Prerequisites
To use the Securosys Authorization App, you need:
- A Securosys HSM: either an on-premise Primus HSM or a CloudHSM.
- A Transaction Security Broker (TSB).
- Appropriate licenses.
- Accounts for the approvers on the TSB.
All of the above need to be configured before your users can get started with the Authorization App. The configuration differs depending on which HSM setup you are using.
Get an HSM
- CloudHSM: CloudHSM is a hosted offering from Securosys, where Securosys manages the HSMs for you in a geo-redundant cluster. For testing purposes, CloudHSM offers a free 90-day trial. Sign up to CloudHSM.
- On-premise: Contact the Securosys Sales team to purchase a Primus HSM. There are various models available.
Your Primus HSM needs to be configured as follows:
- Device setup completed with the initial wizard
- Root Key Store set up
- Enabled features in the security config: Client API access, JCE, Key Authorization, REST API access, TSB Workflow Engine. Note that these need to be enabled at both the device level and the partition level.
- Created at least one user partition
See the TSB installation guide for step-by-step explanations.
Get a Transaction Security Broker
- CloudHSM: CloudHSM offers TSB-as-a-service. Depending on the service package, the TSB option may be included or may need to be manually enabled.
- On-premise: Follow the TSB documentation to install and configure the TSB on your infrastructure.
Check the licenses
Check that you have the following license options activated:
- REST_API
- TSB_ENGINE
- KEY_AUTH
- EXTENDED_KEY_ATTRIBUTES
- ROOT_KEY_STORE
- CloudHSM: Call the GET /v1/licenseInfo endpoint of your CloudHSM instance to view your licenses. See the REST API base URLs. Make sure to include the JWT token in your request!
- On-premise: To view the licenses that are activated on your HSM:
  - UI: System Diagnostics Device License
  - Serial: hsm_diagnostics lic
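A pre-flight check for the license options listed above, given as an added example and not Securosys code: it compares a GET /v1/licenseInfo response against the five required options and reports any that are missing. The response layout (a `clientFlags` array in the constructed sample), the Bearer scheme for the JWT, and the function names are assumptions of this example; take the base URL from the REST API base URLs page.

```python
import json
import urllib.request

# License options this page lists as required.
REQUIRED = {"REST_API", "TSB_ENGINE", "KEY_AUTH",
            "EXTENDED_KEY_ATTRIBUTES", "ROOT_KEY_STORE"}

# Constructed sample body; the real response layout is an assumption here.
SAMPLE = '{"clientFlags": ["REST_API", "TSB_ENGINE", "KEY_AUTH", "ROOT_KEY_STORE"]}'


def active_flags(node):
    """Collect flag names from parsed JSON without relying on one layout:
    any string value counts, and so does any key whose value is true."""
    if isinstance(node, str):
        return {node}
    if isinstance(node, list):
        return set().union(*(active_flags(item) for item in node))
    if isinstance(node, dict):
        found = {key for key, value in node.items() if value is True}
        return found.union(*(active_flags(value) for value in node.values()))
    return set()


def missing_licenses(body):
    """Return the required license options absent from a response body."""
    return sorted(REQUIRED - active_flags(json.loads(body)))


def build_request(base_url, jwt):
    """Build the GET /v1/licenseInfo request carrying the JWT.
    Sending it as a Bearer token is an assumption of this example."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/v1/licenseInfo",
        headers={"Authorization": "Bearer " + jwt, "Accept": "application/json"},
        method="GET",
    )


def check_instance(base_url, jwt):
    """Query a live instance and return its missing license options."""
    with urllib.request.urlopen(build_request(base_url, jwt), timeout=10) as resp:
        return missing_licenses(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print("missing:", missing_licenses(SAMPLE))
```

An empty list from `check_instance` means all five options are active; anything else names the options to request before onboarding approvers.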
Create approvers
Lastly, you need to create approver accounts for the people using the Securosys Authorization App:
- Repeat the "Create Approver" tutorial for all accounts.
- Provide the One Time Codes to your approvers; they will need them to register in the app.
More approver management tasks are described in the tutorials.
Approver accounts are created and stored in the Transaction Security Broker (TSB). The TSB centrally manages all approvers and backs up their keys. This allows the approver manager to recover the approver accounts, for example, when an approver loses their phone. For more details, see the SKA documentation.
Later, when you create an SKA key, you can reference the approvers in the policy of the SKA key. For details, see this tutorial.
Next steps
Now that you have an HSM and a TSB, and have configured your approver accounts, your users are ready to install the Authorization App and onboard as approvers.