Can do?

We hope to avoid buying expensive HSM hardware. So, I need to ask here:

We have the following scenario and wonder if the NitroKey can handle it (we believe securing the server is of the essence here, not the transactions):

Key Management System (KMS)

The key management system has to be implemented using SOA (Service Oriented Architecture). The key management system will be deployed in a J2EE container (Oracle WebLogic, JBOSS or equivalent).

The key management system will be deployed in a domain with at least 2 clusters (PKI_CLUSTER, HSM_CLUSTER). The key management system enterprise application performs role based access control using WS-Policy (Web service security policy). The HSM (Hardware Security Module) Cryptoserver should be accessible over LAN using the PKCS#11 interface.

The system must come with an HSM, and the creation of hard tokens (key pairs) has to be done using the HSM (Hardware Security Module) Cryptoserver. The HSM (Hardware Security Module) Cryptoserver is only accessible from the local interface of PKI_CLUSTER and HSM_CLUSTER.

The system should be able to handle web service requests to create a certificate authority (CA) for an organization using a hard token. The system should be able to perform the life cycle management of an X.509 certificate & CVC (Card verifiable certificates) using CMP (Certificate Management Protocol). The system should allow the status (revoked/expired) verification of X.509 certificates & CVC (Card verifiable certificates) over the internet using OCSP (Online Certificate Status Protocol). The system should provide a web service interface to make a certificate signing request (CSR) for a public key using the PKCS#10 standard. The system should be able to publish X.509 certificates and CVC (Card verifiable certificates) using LDAP (Lightweight Directory Access Protocol).

To query the LDAP server for X.509 certificates & CVC (Card verifiable certificates). The key management system should provide an Admin Web Interface to perform certificate related administrative tasks.

changes / additions:

The wording “Key Management System (KMS). The key management system has to be … certificate related administrative tasks.” has been replaced by the wording “Key Management System (KMS)

  1. The key management system has to be implemented using SOA (Service Oriented Architecture).
  2. The key management system will be deployed in a J2EE container (Oracle WebLogic, JBOSS or equivalent).
  3. The Key management system will be deployed in a domain with at least 2 clusters (PKI_CLUSTER, HSM_CLUSTER).
  4. The system should be able to handle web service requests to create a certificate authority (CA) for an organization using a soft token.
  5. The system should be able to perform the life cycle management of an X.509 certificate & CVC (Card verifiable certificates) using CMP (Certificate Management Protocol).
  6. The system should allow the status (revoked/expired) verification of X.509 certificates & CVC (Card verifiable certificates) over the internet using OCSP (Online Certificate Status Protocol).
  7. The system should provide a web service interface to make a certificate signing request (CSR) for a public key using the PKCS#10 standard.
  8. The system should be able to publish X.509 certificates and CVC (Card verifiable certificates) using LDAP (Lightweight Directory Access Protocol).
  9. To query the LDAP server for X.509 certificates & CVC (Card verifiable certificates).
  10. The key management system should provide an Admin Web Interface to perform certificate related administrative tasks.”

In general you can use Nitrokey HSM in a system which fulfills your requirements. We don’t provide an overall key management software, but Nitrokey HSM is hardware which could be integrated into potentially any software system. For this purpose we provide an SDK which makes integration easy. Most of your stated requirements are related to the software level (e.g. OCSP, CMP, LDAP, SOA), which would need to be fulfilled by your chosen key management software.

PKCS#11 is not a network protocol, and our HSM has a USB interface but not a network interface. I believe you mean that the HSM will be integrated into your local key management software via a PKCS#11 “driver”. Your key management software will be accessible over LAN (e.g. as a web service). Yes, that’s absolutely possible.

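To make the integration model in the answer above concrete for a J2EE shop: the PKCS#11 module is a shared library loaded inside the Java process on the machine the token is plugged into, the private key stays on the token, and only the application (not the token) is reachable over the LAN. The following is an added example written for this thread, not Nitrokey's SDK or any code from the forum. It uses only the JDK's built-in SunPKCS11 provider (Java 9 or later). The OpenSC module path, the `HSM_USER_PIN` environment variable and the key alias `kms-signing-key` are assumptions; an RSA key pair with a certificate must already exist on the token under that alias.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/**
 * Signs data with a key that lives on a USB-attached PKCS#11 token
 * (for example Nitrokey HSM through the OpenSC PKCS#11 module).
 * The token is local to this host; a KMS would wrap this class in a
 * service that it exposes over the LAN.
 */
public class HsmSigner {

    // Assumed path of the OpenSC PKCS#11 module on a Debian/Ubuntu host.
    static final String PKCS11_LIBRARY = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so";

    /** Writes a SunPKCS11 configuration file and returns the configured provider. */
    static Provider loadProvider() throws IOException {
        Path cfg = Files.createTempFile("nitrokey-pkcs11", ".cfg");
        cfg.toFile().deleteOnExit();
        String config = "name = NitrokeyHSM\n"
                + "library = " + PKCS11_LIBRARY + "\n"
                + "slotListIndex = 0\n";       // first slot reported by the module
        Files.write(cfg, config.getBytes(StandardCharsets.UTF_8));
        Provider hsm = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(hsm);
        return hsm;
    }

    /** Logs in to the token; the PIN is sent to the device and not persisted anywhere. */
    static KeyStore openToken(Provider hsm, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);
        return ks;
    }

    /** Signs with a token-resident key; SunPKCS11 runs the operation on the HSM. */
    static byte[] sign(Provider hsm, KeyStore ks, String alias, byte[] data) throws Exception {
        // getKey returns a handle object; the private key material never leaves the token.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new IllegalArgumentException("no private key with alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA", hsm);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verifies with the public certificate stored beside the key, using the default software provider. */
    static boolean verify(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        PublicKey pub = cert.getPublicKey();
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "kms-signing-key";   // assumed alias
        String pin = System.getenv("HSM_USER_PIN");                      // assumed env var
        if (pin == null) {
            throw new IllegalStateException("HSM_USER_PIN is not set");
        }
        Provider hsm = loadProvider();
        KeyStore ks = openToken(hsm, pin.toCharArray());
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("token object: " + a);
        }
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);  // constructed input
        byte[] sigBytes = sign(hsm, ks, alias, msg);
        System.out.println("signature length: " + sigBytes.length
                + ", verifies: " + verify(ks, alias, msg, sigBytes));
    }
}
```

Run it as `HSM_USER_PIN=... java HsmSigner kms-signing-key` on the host the token is plugged into. The design point for the requirement list above: the HSM_CLUSTER nodes are the only machines with a token and this module installed, and the rest of the system talks to them through the KMS web service, not through PKCS#11.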
This is an incredibly nice answer, exactly what I was looking for, especially since there seems to be the requirement for clustering. A possible solution for clustering is described here:
smartcard-hsm.com/2015/11/20/Building-a-SmartCard-HSM-Cluster.html

As for the Key Management Software, it seems software like StrongKey (i.e. CryptoCabinet) could do the job:
sourceforge.net/projects/skcc/ or cryptocabinet.strongauth.com

IBM also has an Open Source solution detailed here based on Java: ibm.com/developerworks/library/se-kmip4j/

Source:
stackoverflow.com/questions/13384443/open-source-key-management-solution

Again, thank you for your answer and I know now what to write to the potential client of ours!