用于aws的enigma桥python实用程序
ebaws.p的Python项目详细描述
用于PKI的EnigmaBridge Amazon EC2实用程序
此cli在ec2实例上设置新的ejbca(pki)安装 使用新的EnigmaBridge标识。 EnigmaBridge与ejbca集成为 一个新的pkcs 11密码令牌,您可以开始使用它来安全地存储 你的根ca键。
cli如下所示:
--------------------------------------------------------------------------------
Enigma Bridge AWS command line interface (v0.0.14)
usage - shows simple command list
init - initializes the key management system
More info: https://enigmabridge.com/amazonpki
--------------------------------------------------------------------------------
$>
需要特定的ami-安装了jboss eap&ejbca。更多 有关图像设置的信息,请参见 IMG-INSTALL 第页。
有关安装期间网络通信流的信息 请参照 connections 第页。
功能
- EJBCA 6.3.1.1
- JBoss EAP 6.4
- SoftHSMV1 EnigmaBridge PKCS 11适配器
- AWS的EnigmaBridge动态DNS
SoftHSMV1 EnigmaBridge PKCS 11适配器
SoftHSMv1-EB是 用于EnigmaBridge的pkcs 11接口 服务。使用此适配器,可以使用我们的服务 pkcs 11接口,无需修改软件。
就像在ejbca案例中一样,不需要修改 支持pkcs 11,只需将适配器插入即可开始工作。
例如,可以通过pkcs 11适配器生成rsa密钥并调用 对其进行加密、解密、签名、验证操作。钥匙很安全 存储在EnigmaBridge服务器的安全硬件中。这个 加密操作本身在 透明的方式。
动态dns
amazon从ip池向ec2实例提供ip地址。这个 类地址在实例关闭后重新分配。之后 下一步它将得到一个新的IP地址。
通常使用静态IP很方便,因此您可以将其映射到 域名或放入配置文件、手册等…你可以购买 即使在实例重启或 您可以使用我们的EnigmaBridge动态dns AWS的功能。
在初始化过程中,我们会为您的运行分配一个新域 例如,sunderland1.pki.enigmabridge.com。它有记录 指向您当前的IP地址。
重新启动实例后,我们的脚本将启动。它连接到 我们的DNS服务器并以安全的方式更新您域的A记录 -请求是用创建域时生成的密钥签名的。
记录的生存时间为600秒,因此在重新启动后 主机名将在10分钟内更新。
这样,即使您的IP更改,您也将获得静态DNS名称。
要求
通常,主机需要为letsencrypt域打开tcp端口443 验证。否则,您将无法为您的 CA域,您将无法访问 以安全的方式安装ejbca。
ejbca本身在tcp端口8443上运行。这取决于你如何设置 它。它不一定非得对世界开放得很好。够了 如果你能以某种方式访问它。例如,可以访问ejbca管理 通过ssh隧道。ssh -L 8443:localhost:8443 ami_ip
初始值
init命令启动新的安装。如果以前的 存在安装,它询问用户是否继续,备份旧的 安装数据库和配置文件并安装新的数据库和配置文件。
安装过程如下:
--------------------------------------------------------------------------------
Enigma Bridge AWS command line interface (v0.0.14)
usage - shows simple command list
init - initializes the key management system
More info: https://enigmabridge.com/amazonpki
--------------------------------------------------------------------------------
$> init
Going to install PKI system and enrol it to the Enigma Bridge FIPS140-2 encryption service.
We need your email address for:
a) identity verification in case of a recovery / support
b) LetsEncrypt certificate registration
It's optional but we highly recommend to enter a valid e-mail address (especially on a production system)
Please enter your email address [empty]: tester@enigmabridge.com
Is this email correct? 'tester@enigmabridge.com' (Y/n):y
Checking if port 443 is open for LetsEncrypt, ip: 52.212.77.52
New domains registered for this host:
- sunderland1.pki.enigmabridge.com
- sr1.pki.enigmabridge.com
New configuration was written to: /etc/enigma/config.json
SoftHSMv1 configuration has been backed up to: None
New SoftHSMv1 configuration has been written to: /etc/softhsm.conf
SoftHSMv1 previous token database moved to: /var/lib/softhsm.old/softhsm_0018
SoftHSMv1 initialization: The token has been initialized.
Going to install PKI system
This may take 15 minutes or less. Please, do not interrupt the installation
and wait until the process completes.
- Updating settings
- Restarting application server, please wait...
.........
- Preparing environment for application server
...................
- Restarting application server, please wait...
...
- Deploying the PKI system
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
- Installing the PKI system
.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
PKI installed successfully.
Going to generate EnigmaBridge keys in the crypto token:
..................
EnigmaBridge tokens generated successfully
You can use these newly generated keys for your CA or generate another ones with:
sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 signKey 0
sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 defaultKey 0
sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 1024 testKey 0
Adding an EnigmaBridge crypto token to your PKI instance:
.
EnigmaBridgeToken added to the PKI instance
Installing LetsEncrypt certificate for: sunderland1.pki.enigmabridge.com, sr1.pki.enigmabridge.com
....
Publicly trusted certificate installed (issued by LetsEncrypt
--------------------------------------------------------------------------------
[OK] System installation is completed
--------------------------------------------------------------------------------
Please setup your computer for secure connections to your PKI key management system:
Download p12 file: /home/ec2-user/ejbca-admin.p12
scp -i <your_Amazon_PEM_key> ec2-user@sunderland1.pki.enigmabridge.com:/home/ec2-user/ejbca-admin.p12 .
Key import password is: g5Bkg79Lvk3Q8jVC
The following page can guide you through p12 import: https://enigmabridge.com/support/aws13076
Once you import the p12 file to your computer browser/keychain you can connect to the PKI admin interface:
https://sunderland1.pki.enigmabridge.com:8443/ejbca/adminweb/
https://sr1.pki.enigmabridge.com:8443/ejbca/adminweb/
故障排除
安装依赖项(加密,pyopenssl)时出错: sorry, but this version only supports 100 named groups [100-named-groups]
解决方案:安装降级版本的pycparser和pyopenssl:
pip install pycparser==2.13 pip install pyOpenSSL==0.13 pip install cryptography
您可能需要为python包安装一些dep
yum install gcc g++ openssl-devel libffi-devel dialog
python上的sni<;2.7.9
在python中添加了tls sni支持。对于早期版本,sni需要 添加到请求网络库。
pip install urllib3 pip install pyopenssl pip install ndg-httpsclient pip install pyasn1
Mac OSX安装
对于新的osx版本(el capitan和更高版本),默认的系统python 不能用标准方法修改安装。有一些 解决方法,但也可以为pip使用--user开关。
pip install --user cryptography
欢迎加入QQ群-->: 979659372
