Creating the GREP11 container

The GREP11 virtual server supports the Schnorr signature. The Schnorr algorithm can be used as a signing scheme to generate digital signatures. It is proposed as an alternative to the Elliptic Curve Digital Signature Algorithm (ECDSA) for cryptographic signatures in the Bitcoin system. Schnorr signatures are known for their simplicity and efficiency.

The GREP11 virtual server supports the Ed25519 public-key signature system. Ed25519 provides advantages such as fast single-signature and batch-signature verification, fast signing and key generation, and compact signatures and keys.

The GREP11 virtual server supports BIP32. BIP32 defines how to derive private and public keys of a wallet from a binary master seed (m) and an ordered set of indices.

The GREP11 virtual server also supports SLIP-0010. SLIP-0010 describes how to derive private and public key pairs for curve types different from secp256k1.

You can connect to your Enterprise PKCS #11 (EP11) instantiation by using a gRPC (GREP11) container on the Secure Service Container partition, and then use the Hardware Security Module (HSM) to perform numerous cryptographic operations, such as generating asymmetric (public and private) key pairs for digital signing and verification, or generating symmetric keys for encrypting data as needed by the deployed applications. For more information, see EP11.

This procedure is intended for users with the cloud administrator role.

Before you begin

  • Refer to the checklist that you prepared for the Hyper Protect Virtual Server in the Planning for the environment topic.
  • Check with your system administrator that the crypto express domain is configured in the EP11 mode. For more information, see Chapter 8 - Using the Crypto Module Notebook to administer EP11 crypto modules in the Cryptographic Services ICSF Trusted Key Entry Workstation (TKE) User's Guide. If the link does not work, you can copy and paste the URL in your internet browser: https://www.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R4SC147511.
  • Check with your system administrator that the master key is initialized. For more information, see Trusted Key Entry (TKE) CCA Playlist Introduction, and the Reviewing and changing current logical partition cryptographic controls topic in the Processor Resource/Systems Manager Planning Guide.
  • Check that you have installed the CLI tool on your x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server as a part of Setting up the environment by using the setup script.
  • Only the CEX8P and CEX7P cards support ED25519. This applies if you want to use ED25519 to sign or encrypt data.
  • The CEX8P, CEX7P, and CEX6P cards support BIP32 and SLIP-0010. If you want to use BIP32 or SLIP-0010, you must complete the following configuration procedures.
    • Contact IBM support to install the EP11 firmware update on the EP11 crypto module. For z16 systems, the MCL version is P30751.003, with the CEX8P card at EP11 Level 5.8.17-1. For z15 systems, the MCL version is P46647.010, with the CEX7P card at EP11 Level 4.7.22-4. For z14 systems, the MCL version is P41459.007 or later, with the CEX6P card at EP11 Level 3.6.18.1 or later.
    • To enable the new control point (bit 66) in the absence of TKE catcher program support, you can zeroize and re-initialize the domain (or domain group). The EP11 firmware update changes the zeroized state of the new control point from off (disabled) to on (enabled).
  • The CEX8P, CEX7P, and CEX6P cards support Schnorr signatures. If you want to use Schnorr signatures, you must complete the following configuration procedures.
    • Contact IBM support to install the EP11 firmware update on the EP11 crypto module. For z16 systems, the MCL version is P30751.003, with the CEX8P card at EP11 Level 5.8.17-1. For z15 systems, the MCL version is P46647.012, with the CEX7P card at EP11 Level 4.7.24-1. For z14 systems, the MCL version is P41459, with the CEX6P card at EP11 Level 3.7.14-1.
    • To enable the new control point (bit 67) in the absence of TKE catcher program support, you can zeroize and re-initialize the domain (or domain group). The EP11 firmware update changes the zeroized state of the new control point from off (disabled) to on (enabled).

Procedure

On your x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server, complete the following steps with root user authority.

  1. Generate certificates for the secure communication between the Hyper Protect GREP11 container and the grep11 client. For more information on generating the certificates, see Creating OpenSSL certificates for GREP11 virtual servers. Copy the keys to the $HOME/hpvs/config/grep11/keys directory on your x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server.

  2. Check the available crypto domains on the HSM by using the hpvs crypto list command. For more information about the crypto commands, see Commands in IBM Hyper Protect virtual servers.

     hpvs crypto list
    

    The command shows output similar to the following, indicating the status of each crypto domain.

    +---------------+--------+
    | CRYPTO.DOMAIN | STATUS |
    +---------------+--------+
    | 07.0000       | online |
    | 07.0007       | online |
    | 07.0009       | online |
    | 09.0000       | online |
    | 09.0007       | online |
    | 09.0009       | online |
    | 09.0007       | in use |
    +---------------+--------+
    

    Note:

    • Use a crypto domain that is online. In this example it is 07.0007, which is set as "EP11SERVER_EP11CRYPTO_DOMAIN":"07.0007" in the environment configuration.
  3. Choose one of the options to provision the instance:

By using the yaml configuration file and hpvs deploy command

This is the recommended option to provision the instance because it is easy to use and makes it simple to create multiple instances quickly.

  1. If necessary, update the template file $HOME/hpvs/config/templates/virtualserver.template.yml based on the networking configuration of the Hyper Protect Virtual Server instance. The vs_grep11.yml file, which holds the configuration details for the virtual server, refers to the corresponding sections of virtualserver.template.yml when you run the hpvs deploy command. For example, the network: ref value refers to a networktemplates definition in the template file.

    version: v1
    type: virtualserver-template
    networktemplates:
    -  name: external_network
       subnet: "10.20.4.0/22"
       gateway: "10.20.4.1"
       parent: encf900
       driver: macvlan
    -  name: internal_network
       subnet: "192.168.40.0/24"
       gateway: "192.168.40.1"
       parent: encf900
       driver: bridge
    quotagrouptemplates:
    # Passthrough quotagroup templates - A quotagroup is dynamically created based
    # on the template and attached as a single volume mount point to the virtual server.
    # Allowed filesystem types for a passthrough quotagroup are btrfs, ext4, and xfs.
    -  name: p-small
       size: 20GB
       filesystem : ext4
       passthrough: true
    -  name: p-medium
       size: 50GB
       filesystem : ext4
       passthrough: true
    -  name: p-large
       size: 100GB
       filesystem : ext4
       passthrough: true
    -  name: p-xlarge
       size: 200GB
       filesystem : ext4
       passthrough: true
    -  name: p-xxlarge
       size: 400GB
       filesystem : ext4
       passthrough: true
    # Non-passthrough quotagroup definitions - These quotagroups can be shared by
    # creating multiple volume mount points within the same virtual server or across
    # multiple virtual servers. A non-passthrough quotagroup is dynamically created based
    # on the template and attached as volume mount points to the virtual server.
    # Only the btrfs filesystem is supported for non-passthrough quotagroups;
    # mount points attached to a virtual server can have filesystem btrfs, ext4, or xfs.
    -  name: np-small
       size: 20GB
       passthrough: false
    -  name: np-medium
       size: 50GB
       passthrough: false
    -  name: np-large
       size: 100GB
       passthrough: false
    -  name: np-xlarge
       size: 200GB
       passthrough: false
    -  name: np-xxlarge
       size: 400GB
       passthrough: false
    resourcedefinitiontemplates:
    -  name: default
       cpu: 1
       memory: 1024
    -  name: small
       cpu: 2
       memory: 2048
    -  name: large
       cpu: 4
       memory: 4096
    -  name: xl
       cpu: 8
       memory: 8192
    -  name: xxl
       cpu: 12
       memory: 12288
    
  2. Create the configuration yaml file $HOME/hpvs/config/grep11/demo_grep11.yml for the instance by referring to the example file $HOME/hpvs/config/grep11/vs_grep11.yml.

    The following is an example of a vs_grep11.yml file that uses port mapping for the network.

    version: v1
    type: virtualserver
    virtualservers:
    - name: test-grep11
      host: SSC_LPAR_NAME
      repoid: hpcsKpGrep11_runq
      imagetag: 1.2.7.9
      hostname: grep11.example.com
      imagefile: hpcsKpGrep11_runq.tar.gz
      imagecache: true
      crypto:
         crypto_matrix:
          - 07.0007
      networks:
       - ref:  external_network
         ipaddress: 10.20.4.12
      environment:
       - key: EP11SERVER_EP11CRYPTO_DOMAIN
         value: "07.0007"
       - key: EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CERTFILEBYTES
         value: "@/root/hpvs/config/grep11/keys/server.pem"
       - key: EP11SERVER_EP11CRYPTO_CONNECTION_TLS_KEYFILEBYTES
         value: "@/root/hpvs/config/grep11/keys/server-key.pem"
       - key: EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CACERTBYTES
         value: "@/root/hpvs/config/grep11/keys/ca.pem"
       - key: EP11SERVER_EP11CRYPTO_CONNECTION_TLS_ENABLED
         value: "true"
       - key: EP11SERVER_EP11CRYPTO_CONNECTION_TLS_MUTUAL
         value: "true"
       - key: TLS_GRPC_CERTS_DOMAIN_CRT
         value: "\\n"
       - key: TLS_GRPC_CERTS_DOMAIN_KEY
         value: "\\n"
       - key: TLS_GRPC_CERTS_ROOTCA_CRT
         value: "\\n"
    

    You must access the GREP11 service through port 9876. In this example, the network definition is for an external network. For more information on other network configurations, see Network requirements for Hyper Protect Virtual Server.

  3. Create the instance by using the configurations in the yaml file.

    hpvs deploy --config $HOME/hpvs/config/grep11/demo_grep11.yml
    

    Note:

    • You can use the hpvs undeploy command to delete this virtual server. For more information, see Undeploying virtual servers.
    • You can update the resources or configuration of a virtual server after the completion of the deploy operation by using the -u, or the --update flag of the hpvs deploy command. For more information, see Updating virtual servers.

By using the hpvs vs create command

  1. Upload the GREP11 image to the Secure Service Container partition by using the hpvs image load command.

     hpvs image load --file $HOME/hpvs/config/grep11/images/hpcsKpGrep11_runq.tar.gz
    
  2. Create the grep11_env.json file with the following content.

     {
      "EP11SERVER_EP11CRYPTO_DOMAIN":"07.0007",
      "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CERTFILEBYTES":"@/$HOME/hpvs/config/grep11/keys/server.pem",
      "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_KEYFILEBYTES":"@/$HOME/hpvs/config/grep11/keys/server-key.pem",
      "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CACERTBYTES":"@/$HOME/hpvs/config/grep11/keys/ca.pem",
      "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_ENABLED":true,
      "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_MUTUAL":true,
      "EP11SERVER_EP11CRYPTO_ENABLED":"true",
      "TLS_GRPC_CERTS_DOMAIN_CRT":"\\n",
      "TLS_GRPC_CERTS_DOMAIN_KEY":"\\n",
      "TLS_GRPC_CERTS_ROOTCA_CRT":"\\n"
     }
    

    Note: The server.pem, server-key.pem, and ca.pem files are created as part of generating the certificates for the secure communication between the Hyper Protect GREP11 container and the grep11 client.

  3. Create the external network for the GREP11 virtual server.

    hpvs network create --name external_network --driver macvlan --parent encf900 --subnet 10.20.4.0/22 --gateway 10.20.4.1
    

    For more information about the hpvs network command, see Commands in IBM Hyper Protect Virtual Servers. For more information about the network in IBM Hyper Protect Virtual Servers, see Network requirements for Hyper Protect Virtual Server.

  4. Create the GREP11 container by running the hpvs vs create command.

    hpvs vs create --name grep11container --repo hpcsKpGrep11_runq --tag 1.2.7.9 --crypto_matrix=07.0007 --cpu 2 --ram 2048 --envjsonpath /Users/username/hpvs_config/crypto/grep11_env.json --network "{name = external_network, ip = 10.20.4.12}"
    

    Note: You can update the resources or configuration of a virtual server after the virtual server is created by using the hpvs vs update command. For more information, see Updating Hyper Protect Virtual Server containers.
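Before running hpvs deploy or hpvs vs create, it is worth checking that the chosen crypto domain is actually online and that the environment file does not silently weaken the transport security of the GREP11 endpoint. The following pre-flight script is an added example and is not part of IBM's documentation or the hpvs tool: it parses the table printed by hpvs crypto list (a constructed sample in the same shape as the output in step 2 is embedded), loads a grep11_env.json (a constructed sample with placeholder paths), and reports a domain that is not online, TLS or mutual TLS switched off, and @file certificate references that do not resolve to an existing file.

```python
"""Pre-flight checks for a GREP11 deployment (added example, not IBM code)."""
import json
import os
import re

# Constructed sample of `hpvs crypto list` output, same shape as the doc's table.
SAMPLE_CRYPTO_LIST = """\
+---------------+--------+
| CRYPTO.DOMAIN | STATUS |
+---------------+--------+
| 07.0000       | online |
| 07.0007       | online |
| 09.0009       | in use |
+---------------+--------+
"""

# Constructed sample grep11_env.json; the @ paths are placeholders.
SAMPLE_ENV_JSON = """\
{
  "EP11SERVER_EP11CRYPTO_DOMAIN": "07.0007",
  "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CERTFILEBYTES": "@/root/hpvs/config/grep11/keys/server.pem",
  "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_KEYFILEBYTES": "@/root/hpvs/config/grep11/keys/server-key.pem",
  "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CACERTBYTES": "@/root/hpvs/config/grep11/keys/ca.pem",
  "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_ENABLED": true,
  "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_MUTUAL": "true",
  "EP11SERVER_EP11CRYPTO_ENABLED": "true"
}
"""

CERT_KEYS = (
    "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CERTFILEBYTES",
    "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_KEYFILEBYTES",
    "EP11SERVER_EP11CRYPTO_CONNECTION_TLS_CACERTBYTES",
)

# Matches a data row such as "| 07.0007       | online |" (domain, then status).
ROW_RE = re.compile(r"^\|\s*(\d{2}\.\d{4})\s*\|\s*([^|]+?)\s*\|$")


def parse_crypto_list(text):
    """Return {domain: status} from the ASCII table printed by hpvs crypto list."""
    domains = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            domains[m.group(1)] = m.group(2)
    return domains


def load_env(text):
    """Parse the grep11_env.json content into a dict."""
    return json.loads(text)


def as_bool(value):
    """The env file may carry JSON booleans or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_env(env, domains, exists=os.path.exists):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    domain = env.get("EP11SERVER_EP11CRYPTO_DOMAIN")
    if domain not in domains:
        problems.append(f"domain {domain!r} is not listed by hpvs crypto list")
    elif domains[domain] != "online":
        problems.append(f"domain {domain} is {domains[domain]!r}, not online")
    if not as_bool(env.get("EP11SERVER_EP11CRYPTO_CONNECTION_TLS_ENABLED")):
        problems.append("TLS is disabled: gRPC traffic on port 9876 would be cleartext")
    if not as_bool(env.get("EP11SERVER_EP11CRYPTO_CONNECTION_TLS_MUTUAL")):
        problems.append("mutual TLS is disabled: clients are not authenticated by certificate")
    for key in CERT_KEYS:
        ref = str(env.get(key, ""))
        if not ref.startswith("@"):
            problems.append(f"{key} must reference a file with the @ prefix")
        elif not exists(ref[1:]):
            problems.append(f"{key}: {ref[1:]} does not exist")
    return problems


def preflight(crypto_list_text, env_json_text, exists=os.path.exists):
    """Run every check against raw hpvs crypto list output and env JSON text."""
    return check_env(load_env(env_json_text), parse_crypto_list(crypto_list_text), exists)


if __name__ == "__main__":
    # With the placeholder paths the file checks fail, which is the expected report.
    for problem in preflight(SAMPLE_CRYPTO_LIST, SAMPLE_ENV_JSON):
        print("FAIL:", problem)
```

On the management server you would feed the script the real output of hpvs crypto list and your own grep11_env.json; the exists parameter only exists so the file check can be exercised without the key files present.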

For more information about the TKE, see the video on YouTube: TKE Introduction Videos 1 Introduction to TKE.

Next

You can update your application to use the asymmetric key pairs provided by the GREP11 containers.