We hope to avoid buying expensive HSM hardware, so I need to ask here:
We have the following scenario and wonder if the NitroKey can handle it (we believe securing the server is of the essence here, not transactions):
Key Management System (KMS)
The key management system has to be implemented using SOA (Service Oriented Architecture). The key management system will be deployed in a J2EE container (Oracle WebLogic, JBoss or equivalent).
The key management system will be deployed in a domain with at least 2 clusters (PKI_CLUSTER, HSM_CLUSTER). The key management system enterprise application performs role-based access control using WS-Policy (web service security policy). The HSM (Hardware Security Module) Cryptoserver should be accessible over LAN using the PKCS#11 interface.
The system must come with an HSM, and the creation of hard tokens (key pairs) has to be done using the HSM (Hardware Security Module) Cryptoserver. The HSM (Hardware Security Module) Cryptoserver is only accessible from the local interface of PKI_CLUSTER and HSM_CLUSTER.
The system should be able to handle web service requests to create a certificate authority (CA) for an organization using a hard token. The system should be able to perform the life cycle management of X.509 certificates and CVCs (Card Verifiable Certificates) using CMP (Certificate Management Protocol). The system should allow the status (revoked/expired) verification of X.509 certificates and CVCs (Card Verifiable Certificates) over the internet using OCSP (Online Certificate Status Protocol). The system should provide a web service interface to make a certificate signing request (CSR) for a public key using the PKCS#10 standard. The system should be able to publish X.509 certificates and CVCs (Card Verifiable Certificates) using LDAP (Lightweight Directory Access Protocol).
To query the LDAP server for X.509 certificates and CVCs (Card Verifiable Certificates). The key management system should provide an admin web interface to perform certificate-related administrative tasks.
Changes / additions:
The wording “Key Management System (KMS). The key management system has to be … certificate related administrative tasks.” has been replaced by the wording “Key Management System (KMS)
- The key management system has to be implemented using SOA (Service Oriented Architecture).
- The key management system will be deployed in J2EE container (Oracle WebLogic, JBOSS or equivalent).
- The Key management system will be deployed in a domain with at least 2 clusters (PKI_CLUSTER, HSM_CLUSTER).
- The system should be able to handle web service requests to create a certificate authority (CA) for an organization using a soft token.
- The system should be able to perform the life cycle management of X.509 certificates & CVCs (Card Verifiable Certificates) using CMP (Certificate Management Protocol).
- The system should allow the status (revoked/expired) verification of X.509 certificates & CVCs (Card Verifiable Certificates) over the internet using OCSP (Online Certificate Status Protocol).
- The system should provide a web service interface to make a certificate signing request (CSR) for a public key using the PKCS#10 standard.
- The system should be able to publish X.509 certificates and CVCs (Card Verifiable Certificates) using LDAP (Lightweight Directory Access Protocol).
- To query the LDAP server for X.509 certificates & CVCs (Card Verifiable Certificates).
- The key management system should provide an admin web interface to perform certificate-related administrative tasks.
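The revised requirement list (soft-token CA, PKCS#10 CSR, life cycle with revocation, OCSP status) can be exercised end to end with nothing but the openssl command line. The script below is an added example, not code from the original post or from any of the products it names: it builds a file-based CA (the "soft token" of the revised requirement), accepts a PKCS#10 request, issues a certificate, revokes it, and answers an OCSP status query offline from the CA's index, verifying the signed response against the CA. All file names, subjects and the `demo_lifecycle` wrapper are invented for the demo; it assumes `openssl` 1.1.1 or 3.x is on PATH. A NitroKey or any other PKCS#11 device would take the place of `ca.key`/`ocsp.key` through an engine or provider, and CMP and LDAP publication are not shown.

```shell
#!/bin/sh
# Added example, not part of the original post: a file-based ("soft token") CA
# driven with the openssl CLI, exercising PKCS#10 -> issue -> revoke -> OCSP.
# Assumes `openssl` 1.1.1 or 3.x on PATH; every name below is made up.
set -eu

# Minimal openssl.cnf: [demo_ca] is what `openssl ca` needs (index, serial,
# key, cert); the *_ext sections are the certificate profiles. The heredoc is
# quoted so `$dir` reaches the config file unexpanded.
write_config() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = any_pol
x509_extensions = leaf_ext
[ any_pol ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = OCSPSigning
EOF
}

# Create the CA on a soft token: the signing key is an ordinary PEM file.
# A separate OCSP responder key is certified with EKU OCSPSigning, so the CA
# key itself never has to be online to answer status queries.
make_ca() {
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -extensions ca_ext -subj "/CN=Demo Org Root CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo OCSP Responder" -keyout ocsp.key -out ocsp.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions ocsp_ext \
    -in ocsp.csr -out ocsp.pem >/dev/null 2>&1
}

# Subscriber side: generate a key pair and a PKCS#10 CSR; the CA checks the
# CSR's self-signature (proof of possession of the private key) and signs it.
issue_leaf() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=service.example" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl req -config ca.cnf -in leaf.csr -noout -verify >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem >/dev/null 2>&1
}

# Revocation only updates the CA index; OCSP answers are derived from it.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise >/dev/null 2>&1
}

# Print "good" or "revoked" for certificate $1 over OCSP without a network:
# build the request, let the responder answer it from the index, then verify
# the signed response against the CA. `-reqout` alone exits non-zero
# ("Error creating connect BIO") although the request is written, hence the
# size check instead of relying on its exit status.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1 || true
  [ -s req.der ]
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -issuer ca.pem -CAfile ca.pem -cert "$1" -no_nonce -respin resp.der 2>/dev/null \
    | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Whole life cycle in a scratch directory; prints the status before and after
# revocation as one line ("good revoked").
demo_lifecycle() {
  work=$(mktemp -d)
  cd "$work"
  write_config
  make_ca
  issue_leaf
  before=$(ocsp_status leaf.pem)
  revoke_leaf
  after=$(ocsp_status leaf.pem)
  cd / && rm -rf "$work"
  echo "$before $after"
}

demo_lifecycle   # prints: good revoked
```

The delegated responder certificate is the part worth copying into a real deployment: `openssl ocsp` refuses a response whose signer is neither the issuing CA nor a certificate from that CA carrying the OCSPSigning EKU, which is exactly the property that lets the CA key stay on the HSM while a separate, LAN-reachable responder answers status queries.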