Merge pull request #228331 from msmbaldwin/dhsm-misc

Added Azure Managed HSM TLS Offload Library article

Author: Maggiemouse1

articles/key-vault/managed-hsm/tls-offload-library.md

@@ -0,0 +1,244 @@
+---
+title: Azure Managed HSM TLS Offload Library
+description: Azure Managed HSM TLS Offload Library
+services: key-vault
+author: msmbaldwin
+ms.service: key-vault
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 02/25/2023
+ms.author: mbaldwin
+---
+
+# Azure Managed HSM TLS Offload Library
+
+Azure Managed HSM offers a TLS Offload library, which is compliant with PKCS#11 version 2.40. Azure Managed HSM doesn't support all  functions listed in the PKCS#11 specification; instead, the TLS Offload library supports a limited set of mechanisms and interface functions for SSL/TLS Offload with F5 (BigIP) and Nginx only, primarily to generate TLS server certificate keys and generate digital signatures during TLS handshakes.
+
+For more information, see [Azure Managed HSM TLS Offload Library GitHub](https://github.com/microsoft/AzureManagedHsmTLSOffload).
+
+The TLS Offload Library internally uses the Azure Key Vault REST API to interact with Azure Managed HSM.
+
+## Get started
+
+### PKCS#11 attributes
+
+To properly integrate with PKCS#11, generating keys (via C_GenerateKeyPair) and locating key objects (via C_FindObjectsInit/C_FindObjects) requires a solution for storing PKCS#11 attributes on the Azure Key Vault key object. The TLS Offload Library converts these necessary PKCS#11 attributes into Azure Key Vault Tags.
+
+These "Attribute Tags" have a special prefix:
+- p11_pri_{P11 Attribute Name} - Private Key Attributes
+- p11_pub_{P11 Attribute Name} - Public Key Attributes
+
+The TLS Offload library properly sets the Azure Key Vault Key Operations and Key Lifetime attributes so the service can properly enforce these restrictions on the generated keys. These attributes are also stored as tags like other PKCS#11 attributes to support query capabilities.  
+
+Applications that use the TLS Offload Library use one or more PKCS#11 attributes to locate and use the key objects.
+
+> [!WARNING]
+> Keys generated by the TLS Offload Library and their Tags are accessible over Azure Key Vault REST API. Manipulating these P11 Attribute Tags using Azure Key Vault REST API may break the TLS Offload Library applications.
+
+### Key generation
+
+The TLS Offload Library includes a key creation tool, mhsm_p11_create_key. Running the tool without any command line arguments shows the correct usage of the tool.
+
+The key creation tool requires a service principal, which is assigned to the "Managed HSM Crypto User" role at the "/keys" scope.
+
+The key creation tool reads the service principal credentials from the environment variables MHSM_CLIENT_ID and MHSM_CLIENT_SECRET.
+- MHSM_CLIENT_ID – must be set to the service principal's application (client) ID
+- MHSM_CLIENT_SECRET – must be set to the service principal's password (client secret)
+
+The key creation tool randomly generates a name for the key at the time of creation. The full Azure Key Vault key ID and the key name are printed to the console for your convenience.
+
+```azurepowershell
+MHSM_CLIENT_ID="<service-principal-application-id>" \
+MHSM_CLIENT_SECRET="<service-principal-password>" \
+mhsm_p11_create_key --RSA 4K --label tlsKey
+
+Key is generated successfully. \
+Managed HSM Key ID: https://myhsm.managedhsm.azure.net/keys/p11-6a2155dc40c94367a0f97ab452dc216f/92f8aa2f1e2f4dc1be334c09a2639908 \
+Key Name: p11-6a2155dc40c94367a0f97ab452dc216f
+```
+
+The `--label` argument to the key creation tool specifies the desired CKA_LABEL for the private and public keys generated. These attributes are typically required to configure supported TLS Offload solutions (for example, the nginx SSL configuration setting `ssl_certificate_key').
+
+You need the key name for any role assignment changes via the Azure CLI.
+
+### Access control
+
+The TLS Offload Library translates the C_FindObjectsInit into an Azure Key Vault REST API call, which operates at the /keys scope. The MHSM service requires the Read permission at this scope for the TLS Offload Library User to authorize the find operation for the keys created via the key creation tool.
+
+For more information on Azure Managed HSM local RBAC, see:
+
+- [Azure Managed HSM local RBAC built-in roles](built-in-roles.md)
+- [Azure Managed HSM role management](role-management.md)
+
