Integration Guide Bind 9 Linux 3.19, Microsoft Windows Server 2008...
No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice.
This paper provides an integration guide explaining how to integrate a Hardware Security Module (HSM), the CryptoServer, with the BIND 9.10 server on a Linux or Microsoft Windows operating system platform. Configuration details, especially of the domain name system configuration, that go beyond the normal configuration needed to integrate the hardware security module are not explained in this docu-...
2 Requirements
Ensure that you have a copy of the CryptoServer Administration Guide [?] and the CryptoServer PKCS#11 Interface [?]. You should also have an installed Linux operating system prepared (for this guide, Ubuntu 15.04). If you are using a PCI(e) card, also compile and install the necessary driver for that card. This guide assumes that an Ubuntu-based Linux distribution or Microsoft Windows Server 2008 is used.
Integration Guide: Bind 9
3 Installation
The installation of the CryptoServer in preparation for integration with BIND consists of two parts:
• Install CryptoServer Hardware
• Install CryptoServer Software
3.1 Install CryptoServer Hardware
For more information on installing and setting up a CryptoServer PCI or LAN in general, see the documentation CryptoServer CryptoServer PCI / (LAN) Installation &...
4 Procedures
The steps to integrate the CryptoServer in BIND with Linux or Microsoft Windows differ slightly. Where the integration steps differ, the individual steps are explained in separate chapters. To integrate the CryptoServer with the BIND domain name server (named) in the context of a DNSSEC-secured environment, you need to follow these steps: 1.
cs_pkcs11_R2.cfg with an editor of your choice and find the device parameter of the CryptoServer section. Change the value to one of these values in accordance with your CryptoServer hardware.
• IP address of your device (e.g.
If you are on a 64-bit machine, configure OpenSSL via
# ./Configure linux-x86_64 \
    --pk11-libname=/usr/lib/cryptoserver/libcs2_pkcs11.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11
The given pk11-libname parameter points to the path of the PKCS#11 library, pk11-flavor determines which kind of PKCS#11 engine (provided by the patch) is used, sign-only or crypto-accelerator, and the prefix parameter points to the directory where the libraries are located after...
3. Additionally, Microsoft Visual Studio is required to build OpenSSL and BIND. Microsoft Visual Studio 2005 (Visual Studio 8) with Service Pack 1 and the Service Pack 1 Update for Windows Vista is used here.
4. To set the environment variables necessary for running Visual Studio from the command line, run the following command from the command line:
"C:\Program Files\Microsoft\Visual Studio 8\Common7\Tools\vsvars32.bat"...
4.4 Install BIND Domain Name Server
Besides having OpenSSL compiled from source, it is also mandatory to compile BIND from its source files. This enables BIND to use PKCS#11-enabled hardware for cryptographic operations. Since it is determined during the configuration of BIND where the OpenSSL and PKCS#11 libraries are located,...
2. Build the BIND binaries:
BuildAll.bat
Among other things, it prepares the contents of the Build\Release directory for BIND installation with the modified OpenSSL libraries.
3. Install BIND from the Build\Release folder.
Further steps usually concern general configuration of DNS and are not a part of this document.
The parameter -l specifies the label again, and after -f follows the key flag. The key files are generated for a specific zone, which in this case is "utimaco.com". You should now find the corresponding key files in the current directory; their names are composed as K<zone name>.+<numeric representation of the key file>+<key identifier>.(key|private).
# dnssec-signzone -S -o <zone name> <zone file>
Microsoft
# dnssec-signzone -E pkcs11 -S -o <zone name> <zone file>
You don't need to specify the key files here because "smart signing" is activated with the -S parameter, which enables an automatic search for key files. The signed domain zone file is now located in the current folder.
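Because smart signing relies on dnssec-signzone finding the right K<zone>.+<alg>+<id>.key/.private pairs in the key directory, it is worth checking that inventory before signing. The following POSIX shell script is an added example, not part of the Utimaco guide or of BIND: it parses the key file names described above, reads the DNSKEY flags (256 for a ZSK, 257 for a KSK) from each .key file, warns about a .key file whose .private counterpart is missing, and only reports success when both a KSK and a ZSK are present. The fixture directory it builds, the key ids 12345/23456 and the placeholder key material are constructed for the example; the zone name utimaco.com is the one used in the guide.

```shell
#!/bin/sh
# Added example (not from the Utimaco guide): inventory the key files that
# dnssec-keygen writes for a zone before running "dnssec-signzone -S".
# File name convention used by BIND: K<zone>.+<3-digit alg>+<5-digit keyid>.key

# Print "<alg> <keyid> <flags>" for every complete key pair of ZONE in DIR.
# A .key file without a matching .private file is reported and skipped,
# because dnssec-signzone cannot sign with it.
list_zone_keys() {
    dir=$1; zone=$2
    for keyfile in "$dir"/K"$zone".+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9].key; do
        [ -e "$keyfile" ] || continue            # glob matched nothing
        base=${keyfile%.key}
        if [ ! -e "$base.private" ]; then
            echo "warning: $keyfile has no matching .private file" >&2
            continue
        fi
        rest=${base##*/K"$zone".+}               # "<alg>+<keyid>"
        alg=${rest%%+*}
        keyid=${rest#*+}
        # DNSKEY RDATA is "<flags> <protocol> <algorithm> <key>"; skip ';' comments
        # and tolerate an optional TTL/class before the DNSKEY type.
        flags=$(awk '/^;/ { next }
                     { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$keyfile")
        echo "$alg $keyid $flags"
    done
}

# Succeed only if ZONE has at least one KSK (257) and one ZSK (256) in DIR,
# which is what a smart-signing run needs to find.
check_zone_keys() {
    summary=$(list_zone_keys "$1" "$2")
    ksk=$(printf '%s\n' "$summary" | awk '$3 == 257 { n++ } END { print n + 0 }')
    zsk=$(printf '%s\n' "$summary" | awk '$3 == 256 { n++ } END { print n + 0 }')
    [ "$ksk" -ge 1 ] && [ "$zsk" -ge 1 ]
}

# Constructed fixture: fake key pairs for utimaco.com with placeholder key
# material, so the checks can be exercised offline (no HSM or BIND needed).
make_fixture() {
    fixture=$(mktemp -d)
    for spec in "12345:257" "23456:256"; do
        id=${spec%%:*}; flags=${spec#*:}
        f="$fixture/Kutimaco.com.+008+$id"
        printf '; constructed test key, keyid %s, for utimaco.com.\n' "$id" > "$f.key"
        printf 'utimaco.com. IN DNSKEY %s 3 8 PLACEHOLDERKEYMATERIAL==\n' "$flags" >> "$f.key"
        printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' > "$f.private"
    done
    echo "$fixture"
}

# Stand-alone run: list the keys, then report whether signing could proceed.
keydir=$(make_fixture)
list_zone_keys "$keydir" utimaco.com
if check_zone_keys "$keydir" utimaco.com; then
    echo "KSK and ZSK present in $keydir; dnssec-signzone -S -o utimaco.com can find them"
else
    echo "missing KSK or ZSK in $keydir; smart signing would not produce a usable zone" >&2
fi
rm -rf "$keydir"
```

Run it from the directory holding the real key files by calling check_zone_keys with that directory and the zone name; on the Windows build the keys are the same files, only the -E pkcs11 option is added to dnssec-signzone.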
6 Further Information
This document forms a part of the information and support which is provided by Utimaco IS GmbH. Additional documentation can be found on the product CD in the documentation directory. All CryptoServer product documentation is also available at the Utimaco IS GmbH website: http://hsm.utimaco.com...