HSM Configuration
The sections below highlight the HSM configuration changes required for Securden PAM application, after the initial HSM setup (initial wizard, role setup, network settings, etc.).
Changing the HSM Security Policy requires Security Officer (SO) role privileges (SO cards, m of n).
CloudHSM customers: request the necessary configuration changes highlighted below.
Basic configuration
- XML Configuration File (export/import)
- HSM Console
- HSM User Interface
After initial on-prem HSM setup
- Export the HSM's Security Configuration
- Adapt the exported XML file *.sconfig according to the highlighted sections below
- Apply the changes according to the Securden Integration Method (1-3)
- Import the modified Security Configuration
Activate the PKCS#11 process (if not already enabled):
<pkcs_process>
<active>enabled</active>
<port>2310</port>
<interface>1</interface>
</pkcs_process>
The HSM Security Policy can be defined device-wide or per user, to provide different settings per partition. The example below refers to the user specific configuration. Adapt the user configuration for this specific user:
...
<crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
<user_name>YourPartitionName</user_name>
...
<import_keys>disabled</import_keys> <!-- disable key import on user -->
<export_keys>disabled</export_keys> <!-- disable key export on user -->
<extract_keys>disabled</extract_keys> <!-- disable wrapped key export on user -->
...
<session_objects>enabled</session_objects> <!-- enable session objects -->
<destroy_objects>enabled</destroy_objects> <!-- enable deletion of keystore objects -->
<use_objects>enabled</use_objects> <!-- enable usage of objects -->
...
<pkcs_password state="value"/> <!-- set partition pwd for PKCS#11, default=none -->
<client_api_access>enabled</client_api_access> <!-- allow access to user/partition -->
...
<pkcs_allowed>enabled</pkcs_allowed> <!-- enable PKCS#11, interface on partition -->
...
</crypto_user>
...
Adapt according to the XML changes. For details, consult chapter 4 of the corresponding HSM User Guide.
When user configuration is enabled, the user specific values may still be at their defaults and differ from the device settings (e.g. an empty PKCS#11 password).
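As an added example (not part of the Securden guide or the HSM vendor's tooling), the script below audits an exported *.sconfig against the settings listed above and rewrites the partition's crypto_user block to match; the <security_config> root element and the sample file are assumptions constructed for the example, and the check for a default PKCS#11 password assumes the default is reported as state="none".

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for an exported *.sconfig (the <security_config> root is an
# assumption; the child elements are the ones the guide shows).
SAMPLE_SCONFIG = """<security_config>
  <pkcs_process><active>disabled</active><port>2310</port><interface>1</interface></pkcs_process>
  <crypto_user state="enabled">
    <user_name>YourPartitionName</user_name>
    <import_keys>enabled</import_keys><export_keys>enabled</export_keys>
    <extract_keys>enabled</extract_keys><session_objects>disabled</session_objects>
    <destroy_objects>enabled</destroy_objects><use_objects>enabled</use_objects>
    <pkcs_password state="none"/><client_api_access>disabled</client_api_access>
    <pkcs_allowed>disabled</pkcs_allowed>
  </crypto_user>
</security_config>"""

# Per-partition values the guide requires for the Securden partition.
REQUIRED = {"import_keys": "disabled", "export_keys": "disabled", "extract_keys": "disabled",
            "session_objects": "enabled", "destroy_objects": "enabled", "use_objects": "enabled",
            "client_api_access": "enabled", "pkcs_allowed": "enabled"}

def find_user(root, partition):
    """Locate the <crypto_user> whose <user_name> matches the partition."""
    for user in root.iter("crypto_user"):
        if user.findtext("user_name") == partition:
            return user
    raise KeyError(f"no crypto_user named {partition!r}")

def audit(xml_text, partition):
    """Return the policy deviations found in an exported config (empty list = compliant)."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("pkcs_process/active") != "enabled":
        findings.append("pkcs_process/active is not enabled")
    user = find_user(root, partition)
    if user.get("state") != "enabled":
        findings.append("crypto_user state is disabled, so device defaults apply")
    findings += [f"{n} should be {w}" for n, w in REQUIRED.items() if user.findtext(n) != w]
    pwd = user.find("pkcs_password")
    if pwd is None or pwd.get("state") in (None, "", "none"):  # assumed default marker
        findings.append("pkcs_password still at default (none)")
    return findings

def apply_policy(xml_text, partition):
    """Rewrite the exported config to the required values and return the new XML text."""
    root = ET.fromstring(xml_text)
    root.find("pkcs_process/active").text = "enabled"
    user = find_user(root, partition)
    user.set("state", "enabled")
    for name, want in REQUIRED.items():
        user.find(name).text = want
    user.find("pkcs_password").set("state", "value")  # "value" as in the guide's fragment
    return ET.tostring(root, encoding="unicode")
```

Run audit() on the exported file before importing it back into the HSM; a non-empty list means the user-level defaults described above are still in effect.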