ec2-user to group nfast

  3. Add the wildfly user to the nfast group.

    $ sudo gpasswd -a wildfly nfast
    Adding user wildfly to group nfast

Verify that the PKCS #11 library is available

  1. If using OCS protection, present the OCS to the HSM.

  2. Sign in to the Keyfactor EJBCA Enterprise CLI.

  3. Run the ckcheckinst utility to test the library.

    • Enter the slot number corresponding to the protection method used.

    • Enter the OCS or Softcard passphrase when prompted.

    $ ckcheckinst
    PKCS#11 library interface version 2.40
                                flags 0
                       manufacturerID "nCipher Corp. Ltd               "
                   libraryDescription "nCipher PKCS#11 13.9.3-334-66c0b"
               implementation version 13.09
             Loadsharing and Failover enabled
    
    Slot  Status            Label
    ====  ======            =====
       0  Fixed token       "loadshared accelerator          "
       1  Fixed token       "testOCS                         "
       2  Soft token        "testSC                          "
    
    
    No removable tokens present.
    Please insert an operator card into at least one available slot and enter 'R' retry.
    If you have not created an operator card or there are no physical slots,
     enter a fixed token slot number,
     or 'E' to exit this program and create a card set before continuing.
    
    Enter a fixed token slot number, 'R'etry or 'E'xit: 1
    Using slot number 1.
    
    Please enter the passphrase for this token (No echo set).
    Passphrase:
    
    Test                      Pass/Failed
    ----                      -----------
    
    1 Generate RSA key pair   Pass
    2 Generate DSA key pair   Pass
    3 Encryption/Decryption   Pass
    4 Signing/Verification    Pass
    
    Deleting test keys         ok
    
    PKCS#11 library test successful.

Configure Keyfactor EJBCA Enterprise to recognize the nShield PKCS #11 library

  1. Sign in to the Keyfactor EJBCA Enterprise CLI.

  2. Create a backup of the web.properties configuration file:

    $ sudo cp /opt/ejbca_ee_9_4_2/conf/web.properties /opt/ejbca_ee_9_4_2/conf/web.properties.bak

  3. Edit the web.properties configuration file by adding the path to the nShield PKCS #11 library.

    See the /opt/ejbca_ee_9_4_2/conf/samples/web.properties.sample sample file for the path to the nShield PKCS #11 library.

    $ sudo cat /opt/ejbca_ee_9_4_2/conf/web.properties
    ...
    # Entrust nShield HSM
    cryptotoken.p11.lib.40.name=nCipher
    cryptotoken.p11.lib.40.file=/opt/nfast/toolkits/pkcs11/libcknfast.so
    ...

  4. Comment out the paths to crypto libraries that are not installed.

  5. Restart the EJBCA service:

    $ sudo service wildfly restart
    Redirecting to /bin/systemctl restart wildfly.service
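The following is an added post-configuration check script, not part of the Entrust or Keyfactor documentation, that covers both procedures above: it confirms that the EJBCA and wildfly users are members of the nfast group, and that every active (uncommented) cryptotoken.p11.lib.<N>.file entry in web.properties points to a library that actually exists on disk, so a misspelled path or a library left uncommented after step 4 is caught before the restart. It assumes only POSIX sh and coreutils, the key format shown in the page's web.properties excerpt, the nfast group name, and that library paths contain no whitespace; the function names and the final invocation line are this example's own.

```shell
#!/bin/sh
# Added example (not from the Entrust/Keyfactor guide): sanity-check the
# nfast group membership and the cryptotoken.p11.lib.<N>.file entries
# described on this page. Assumes POSIX sh + coreutils only.

# user_in_group USER GROUP -> 0 if USER is in GROUP (primary or supplementary)
user_in_group() {
    _u=$1; _g=$2
    for _m in $(id -nG "$_u" 2>/dev/null); do
        [ "$_m" = "$_g" ] && return 0
    done
    return 1
}

# p11_lib_files FILE -> prints the library path from every active
# (uncommented) cryptotoken.p11.lib.<N>.file= line in FILE
p11_lib_files() {
    sed -n 's/^[[:space:]]*cryptotoken\.p11\.lib\.[0-9][0-9]*\.file=[[:space:]]*//p' "$1"
}

# missing_p11_libs FILE -> prints each configured library path that does not
# exist on disk; returns 0 when all exist, 1 when at least one is missing
missing_p11_libs() {
    _rc=0
    # Assumption: library paths contain no whitespace (true for the
    # /opt/nfast/toolkits/pkcs11/libcknfast.so path used on this page).
    for _lib in $(p11_lib_files "$1"); do
        if [ ! -f "$_lib" ]; then
            printf '%s\n' "$_lib"
            _rc=1
        fi
    done
    return $_rc
}

# check_ejbca_hsm_setup PROPERTIES_FILE GROUP USER... -> runs every check,
# prints a one-line verdict per check, returns 0 only if all pass
check_ejbca_hsm_setup() {
    _props=$1; _grp=$2; shift 2
    _ok=0
    for _u in "$@"; do
        if user_in_group "$_u" "$_grp"; then
            echo "ok:   $_u is a member of group $_grp"
        else
            echo "FAIL: $_u is not a member of group $_grp"
            _ok=1
        fi
    done
    if _missing=$(missing_p11_libs "$_props"); then
        echo "ok:   every active cryptotoken.p11.lib entry in $_props exists"
    else
        echo "FAIL: configured PKCS #11 libraries not found on disk:"
        echo "$_missing"
        _ok=1
    fi
    return $_ok
}

# Invocation matching the configuration on this page (hypothetical usage line;
# uncomment to run on the EJBCA host):
# check_ejbca_hsm_setup /opt/ejbca_ee_9_4_2/conf/web.properties nfast ec2-user wildfly
```

Run it as the EJBCA user after step 4 and before the wildfly restart; a FAIL line for a library path means the corresponding cryptotoken.p11.lib entry should be corrected or commented out, and a FAIL line for a user means the gpasswd step for that user did not take effect (group changes only apply to new sessions).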