+The following section describes different approaches to implement access control for the TLS Offload Library service principal.
+
+#### TLS Offload service principal
+
+The TLS Offload service principal is used by the application that uses TLS Offload Library to access keys, and should have at minimum the following permission via role assignments:
+- KeyRead permission to all the keys in the managed HSM
+- KeySign permission to the keys necessary for TLS offloading
+
+#### Admin User
+
+The Admin User will create a custom role definition and role assignments. Hence, the Admin User should be assigned to one of the following Built-in roles at the "/" scope:
+- Managed HSM Crypto Officer
+- Managed HSM Policy Administrator
+- Managed HSM Administrator
+
+#### Key generation service principal
+
+The key generation service principal is used with the key creation tool (mhsm_p11_create_key) to generate TLS offload keys. This service principal should be assigned to the "Managed HSM Crypto User" role at the "/keys" scope.
+
+#### Azure CLI
+
+Azure CLI can be used to perform tasks such as role assignment.
+
+### Permissive approach
+
+The permissive approach is simpler, and suitable when the Azure Managed HSM is exclusively used for TLS offloading.
+
+Assign the Crypto User role to TLS Offload service principal at the "/keys" scope. This gives the TLS Offload service principal the permission to generate keys and find them for TLS Offloading.
+
+```azurecli
+az keyvault role assignment create --hsm-name ContosoMHSM \
+--role "Managed HSM Crypto User"  \
+--assignee [email protected]  \
+--scope /keys
+```
+
+### Granular approach
+
+The granular approach implements fine grained access control. It requires two service principals (TLS Offload service principal and Key Generation service principal) and an Admin User.
+
+The objective is to restrict the TLS Offload service principal's permissions to support the minimum required for TLS offload. The user must have the Read permission for other keys to support the library's C_FindObject* function.
+
+#### TLS Offload Library User Read role
+
+The first step in implementing the granular approach is to create a custom role. This operation only needs to be done once.
+
+The Admin User (with Managed HSM Crypto Officer or Managed HSM Administrator or Managed HSM Policy Administrator role) creates a custom "TLS Library User Read Role" role definition:
+
+```azurecli
+az keyvault role definition create --hsm-name ContosoMHSM --role-definition '{ \
+"roleName": "TLS Library User Read Role", \
+"description": "Grant Read access to keys", \
+"actions": [], \
+"notActions": [], \
+"dataActions": ["Microsoft.KeyVault/managedHsm/keys/read/action"], \
+"notDataActions": [] \
+}'
+```
+
+#### Generate keys
+
+Keys can be generated using the Key Generation service principal with the key creation tool (mhsm_p11_create_key).
+
+#### Grant permission
+
+The Admin User assigns the following roles to the TLS Offload service principal.
+- Assign "TLS Library User Read Role" role at the "/keys" scope
+- Assign "Managed HSM Crypto User" role at the "/keys/{key name}" scope
+
+In the following example, the key name is "p11-6a2155dc40c94367a0f97ab452dc216f".
+
+```azurecli
+az keyvault role assignment create --hsm-name ContosoMHSM  \
+--role "TLS Library User Read Role"  \
+--assignee [email protected]  \
+--scope /keys
+
+az keyvault role assignment create --hsm-name ContosoMHSM  \
+--role "Managed HSM Crypto User"  \
+--assignee [email protected]  \
+--scope /keys/p11-6a2155dc40c94367a0f97ab452dc216f
+```
+
+## Using the TLS Offload Library
+
+### Generate keys
+
+The TLS Offload Library includes a key creation tool, mhsm_p11_create_key. Running the tool without any command line arguments shows the correct usage of the tool.
+
+The key creation tool requires a service principal, which is assigned to the "Managed HSM Crypto User" role at the "/keys" scope.
+
+The key creation tool reads the service principal credentials from the environment variables MHSM_CLIENT_ID and MHSM_CLIENT_SECRET.
+- MHSM_CLIENT_ID – must be set to the service principal's application (client) ID
+- MHSM_CLIENT_SECRET – must be set to the service principal's password (client secret)
+
+The key creation tool randomly generates a name for the key at the time of creation. The full Azure Key Vault Key ID and the Key Name are printed to the console for your convenience.
+
+```azurepowershell
+MHSM_CLIENT_ID="<service-principal-application-id>" \
