000026080 - DSM: How to configure Data Security Manager 1.1 with RSA Key Manager Server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026080
Applies To: BSAFE/Data Security Manager
            RSA Key Manager Server
Issue: DSM: How to configure Data Security Manager 1.1 with RSA Key Manager Server

Symptom 1: Error during SPE Manager startup: 15074 (Error Failed to read service)

Running one of the DSM samples such as sym_encrypt_decrypt produces this output:

C:\Program Files\RSA Data Security Manager\1.1\win32\samples\c\bin>sym_encrypt_decrypt.exe
Starting SPE Manager...
Error during SPE Manager startup: 15074 (Error Failed to read service)

Shutting down engines...
done.
Shutting down SPE Manager...
done.


Symptom 2: Error 10001 (Failed)

Example 3: Encrypt data using managed key and store in iv-ct format.
-----------------------------------------------------------------------
Classification: sensitivity=high;distribution=iv-ct;purpose=sample
Input file: ../../sample_data/plain.txt

Encrypting input file.
Error during R_SPE_encrypt: 10001 (Failed)

Shutting down engines...
done.
Shutting down SPE Manager...
done.

Cause
Cause of Symptom 1: PATH environment variable not set correctly.
Cause of Symptom 2: address config value not set correctly. The address to use for RKM Client 1.5.x, RKM Client 2.0.1, and DSM 1.1 to connect to RKM Server 2.x is https://localhost/KMS/provider.
(https://localhost/KMS/rpc/crow is only for RKM Client 2.1.x to connect to RKM Server 2.x.)
Resolution

The following instructions are for DSM 1.1 on Windows and RSA Key Manager Server 2.1.1 Trial.

Default <DSM installation directory> on Windows is C:\Program Files\RSA Data Security Manager\1.1\win32.
Installation directory for RKM 2.1.1 Trial Server is C:\rkm-2.1.1-trial.


1. Modify DSM's init.xml
========================

1a. Back up the existing init.xml file in <DSM installation directory>\conf\win32. Copy the attached init.xml file to <DSM installation directory>\conf\win32. It is based on the init.xml from DSM 1.1, with added entries to get keys from RKM 2.1.1 Trial Server.


1b. Modify the RKM provider config values to match your RKM installation.  If you are not using RKM 2.1.1 Trial Server, you will want to modify these transport service values:

<config_entry name="clientTrustedRoots" value="C:/rkm-2.1.1-trial/certs/rt/rt.pem"/>
<config_entry name="clientCredentialFile" value="C:/rkm-2.1.1-trial/certs/sam.p12"/>
<config_entry name="clientCredentialPassword" value="Password1"/>
<config_entry name="address" value="https://localhost/KMS/provider"/>
<config_entry name="port" value="38443"/>


You may also modify these cache service values:

<config_entry name="persistentCacheFile" value="C:/Program Files/RSA Data Security Manager/1.1/win32/config/km.cache_file"/>
<config_entry name="cachePassword" value="Password1"/>


2. Re-sign DSM's init.xml
=========================

cd <DSM installation directory>\conf\win32
Run sign_spe.bat

Expected output:
All signatures verified successfully.


3. Set environment variables on DSM machine
===========================================
Set the KM_SUPPORT_LIB_PATH and R_SHLIB_LD_LIBRARY_PATH environment variables on the machine where DSM is installed.

For example, on Windows:
set KM_SUPPORT_LIB_PATH=<DSM installation directory>\library\lib\kmsvcshlib.dll
set R_SHLIB_LD_LIBRARY_PATH=<DSM installation directory>\library\lib (Optional: not used by RKM Client 2.0.1 or RKM provider in DSM 1.1)


Set the PATH to include DSM's library directory.  Make sure that the PATH does not include any other directories that contain Crypto-C ME libraries.  For example, if you installed RKM Client 2.1.0, you might have its library directory in the PATH, so delete it.

set PATH=<DSM installation directory>\library\lib;%PATH%
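Both causes above (a stale Crypto-C ME directory on the PATH, and the wrong KM provider address in init.xml) can be checked before the samples are re-run. The following Python script is an added example, not part of this article or of the DSM product: it parses the KM provider's GLOBAL configuration out of an init.xml and flags the /KMS/rpc/crow endpoint, and it inspects a Windows PATH string for other directories carrying cryptocme2.dll. The cut-down SAMPLE_INIT_XML, the C:\rkm-client-2.1.0\lib directory and the dir_listing argument are constructed for illustration.

```python
from xml.etree import ElementTree as ET

NS = {"dsm": "http://www.rsasecurity.com/2006/01/rsa-dsm"}  # namespace of the article's init.xml
PROVIDER_ADDRESS = "https://localhost/KMS/provider"        # correct for DSM 1.1 -> RKM Server 2.x

# Constructed sample: a cut-down init.xml whose KM provider still carries the Symptom 2
# mistake (the RKM Client 2.1.x endpoint). Only the elements the checks read are present.
SAMPLE_INIT_XML = """<init xmlns="http://www.rsasecurity.com/2006/01/rsa-dsm" name="sample" version="1.0">
  <providers>
    <provider name="KM" path="../../library/lib/rspkm.dll" location="relative">
      <configuration name="GLOBAL">
        <config_entry name="svcType" value="transportSvc"/>
        <config_entry name="address" value="https://localhost/KMS/rpc/crow"/>
        <config_entry name="port" value="38443"/>
      </configuration>
    </provider>
  </providers>
</init>"""


def km_global_entries(xml_text):
    """Name/value pairs of every config_entry under the KM provider's GLOBAL configuration."""
    root = ET.fromstring(xml_text)
    pairs = []
    for prov in root.findall("dsm:providers/dsm:provider[@name='KM']", NS):
        for cfg in prov.findall("dsm:configuration[@name='GLOBAL']", NS):
            pairs.extend((e.get("name"), e.get("value")) for e in cfg.findall("dsm:config_entry", NS))
    return pairs


def check_address(xml_text):
    """Symptom 2: report an 'address' value that DSM 1.1 cannot use against RKM Server 2.x."""
    findings = []
    for name, value in km_global_entries(xml_text):
        if name == "address" and value.endswith("/KMS/rpc/crow"):
            findings.append(f"address {value} is the RKM Client 2.1.x endpoint; use {PROVIDER_ADDRESS}")
    return findings


def check_path(path_value, dsm_lib_dir, dir_listing):
    """Symptom 1: DSM's library dir must lead the Windows PATH and no later entry may hold a
    Crypto-C ME library. dir_listing maps directory -> file names (os.listdir on a real host)."""
    entries = [p for p in path_value.split(";") if p]  # Windows PATH separator
    findings = []
    if not entries or entries[0].lower() != dsm_lib_dir.lower():
        findings.append("DSM library directory is not the first PATH entry")
    for d in entries[1:]:
        if "cryptocme2.dll" in (f.lower() for f in dir_listing.get(d, [])):
            findings.append(f"PATH entry {d} also contains cryptocme2.dll; remove it")
    return findings
```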


4. Create a Key Class on RKM Server
===================================
The following instructions are for creating a Key Class on RKM 2.1.1 Trial Server.  (If you are not using RKM 2.1.1 Trial Server, note that the key class name must match a mapping in policy.xml and the Identity Group must correspond to the client credentials.)

Create Key Class

Name: AES_128_CBC
Identity Group: Hardware Retail Group
Check "Activated Keys Have Duration".
Leave "Duration From A Crypto Policy" unchecked.
Click Next.

Algorithm: AES
Key Size: 128
Mode: CBC

Duration: 1 Day

Type: Use Current Key
Check "Allow Auto-Generation".
Click Next.

Class Attributes page
Click Next.

Attributes Specifications page
Click Next.

Review page
Click Finished.


init.xml file:

<?xml version="1.0" encoding="utf-8" ?>
<!-- Configuration settings used for initialization of the Security -->
<!-- Protection Engine. -->
<!-- Generated by ./build/script/init.sh version $Id: init.sh,v 1.1.2.14 2007/01/31 10:46:13 ltran Exp $ -->
<init xmlns="http://www.rsasecurity.com/2006/01/rsa-dsm"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      name="RSA Data Security Manager Sample Initialization File"
      version="1.0"
      guid="097dd502-b228-11dc-b82c-e23885309bd9"
      xsi:schemaLocation="http://www.rsasecurity.com/2006/01/rsa-dsm init.xsd">
  <!-- Engine Manager log configurations -->
  <logging audit="on" error="on" warning="on" />
  <!-- Maximum number of security descriptors -->
  <security_descriptor max="10" />
  <!-- DSM libraries -->
  <dsm_libraries>
    <lib path="../../library/lib/spec.dll" location="relative" signature="HSspWFIufZqE+rWl8ClK4s3GtQevH+gjW/jRuAurruqpP4VNFbMDFYlp4Go5Md8e+DDAst5zx0ZtrHiaZBJUrlMjtoq9thkSSSeAsmMdWpUU9mPQKKhJrKmTKVXEsskVFrE1gd/7+OfMYGJrUi0lGwpU8lfk6lNdqifp2bD+G4c=" />
  </dsm_libraries>
  <!-- Policy File locations -->
  <policies>
    <policy name="DEFAULT">
      <file path="../policy.xml" location="relative" signature="OVYYVEUWgVLjCU+xvffZdrezKfAgNX3m9Btx650AGUd3wShgXAVo+4H3klxe6l/K6v8SbFCYHBn5ZyNFQUKuqfGO9wvIUxkIrh8yxemw17JanhiGfHMroLk/H/lvFq1Tz8XoxZSURmiJyiw5pfEIWriGuNwpcO3S7N5oGgp0nLY=" />
      <chunksize value="10000" />
    </policy>
    <policy name="policy_sample_managed">
      <file path="../policy_sample_managed.xml" location="relative" signature="NXv44gz0iEsZWyaK0e0Wo6jMzN29dfnCXntxE/6LTwbI6LQ7iXuTCQC674El734lLPdtkU9yF2/K5E7J4iox+bnD0Xylrs7OzGoVqRGlOgnKkvbo4KDvF2CIFFxy/pz8anDU4q+5V+eufyhtskf3fSaZUt2+s4mxJts7VcbK/fA=" />
      <chunksize value="10000" />
    </policy>
    <policy name="policy_sample_unmanaged">
      <file path="../policy_sample_unmanaged.xml" location="relative" signature="VEM1vKucIbyY//cxuyM1gjI9zRa0Kw0uirfgoiDvu6IRzZDtNCcXkNcgHPNx38si4ZA4rFo6NJj0CrZmConWRA1bRaGCC5Jl7niWjRXEHNzysBUdFDNhdF4tDiov7/9aNJC9CzTCQQRRu1kqYMwhiJOB8ZmMKzD2MNf4Ld9j7No=" />
      <chunksize value="10000" />
    </policy>
  </policies>
  <!-- Cryptographic Module -->
  <crypto name="cryptocme" path="../../library/lib/cryptocme2.dll" location="relative" />
  <!-- Providers -->
  <providers>
    <!-- libxml2 provider - XML parsing and XPATH -->
    <provider name="RSPXML" path="../../library/lib/rspxml.dll" location="relative" signature="My07efEK09B7042MoIJGepah/GWH4sW7pVF6RVgDk8dy763EL2l9dx4HpWC9v4SifVvbDyp1V9VG0VSh8PbwZTJR7Unmk5vbB3tJfBS9Fgz3icqHFAsxSwHOnNOd2+2GJD3CCTwtmxKsl6ib0Jf5qRZ56qxZoBg1cnZUnVwIZ3s=" />
    <provider name="CERT" path="../../library/lib/rspcert.dll" location="relative" signature="MeKneyQH8BxWZpphg9PMRu7CYutkgjknJBLXLPCgDGNcjRjRiDPmlpuohH6A7ykqTNJdheSKqtcp6RiJXfzRNv2HVd9kq3F3DIg3snw1IcbYjHeSNKhLLmkVaQKpQtPM5SHketTC2xaCPvYAJgcGUFwD3WiIaBglg4HnVvkK4Mg=" />
    <provider name="FILEDB" path="../../library/lib/rspfiledb.dll" location="relative" signature="FeOHsWXGVmgEEGU/7dUBJeHDAPFBo6KQrwTyXtieK1pCwzk08HIcX5UcHIUNcpOcOS6XZzqdWL8Eokh6g1qdfzlJkeyG8E9l4Ydg/o0AQ4yH5SmWyaqoc78W0x7Yvna6JeWt05XkIHDX99FUmfYJi4k2sD9lJcS+jaQz9bK0tew=" />
    <provider name="KM" path="../../library/lib/rspkm.dll" location="relative" signature="UPX+re6SxXO3ss/LUDOwmdZTFxTiSt9EqOZj+w8YhaXtGNVbvSfWwAYwrk+8VMXNNC2WYy92azv8Mm9+GjqRKm9BICGiKPEK8O+V6DarVNs8zmwx0Ww7l0uzefTHjMEDU2GPoIZH0NnRDHbVTQKmmcPxnRd4f9VtSKqSN1jdcUY=">
      <configuration name="GLOBAL">
        <config_entry name="svcType" value="transportSvc" />
        <config_entry name="configName" value="https_cfg_1" />
        <config_entry name="clientTrustedRoots" value="C:/rkm-2.1.1-trial/certs/rt/rt.pem" />
        <config_entry name="clientCredentialFile" value="C:/rkm-2.1.1-trial/certs/sam.p12" />
        <config_entry name="clientCredentialPassword" value="Password1" />
        <config_entry name="address" value="https://localhost/KMS/provider" />
        <config_entry name="port" value="38443" />
        <config_entry name="FIPSMode" value="false" />
        <config_entry name="svcType" value="cacheSvc" />
        <config_entry name="configName" value="cache_cfg_1" />
        <config_entry name="nonPersistentCache" value="true" />
        <config_entry name="persistentCacheFile" value="C:/Program Files/RSA Data Security Manager/1.1/win32/config/km.cache_file" />
        <config_entry name="cachePassword" value="Password1" />
        <config_entry name="busyRetries" value="3" />
        <config_entry name="applicationId" value="1" />
        <config_entry name="cacheTimeToLive" value="60" />
        <config_entry name="maxCacheEntries" value="50" />
        <config_entry name="FIPSMode" value="false" />
        <config_entry name="svcType" value="logSvc" />
        <config_entry name="configName" value="log_cfg_1" />
        <config_entry name="error" value="true" />
        <config_entry name="warning" value="true" />
        <config_entry name="audit" value="true" />
        <config_entry name="FIPSMode" value="false" />
      </configuration>
    </provider>
  </providers>
  <!-- Services -->
  <services>
    <spe_services>
      <service name="xml" provider="RSPXML" />
      <service name="uri" provider="RSPXML" />
    </spe_services>
    <engine_services policy="DEFAULT">
      <service name="xml" provider="RSPXML" />
      <service name="uri" provider="RSPXML" />
      <service name="km" provider="KM">
        <configuration name="RKM_CFG" />
      </service>
      <service name="cert_storage_service" provider="CERT">
        <configuration name="FIPS_CERT_CFG" />
        <uses name="filedb" provider="FILEDB">
          <configuration name="FILEDB_CFG" />
        </uses>
      </service>
    </engine_services>
    <engine_services policy="policy_sample_unmanaged">
      <service name="xml" provider="RSPXML" />
      <service name="uri" provider="RSPXML" />
      <service name="cert_storage_service" provider="CERT">
        <configuration name="FIPS_CERT_CFG" />
      </service>
    </engine_services>
    <engine_services policy="policy_sample_managed">
      <service name="xml" provider="RSPXML" />
      <service name="uri" provider="RSPXML" />
      <service name="km" provider="KM">
        <configuration name="RKM_CFG" />
      </service>
      <service name="cert_storage_service" provider="CERT">
        <configuration name="FIPS_CERT_CFG" />
      </service>
    </engine_services>
  </services>
  <!-- Configurations -->
  <configurations>
    <configuration name="FIPS_CERT_CFG">
      <config_entry name="crypto_lib_mode" value="fips" />
      <!--
        <config_entry name="crl_source" value="file://../../../test/data/ca1/ca1.crl"/>
        <config_entry name="crl_source" value="file://../../../test/data/ca2/ca2.crl"/>
      -->
      <config_entry name="allow_app_validation" value="false" />
      <!-- config_entry name="cert_validation" value="chain,signature,time,revocation,extension"/ -->
      <config_entry name="cert_validation" value="no_check" />
      <config_entry name="cert_and_key_validation" value="no_check" />
      <!-- config_entry name="cert_and_key_validation" value="chain,time,revocation"/ -->
      <config_entry name="any_validation" value="chain,time,revocation,signature" />
    </configuration>
    <configuration name="FILEDB_CFG">
      <config_entry name="max_size_kbyte" value="100" />
      <config_entry name="starting_dir" value="../../../test/data" />
      <config_entry name="query_template" value="identity_template=%identity_template%" />
      <config_entry name="query_template" value="p12_template=pkcs12/other/%p12_template%.p12" />
      <config_entry name="cert_prefix" value="" />
      <config_entry name="cert_suffix" value="" />
      <config_entry name="cert_and_pkey_prefix" value="" />
      <config_entry name="cert_and_pkey_suffix" value="" />
      <config_entry name="search_alias_list" value="file;london;paris" />
    </configuration>
    <configuration name="RKM_CFG">
      <config_entry name="transportSvc" value="https_cfg_1" />
      <config_entry name="logSvc" value="log_cfg_1" />
      <config_entry name="cacheSvc" value="cache_cfg_1" />
    </configuration>
  </configurations>
  <!-- Key for verifying signatures -->
  <public_key value="MIGJAoGBAKz9FryB0pF9ORANntp4daRY5DC7F0bPJj3wxlX035xzku1FWctx92tYYBr5i47JM1oggMDkd5yDRRiLFsMMMnN5ZDkRtbZHlAR255UmMdNkjDGmhtHQHGbpQokoErAxYQB4y2q68WfeACEoIL6uRGr+zu/kPJj83J/domg+Z5O7AgMBAAE=" />
</init>
Legacy Article ID: a38196
