On-premises
This page covers on-premises connectivity details for:
- Primus HSM X, E, or CyberVault series connectivity details
- Transaction Security Broker connectivity details
Primus HSM
Setting up and configuring the Primus HSM hardware is not described in this section. Refer to the corresponding Primus HSM User Guides, downloadable from the Securosys Support Portal.
Ensure that the APIs you intend to use are included in your HSM license. For license upgrades, contact Securosys.
Default Configuration
The on-premises Primus HSM can be reached through the default ports listed in the table below, unless your HSM administrator has configured them differently. Refer to the Primus User Guide for more details.
HSM URL/IP | TCP Port JCE/JCA | TCP Port PKCS#11 | TCP Port MS CNG | TCP Port High Availability | TCP Port Decanus | Partition Decanus |
---|---|---|---|---|---|---|
The Transaction Security Broker (TSB) and the REST API use the JCE API port.
Setup Password & Permanent Secret
To establish a connection to the HSM, an application requires a valid setup password, which can be issued in either of the following ways:
- Primus HSM User Interface and Decanus: ROLES → USER → NEW SETUP PASSWORD
- Primus HSM Console: `hsm_sec_new_setup_pass`
The setup password has a limited validity period and should be used to obtain or update a permanent secret as soon as possible; it is not intended as a permanent credential.
Because the setup password expires (by default after 72 hours), you should fetch the permanent secret. See the respective documentation for each API on how to fetch the permanent secret:
- Java Cryptography Extension (JCE) - Login Sample
- PKCS#11 (Cryptoki) - Permanent Secret Fetching
  - The PKCS#11 password (configured by your HSM administrator) is required to fetch the permanent secret; see PKCS#11 (Cryptoki) - Preparing the PKCS#11 Password (PIN) for more details.
- MSCNG - Configuring CNG/KSP Provider
Decanus Terminal
Decanus is the tamper-protected remote administration terminal for the Primus HSM.
The Decanus Terminal must be enabled in the HSM configuration before use, and it must initially be paired with the HSM to establish a secure connection.
Decanus may comprise different firmware variants and applications, e.g.:
- Primus HSM Device Administration
  - Enables remote administration of up to 64 Primus HSM devices by extending the user interface, card slots, and USB slot in a secure manner.
  - Connects over an IP network to the configured HSM management interface and TCP port; see Default Configuration for default values.
- Primus HSM Partition Administration and Auditing
  - Enables remote administration and auditing of up to 64 single Primus HSM partitions (Partition SO).
  - Connects to one of the configured Primus HSM API interfaces and ports (on the HA Master device); see Default Configuration for default values.
For more details, refer to the Decanus Terminal User Guide, downloadable from the Securosys Support Portal.
High Availability
High availability is configured by HSM administrators and requires multiple Primus HSM devices.
Devices of a cluster for which the high-availability option ("HA") is enabled are synchronized promptly, which provides load balancing without manual cloning each time a user key or object is generated or modified.
By default, a Clone tries to establish a connection with the Master using the configured Master URLs and to synchronize with it. After pairing, these devices synchronize themselves over Ethernet as long as they can connect to the network.
For more details on HA, refer to Primus User Guide - High-Availability Remote Cloning.
Transaction Security Broker
The table below lists connectivity details for the on-premises Transaction Security Broker (TSB) with the different deployment variants of Securosys HSMs.
TSB Service | Description | Authentication | Endpoint(s) |
---|---|---|---|
HSMaaS | HSMaaS with on-premises TSB deployment; hsm.host=HSMaaS-Hostname and hsm.port=2300 (default JCE/JCA port) | any | HSMaaS hostname(s) |
Dedicated (Platinum) | TSB bound to a CloudHSM PLA partition | mutual TLS | dedicated domain name, <dedicated>.cloudshsm.com |
OnPremise (HSM) | hsm.host=<IP> of the HSM data interface; hsm.port=2300 (default JCE/JCA port) | any | http://localhost:8080 |