Keeper SSO Connect integrates with on-premises and cloud-based Gemalto HSM devices for key protection and storage.

In the SSO Connect installation folder is a data/ directory containing several files. Two of them hold secret keys, generated on the server, that are used to encrypt and decrypt the end users' auto-generated master passwords; these keys must be protected. There is also a .sql file containing a local cache of encrypted data. It is critical that access to this data folder is restricted.

You can add an extra layer of security by using an HSM (Hardware Security Module) as described below. When an HSM is available, an encryption key is generated for each SSO Connect instance and stored securely in the HSM. That encryption key is used to encrypt the critical property files in the data/ directory.
The Gemalto HSM must be running Luna firmware 6.2 or higher.
Port TCP/443 open, stateful outbound from Keeper SSO Connect to www.keepersecurity.com and push.services.keepersecurity.com
Port TCP/22 open, stateful outbound from the HSM management terminal to the HSM system
Port TCP/22 open, inbound to the Keeper SSO Connect server for CLI configuration
Port TCP/1792 open, bidirectional to/from the HSM system
Port TCP/8080 open, inbound from a Keeper Admin workstation to Keeper SSO Connect for admin GUI access (optional)
$ telnet www.keepersecurity.com 443
Trying 18.104.22.168...
Connected to www.keepersecurity.com.
Escape character is '^]'.
$ telnet push.services.keepersecurity.com 443
Trying 22.214.171.124...
Connected to push.services.keepersecurity.com.
Escape character is '^]'.
$ ssh <ip address of the HSM>
password: <admin-password>
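The telnet and ssh probes above check one path at a time and hang on a firewall that silently drops packets. The script below is an added example (not Keeper's or Gemalto's code) that probes every TCP path from the port list with a timeout and reports OK/FAIL per path. HSM_IP and SSO_HOST are placeholders you must set; it assumes bash is installed, because bash's /dev/tcp pseudo-device does the connect, so neither telnet nor nc is needed on a minimal CentOS or Ubuntu server.

```shell
#!/bin/sh
# Added connectivity preflight for the Keeper SSO Connect + Luna HSM port list.
# Not part of Keeper's or Gemalto's software. HSM_IP and SSO_HOST are
# placeholders; bash must be present (used for its /dev/tcp connect).

HSM_IP="${HSM_IP:-192.0.2.10}"      # placeholder: your Luna Network HSM
SSO_HOST="${SSO_HOST:-127.0.0.1}"   # placeholder: the SSO Connect server

# check_port HOST PORT [SECONDS] -> 0 if a TCP handshake completes within
# SECONDS (default 5); non-zero on refusal, timeout or DNS failure.
check_port() {
  cp_host="$1"; cp_port="$2"; cp_secs="${3:-5}"
  if command -v timeout >/dev/null 2>&1; then
    timeout "$cp_secs" bash -c "exec 3<>/dev/tcp/$cp_host/$cp_port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$cp_host/$cp_port" 2>/dev/null
  fi
}

# run_checks -> prints one OK/FAIL line per required path and returns the
# number of failures, so exit status 0 means every listed port is reachable.
run_checks() {
  rc_fails=0
  while IFS='|' read -r rc_host rc_port rc_label; do
    [ -n "$rc_host" ] || continue
    if check_port "$rc_host" "$rc_port"; then
      printf 'OK    %-34s %5s  %s\n' "$rc_host" "$rc_port" "$rc_label"
    else
      printf 'FAIL  %-34s %5s  %s\n' "$rc_host" "$rc_port" "$rc_label"
      rc_fails=$((rc_fails + 1))
    fi
  done <<EOF
www.keepersecurity.com|443|Keeper cloud (outbound from SSO Connect)
push.services.keepersecurity.com|443|Keeper push service (outbound from SSO Connect)
$HSM_IP|22|HSM management SSH (outbound from the HSM admin terminal)
$HSM_IP|1792|Luna NTLS client link (bidirectional)
$SSO_HOST|22|SSO Connect CLI (inbound, probe from the admin workstation)
$SSO_HOST|8080|SSO Connect admin GUI (inbound, optional)
EOF
  return "$rc_fails"
}

case "${1:-}" in
  run) run_checks ;;
esac
```

Run it as `HSM_IP=<hsm-ip> sh preflight.sh run` on the SSO Connect server for the outbound paths; the two inbound entries only prove anything when the script is run from the admin workstation with SSO_HOST set to the SSO Connect server. A FAIL on 1792 with an OK on 22 to the same HSM almost always means a firewall rule rather than an HSM problem, since both go to the same host.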
CentOS 6 or 7 is preferred, but the software can run on Ubuntu with the following additions:
UBUNTU only:
$ sudo apt-get install zip unzip     # used by the Luna installer
$ sudo apt-get install alien         # used by the Luna installer to convert .rpm files
$ sudo apt-get install gcc-multilib  # because some Luna programs are 32-bit
If /lib/ld-linux.so.2 exists, go to the next section.

If /lib/ld-linux.so.2 doesn't exist:
  if /usr/lib/ld-linux.so.2 exists:
    $ sudo ln -s /usr/lib/ld-linux.so.2 /lib/ld-linux.so.2
  if /lib32/ld-linux.so.2 exists:
    $ sudo ln -s /lib32/ld-linux.so.2 /lib/ld-linux.so.2
  otherwise (Ubuntu):
    $ sudo apt-get install gcc-multilib
If you are on Red Hat (CentOS), do this:
  $ sudo yum install glibc-devel.i686
The Luna client must be installed and properly configured before Keeper SSO Connect can use the Luna HSM.
Copy the LunaClient software to the SSO Connect server. The file usually has a name like LunaClient_7.3.0-165.Linux.tar.gz.
Login to the SSO Connect server.
Run the Luna Client installer:
$ tar xzf LunaClient_7.3.0-165.Linux.tar.gz
$ cd LunaClient_7.3.0-165_Linux/64
$ sudo sh install.sh
  - Select Luna Network HSM
  - Select (N)ext
  - Select Luna JSP (Java)
  - Select (I)nstall
$ sudo gpasswd --add <username> hsmusers
  - type 'groups' to verify group membership
  - You might need to create a new shell to recognize the new group
You might want to add this useful alias to your "~/.bash_profile" file:
alias luna='sudo /usr/safenet/lunaclient/bin/lunacm'
a. Find the list of security providers.
c. Save the file.
The IP address or hostname of the HSM machine.
The admin password (also known as the Security Officer password).
A unique string, such as the IP address of your current machine or your name; this is passed as the client name (-c) to clientconfig deploy below.
The password for the Crypto Officer for the partition.
The partition name where you will store keys (this should already be configured).
NOTE: If you haven't set up a partition yet, use the 'lunash' program and login as admin. See the Gemalto Luna documentation.
Start the Luna Client:
$ luna
lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
lunacm:> clientconfig deploy -n <hsm-ip-address> -c <unique-string> -par <partition-name> -ur admin -pw <hsm-admin-password> -v
... make sure it finishes successfully
Available HSMs:
Slot Id ->              0
Label ->                [your-partition-name]
Serial Number ->        12345678987654321
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
Current Slot Id: 0
lunacm:> role login -n co
enter password: crypto-officer-password
Command Result : No Error
lunacm:> par con   # display contents of partition
lunacm:> exit
In addition to the normal SSO Connect configuration questions there are some HSM-specific questions as shown below.
$ java -jar SSOConnect.jar -config
... normal SSO Connect configuration questions ...
Configure Secure Key Storage (y/N): y
IMPORTANT: Make sure that this server is already connected to a networked HSM or other secure key storage device.
Type of Secure Key Storage (Gemalto SafeNet Luna HSM): <return>
Secure storage device access parameters (slot,password): <return>
slot: 0
password: crypto-officer-password
A certificate chain is required in order to store an encryption key.
You may use the SSL certificate file entered previously, or use a different one.
Certificate chain file (/home/ubuntu/keeperSSO/data/sso_keystore.jks): <return>
Certificate chain file password (none): <return>
1 certificates found
Enable Secure Key Storage (Y/n): y
Verify that the server is appropriate. CentOS 6 or 7 is preferred. We do not support Windows at this time.
$ rpm -q centos-release
centos-release-7-6.1810.2.el7.centos.x86_64
$ cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
Verify that the Luna client is correctly installed on the server. Run the Luna client and login as the Crypto Officer to verify that you can successfully login and display the contents of the partition.
$ sudo /usr/safenet/lunaclient/bin/lunacm
luna> role login -n co
(enter password)
luna> par con
If this HSM has been used with Keeper before, there will be an existing key with a name like "Keeper SSO Properties 514320201573".
Verify that Java 1.8 or Java 11 is available.
$ java -version
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)
Verify that the Luna libraries are available.
$ ls sso_connect/*Luna*
libLunaAPI.so  LunaProvider.jar
Verify that the correct ports are open. The firewall must allow both inbound and outbound connections to/from ports 22 and 1792.

If the firewall is local, use:
$ iptables -xvn -L
On CentOS 7 with firewalld, `firewall-cmd --list-all` shows the rules of the active zone instead.
Verify that the user is a member of the hsmusers group:
$ whoami
centos
$ groups
centos adm wheel systemd-journal hsmusers

** The Luna software requires that the user accessing the Luna libraries be a member of the hsmusers group.
$ sudo gpasswd --add centos hsmusers
You will need to open a new shell to see that this command worked correctly.
Verify that SSOconnect is installed on the machine. Usually there is a folder called KeeperSSO, or some similar name. The folder will contain many jar files.
Verify that you don't have a partial configuration. If you previously tried and failed to configure KeeperSSO, it is safe to delete the KeeperSSO/data folder and start over. Do this only on an instance that has never gone live: once SSO Connect is in use, the data folder holds the keys that protect the end users' master passwords, and deleting it destroys them.
Verify that the app has read/write permissions to the data folder:
$ ls -ld data
drwxrwxr-x 2 centos centos 181 Feb 4 19:42 data
Check the log file for errors. The Secure Key Storage subsystem of SSOconnect will print an ERROR line to the log if it encounters a problem.
$ more logs/ssoconnect.log
The error will be a variation of "Unable to use Secure Key Storage". This indicates one of the following problems:

a. Network problem accessing the HSM
   - Repeat the Luna client check above (log in as the Crypto Officer and display the partition) to verify access to the HSM.
b. data/sks.properties is missing
   - If data/sks.properties is missing you will need to re-configure SSOConnect.
c. The encrypted property files are missing
   - Check for data/instance.encp and data/shared.encp.
d. The encryption key is missing from the HSM
   - Did somebody clear the HSM partition? You will need to re-configure SSOConnect.
e. The server may be out of disk space
   - Clear some disk space.
f. The encryption algorithm used is not supported on the HSM
   - The algorithm is AES/GCM/NoPadding. Check with the device provider.
g. The file data/sso_keystore.jks is missing
   - The program cannot store a key in the HSM without the certificate chain from the sso_keystore.jks file. Find the file and ensure that it is in the data folder.
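The checks in this troubleshooting section are manual and easy to skip. The script below is an added example (not Keeper's or Gemalto's code) that runs the local ones in one pass: hsmusers membership, the Luna artifacts SSO Connect loads, the data/ folder and the files named in the list above, free disk space, and the "Unable to use Secure Key Storage" lines in logs/ssoconnect.log. It assumes it is run from the KeeperSSO install folder (override with SSO_DIR); its demo mode builds a throwaway layout with a constructed log, with sso_keystore.jks deliberately absent, so case (g) is shown being caught without an HSM present.

```shell
#!/bin/sh
# Added troubleshooting helper for Keeper SSO Connect Secure Key Storage.
# Not part of Keeper's or Gemalto's software. Assumes the KeeperSSO install
# folder is the current directory unless SSO_DIR is set.

SSO_DIR="${SSO_DIR:-.}"

# in_hsmusers USER -> 0 if USER belongs to the hsmusers group
in_hsmusers() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx hsmusers
}

# check_luna_libs DIR -> 0 if libLunaAPI.so and LunaProvider.jar are in DIR
check_luna_libs() {
  [ -f "$1/libLunaAPI.so" ] && [ -f "$1/LunaProvider.jar" ]
}

# check_data_dir DIR -> prints each problem and returns how many files from
# the error list are missing (0 = folder is read/write and sks.properties,
# instance.encp, shared.encp and sso_keystore.jks all exist)
check_data_dir() {
  cdd_dir="$1"; cdd_missing=0
  if [ ! -d "$cdd_dir" ] || [ ! -r "$cdd_dir" ] || [ ! -w "$cdd_dir" ]; then
    echo "data folder missing or not read/write: $cdd_dir"
    return 1
  fi
  for cdd_f in sks.properties instance.encp shared.encp sso_keystore.jks; do
    if [ ! -f "$cdd_dir/$cdd_f" ]; then
      echo "missing: $cdd_dir/$cdd_f"
      cdd_missing=$((cdd_missing + 1))
    fi
  done
  return "$cdd_missing"
}

# free_mb DIR -> prints free megabytes on the filesystem holding DIR
free_mb() {
  df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# count_sks_errors LOG -> prints how many ERROR lines the SKS subsystem wrote
count_sks_errors() {
  [ -f "$1" ] || { echo "(no log at $1)"; return 0; }
  grep -c 'ERROR.*Unable to use Secure Key Storage' "$1" || true
}

# run_all DIR -> runs every check against an install folder; returns 1 if any failed
run_all() {
  ra_dir="$1"; ra_rc=0
  if in_hsmusers "$(id -un)"; then echo "hsmusers: ok"
  else echo "hsmusers: $(id -un) is NOT a member"; ra_rc=1; fi
  if check_luna_libs "$ra_dir"; then echo "luna libs: ok"
  else echo "luna libs: missing from $ra_dir"; ra_rc=1; fi
  if check_data_dir "$ra_dir/data"; then echo "data folder: ok"
  else ra_rc=1; fi
  echo "free space: $(free_mb "$ra_dir") MB"
  echo "SKS errors logged: $(count_sks_errors "$ra_dir/logs/ssoconnect.log")"
  return "$ra_rc"
}

# demo -> throwaway install layout with a constructed log; the keystore is left
# out on purpose so the report shows failure case (g) from the list above
demo() {
  d_tmp="$(mktemp -d)"
  mkdir -p "$d_tmp/data" "$d_tmp/logs"
  for d_f in sks.properties instance.encp shared.encp; do : > "$d_tmp/data/$d_f"; done
  : > "$d_tmp/libLunaAPI.so"; : > "$d_tmp/LunaProvider.jar"
  cat > "$d_tmp/logs/ssoconnect.log" <<'EOF'
2019-02-04 19:42:01 INFO  SSOConnect starting (constructed sample log)
2019-02-04 19:42:03 ERROR Unable to use Secure Key Storage: certificate chain not found
2019-02-04 19:42:03 INFO  continuing without HSM
EOF
  run_all "$d_tmp"
  d_rc=$?
  rm -rf "$d_tmp"
  return "$d_rc"
}

case "${1:-}" in
  demo)  demo ;;
  check) run_all "$SSO_DIR" ;;
esac
```

`sh sks_check.sh check` from the KeeperSSO folder prints the report and exits non-zero if anything is wrong; `sh sks_check.sh demo` runs the same report against the constructed layout. The report deliberately names the missing file rather than just failing, because which file is absent decides the remedy (re-run the configuration for sks.properties, restore the keystore for sso_keystore.jks).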