Netty with HSM(Hardware Security Module)


Akash Maharana

Jun 6, 2023, 10:14:13 AM6/6/23
to Netty discussions
Hi Team

I am currently working on the Thales Network HSM integration. Our application is built on top of the Netty framework. For establishing the TLS session we currently store the customer-uploaded certificates on the server and add them to Netty's SSL context through Java libraries. But to avoid any security glitch we want to put those certificates in an HSM and use that certificate for establishing the TLS session.

I have tried multiple ways to achieve this but no luck. There are ways to do this with NGINX or Apache server but for Netty it's hard to find.

Please let me know if you have any leads to solve this use case or anything similar to this you have solved before.

Waiting for your response. Any leads will be appreciated.

Thanks
Akash

Norman Maurer

Jun 6, 2023, 10:18:00 AM6/6/23
to ne...@googlegroups.com
Hi Akash,

Can you point me to how you would do this with NGINX or Apache Server? I might be missing something, but are you sure you need / want to do this with the certificates and not the "private key" that is used for key-signing?

If we are talking about key-signing you could implement your own OpenSslPrivateKeyMethod and hook it into Netty. Here is a unit-test that demonstrates this:

Bye
Norman


--
You received this message because you are subscribed to the Google Groups "Netty discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netty+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netty/2854d657-1ec3-4228-84eb-5af93d823f2an%40googlegroups.com.

Norman Maurer

Jun 6, 2023, 10:18:57 AM6/6/23
to ne...@googlegroups.com, akashma...@gmail.com
Forgot to add CC…

Akash Maharana

Jun 6, 2023, 2:21:54 PM6/6/23
to Netty discussions
Hi Norman

Apologies for giving the wrong context. 

We want to store the private key in the HSM. Once we have a private key on the HSM, we can export a fake PEM private key file. This file does not contain the actual key data, but it allows the OpenSSL Dynamic Engine to identify the private key on the HSM. This fake private key can be used to create a certificate signing request (CSR) and sign the CSR to create the certificate.

We are looking for a way to configure Netty's SSLContext to be managed by openssl so that the fake private key and generated certificate can be configured to interact with HSM (via Openssl Dynamic engine).

I am attaching a reference from the Amazon CloudHSM documentation for configuring this with NGINX or Apache.

Please let me know if you need any other inputs from my end.

Thanks
Akash
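The following is an added example, written for this thread and not taken from Netty's code base or from either poster. It puts together what Norman suggests (an OpenSslPrivateKeyMethod hooked into the Netty OpenSSL provider) for the use case Akash describes (private key resident in a PKCS#11 HSM, no "fake PEM" or OpenSSL dynamic engine needed on the Java side). It assumes netty-handler plus netty-tcnative-boringssl-static on the classpath, a JDK 11+ SunPKCS11 provider configured against the HSM vendor's PKCS#11 library, and the server certificate chain as a PEM file; the config path, PIN, key alias and chain path are placeholders.

```java
// Added example, not Netty's own code. Keeps the TLS private key inside a
// PKCS#11 HSM and lets BoringSSL (netty-tcnative) call back into the JVM for
// every handshake signature through OpenSslPrivateKeyMethod.
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.OpenSslContextOption;
import io.netty.handler.ssl.OpenSslPrivateKeyMethod;
import io.netty.handler.ssl.OpenSslX509KeyManagerFactory;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLEngine;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;
import java.util.Collection;

public final class HsmPrivateKeyMethod implements OpenSslPrivateKeyMethod {

    // A PKCS#11 key object handle; the key material itself never enters the JVM.
    private final PrivateKey hsmKey;

    private HsmPrivateKeyMethod(PrivateKey hsmKey) {
        this.hsmKey = hsmKey;
    }

    private static Signature pss(String md, MGF1ParameterSpec mgf, int saltLen) throws Exception {
        // Assumption: the SunPKCS11 provider and the HSM support RSASSA-PSS (JDK 11+).
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(new PSSParameterSpec(md, "MGF1", mgf, saltLen, PSSParameterSpec.TRAILER_FIELD_BC));
        return s;
    }

    // Maps the TLS SignatureScheme BoringSSL asks for onto a JCA Signature.
    // SHA-1, MD5-SHA1 and Ed25519 schemes are refused on purpose.
    static Signature signatureFor(int scheme, PrivateKey key) throws Exception {
        Signature s;
        if (scheme == SSL_SIGN_RSA_PKCS1_SHA256)            s = Signature.getInstance("SHA256withRSA");
        else if (scheme == SSL_SIGN_RSA_PKCS1_SHA384)       s = Signature.getInstance("SHA384withRSA");
        else if (scheme == SSL_SIGN_RSA_PKCS1_SHA512)       s = Signature.getInstance("SHA512withRSA");
        else if (scheme == SSL_SIGN_RSA_PSS_RSAE_SHA256)    s = pss("SHA-256", MGF1ParameterSpec.SHA256, 32);
        else if (scheme == SSL_SIGN_RSA_PSS_RSAE_SHA384)    s = pss("SHA-384", MGF1ParameterSpec.SHA384, 48);
        else if (scheme == SSL_SIGN_RSA_PSS_RSAE_SHA512)    s = pss("SHA-512", MGF1ParameterSpec.SHA512, 64);
        else if (scheme == SSL_SIGN_ECDSA_SECP256R1_SHA256) s = Signature.getInstance("SHA256withECDSA");
        else if (scheme == SSL_SIGN_ECDSA_SECP384R1_SHA384) s = Signature.getInstance("SHA384withECDSA");
        else if (scheme == SSL_SIGN_ECDSA_SECP521R1_SHA512) s = Signature.getInstance("SHA512withECDSA");
        else throw new SignatureException("unsupported TLS signature scheme 0x" + Integer.toHexString(scheme));
        // Delayed provider selection routes the operation to SunPKCS11 because the key lives there.
        s.initSign(key);
        return s;
    }

    @Override
    public byte[] sign(SSLEngine engine, int signatureAlgorithm, byte[] input) throws Exception {
        // BoringSSL passes the full to-be-signed message, not a digest: the JCA
        // Signature hashes it and the HSM produces the signature (DER for ECDSA).
        Signature s = signatureFor(signatureAlgorithm, hsmKey);
        s.update(input);
        return s.sign();
    }

    @Override
    public byte[] decrypt(SSLEngine engine, byte[] input) {
        // Only reached for TLS 1.2 RSA key-transport suites, which are not enabled below.
        throw new UnsupportedOperationException("RSA key transport disabled; only (EC)DHE suites are offered");
    }

    // pkcs11Cfg is a SunPKCS11 config file, e.g. two lines: "name = hsm" and
    // "library = /path/to/vendor-pkcs11.so" (placeholder path).
    public static SslContext serverContextFromHsm(String pkcs11Cfg, char[] pin,
                                                  String keyAlias, String chainPem) throws Exception {
        OpenSsl.ensureAvailability(); // fail fast if netty-tcnative is missing
        Provider p11 = Security.getProvider("SunPKCS11").configure(pkcs11Cfg);
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        PrivateKey hsmKey = (PrivateKey) ks.getKey(keyAlias, pin);
        if (hsmKey == null) throw new IllegalStateException("no private key under alias " + keyAlias);

        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(chainPem)) {
            Collection<? extends java.security.cert.Certificate> certs =
                    CertificateFactory.getInstance("X.509").generateCertificates(in);
            chain = certs.toArray(new X509Certificate[0]);
        }
        // newKeyless: the chain is handed to OpenSSL, the key is supplied via the callback.
        return SslContextBuilder.forServer(OpenSslX509KeyManagerFactory.newKeyless(chain))
                .sslProvider(SslProvider.OPENSSL)
                .protocols("TLSv1.2", "TLSv1.3")
                .ciphers(Arrays.asList(
                        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
                .option(OpenSslContextOption.PRIVATE_KEY_METHOD, new HsmPrivateKeyMethod(hsmKey))
                .build();
    }
}
```

Two practical caveats. `sign` is invoked synchronously on the event loop during the handshake, so a network HSM round-trip stalls every channel on that loop; for production either offload the signing to a worker and use Netty's `OpenSslAsyncPrivateKeyMethod` (which returns a future instead of bytes), or size the event loops with that latency in mind. And check the signature scheme mapping against the Netty unit test Norman refers to before relying on it, since the callback contract (message versus pre-hashed input) is defined by netty-tcnative, not by this example.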
