Hyperledger fabric 2.2v - Adding HSM to an existing network/application

Question

This is a pre-implementation question.

We have a working fabric(2.2) application with an org containing 2 peers, an intermediate CA with TLS enabled and are now planning to implement HSM to store org related private keys. I read from official doc and other articles that to use HSM we need to have PKCS11 enabled docker centOS images and the setup requires a complete rebuild of the binaries and network.

1. Can we setup HSM w/o disturbing the existing network?
2. Does peer's couchDB container requires to be reconfigured as well if the answer for Q1 is "yes"?
3. How do we transfer the available private keys from local MSP keystore to HSM slots?
4. What are the points to take care while implementing HSM along with TLS/TLS enable existing keys?
5. Do we have a ready script for this operation in any samples (I did not find it so far)?

(removed point 6 and rearranged)

6. I have seen very few people talking about implementing HSM with HLF, is there any major issue of usage.

Also please do provide a "take care" points before starting this operation.

Answer 1

PKCS11 is a standard interface, not a standard protocol. Each HSM vendor has its own protocol (usually over TCP). They provide a library that speaks their proprietary protocol that you install in your application.

So a HSM is "just" another TCP based service running outside your cluster. To some extent, you connect to an HSM the same way you would connect to a LDAP server:

1. Get a PIN to the HSM (similar to a password) and store it... somewhere
2. Install a library (ex: hsm-provider.so) and its configuration file in your environment
3. Open any firewall, SecurityGroup, VPC and whatnot to ensure TCP/IP connectivity
4. Let you application talk natively to the device as it would connect to any other serivce.

The specifics (especially local configuration) depend on the HSM provider. Here is a script that configures an HSM emulated in software for Hashicorp Vault. YMMV but this software emulator separates the HSM part from the networking part.

Once you figure out the HSM part, I suggest you look into Utimaco HSM emulator (registration required). You connect to the emulator via a TCP/IP connection, making it as real as can be from Hyperledger's point of view.

Answer 2

1. Yes, if you have enough peers or orderers running. You will need to restart the peer or order to use HSM one-by-one after setting the environment variable or the yaml file (Or even rebuild the binary with PKCS11). Since you do it one-by-one, other nodes that are running will keep the network alive.

2. Nope.

3. Depends on the HSM provider. They will provide you a binary to do that either by GUI or command line, which usually import pkcs12 (cert, public and private key). After import into the HSM, you may remove the private keys from MSP keystore as the Orderer and Peer binary will use the HSM for private key operation. (Of course you should backup them somewhere else)

4. Key for TLS server or client has to be stored locally. HSM is not supported for TLS yet.

5. No.

6. I assume this is same question as number 3

7. Ya, there exist some issues like the Java Chaincode does not have HSM support and you will need to write the PKCS11 implementation yourself and override the cryptoPrimitive.java.