
Enabling KAE Encryption and Decryption

The following describes how to enable KAE encryption and decryption without modifying the existing service code.

  1. Modify the Java security configuration file.
    1. Open the $JAVA_HOME/jre/lib/security/java.security file.
      vi $JAVA_HOME/jre/lib/security/java.security
      
    2. Press i to enter the insert mode and comment out the following content:
      security.provider.1=sun.security.provider.Sun
      security.provider.2=sun.security.rsa.SunRsaSign
      security.provider.3=sun.security.ec.SunEC
      security.provider.4=com.sun.net.ssl.internal.ssl.Provider
      security.provider.5=com.sun.crypto.provider.SunJCE
      security.provider.6=sun.security.jgss.SunProvider
      security.provider.7=com.sun.security.sasl.Provider
      security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      security.provider.9=sun.security.smartcardio.SunPCSC
      
      Add the following content to add KAE Provider and set the highest priority for it:
      security.provider.1=org.openeuler.security.openssl.KAEProvider
      security.provider.2=sun.security.provider.Sun
      security.provider.3=sun.security.rsa.SunRsaSign
      security.provider.4=sun.security.ec.SunEC
      security.provider.5=com.sun.net.ssl.internal.ssl.Provider
      security.provider.6=com.sun.crypto.provider.SunJCE
      security.provider.7=sun.security.jgss.SunProvider
      security.provider.8=com.sun.security.sasl.Provider
      security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      security.provider.10=sun.security.smartcardio.SunPCSC
      security.provider.11=sun.security.mscapi.SunMSCAPI
      
    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
  2. Enable KAE encryption and decryption based on the KAE Provider feature of the BiSheng JDK.
    1. Configure the KAE environment variables.
      1. Open the /etc/profile file.
        vi /etc/profile
        
      2. Press i to enter the insert mode and add the following content to the file:
        export OPENSSL_ENGINES=/usr/local/lib/engines-1.1
        
      3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
      4. Make the configuration take effect.
        source /etc/profile
        
    2. Configure KAE Provider.
      1. Open the $JAVA_HOME/jre/lib/kaeprovider.conf file.
        vi $JAVA_HOME/jre/lib/kaeprovider.conf
        
      2. Press i to enter the insert mode and add the following content to enable RSA hardware-based acceleration:
        kae.rsa=true
        kae.log=true
        kae.rsa.useKaeEngine=true
        kae.libcrypto.useGlobalMode=true
        
      3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
  3. Build and start the Spring Boot web service.
    1. Open the /home/tomcat-test-01/src/main/resources/application.properties file.
      vi /home/tomcat-test-01/src/main/resources/application.properties
      
    2. Press i to enter the insert mode and add the following SSL settings:
      # Comments sit on their own lines: in a .properties file, text after a value is part of the value.
      # Sets the port number to 8443.
      server.port=8443
      # Enables the HTTPS protocol.
      server.ssl.enabled=true
      # Specifies the certificate path.
      server.ssl.key-store=classpath:server.p12
      # Specifies the certificate type.
      server.ssl.key-store-type=PKCS12
      # Specifies the certificate password.
      server.ssl.key-store-password=123456
      server.ssl.ciphers=ECDHE-RSA-AES256-GCM-SHA384
      server.ssl.protocol=TLS
      server.ssl.enabled-protocols=TLSv1.2
      
    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
    4. Build an executable JAR file.
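      cd /home/tomcat-test-01
      # The two -Dmaven.wagon.http.ssl.* options relax TLS certificate validation and hostname matching for Maven's dependency downloads.
      mvn clean package -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true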
      
    5. Start the Spring Boot web service.
      java -jar target/tomcat-test-01-0.0.1-SNAPSHOT.jar
      
  4. Verify that the KAE hardware-based acceleration is in use.
    1. Check KAE logs.
      cd /home/tomcat-test-01
      cat kae.log
      

      If the log shows that KAE has been used, Tomcat is using the KAE hardware-based acceleration.

    2. Check KAE hardware queues.
      watch -d cat /sys/class/uacce/hisi_*/available_instances
      

      Use a browser to access the IP address and port (HTTPS, port 8443) of the Tomcat server and check whether there are changes in the command output. If there are changes, Tomcat has used the KAE hardware-based acceleration.

      After the IP address is accessed, the number of available instances in a hardware queue decreases from 256 to 255.
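
The provider edit in step 1 fails silently if the stock entries are left active or the numbering skips a value, so the following added example (not part of the original procedure or of the BiSheng JDK) audits a java.security file for both cases. The names `check_providers` and `demo_duplicate` and the sample file contents are constructed for illustration; the script assumes entries use the `key=value` form shown in step 1.

```shell
#!/bin/sh
# Added example: audit the security.provider.N entries of a java.security file.
KAE_CLASS=org.openeuler.security.openssl.KAEProvider   # class name from step 1

# check_providers FILE: exit 0 only if KAEProvider is the effective
# security.provider.1, numbering has no gap, and no key is defined twice.
check_providers() {
    awk -v kae="$KAE_CLASS" '
        # Active entries only; lines starting with # are comments and are skipped.
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            line = $0
            sub(/^[ \t]*security\.provider\./, "", line)
            n = line; sub(/[ \t]*=.*/, "", n); n += 0
            v = line; sub(/^[0-9]+[ \t]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (n in val) {
                printf "DUPLICATE security.provider.%d (%s overrides %s)\n", n, v, val[n]
                bad = 1
            }
            val[n] = v              # the last definition of a key is the one kept
            if (n > max) max = n
        }
        END {
            # The JDK reads provider 1, 2, 3, ... and stops at the first missing number.
            for (i = 1; i <= max; i++)
                if (!(i in val)) { printf "GAP at security.provider.%d\n", i; bad = 1 }
            if (val[1] != kae) {
                printf "security.provider.1 is %s, not %s\n", val[1], kae
                bad = 1
            }
            if (!bad) printf "OK: %s is first of %d providers\n", kae, max
            exit bad + 0
        }' "$1"
}

# Constructed sample: the stock list was left active below the new entries,
# so the stock security.provider.1 wins over KAEProvider.
demo_duplicate() {
    tmp=$(mktemp)
    printf '%s\n' \
        'security.provider.1=org.openeuler.security.openssl.KAEProvider' \
        'security.provider.2=sun.security.provider.Sun' \
        'security.provider.1=sun.security.provider.Sun' > "$tmp"
    check_providers "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_providers "$1"; fi
```

Pass the edited file as the first argument, for example `$JAVA_HOME/jre/lib/security/java.security`, after saving it in step 1.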