Configure the plugin
Configure the plugin for accessing the Securosys Primus HSM or CloudHSM.
Required attributes:
Attribute | Description |
---|---|
auth | Authorization type used to access the TSB. Allowed values: TOKEN, CERT or NONE |
restapi | REST API URL to access the REST/TSB endpoint (available from your Security Officer; for the CloudHSM service, see CloudHSM - TSB Connectivity Details). |
Define additional attributes based on the selected authorization type auth:
Authorization Type | Additional Attributes |
---|---|
TOKEN | Add the attribute bearertoken with the JWT token |
CERT | Set certpath to the local path of the certificate and keypath to the local path of the key. |
NONE | No additional attributes required. |
Command to write the configuration to the plugin
$ vault write securosys-hsm/config {config_attributes}
curl --location --request PUT '<server_addr>/v1/securosys-hsm/config' \
--header 'X-Vault-Token: <vault_access_token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode '{config_attribute_key}={config_attribute_value}'
Example for disabled authorization
$ vault write securosys-hsm/config \
    auth="NONE" \
    restapi="https://primusdev.cloudshsm.com"
curl --location --request PUT '<server_addr>/v1/securosys-hsm/config' \
--header 'X-Vault-Token: <vault_access_token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'auth=NONE' \
--data-urlencode 'restapi=https://primusdev.cloudshsm.com'
Example for JWT token authorization
$ vault write securosys-hsm/config \
    auth="TOKEN" \
    bearertoken="jwt token string" \
    restapi="https://primusdev.cloudshsm.com"
curl --location --request PUT '<server_addr>/v1/securosys-hsm/config' \
--header 'X-Vault-Token: <vault_access_token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'auth=TOKEN' \
--data-urlencode 'bearertoken=jwt token string' \
--data-urlencode 'restapi=https://primusdev.cloudshsm.com'
Example for Certificate authorization
$ vault write securosys-hsm/config \
    auth="CERT" \
    certpath="local_absolute_path_to_certificate.pem" \
    keypath="local_absolute_path_to_private.key" \
    restapi="https://primusdev.cloudshsm.com"
curl --location --request PUT '<server_addr>/v1/securosys-hsm/config' \
--header 'X-Vault-Token: <vault_access_token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'auth=CERT' \
--data-urlencode 'certpath=local_absolute_path_to_certificate.pem' \
--data-urlencode 'keypath=local_absolute_path_to_private.pem' \
--data-urlencode 'restapi=https://primusdev.cloudshsm.com'
Tip
On any change to the configuration, the plugin tries to reach the defined TSB using the provided configuration. If the connection succeeds, the plugin writes or overwrites the configuration; otherwise the previous configuration remains unchanged.
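A pre-flight check for the attribute sets in the tables above, as an added example that is not part of the plugin or its documentation. The function name hsm_config_args is hypothetical, and the https-only and private-key permission rules are policy choices of this example. It relies on the Vault CLI's key=@file syntax so the bearer token stays out of the shell history and process list.

```shell
# Added example (not part of the plugin): validate the attribute set before
# running `vault write securosys-hsm/config`. Prints one key=value argument
# per line, or explains what is wrong and returns 1.
# Usage: hsm_config_args AUTH RESTAPI [TOKEN_FILE | CERT_PATH KEY_PATH]
err() { echo "config error: $*" >&2; }

hsm_config_args() {
  auth=${1:-} restapi=${2:-}
  # Policy of this example: only TLS endpoints, as in the page's examples.
  case $restapi in
    https://?*) ;;
    *) err "restapi must be an https:// URL"; return 1 ;;
  esac
  case $auth in
    NONE)
      [ $# -eq 2 ] || { err "NONE takes no additional attributes"; return 1; }
      echo "auth=NONE" ;;
    TOKEN)
      # TOKEN_FILE holds the JWT with no trailing newline; key=@file makes the
      # Vault CLI read the value from the file instead of the command line.
      [ $# -eq 3 ] && [ -s "$3" ] || { err "TOKEN needs a non-empty token file"; return 1; }
      echo "auth=TOKEN"
      echo "bearertoken=@$3" ;;
    CERT)
      [ $# -eq 4 ] || { err "CERT needs certpath and keypath"; return 1; }
      for p in "$3" "$4"; do
        case $p in /*) ;; *) err "$p is not an absolute path"; return 1 ;; esac
        [ -r "$p" ] || { err "$p is not readable"; return 1; }
      done
      # The private key must not be accessible to group or others.
      [ "$(ls -lLd "$4" | cut -c5-10)" = "------" ] ||
        { err "$4 is group/world accessible (chmod 600)"; return 1; }
      echo "auth=CERT"
      echo "certpath=$3"
      echo "keypath=$4" ;;
    *) err "auth must be TOKEN, CERT or NONE"; return 1 ;;
  esac
  echo "restapi=$restapi"
}
```

When the paths contain no whitespace, the printed lines can be passed directly as arguments: `vault write securosys-hsm/config $(hsm_config_args NONE https://primusdev.cloudshsm.com)`.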