I'm trying to use Google HSM encryption keys for my ForgeRock DS server in a Linux environment.
When I try to start the DS server, it throws this error: The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServer and the reason provided for the shutdown was An error occurred while attempting to bootstrap the Directory Server: The master key with alias 'Key1' does not exist in the 'GoogleHSM' key manager. Please check that the correct key manager has been configured and that it contains the specified master keys
The steps I took are below:
Created a project with a key and other details in Google HSM. The key name is Key1
Set the variables below:
export KMS_PKCS11_CONFIG="/app/libkmsp11-1.1-linux-amd64-fips/pkcs11-config.yaml"
export PKCS11_MODULE_PATH="/app/libkmsp11-1.1-linux-amd64-fips/libkmsp11.so"
Used the Cloud KMS library for PKCS#11, so I updated pkcs11-config.yaml to define the key ring. Sample below:
tokens:
- key_ring: projects//locations//keyRings/
In the ForgeRock config.ldif, I created a new Key Manager Provider and updated the Crypto Manager to point to the new Key Manager Provider:
dn: cn=GoogleHSM,cn=Key Manager Providers,cn=config
objectClass: top
objectClass: ds-cfg-key-manager-provider
objectClass: ds-cfg-pkcs11-key-manager-provider
cn: GoogleHSM
ds-cfg-java-class: org.opends.server.extensions.PKCS11KeyManagerProvider

dn: cn=Crypto Manager,cn=config
objectClass: top
objectClass: ds-cfg-crypto-manager
cn: Crypto Manager
ds-cfg-master-key-alias: Key1
ds-cfg-key-manager-provider: cn=GoogleHSM,cn=Key Manager Providers,cn=config
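An added diagnostic for the check behind this error, not part of the post above and not ForgeRock or Google code: the DS PKCS#11 key manager resolves ds-cfg-master-key-alias as a Java KeyStore alias, and the SunPKCS11 provider derives KeyStore aliases from each token object's CKA_LABEL. So the first thing to establish is which labels the Cloud KMS PKCS#11 module actually exposes for the configured key ring. The script below assumes OpenSC's pkcs11-tool is installed and that KMS_PKCS11_CONFIG and PKCS11_MODULE_PATH are exported exactly as in the post; it lists the token objects through the module and checks, with an exact string match, whether any object carries the label the Crypto Manager expects. The function and exit codes are my own; that the KMS library labels each object with the CryptoKey name is an assumption to be confirmed against the listing itself.

```shell
#!/bin/sh
# Added diagnostic, not from the original post.
# Assumes OpenSC's pkcs11-tool is on PATH and that KMS_PKCS11_CONFIG and
# PKCS11_MODULE_PATH are exported as in the post (the kmsp11 module reads the
# former when it is loaded, so the variables must be set in this shell).

# label_present LISTING LABEL
# Returns 0 if LISTING (text in the format printed by `pkcs11-tool --list-objects`)
# contains an object whose "label:" field is exactly LABEL. The match is exact
# because a Java KeyStore alias lookup is exact: "Key1" will not match "key1" or
# "Key1-v1", which is precisely the mismatch this DS error reports.
label_present() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "label:" && $2 == want { found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# labels_in LISTING
# Prints the distinct labels found, one per line, so a near-miss is visible at a glance.
labels_in() {
  printf '%s\n' "$1" | awk '$1 == "label:" { print $2 }' | sort -u
}

# check_token_alias ALIAS
# Live check: enumerates the token through the module and reports whether ALIAS exists.
# Exit codes: 0 found, 1 missing, 2 module could not be loaded or token not reachable.
check_token_alias() {
  alias_name="$1"
  if ! listing=$(pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects 2>&1); then
    echo "pkcs11-tool could not open the module or token:" >&2
    echo "$listing" >&2
    return 2
  fi
  if label_present "$listing" "$alias_name"; then
    echo "alias '$alias_name' is present on the token"
    return 0
  fi
  echo "alias '$alias_name' not found; labels the token exposes:" >&2
  labels_in "$listing" >&2
  return 1
}

# Usage against the real module (uncomment): the alias is the one from config.ldif.
# check_token_alias Key1
```

If the module loads but the listing is empty or shows only public objects, rerun the pkcs11-tool command with --login, since some modules hide private key objects until a session is logged in; if the module fails to load at all, the problem is upstream of DS (the pkcs11-config.yaml key ring path or the library path) rather than the alias.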