Client Access
CloudHSM provides secure and reliable access to your cryptographic resources, enabling subscribers to leverage the power of hardware-based security for their critical applications. Whether subscribers choose a Primus API Provider for direct connectivity or the REST API option for remote access, CloudHSM ensures the highest levels of security and availability.
Primus API Providers
To connect to a partition on CloudHSM, subscribers need to install the Primus API Provider, which serves as a bridge between the subscribers' application servers and the HSMs. A Primus API Provider is available for the following programming interfaces:
- Java Cryptographic Extension: Integrates seamlessly with Java applications using JCE/JCA interfaces for secure cryptographic operations.
- Microsoft CNG: Facilitates secure cryptographic operations in Microsoft .NET applications using the Microsoft CNG interface.
- PKCS#11: Supports PKCS#11-compliant applications, ensuring compatibility and interoperability.
Between the Primus API Provider (client-side software component) and the HSM in the CloudHSM service, a secure AES-256-GCM end-to-end encrypted connection is established. Authentication takes place in two phases with distinct credentials. First, the subscriber is authenticated on the gateway; in this step, access can optionally be limited to whitelisted client IP addresses only. Only after this step does the gateway grant end-to-end encrypted communication to the HSM.
Connection establishment sequence:
- The API Provider sends Hello to HSM (randomly selected from Reverse-Proxy list obtained from DNS)
- Reverse-Proxy requests service authentication
- The API Provider (Crypto-Provider) answers Hello with service credentials
- Reverse-Proxy sends request authorization to directory service
- Directory service grants authorization
- Reverse-Proxy sends Hello authentication response, mutual authentication to Reverse-Proxy
- The API Provider sends Hello to HSM
- HSM sends Hello authentication response, mutual authentication to HSM
The connection between the Primus API Provider and the HSM in the CloudHSM service is encrypted end-to-end. The encryption is not terminated or interrupted for the service authentication by the reverse-proxy.
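As an added illustration (not code from Securosys or the Primus API Provider, whose wire format is not shown here), the following Python model walks through the two-phase sequence above with constructed placeholder values: proxy host names, subscriber and partition credentials, a client IP allowlist, and a mock directory service. It shows why a failed gateway phase stops the exchange before any partition credential is ever sent toward the HSM.

```python
import random
import secrets

# Constructed sample data (placeholders, not real CloudHSM values): the DNS
# answer listing reverse proxies, the directory service's subscriber records
# (service credential plus optional IP allowlist) and the HSM partition users.
REVERSE_PROXIES = ["proxy-a.example", "proxy-b.example"]
DIRECTORY = {"sub-1": {"secret": "svc-secret-1", "allowed_ips": {"203.0.113.10"}}}
PARTITION_USERS = {"partition-user": "partition-password"}

def directory_authorizes(subscriber, secret, client_ip):
    """Phase 1 decision: service credential must match and, if an allowlist is
    configured (non-empty set), the client IP must be on it."""
    entry = DIRECTORY.get(subscriber)
    if entry is None or not secrets.compare_digest(entry["secret"], secret):
        return False
    return not entry["allowed_ips"] or client_ip in entry["allowed_ips"]

def reverse_proxy_hello(proxy, subscriber, secret, client_ip, log):
    """Gateway side of phase 1. The proxy only decides whether to forward the
    end-to-end channel; it never holds the key shared by provider and HSM."""
    log.append(f"{proxy}: request service authentication")
    log.append(f"provider: answer Hello with service credentials for {subscriber}")
    log.append(f"{proxy}: request authorization from directory service")
    if not directory_authorizes(subscriber, secret, client_ip):
        log.append(f"{proxy}: authorization denied, tunnel not granted")
        return False
    log.append("directory: authorization granted")
    log.append(f"{proxy}: Hello authentication response (mutual auth to proxy)")
    return True

def hsm_hello(user, password, log):
    """Phase 2: partition-level authentication inside the tunnelled channel."""
    expected = PARTITION_USERS.get(user, "")
    if not secrets.compare_digest(expected, password):
        log.append("hsm: authentication failed")
        return False
    log.append("hsm: Hello authentication response (mutual auth to HSM)")
    return True

def connect(subscriber, secret, user, password, client_ip, rng=random):
    """Run the connection establishment sequence; returns (ok, transcript)."""
    log = []
    proxy = rng.choice(REVERSE_PROXIES)  # random pick from the DNS proxy list
    log.append(f"provider: Hello to HSM via {proxy}")
    if not reverse_proxy_hello(proxy, subscriber, secret, client_ip, log):
        return False, log  # partition credentials are never sent in this case
    log.append("provider: Hello to HSM through the end-to-end channel")
    return hsm_hello(user, password, log), log
```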
REST API Server (TSBaaS, RESTaaS)
TSBaaS and RESTaaS are supplementary services to CloudHSM.
In this subscription type the REST API middleware is managed by Securosys.
In addition to the REST API, TSBaaS provides a workflow engine for multi-authorization schemes based on the HSM-enforced Smart Key Attribute (SKA) feature. The TSBaaS middleware is also managed by Securosys.
Unlike the other APIs, communication to the REST middleware is protected by TLS, and access is authenticated and authorized using a JSON Web Token (bearer token) issued to the subscriber in a multi-tenant TSBaaS setup, or alternatively through mutual TLS for a dedicated TSBaaS instance.