Enigma Bridge Python utilities for AWS
Python project description for ebaws.p
Enigma Bridge Amazon EC2 utilities for PKI
This CLI sets up a fresh EJBCA (PKI) installation on an EC2 instance with a new EnigmaBridge identity. EnigmaBridge is integrated into EJBCA as a new PKCS#11 crypto token, which you can start using right away to store your root CA keys securely.
The CLI looks like this:
```
--------------------------------------------------------------------------------
    Enigma Bridge AWS command line interface (v0.0.14)

    usage  - shows simple command list
    init   - initializes the key management system

    More info: https://enigmabridge.com/amazonpki
--------------------------------------------------------------------------------
$>
```
A specific AMI is required, with JBoss EAP and EJBCA already installed. For more information on how the image is set up, see the IMG-INSTALL page.
For information on the network communication flows during installation, see the connections page.
Features
- EJBCA 6.3.1.1
- JBoss EAP 6.4
- SoftHSMv1 EnigmaBridge PKCS#11 adapter
- EnigmaBridge Dynamic DNS for AWS
SoftHSMv1 EnigmaBridge PKCS#11 adapter
SoftHSMv1-EB is a PKCS#11 interface to the EnigmaBridge service. With this adapter, any software that already speaks PKCS#11 can use our service without being modified.
EJBCA is exactly such a case: it already supports PKCS#11 crypto tokens, so no changes are needed; you plug the adapter in and it works.
For example, you can generate an RSA key through the PKCS#11 adapter and call encrypt, decrypt, sign and verify operations on it. The key is stored securely in the secure hardware on the EnigmaBridge servers, and the cryptographic operations themselves are carried out there, transparently to the calling application.
Dynamic DNS
Amazon assigns IP addresses to EC2 instances from an IP pool. Such an address is released when the instance is shut down; on the next start the instance gets a new IP address.
It is usually convenient to have a static IP so that you can map it to a domain name or put it into configuration files, manuals, etc. You can buy a static IP address that survives instance restarts (an Elastic IP in AWS terms), or you can use our EnigmaBridge Dynamic DNS feature for AWS.
During initialization we allocate a new domain for your running instance, e.g. sunderland1.pki.enigmabridge.com, with an A record pointing to your current IP address.
After the instance restarts, our script starts. It connects to our DNS server and updates the A record of your domain in a secure manner: the request is signed with a key generated when the domain was created.
The record has a TTL of 600 seconds, so after a restart the hostname is updated within 10 minutes; resolvers that cached the old record may keep serving it for up to that TTL after the new address has been posted.
This way you get a stable DNS name even though your IP changes.
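The update flow described above, as an added example (not ebaws or Enigma Bridge code): the client side a boot-time script would run, and the server side that checks the signed request before touching the A record. The wire format (a dictionary carrying the domain, address, TTL, timestamp, nonce and an HMAC-SHA256 tag over all of them), the `MAX_SKEW` window and the helper names are assumptions; the page does not describe the real EnigmaBridge DNS API.

```python
# Added example: a signed dynamic-DNS update, client and server side.
# Assumptions (not from the page): HMAC-SHA256 over "domain|ip|ttl|ts|nonce",
# a per-domain key handed out at registration, and a 300 s clock-skew window.
import hashlib
import hmac
import ipaddress
import os
import time

TTL = 600         # record TTL in seconds, as stated on the page
MAX_SKEW = 300    # accepted clock difference between client and server (assumption)


def _norm(domain):
    """Canonical domain form so case or a trailing dot cannot yield a second key lookup."""
    return domain.lower().rstrip(".")


def _canonical(domain, ip, ttl, ts, nonce):
    """Byte string the MAC is computed over; every field the server acts on is bound."""
    return "|".join([_norm(domain), ip, str(ttl), str(ts), nonce]).encode()


def make_update(domain, ip, key, ts=None, nonce=None):
    """Client side: build the update message the boot script would send for `domain`."""
    ipaddress.IPv4Address(ip)                       # refuse to sign a malformed address
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(8).hex() if nonce is None else nonce
    mac = hmac.new(key, _canonical(domain, ip, TTL, ts, nonce), hashlib.sha256).hexdigest()
    return {"domain": _norm(domain), "ip": ip, "ttl": TTL, "ts": ts, "nonce": nonce, "mac": mac}


class DnsUpdateServer:
    """Server side: one key per registered domain, one A record value per domain."""

    def __init__(self, keys):
        self.keys = {_norm(d): k for d, k in keys.items()}  # domain -> key issued at registration
        self.records = {}                                   # domain -> current A record value
        self.seen = set()                                   # (domain, nonce) already accepted

    def apply(self, msg, now=None):
        now = int(time.time()) if now is None else now
        domain = _norm(msg["domain"])
        key = self.keys.get(domain)
        if key is None:
            return "unknown domain"
        expected = hmac.new(key, _canonical(domain, msg["ip"], msg["ttl"], msg["ts"], msg["nonce"]),
                            hashlib.sha256).hexdigest()
        # Verify first, so a forger cannot influence the replay cache or the record.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad signature"
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"
        if (domain, msg["nonce"]) in self.seen:
            return "replay"
        try:
            ipaddress.IPv4Address(msg["ip"])
        except ValueError:
            return "bad address"
        self.seen.add((domain, msg["nonce"]))
        self.records[domain] = msg["ip"]
        return "ok"


def demo():
    """One boot-time update followed by the three things the checks are there to stop."""
    key = os.urandom(32)                      # key created together with the domain
    server = DnsUpdateServer({"sunderland1.pki.enigmabridge.com": key})
    now = 1700000000                          # fixed clock so the run is reproducible
    host = "sunderland1.pki.enigmabridge.com"
    upd = make_update(host, "52.212.77.52", key, ts=now, nonce="a1b2c3d4e5f60718")
    results = [server.apply(upd, now=now)]                       # "ok": record updated
    results.append(server.apply(upd, now=now + 5))               # "replay": same nonce again
    results.append(server.apply(dict(upd, ip="203.0.113.9"), now=now))  # "bad signature"
    old = make_update(host, "52.212.77.52", key, ts=now - 3600, nonce="ffff")
    results.append(server.apply(old, now=now))                   # "stale": outside MAX_SKEW
    return results, dict(server.records)


if __name__ == "__main__":
    print(demo())
```

HMAC with a shared key is used here only to keep the block self-contained; a public-key signature works the same way, with a signature verification replacing the `compare_digest` step and the server holding only the domain's public key. The timestamp and nonce checks are what stop an eavesdropper from replaying yesterday's update after the address has changed again.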
Requirements
In general, the host needs TCP port 443 open for Let's Encrypt domain validation. Otherwise you will not get a publicly trusted certificate for your CA domain, and you will not be able to reach the EJBCA installation in a secure way.
EJBCA itself runs on TCP port 8443. How you expose it is up to you; it does not have to be open to the whole world. It is enough if you can reach it somehow, for example by accessing the EJBCA admin interface over an SSH tunnel:
```
ssh -L 8443:localhost:8443 ami_ip
```
Init
The init command starts a new installation. If a previous installation exists, it asks the user whether to continue, backs up the old installation's database and configuration files, and then installs new ones.
The installation process looks like this:
```
--------------------------------------------------------------------------------
    Enigma Bridge AWS command line interface (v0.0.14)

    usage  - shows simple command list
    init   - initializes the key management system

    More info: https://enigmabridge.com/amazonpki
--------------------------------------------------------------------------------
$> init
Going to install PKI system and enrol it to the Enigma Bridge FIPS140-2 encryption service.

We need your email address for:
   a) identity verification in case of a recovery / support
   b) LetsEncrypt certificate registration
It's optional but we highly recommend to enter a valid e-mail address (especially on a production system)

Please enter your email address [empty]: tester@enigmabridge.com
Is this email correct? 'tester@enigmabridge.com' (Y/n):y
Checking if port 443 is open for LetsEncrypt, ip: 52.212.77.52

New domains registered for this host:
  - sunderland1.pki.enigmabridge.com
  - sr1.pki.enigmabridge.com

New configuration was written to: /etc/enigma/config.json
SoftHSMv1 configuration has been backed up to: None
New SoftHSMv1 configuration has been written to: /etc/softhsm.conf
SoftHSMv1 previous token database moved to: /var/lib/softhsm.old/softhsm_0018
SoftHSMv1 initialization: The token has been initialized.

Going to install PKI system
This may take 15 minutes or less. Please, do not interrupt the installation
and wait until the process completes.

 - Updating settings
 - Restarting application server, please wait...
.........
 - Preparing environment for application server
...................
 - Restarting application server, please wait...
...
 - Deploying the PKI system
.......... (progress dots trimmed) ..........
 - Installing the PKI system
.......... (progress dots trimmed) ..........
PKI installed successfully.

Going to generate EnigmaBridge keys in the crypto token:
..................
EnigmaBridge tokens generated successfully

You can use these newly generated keys for your CA or generate another ones with:
  sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 signKey 0
  sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 defaultKey 0
  sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 1024 testKey 0

Adding an EnigmaBridge crypto token to your PKI instance:
.
EnigmaBridgeToken added to the PKI instance

Installing LetsEncrypt certificate for: sunderland1.pki.enigmabridge.com, sr1.pki.enigmabridge.com
....
Publicly trusted certificate installed (issued by LetsEncrypt)

--------------------------------------------------------------------------------
[OK] System installation is completed
--------------------------------------------------------------------------------

Please setup your computer for secure connections to your PKI key management system:
Download p12 file: /home/ec2-user/ejbca-admin.p12
  scp -i <your_Amazon_PEM_key> ec2-user@sunderland1.pki.enigmabridge.com:/home/ec2-user/ejbca-admin.p12 .
Key import password is: g5Bkg79Lvk3Q8jVC
The following page can guide you through p12 import: https://enigmabridge.com/support/aws13076

Once you import the p12 file to your computer browser/keychain you can connect to the PKI admin interface:
  https://sunderland1.pki.enigmabridge.com:8443/ejbca/adminweb/
  https://sr1.pki.enigmabridge.com:8443/ejbca/adminweb/
```
The ejbca-admin.p12 file together with the import password printed above is the administrator credential for the PKI, so treat the terminal output and the file in the ec2-user home directory accordingly: fetch the p12 over scp as shown, import it, and do not leave copies lying around.
Troubleshooting
Error while installing dependencies (cryptography, pyOpenSSL):
```
sorry, but this version only supports 100 named groups [100-named-groups]
```
Solution: install downgraded versions of pycparser and pyOpenSSL:
```
pip install pycparser==2.13
pip install pyOpenSSL==0.13
pip install cryptography
```
You may need to install some build dependencies for the Python packages:
```
yum install gcc g++ openssl-devel libffi-devel dialog
```
SNI on Python < 2.7.9
TLS SNI support was added in Python 2.7.9. For earlier versions, SNI has to be added to the requests networking library by installing these packages:
```
pip install urllib3
pip install pyopenssl
pip install ndg-httpsclient
pip install pyasn1
```
Mac OS X installation
On newer OS X versions (El Capitan and later) the default system Python installation cannot be modified with the standard methods. There are workarounds, but you can also use the --user switch for pip:
```
pip install --user cryptography
```