Prerequisites

To use the Securosys Authorization App, you need:

• A Securosys HSM. Either an on-premise Primus HSM or a CloudHSM.
• A Transaction Security Broker (TSB).
• Appropriate licenses.
• Accounts for the approvers on the TSB.

All of the above need to be configured before your users can get started with the Authorization App. The configuration differs depending on which HSM setup you are using.

Get an HSM

CloudHSM

CloudHSM is a hosted offering from Securosys, where Securosys manages the HSMs for you in a geo-redundant cluster.

For testing purposes, CloudHSM offers a free 90-day trial.

Sign up to CloudHSM →

On-premise

Contact the Securosys Sales team to purchase a Primus HSM. There are various models available.

Your Primus HSM needs to be configured as follows:

• Device setup completed with the initial wizard
• Root Key Store set up
• Enabled features in the security config: Client API access, JCE, Key Authorization, REST API access, TSB Workflow Engine. Note that this needs to be enabled both on a device-level and on a partition-level.
• Created at least one user partition

See the TSB installation guide for step-by-step explanations.

Get a Transaction Security Broker

CloudHSM

CloudHSM offers TSB-as-a-service. Depending on the service package, the TSB option may be included or may need to be manually enabled.

On-premise

Follow the TSB documentation to install and configure the TSB on your infrastructure.

Check the licenses

Check that you have the following license options activated:

• REST_API
• TSB_ENGINE
• KEY_AUTH
• EXTENDED_KEY_ATTRIBUTES
• ROOT_KEY_STORE

CloudHSM

Call the GET /v1/licenseInfo endpoint of your CloudHSM instance to view your licenses. See the REST API base URLs. Make sure to include the JWT token in your request!

On-premise

To view the licenses that are activated on your HSM:

• UI: Sytem Diagnostics Device License
• Serial: hsm_diagnostics lic

Create approvers

Lastly, you need to create approver accounts for the people using the Securosys Authorization App:

1. Repeat the "Create Approver" tutorial for all accounts.
2. Provide the One Time Codes to your approvers, they will need them to register in the app.

More approver management tasks are described in the tutorials.

Approver accounts are created and stored in the Transaction Security Broker (TSB). The TSB centrally manages all approvers and backs up their keys. This allows the approver manager to recover the approver accounts, for example, when an approver loses their phone. For more details, see the SKA documentation.

Later when you create an SKA key you can reference the approvers in the policy of the SKA key. For details, see this tutorial.

Next steps

Now that you have an HSM and a TSB, and have configured your approver accounts, your users are ready to install the Authorization App and onboard as approvers.