
Primus HSM Configuration

To set up the Primus HSM, follow the steps in the Primus HSM User Guide, chapter 3.

This text refers to global device security settings. If you use individual user/partition settings, apply the same settings per partition (hsm_sec_enter_user_config, hsm_user_...).
The console commands are adapted accordingly:

  • list parameters: hsm_net_list_config, hsm_sec_list_config, hsm_user_list_config
  • change parameters: hsm_net_set_config, hsm_sec_set_config, hsm_user_set_config

Next, verify that the HSM has a proper network configuration and can be reached from the computer on which the PKCS#11 library is installed. The API is reachable on the default port unless configured otherwise. Note that the service may be bound to a specific network interface.

  • SETUP CONFIGURATION NETWORK SERVICES PKCS#11 INTERFACES: 1
  • SETUP CONFIGURATION NETWORK SERVICES PKCS#11 TCP PORT: 2310
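The reachability check described above, as an added example that is not part of the Securosys documentation or tooling: a small bash function that opens a TCP connection to the HSM's PKCS#11 port from the client host and reports what to check on the HSM when it fails. The host name is an assumption; 2310 is the default PKCS#11 TCP port named above.

```shell
#!/usr/bin/env bash
# Added example (not Securosys code): verify that the Primus HSM PKCS#11 TCP port
# is reachable from the host running the PKCS#11 library.

# check_hsm_port HOST PORT [TIMEOUT_SECONDS]
# Returns 0 when a TCP connection to HOST:PORT succeeds within the timeout, 1 otherwise.
check_hsm_port() {
  local host="$1" port="$2" timeout_s="${3:-3}"
  # bash's /dev/tcp pseudo-device opens a plain TCP connection without needing nc or telnet;
  # it is run in a child bash so the function also works when sourced from a POSIX sh.
  if timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    return 0
  fi
  return 1
}

# report_hsm_reachability HOST [PORT]
# Prints a diagnosis and returns the result of check_hsm_port (0 = reachable).
report_hsm_reachability() {
  local host="$1" port="${2:-2310}"
  if check_hsm_port "$host" "$port"; then
    echo "OK: $host:$port accepts TCP connections (PKCS#11 service port)"
    return 0
  fi
  echo "FAIL: cannot connect to $host:$port" >&2
  echo "  - check SETUP CONFIGURATION NETWORK SERVICES PKCS#11 INTERFACES / TCP PORT on the HSM" >&2
  echo "  - check that the service is bound to an interface reachable from this host" >&2
  echo "  - check firewalls between this host and the HSM" >&2
  return 1
}

# Usage: ./check_hsm.sh <hsm-host> [port]   (host name below is a placeholder, not a real device)
if [ "$#" -ge 1 ]; then
  report_hsm_reachability "$1" "${2:-2310}"
fi
```

Run it before debugging the PKCS#11 provider itself: a failing connection here points at the HSM network service configuration or the path to it, not at the library or the user secret.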

Make sure you have SO privileges for the steps below (security configuration):

SO ACTIVATE
(or in some older releases: ROLE ACTIVATION SO ACTIVATE)

If a new user is set up, note down the user's setup password. It is required to set up the HSM connection and to retrieve the permanent user secret with the ppin command.

Generate a New Setup Password

If you need a new setup password for the ppin command, acquire SO privileges on the HSM and execute the following command. The setup password has a limited lifetime (by default 3 days from first use):

ROLES USER NEW SETUP PW

Enable PKCS#11 API

To use the PKCS#11 Provider, the Client API and PKCS#11 access need to be enabled on the HSM. Set the respective security configuration under

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY CLIENT API ACCESS

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY PKCS#11

Preparing the PKCS#11 Password (PIN)

PKCS#11 operates in two modes: a public mode, in which only public objects are accessible, and a logged-in mode, in which private key operations can be performed. On the Primus HSM, access to the HSM itself is granted via the permanent user secret. The additional password for the PKCS#11 login command must be set¹ using the SO role, either per device or per partition:

SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY PKCS#11 PASSWORD

Using HSM Session Objects

Use of session objects (CKA_TOKEN = FALSE) requires HSM firmware v2.8.20/v2.9.2 or later and session objects enabled.
(Up to version 2.10 the parameter was called "External Storage").

Recommendation

Most applications require session objects enabled.

SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY SESSION OBJECTS

Export / Import Settings

caution

Secure operation requires import, export, and extract to be disabled.

The following policies define whether key import, export and extract are allowed (see the HSM User Guide for details):

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY IMPORT

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY EXPORT

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY EXTRACT

Key Invalidation

When Key Invalidation is active, deleting a key leaves a shadow copy of it behind. This may prevent the creation of a new key with the same key name and key ID, so some of the tests mentioned later may fail. To check whether Key Invalidation is active:

SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY INVALIDATION

User Log via PKCS#11 API

To fetch the user log from the HSM via PKCS#11 API or ppin tool, enable log fetching:

SETUP CONFIGURATION SECURITY DEVICE SECURITY MANAGEMENT POLICY CLIENT API USER LOG

Device and User specific configuration

The configuration parameters above are shown at device level. If user-specific configuration is activated, they have to be configured on the specific user partition.

info
  • Primus HSM in FIPS mode requires PKCS#11 Provider 2.0 or newer to connect.
  • It is recommended to use HSM firmware v2.8 or later.

Footnotes

  1. https://support.securosys.com/external/knowledge-base/article/22