PKCS#11 provider
The PKCS#11 provider component (aws.greengrass.crypto.Pkcs11Provider) enables you to configure the AWS IoT Greengrass Core software to use a hardware security module (HSM) through the PKCS#11 interface.
To provision a Greengrass core device that stores its certificate and private key in an HSM, you must specify this component as a provisioning plugin when you install the AWS IoT Greengrass Core software. For more information, see Install AWS IoT Greengrass Core software with manual resource provisioning.
AWS IoT Greengrass provides this component as a JAR file that you can download and specify as a provisioning plugin during installation. You can download the latest version of the component's JAR file at the following URL: https://d2s8p88vqu9w66.cloudfront.net/releases/Pkcs11Provider/aws.greengrass.crypto.Pkcs11Provider-latest.jar
Versions
This component has the following versions:
- 2.0.x
Type
This component is a plugin component (aws.greengrass.plugin). The Greengrass nucleus runs this component in the same Java Virtual Machine (JVM) as the nucleus. The nucleus restarts when you change this component's version on the core device.
This component uses the same log file as the Greengrass nucleus. For more information, see Monitor AWS IoT Greengrass logs.
For more information, see Component types.
Operating system
This component can be installed on Linux core devices only.
Requirements
This component has the following requirements:
- A hardware security module that supports the PKCS#1 v1.5 signature scheme and RSA keys with an RSA-2048 key size (or larger) or ECC keys.
  Note: To use a hardware security module with ECC keys, you must use Greengrass nucleus v2.5.6 or later. To use a hardware security module and secret manager, you must use a hardware security module with RSA keys.
- A PKCS#11 provider library that the AWS IoT Greengrass Core software can load at runtime (using libdl) to invoke PKCS#11 functions. The PKCS#11 provider library must implement the following PKCS#11 API operations:
  - C_Initialize
  - C_Finalize
  - C_GetSlotList
  - C_GetSlotInfo
  - C_GetTokenInfo
  - C_OpenSession
  - C_GetSessionInfo
  - C_CloseSession
  - C_Login
  - C_Logout
  - C_GetAttributeValue
  - C_FindObjectsInit
  - C_FindObjects
  - C_FindObjectsFinal
  - C_DecryptInit
  - C_Decrypt
  - C_DecryptUpdate
  - C_DecryptFinal
  - C_SignInit
  - C_Sign
  - C_SignUpdate
  - C_SignFinal
  - C_GetMechanismList
  - C_GetMechanismInfo
  - C_GetInfo
  - C_GetFunctionList
- The hardware module must be resolvable by slot label, as defined in the PKCS#11 specification.
- You must store the private key and certificate in the HSM in the same slot, and they must use the same object label and object ID, if the HSM supports object IDs.
- The certificate and private key must be resolvable by object labels.
- The private key must have the following permissions:
  - sign
  - decrypt
- (Optional) To use the secret manager component, you must use version 2.1.0 or later, and the private key must have the following permissions:
  - unwrap
  - wrap
- (Optional) If you are using the TPM2 library and running the Greengrass core as a service, you must provide an environment variable with the location of the PKCS#11 store. The following example is a systemd service file with the required environment variable:

  [Unit]
  Description=Greengrass Core
  After=network.target

  [Service]
  Type=simple
  PIDFile=/var/run/greengrass.pid
  Environment=TPM2_PKCS11_STORE=/path/to/store/directory
  RemainAfterExit=no
  Restart=on-failure
  RestartSec=10
  ExecStart=/bin/sh /greengrass/v2/alts/current/distro/bin/loader

  [Install]
  WantedBy=multi-user.target
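One way to check the object requirements above before provisioning (private key and certificate under the same label with matching object IDs, key permitted to sign and decrypt, and wrap/unwrap when the secret manager component is used) is to parse the token's object listing. This is an added example, not code from the AWS page or the Greengrass project; it assumes the listing format printed by `pkcs11-tool --list-objects`, embeds a constructed sample in place of a real HSM, and `iotdevicekey` is a hypothetical object label.

```python
import re
from typing import Dict, List

# Constructed sample of `pkcs11-tool --module <lib> --slot <id> --login --list-objects`
# output (assumed format, not from the AWS page). Key, certificate and public key share
# the label and object ID; the private key is deliberately missing the 'wrap' permission.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      iotdevicekey
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      iotdevicekey
  subject:    DN: CN=core-device-01
  ID:         01
Public Key Object; RSA 2048 bits
  label:      iotdevicekey
  ID:         01
  Usage:      encrypt, verify, wrap
"""

def parse_objects(listing: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per object; 'type' holds the header line."""
    objects: List[Dict[str, str]] = []
    for line in listing.splitlines():
        if line.strip() and not line.startswith(" "):
            objects.append({"type": line.strip()})          # new object header
        elif objects:
            m = re.match(r"\s+(\w+):\s*(.*)", line)          # indented attribute line
            if m:
                objects[-1][m.group(1).lower()] = m.group(2).strip()
    return objects

def check_greengrass_objects(listing: str, label: str, secret_manager: bool = False) -> List[str]:
    """Return the Greengrass HSM requirements that the objects under `label` fail."""
    problems: List[str] = []
    objs = [o for o in parse_objects(listing) if o.get("label") == label]
    keys = [o for o in objs if o["type"].startswith("Private Key Object")]
    certs = [o for o in objs if o["type"].startswith("Certificate Object")]
    if len(keys) != 1 or len(certs) != 1:
        return [f"expected exactly one private key and one certificate labelled {label!r}"]
    key, cert = keys[0], certs[0]
    if key.get("id") != cert.get("id"):
        problems.append("private key and certificate must share the same object ID")
    usage = {u.strip() for u in key.get("usage", "").split(",") if u.strip()}
    required = {"sign", "decrypt"} | ({"wrap", "unwrap"} if secret_manager else set())
    for perm in sorted(required - usage):
        problems.append(f"private key lacks the '{perm}' permission")
    return problems
```

Run it against the real listing from the slot you intend to configure; an empty result means the label satisfies the requirements for the selected mode.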
Dependencies
When you deploy a component, AWS IoT Greengrass also deploys compatible versions of its dependencies. This means that you must meet the requirements for the component and all of its dependencies to successfully deploy the component. This section lists the dependencies for the released versions of this component and the semantic version constraints that define the component versions for each dependency. You can also view the dependencies for each version of the component in the AWS IoT Greengrass console.
For more information about component dependencies, see the component recipe reference.
Configuration
This component provides the following configuration parameters that you can customize when you deploy the component.
name
- A name for the PKCS#11 configuration.
library
- The absolute file path to the PKCS#11 implementation's library that the AWS IoT Greengrass Core software can load with libdl.
slot
- The ID of the slot that contains the private key and device certificate. This value is different from the slot index or slot label.
userPin
- The user PIN to use to access the slot.
Example: Configuration merge update
{
  "name": "softhsm_pkcs11",
  "library": "/usr/lib/softhsm/libsofthsm2.so",
  "slot": 1,
  "userPin": "1234"
}
Local log file
This component uses the same log file as the Greengrass nucleus component.
To view this component's logs
- Run the following command on the core device to view this component's log file in real time. Replace /greengrass/v2 or C:\greengrass\v2 with the path to the AWS IoT Greengrass root folder.
Changelog
The following table describes the changes in each version of the component.
Version | Changes
---|---
2.0.9 | Version updated for Greengrass nucleus version 2.14.0 release.
2.0.8 | Version updated for Greengrass nucleus version 2.13.0 release.
2.0.7 | Version updated for Greengrass nucleus version 2.12.0 release.
2.0.6 | Version updated for Greengrass nucleus version 2.11.0 release.
2.0.5 | Version updated for Greengrass nucleus version 2.10.0 release.
2.0.4 | Version updated for Greengrass nucleus version 2.9.0 release.
2.0.3 | Version updated for Greengrass nucleus version 2.8.0 release.
2.0.2 | Version updated for Greengrass nucleus version 2.7.0 release.
2.0.1 | Version updated for Greengrass nucleus version 2.6.0 release.
2.0.0 | Initial version.