This document provides information regarding the configuration of Apache Tomcat with our HSMs and how TLS handshake offloading works. For additional questions related to your HSM, see the relevant user guide.

From the Apache Tomcat website: The Apache Tomcat software is an open source implementation of the Java Servlet, Java Server Pages, Java Expression Language, and Java Web Socket technologies. Apache Tomcat software powers numerous large-scale, mission-critical web application across a diverse range of industries and organizations.

In this integration, you create Tomcat Web Server Certificates, which are required for client application connections with the webserver, by using the Keytool feature embedded in Java. Using Keytool, you can create the RSA Key pair and the certificate for the Tomcat server. The private key for this certificate is stored in the HSM by using 

 PKCS #11 (FXPKCS11) libraries and the Java SunPKCS11 provider. The connection between the PKCS #11 library and the HSM should be a TLS connection. You must create TLS/SSL certificates (by using OpenSSL or an external CA) to provide certificates for the HSM and the server where the PKCS #11 library is running.

 introduces mission-critical viability to core cryptographic infrastructure, including:

, including PKCS #11 and CNG configuration.

Before you start

Install Futurex PKCS #11 (FXPKCS11)

Install Excrypt Manager (If using Windows)

Install Futurex Command Line Interface (FXCLI)

Configuring environment variables for Apache Tomcat

Configure SunPKCS11 to use the Futurex PKCS #11 module

Connect to the HSM through the front USB port

Required features in the HSM

Configure the network (Set the HSM IP address)

Load major keys

Configure a transaction processing connection and create an application partition

Create a new identity and associate it with the new application partition

Configure TLS authentication

Configure the Vectera Plus

Edit the Futurex PKCS #11 Configuration file

Create a Java KeyStore

Configure Tomcat and test the server

Appendix: Set up Tomcat server by using a third-party (external) CA

Apache Tomcat

Configure FxPKCS11 as a pkcs11-provider in OpenSSL

Generate an HAProxy server certificate for testing

Configure HAProxy

HAProxy

TLS offloading

CHTools

Permission to call a specific international command.

International_cmd

International_cmd_license

fpe_license

PIN Processing restricts PIN processing commands when clear PIN commands are enabled.

FX_RESTRICT_PIN_PROC_license

master_key_distribution_license

BYOK

Host_card_emulation

cvv_management

Allows the HSM to use Multibanco commands.

Multibanco

Multibanco_license

Enables PIN and key printing functionality.

PIN_Key_printing

PIN_Key_printing_license

Period

Perm_check_license

Checks specific perm inside each function in combination with other restrictions based on tags

Perm_check

pin_printing

FX_Restrict_Print

FX_Restrict_Print_license

CHDirect

CHAppliance

Enables legacy POS device key injection for use in a Key Injection Facility.

Clear_Keyload

clear_keyload_license

Variable_Length_PVV

variable_length_pvv_license

host_card_emulation_license

emv_issuing_license

post_quantum_cryptography_license

clear_shared_secret_license

p2pe_and_tokenization_license

hsm_key_distribution_license

financial_processing_license

excrypt_ui_license

australian_command_set_license

general_purpose_license

clear_pin_license

format-preserving_encryption_license

emv_acquiring_license

ecc_license

key_strength_bypass_license

rsa_license

Enables Format-preserving Encryption (FPE) functionality.

Format-preserving_encryption

colon

permission_utility

comma

ampersand

exclamation_mark

binary_val

diebold

tr-34_rkl

mac_hash

Enabled by default on all Vectera Series HSMs and available as an add-on license for Excrypt Series

general_purpose

data_encrypt

mobile_payment

Supports domestic and int'l message formats for PIN translation, verification, and key management

Excrypt_ui

p2pe

Equal_sign

Enabled on all Futurex HSMs, regardless of their license or mode.

Core_license

Number_sign

utility

card_verification

authentication

key_management

RKMS3

SKI3

Ambiguous_PIN

Enables protecting a stronger key with a weaker key.

Key_Strength_Bypass

Enables payments-related commands per the AS2805 messaging standard, as defined by AusPayNet.

Australian_Command_Set

Enables the Europay Mastercard Visa (EMV) issuance command set.

EMV_Issuing

Enables Format Preserving Encryption (FPE) FF1 functionality.

FPEFF1

Enables Point-to-Point Encryption (P2PE) functionality. 

P2PE

Enabled by default on all Excrypt Series HSMs and as an add-on license for Vectera Series HSMs.

Financial_Processing

Allows the HSM to use host card emulation commands.

Host_Card_Emulation

Allows the HSM to support commands that will directly output the clear shared secret value.

Clear_Shared_Secret

Enables a host HSM to distribute allowed keys to another HSM.

HSM_key_distribution

Only required if using a Clear PIN rather than a PIN Block.

CPIN

Enables Format Preserving Encryption (FPE) functionality.

Enables Post-Quantum Cryptography (PQC) commands and functionality.

Enables commands requiring Elliptic Curve Cryptography (ECC) functionality.

Enables the Europay Mastercard Visa (EMV) acquiring command set. 

EMV_Acquiring

Enables commands requiring RSA functionality.

key_slot_index

Tilde

Asterisk

HSM Integration Guides

HSM integration guides overview

Edit the Futurex PKCS #11 configuration file

Install Dogtag Certificate System  and deploy the subsystem

Dogtag Certificate System

Configure the EJBCA server

Test the EJBCA server

EJBCA

ISC - Linux

ISC - Windows

CertAgent integrations

Install Futurex CNG and FXCLI by using FXTools

Install Excrypt Manager

Edit the Futurex CNG configuration file

Install and configure Active Directory Certificate Services

AD CS operations with FXCNG

Appendix: Migrate an existing CA key from software storage to the HSM

Microsoft ADCS

Install RHCS and deploy the subsystem

Red Hat Certificate System (RHCS)

Certificate Authority

Generate a key pair and certificate on the Vectera Plus

Import certificates into Windows Certificate Store and associate them with the private keys

Appendix: Migrate a key from software storage to the Vectera Plus

Microsoft Windows Certificate Store

Install Excrypt Manager (If using windows)

Configure Venafi TPP to use the Vectera Plus

View the keys and certificates that Venafi TPP created on the HSM

Venafi Control Plane for Machine Identities

Certificate management

Install Axway Server and configure Futurex PKCS #11 Library with Axway VA Server

Test CRL signing

Axway VA

Certificate validation

Configure the JAVA_HOME environment variable

Edit the Futurex PKCS #11 Configuration File

Create a Java keystore

Sign APKs with Android APKSigner by using Futurex PKCS #11

Android APKSigner

Create Java KeyStore

Jarsigner command examples

Java Jarsigner

Installing Excrypt Manager

Create a code-signing certificate

Import certificates into Windows Certificate Store

Associate a private key with a certificate

Test Microsoft SignTool commands

Microsoft SignTool

Code signing

Configure the Futurex PKCS #11 library in vSEC:CMS

Create an Operator Service Key Store in an HSM

Appendix: Generate a new master key and restore or migrate keys to a new HSM

Versasec vSEC:CMS

Credential management

Install and configure OpenSSL engine

Configure Apache HTTP Server

Apache HTTP Server

Configure Nginx Server

NGINX

Test OpenSSL engine

OpenSSL Engine

Steps to configure the Futurex PKCS #11 Library with the Protegrity Data Security Platform