Key Management with WSOP

Security World keys in the Web Services Option Pack environment are managed by using the Web Services Option Pack REST API. Non-confidential key data which exists and can be accessed outside the HSM is stored in a database management system. For details about the key storage in the database management system, see the Database chapter.

Security World keys are identified by an appname and an ident. The appnames supported by Web Services Option Pack are simple, wspkcs11 and pkcs11. simple keys can be generated and used through the WSOP API; simple keys can also be migrated into WSOP if the algorithm is supported. PKCS #11 keys can be generated and used through the WSOP PKCS #11 library; PKCS #11 keys can also be migrated into WSOP if the algorithm is supported by the WSOP PKCS #11 library. wspkcs11 designates keys that were generated through the WSOP PKCS #11 library, and pkcs11 designates legacy PKCS #11 keys that were migrated into WSOP. The ident may contain only digits and lowercase letters. It cannot contain spaces, underscores (_), or hyphens (-).

Protection Domains

Web Services Option Pack provides support for Softcards through the concept of Protection Domains. A single Protection Domain is available for each Softcard, in addition to a "Module" Protection Domain which is the set of all HSM-protected keys.

A Protection Domain can be "activated" and "deactivated", which is equivalent to loading and unloading a Softcard.

The Module Protection Domain is always activated and cannot be deactivated.

Once a Protection Domain is activated, all Key Groups protected by that domain are able to load and create keys for use, until the Protection Domain is deactivated.

A Protection Domain does not need to be activated to load the public half of an asymmetric key or delete a key.

Well-Known Protection Domain

The "Well-Known" Protection Domain can only be used for public key import; key generation is not allowed. It has the same properties as the Module Protection Domain in that it is created by default, is always active, and cannot be deactivated.

Key Groups

Key Groups hold a collection of keys that are linked by a single common Protection Domain. All Security World keys belong to exactly one Key Group. A Key Group is created automatically for each available Protection Domain.

Client segregation

The Web Services Option Pack (WSOP) introduces the concept of WSOP client segregation, making it possible for keys protected by Softcards to be used only after each client has presented the authentication passphrase associated with the particular Protection Domain.

WSOP provides client segregation at the Protection Domain level only when TLS Client Authentication is enabled. Individual clients are identified by the issuer and subject fields of their TLS client certificate, and each WSOP client (each unique combination of issuer and subject) must individually activate the Protection Domains it wants to use.

Because the activated state of a Protection Domain is specific to a WSOP client, any command that requires the Protection Domain to be activated succeeds only if the TLS client certificate validates successfully and contains the correct issuer and subject fields.

When client segregation is in operation, any key or token handles loaded in the HSM are loaded in a client space separate from that of other Web Services Option Pack clients and nShield applications.

Keys are visible to all clients and can still be listed and deleted regardless of the Protection Domain's activation state.
Access to and use of public keys are not restricted by client segregation, so any client is able to use the public part of an asymmetric key.
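The rules above (ident naming, always-active Module and Well-Known domains, one Key Group per Protection Domain, per-client activation under TLS client authentication, and public-half loading, listing and deletion without activation) are easier to check against each other when written as a small authorization model. The following Python is an added illustration and is not part of WSOP or Entrust's code: it does not call the WSOP REST API, the domain identifiers "module" and "well-known" and the Softcard name "ops" are constructed for the example, and the treatment of the non-TLS-client-auth case (all clients sharing one activation state) is an assumption drawn from the statement that segregation applies only when TLS Client Authentication is enabled.

```python
import re
from dataclasses import dataclass

# ident rule from the page: digits and lowercase letters only, nothing else.
IDENT_RE = re.compile(r"[0-9a-z]+")
SUPPORTED_APPNAMES = {"simple", "wspkcs11", "pkcs11"}

# Constructed identifiers for the two built-in domains (the page names them
# but gives no identifier). Both are created by default and always active.
MODULE_DOMAIN = "module"
WELL_KNOWN_DOMAIN = "well-known"
ALWAYS_ACTIVE = {MODULE_DOMAIN, WELL_KNOWN_DOMAIN}


def valid_ident(ident):
    """True when ident is non-empty and contains only digits and lowercase letters."""
    return IDENT_RE.fullmatch(ident) is not None


@dataclass(frozen=True)
class ClientId:
    """A WSOP client as identified by its TLS client certificate."""
    issuer: str
    subject: str


@dataclass
class Key:
    appname: str
    ident: str
    domain: str        # Protection Domain of the Key Group holding this key
    asymmetric: bool


class WsopModel:
    """Toy model of Protection Domains, Key Groups and client segregation."""

    def __init__(self, softcards, tls_client_auth=True):
        self.domains = ALWAYS_ACTIVE | set(softcards)
        # Exactly one Key Group per Protection Domain; each key is in exactly one.
        self.key_groups = {d: {} for d in self.domains}
        self.tls_client_auth = tls_client_auth
        self._active = {}  # principal -> set of activated Softcard domains

    def _principal(self, client):
        # Assumption: without TLS client authentication clients cannot be told
        # apart, so activation state is shared (a single None principal).
        return client if self.tls_client_auth else None

    def is_active(self, client, domain):
        if domain in ALWAYS_ACTIVE:
            return True
        return domain in self._active.get(self._principal(client), set())

    def activate(self, client, domain, passphrase_ok):
        """Equivalent to loading a Softcard for this client only."""
        if domain not in self.domains:
            raise KeyError("unknown Protection Domain %r" % domain)
        if domain in ALWAYS_ACTIVE:
            return  # nothing to load
        if not passphrase_ok:
            raise PermissionError("Softcard passphrase rejected")
        self._active.setdefault(self._principal(client), set()).add(domain)

    def deactivate(self, client, domain):
        if domain in ALWAYS_ACTIVE:
            raise PermissionError("%r cannot be deactivated" % domain)
        self._active.get(self._principal(client), set()).discard(domain)

    def _new_key(self, client, domain, appname, ident, asymmetric):
        if appname not in SUPPORTED_APPNAMES:
            raise ValueError("unsupported appname %r" % appname)
        if not valid_ident(ident):
            raise ValueError("ident must be digits and lowercase letters only")
        if not self.is_active(client, domain):
            raise PermissionError("Protection Domain not activated for this client")
        key = Key(appname, ident, domain, asymmetric)
        self.key_groups[domain][(appname, ident)] = key
        return key

    def generate_key(self, client, domain, appname, ident, asymmetric=True):
        if domain == WELL_KNOWN_DOMAIN:
            raise PermissionError("Well-Known domain allows public key import only")
        return self._new_key(client, domain, appname, ident, asymmetric)

    def import_public_key(self, client, domain, appname, ident):
        return self._new_key(client, domain, appname, ident, asymmetric=True)

    def _find(self, appname, ident):
        for group in self.key_groups.values():
            if (appname, ident) in group:
                return group[(appname, ident)]
        raise KeyError("no key %s/%s" % (appname, ident))

    def load_key(self, client, appname, ident, public_only=False):
        key = self._find(appname, ident)
        if key.asymmetric and public_only:
            return key  # public half never needs an activated domain
        if not self.is_active(client, key.domain):
            raise PermissionError("Protection Domain not activated for this client")
        return key

    def list_keys(self):
        # Listing is not gated on activation and is the same for every client.
        return sorted((k.appname, k.ident) for g in self.key_groups.values() for k in g.values())

    def delete_key(self, appname, ident):
        key = self._find(appname, ident)  # deletion needs no activation either
        del self.key_groups[key.domain][(appname, ident)]
```

The model keeps activation state per (issuer, subject) principal, so a second client with a different certificate sees the same key list but cannot load the private half until it has activated the domain itself, while Module and Well-Known are always active and refuse deactivation.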