Key Management with WSOP

Security World keys in the Web Services Option Pack environment are managed by using the Web Services Option Pack REST API. Non-confidential key data which exists and can be accessed outside the HSM is stored in a database management system. For details about the key storage in the database management system, see the Database chapter.

Security World keys are identified by an appname and an ident. The appnames supported by Web Services Option Pack are simple, wspkcs11 and pkcs11. simple keys can be generated and used through the WSOP API; simple keys can also be migrated into WSOP if the algorithm is supported. PKCS #11 keys can be generated and used through the WSOP PKCS #11 library; PKCS #11 keys can also be migrated into WSOP if the algorithm is supported by the WSOP PKCS #11 library. wspkcs11 designates keys that were generated through the WSOP PKCS #11 library, and pkcs11 designates legacy PKCS #11 keys that have been migrated into WSOP. The ident can contain only digits and lowercase letters; it cannot contain spaces, underscores (_), or hyphens (-).
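The naming rule above is easy to get wrong when key names are generated by scripts, so it is worth checking before a request reaches the API. The following Python helper is an added example, not code from WSOP or its documentation; the function names are assumptions, and the appname set is the one this page lists.

```python
import re

# appnames this page lists as supported by WSOP.
APPNAMES = {"simple", "wspkcs11", "pkcs11"}

# An ident may contain only digits and lowercase ASCII letters.
_IDENT_RE = re.compile(r"[0-9a-z]+")


def ident_problems(ident: str) -> list[str]:
    """Return the naming-rule violations found in ident (empty if it is valid)."""
    if not ident:
        return ["ident is empty"]
    if _IDENT_RE.fullmatch(ident):
        return []
    # Report each disallowed character once, in a stable order, so that a
    # caller can show the user exactly what to fix (spaces, '_' and '-' included).
    bad = sorted({c for c in ident if not ("0" <= c <= "9" or "a" <= c <= "z")})
    return [f"disallowed character {c!r}" for c in bad]


def check_key_name(appname: str, ident: str) -> list[str]:
    """Validate an (appname, ident) pair; returns a list of problems, empty if OK."""
    problems = []
    if appname not in APPNAMES:
        problems.append(f"unsupported appname {appname!r}")
    problems += ident_problems(ident)
    return problems


if __name__ == "__main__":
    # Constructed sample names.
    for name in ("payroll2024", "Payroll", "my_key-1", "a b"):
        print(name, "->", ident_problems(name) or "ok")
```

Rejecting a bad ident client-side gives a clearer error than whatever the server returns, and keeps malformed names out of request logs.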

Protection domains

Web Services Option Pack provides support for Softcards through the concept of protection domains. A single protection domain is available for each Softcard, in addition to a "Module" protection domain which is the set of all HSM-protected keys.

A protection domain can be "activated" and "deactivated", which is equivalent to loading and unloading a Softcard.

The "Module" protection domain is always activated and cannot be deactivated.

Once a protection domain is activated, all key groups protected by that domain can load and create keys for use, until the protection domain is deactivated.

A protection domain does not need to be activated to load the public half of an asymmetric key or delete a key.

"Well-Known" protection domain

The "Well-Known" protection domain can only be used for public key import; key generation is not allowed. It has the same properties as the "Module" protection domain in that it is created by default, is always active, and cannot be deactivated.

Consistent requests across multiple WSOP instances

WSOP supports consistent requests across multiple instances. This means that attempts to activate the Softcard protection domain occur only when they are necessary as part of cryptographic or key creation requests. It provides the ability to load balance multiple instances of WSOP, which improves performance and horizontal scaling. It also eliminates stateful behaviour, facilitating the implementation of cloud-friendly architectures.

Key groups

Key groups hold a collection of keys that are linked by a single common protection domain. All Security World keys belong to exactly one key group, and each protection domain can have multiple key groups. A key group is created automatically for each available protection domain. Key group names are not required to be unique.

Management of multiple key groups

Key group management provides the ability to create and delete groups within protection domains.

You can assign protection domains and groups to virtual partitions to control which users can see and use them (see Virtual Partitioning). If you assign a protection domain to a virtual partition, all of its groups and their keys inherit that virtual partition. If a group has not inherited a virtual partition from its protection domain, you can assign one to the group and it will be inherited by the group's keys.

In a public protection domain (one that does not require a passphrase), any user can see and use the groups and their keys. To restrict access to a group in a public protection domain, you can assign that group to a virtual partition. This means that even though the protection domain is public, access to the group and its keys depends on the virtual partition settings.
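The inheritance order in the two paragraphs above (protection domain, then group, then key) determines which virtual partition actually governs a key, and which keys in a public domain remain usable by everyone. The following Python model is an added example, not WSOP code: the class names, the single-partition-per-user membership rule in visible_to, and the sample objects are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class ProtectionDomain:
    name: str
    requires_passphrase: bool          # False models a "public" protection domain
    partition: Optional[str] = None    # virtual partition assigned to the domain


@dataclass
class KeyGroup:
    name: str                          # group names need not be unique
    domain: ProtectionDomain
    partition: Optional[str] = None    # honoured only when the domain has none


@dataclass
class Key:
    ident: str
    group: KeyGroup


def effective_partition(obj: Union[ProtectionDomain, KeyGroup, Key]) -> Optional[str]:
    """Resolve which virtual partition governs obj.

    A domain's partition is inherited by all of its groups and their keys; a
    group's own partition applies only when its domain has none; a key always
    takes its group's effective partition.
    """
    if isinstance(obj, Key):
        return effective_partition(obj.group)
    if isinstance(obj, KeyGroup):
        if obj.domain.partition is not None:
            return obj.domain.partition   # inherited; the group's own setting is ignored
        return obj.partition
    return obj.partition


def visible_to(obj: Union[ProtectionDomain, KeyGroup, Key], user_partition: Optional[str]) -> bool:
    """Assumed rule: no effective partition means visible to every user;
    otherwise only users in that partition (one partition name per user) see it."""
    partition = effective_partition(obj)
    return partition is None or partition == user_partition


def unrestricted_keys(keys: list) -> list:
    """Audit helper: keys in a public domain with no effective partition are
    usable by any user. These are the candidates for assigning to a partition."""
    return [k.ident for k in keys
            if not k.group.domain.requires_passphrase and effective_partition(k) is None]


if __name__ == "__main__":
    # Constructed sample objects.
    public = ProtectionDomain("public-softcard", requires_passphrase=False)
    hr = KeyGroup("hr", public, partition="hr-team")
    default = KeyGroup("default", public)
    keys = [Key("payroll1", hr), Key("shared1", default)]
    for k in keys:
        print(k.ident, "->", effective_partition(k))
    print("unrestricted:", unrestricted_keys(keys))
```

Running an audit such as unrestricted_keys against an inventory pulled from the REST API is a quick way to spot groups in public domains that nobody has scoped to a partition.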

Client segregation

The Web Services Option Pack (WSOP) introduces the concept of WSOP client segregation, making it possible for the keys protected by Softcards to be used only after each client presents the authentication passphrase (associated with the particular protection domain).

WSOP provides client segregation at the protection domain level only when TLS Client Authentication is enabled. Individual clients are identified by the unique combination of the client certificate issuer and subject fields. Each WSOP client must individually activate the protection domains it wants to use.

As the activated state of a protection domain is specific to a WSOP client, any commands that require the protection domain to be activated will only be successful if the client identity information can be successfully validated, and this identity information contains the correct issuer and subject fields.

When client segregation is in operation, any key or token handles loaded in the HSM are loaded in a client space separate from that of other Web Services Option Pack clients and nShield applications.

Client segregation does not restrict the visibility of keys to clients. They can still be listed and deleted regardless of the protection domain activated state. To restrict the visibility of keys to particular clients, see Virtual Partitioning.

The access and usage of public keys are not restricted by client segregation, so any client is able to use the public part of an asymmetric key.
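The activation rules from the protection domain section (Module and Well-Known always active, Well-Known limited to public key import, public halves and deletion never needing activation) combine with the per-client rules in this section into one authorization decision. The following Python model is an added example written for this page, not WSOP's own code or REST API: the WsopModel class, the Op names, the ClientId issuer/subject pair, the passphrase value and the assumption that importing a public key into a Softcard domain requires activation are all constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional, Set, Tuple


class Op(Enum):
    CREATE_KEY = auto()     # generate a key in the domain
    IMPORT_PUBLIC = auto()  # import a public key (the only use of Well-Known)
    LOAD_PRIVATE = auto()   # load a private or symmetric key for use
    LOAD_PUBLIC = auto()    # load the public half of an asymmetric key
    LIST_KEYS = auto()
    DELETE_KEY = auto()


# Operations that need the domain to be active for the calling client.
# The page does not say whether import needs activation; this model assumes
# it does, treating it like key creation.
NEEDS_ACTIVE = {Op.CREATE_KEY, Op.IMPORT_PUBLIC, Op.LOAD_PRIVATE}


@dataclass(frozen=True)
class ClientId:
    """A TLS-authenticated WSOP client, identified by issuer + subject."""
    issuer: str
    subject: str


@dataclass
class ProtectionDomain:
    name: str
    kind: str                             # "module", "well-known" or "softcard"
    passphrase: Optional[str] = None      # softcard domains only (constructed value)
    active_for: Set[ClientId] = field(default_factory=set)  # clients that activated it

    @property
    def always_active(self) -> bool:
        # Module and Well-Known exist by default, are always active, and cannot be deactivated.
        return self.kind in ("module", "well-known")


class WsopModel:
    """Toy model of protection-domain activation with per-client segregation."""

    def __init__(self) -> None:
        self.domains = {}
        self.add_domain(ProtectionDomain("Module", "module"))
        self.add_domain(ProtectionDomain("Well-Known", "well-known"))

    def add_domain(self, domain: ProtectionDomain) -> None:
        self.domains[domain.name] = domain

    def activate(self, client: ClientId, name: str, passphrase: str) -> bool:
        """Activate a Softcard domain for one client (equivalent to loading the Softcard)."""
        domain = self.domains[name]
        if domain.always_active:
            return True
        # Constant-time comparison so the passphrase check leaks nothing via timing.
        if domain.passphrase is None or not hmac.compare_digest(domain.passphrase, passphrase):
            return False
        domain.active_for.add(client)
        return True

    def deactivate(self, client: ClientId, name: str) -> bool:
        domain = self.domains[name]
        if domain.always_active:
            return False
        domain.active_for.discard(client)
        return True

    def is_active(self, client: ClientId, domain: ProtectionDomain) -> bool:
        # Activation state is tracked per client, never shared between clients.
        return domain.always_active or client in domain.active_for

    def authorize(self, client: ClientId, op: Op, name: str) -> Tuple[bool, str]:
        """Decide whether client may perform op against keys in the named domain."""
        domain = self.domains[name]
        if domain.kind == "well-known" and op == Op.CREATE_KEY:
            return False, "Well-Known allows public key import only"
        if op in NEEDS_ACTIVE and not self.is_active(client, domain):
            return False, f"{name} is not activated for {client.subject}"
        # Listing, deleting and loading public halves never need activation,
        # and client segregation does not restrict them.
        return True, "allowed"


if __name__ == "__main__":
    m = WsopModel()
    m.add_domain(ProtectionDomain("hr-softcard", "softcard", passphrase="constructed-pass"))
    app_a = ClientId("CN=Constructed CA", "CN=app-a")
    app_b = ClientId("CN=Constructed CA", "CN=app-b")
    m.activate(app_a, "hr-softcard", "constructed-pass")
    print(m.authorize(app_a, Op.LOAD_PRIVATE, "hr-softcard"))
    print(m.authorize(app_b, Op.LOAD_PRIVATE, "hr-softcard"))
```

The point the model makes visible is that app-b's request fails even though app-a has already presented the passphrase for the same domain, while app-b can still list, delete and use the public half of the same keys; that is exactly the boundary client segregation draws and virtual partitioning does not.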