Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

NGINX HTTP Server

Installing OpenSSL

search

Installing OpenSSL

OpenSSL provides the support of engine (basically, hardware devices) to store and secure the keys. The KeySecure Engine (Kengine) is essentially a library that makes crypto calls to the CipherTrust Manager using OpenSSL based on the trigger given by the third-party application (NGINX in this case) for key management/operations as required by the application.

Thales provides the OpenSSL toolkit to support Kengine that is used to communicate with the CipherTrust Manager.

The Kengine can be loaded either statically or dynamically to OpenSSL.

  • In OpenSSL installation for dynamic engine, the engine is built separately and loaded with OpenSSL. Refer to Install OpenSSL Dynamic Engine for installation steps.

  • In Static CipherTrust Manager, the engine is built with OpenSSL itself. Refer to Install OpenSSL Static Engine for installation steps.

You can choose either of the engine forms, based on the space and time factors affecting the application.

Before you start the installation, ensure that you have an appropriate C/C++ compiler (such as gcc and the make utility) installed.

Install OpenSSL Dynamic Engine

To configure the OpenSSL dynamic engine, client machine must have the OpenSSL development package installed. Moreover, kengine should be a part of OpenSSL. To do so:

  1. Extract the delivered tarball using the following command:

    tar -xvzf Safenet_Protectapp_Nginx_Dynamic_8.3.0.P01-001.tar.gz

    Extracted tarball contains all the libraries and sources for installation.

  2. Extract the OpenSSL tarball to your preferred directory (/opt in this case) using the following commands:

    cd Safenet_Protectapp_Nginx_Dynamic_8.3.0.P01-001
tar -xvzf openssl-1.0.1t.tar.gz -C /opt/

  3. Run the following engine_build script to configure OpenSSL using the --prefix option.

    ./engine_build config --prefix=<Directory to which OpenSSL has to be installed> --openssl-source=<Extracted OpenSSL source code path> --config-bits=<32 or 64 bit>

    Example

    ./engine_build config --prefix=/opt/openssl --openssl-source=/opt/openssl-1.0.1t --openssl-engines=/usr/lib64/openssl/engines --config-bits=64

  4. Compile and install OpenSSL using the following engine_build scripts:

    ./engine_build openssl-build
./engine_build openssl-install

  5. Compile and install the CipherTrust Manager dynamic engine (kengine) using the following scripts:

    ./engine_build engine-build
./engine_build engine-install

  6. Create a file Chrystoki.conf in the /etc directory using the following script. At this point, the configuration is not required, as kengine just checks the file presence at the specified location.

    touch /etc/Chrystoki.conf

  7. Run the following command to verify the kengine installation:

    /opt/openssl/ssl/bin/openssl engine kengine -v

    Output

    (kengine) CipherTrust Manager Engine Support
enginearg, openSession, closeSession, login, logout, engineinit,
CONF_PATH, ENGINE_INIT, ENGINE2_INIT, engine2init, DisableCheckFinalize,
SO_PATH, GET_HA_STATE, SET_FINALIZE_PENDING, SKIP_C_INITIALIZE,
IntermediateProcesses

Install OpenSSL Static Engine

  1. Extract the OpenSSL tarball to your preferred directory (/opt in this case).

    cd Safenet_Protectapp_Nginx_Dynamic_8.3.0.P01-001
tar -xvzf openssl-1.0.1t.tar.gz -C /opt/

  2. Run the following engine_build script to configure OpenSSL using the --prefix option.

    ./engine_build config --prefix=<Directory to which OpenSSL is to be installed> --openssl-source=<Extracted OpenSSL source code path> --config-bits=<32 or 64 bit>

    Example

    ./engine_build config --prefix=/opt/openssl --openssl-source=/opt/openssl-1.0.1t --config-bits=64

  3. Compile and install OpenSSL using the following engine_build script.

    ./engine_build openssl-build
./engine_build openssl-install

    Before performing the next step, add the openssl path to bash_profile or export the $PATH.

  4. Run the following command to verify the kengine installation.

    /opt/openssl/ssl/bin/openssl engine kengine -v

    Output

    (kengine) CipherTrust Manager Engine Support
enginearg, openSession, closeSession, login, logout, engineinit,
CONF_PATH, ENGINE_INIT, ENGINE2_INIT, engine2init, DisableCheckFinalize,
SO_PATH, GET_HA_STATE, SET_FINALIZE_PENDING, SKIP_C_INITIALIZE,
IntermediateProcesses

On this page