+MHSM_CLIENT_SECRET="<service-principal-password>" \
+mhsm_p11_create_key --RSA 4K --label tlsKey
+
+Key is generated successfully.
+Managed HSM Key ID: https://myhsm.managedhsm.azure.net/keys/p11-6a2155dc40c94367a0f97ab452dc216f/92f8aa2f1e2f4dc1be334c09a2639908 \
+Key Name: p11-6a2155dc40c94367a0f97ab452dc216f
+```
+
+The `--label` argument to the key creation tool specifies the desired CKA_LABEL for the private and public keys generated. These attributes are typically required to configure supported TLS Offload solutions (for example, the nginx SSL configuration setting `ssl_certificate_key').
+
+The key name is required if you're planning to implement granular access to keys.
+
+### Implement keyless TLS
+
+There are two approaches to generating a key and using the key for the Key Less TLS: a simpler, more permissive approach, and a granular approach, which offers better security. The approaches differ in implementation effort and security enforcement.
+
+#### Simpler approach
+
+1. Create a service principal for the TLS Offload Library (for example, TLSOffload ServicePrincipal)
+2. Assign "Managed HSM Crypto User" role to the TLS Offload service principal at the "/keys" scope.
+    ```azurecli
+    az keyvault role assignment create --hsm-name ContosoMHSM \
+    --role "Managed HSM Crypto User"  \
+    --assignee [email protected]  \
+    --scope /keys
+    ```
+3. Generate key with required label following the steps in [How to generate keys using the TLS Offload Library](#generate-keys).
+4. Configure the TLS server to use the Managed HSM TLS Offload Library as the PKCS#11 interface library
+5. Configure the TLS server (for example, the nginx SSL configuration setting `ssl_certificate_key') with the key label and the TLS Offload service principal credentials
+
+#### Granular approach
+
+1. Create an Admin User (for example, TLSOffloadAdminUser) with the following role:
+    - "Managed HSM Crypto Officer" role at the "/" scope
+1. Create a Key Generation service principal (for example, TLSOffloadKeyGenServicePrincipal) for the TLS Offload Key generation and assign the following role:
+    - "Managed HSM Crypto User" role at the "/keys" scope.
+1. Create a service principal for the TLS Offloading (for example, TLSOffload   ServicePrincipal)
+1. The Admin User creates the following custom role definition:
+    ```azurecli
+    az keyvault role definition create --hsm-name ContosoMHSM --role-definition '{ \
+    "roleName": "TLS Library User Read Role", \
+    "description": "Grant Read access to keys", \ 
+    "actions": [], \
+    "notActions": [], \
+    "dataActions": ["Microsoft.KeyVault/managedHsm/keys/read/action"], \
+    "notDataActions": []
+    }'
+    ```
+1. Generate a key with required label following "How to generate keys using the TLS Offload Library". Use the Key Generation service principal (for example, TLSOffloadKeyGenServicePrincipal) while generating keys. Note down the Key Label and Key Name. For example:
+    - Key Label: tlsKey
+    - Key Name: p11-6a2155dc40c94367a0f97ab452dc216f  
+1. Admin User assigns the following roles to the TLS Offload service principal
+    - "TLS Library User Read Role" role at the "/keys" scope
+    - "Managed HSM Crypto User" role at the "/keys/{key name}" scope
+    ```azurecli
+    az keyvault role assignment create --hsm-name ContosoMHSM  \
+    --role " TLS Library User Read Role"  \
+    --assignee TLSOffloadServicePrincipal @contoso.com  \
+    --scope /keys
+    
+    az keyvault role assignment create --hsm-name ContosoMHSM  \
+    --role "Managed HSM Crypto User"  \
+    --assignee [email protected]  \
+    --scope /keys/p11-6a2155dc40c94367a0f97ab452dc216f
+    ```
+1. Configure the TLS server to use the Azure Managed HSM TLS Offload Library as the PKCS#11 interface library
+1. Configure the TLS server (for example, the nginx SSL configuration setting `ssl_certificate_key') with the key label and the TLS Offload service principal credentials
+
+## Next steps
+
+- [Azure Managed HSM overview](overview.md)
+- [Azure Managed HSM local RBAC built-in roles](built-in-roles.md)
+- [Azure Managed HSM role management](role-management.md)

articles/key-vault/managed-hsm/toc.yml

@@ -71,6 +71,8 @@ items:
   items:
   - name: Secure key release policy grammar 
     href: policy-grammar.md
+  - name: TLS offload library
+    href: tls-offload-library.md
   - name: Key management in Azure
     href: ../../security/fundamentals/key-management.md
   - name: Azure PowerShell