Skip to main content

Activation Process

CloudHSM services can be subscribed to either through in-person sales or online via the Cloud Console. The onboarding procedure varies depending on the purchase channel.

1. CloudHSM Service Order Form

Upon customer confirmation of the service quotation or upon receiving customer's purchase order the subscriber will be requested to fill out and return the CloudHSM Service Order Form.

The CloudHSM Service Order Form is a technical document that allows you to specify the configuration parameters and options for Securosys to deploy your CloudHSM partition. Of course, only quoted/ordered options may be selected.

How do you fill in the CloudHSM Service Order Form:

  1. Enter the offer or purchase order reference.
  2. Select the service start date. Note, that the service activation can take up to 72 hours .
  3. Select the HSMaaS Service Package and corresponding HSM Cluster location, and if applicable select the supplementary services for TSBaaS and RESTaaS.
  4. Select the API.
  5. Select the Optional partition features, e.g.:
    1. Smart Key Attributes for HSM-enforced multi-signature schemes.
    2. Crypto Currencies supporting Blockchain Algorithms.
    3. Partition Remote Administration.
    Please remember that all optional partition features must be explicitly listed on the quotation and subscribed to in order to avoid onboarding processing delays.
  6. Designate users and their Support Portal User Role who will have access to the Support Portal, and who are allowed to place support tickets, or to receive service credentials. For Privileged Users, it is mandatory to provide a mobile number, as the provisioning of service credentials requires a TAN sent via SMS.
  7. IP Access Control Lists restrict access to the CloudHSM partition to a list of whitelisted source IP addresses. IP whitelisting is exclusively available for the native APIs, e.g., JCE, MS-CNG and PKCS11, and not on supplementary services for TSB and REST unless they are operated as a dedicated instance.
  8. Select the Partition Security Policy Settings for the HSM partition, which will be used by Securosys during partition initialization.
  9. Provide the delivery address details for the shipment of Partition Administration Decanus Terminal if it will be used.
    1. Company Name
    2. Full Address (Street/No., ZIP Code, City, County, Country)
    3. Contact Name
    4. Phone number
  10. Provide any additional information if required.
  11. Complete, sign and email the CloudHSM Service Order Form to your Securosys sales representative.

2. Order processing by Securosys

Upon receipt of the CloudHSM Service Order Form, the Securosys CloudHSM operation team will register the support portal users on the Support Portal, initialize the HSM partition and provide the registered Privileged Support User (Clouds) with the service credentials required to access the HSM partition.

3. Support Portal User Registration

Every registered support portal user on the CloudHSM Service Order Form gets an account on the Securosys Support Portal, and receives a "Welcome" email with the login user to the Securosys Support Portal.

Activate your account by following the instructions How to activate a new support portal account. When you log in for the first time, complete your profile.

This account will be needed to download resources and communicate with the support team.

4. CloudHSM Service Credentials

The Securosys CloudHSM operation team initializes subscribers' partition on the HSM cluster according to the CloudHSM Service Order Form. During this process, a Service-User and a Technical-User with their corresponding passwords, or in the case of multi-tenant TSB subscription a JWT-token are created, and are provided to the registered Privileged Support User (Clouds) through independent channels.

note

Authentication to dedicated TSB (Platinum) instances is based on mutual TLS (mTLS). The setup is performed according REST-API - Configure mTLS in close cooperation between customer and Securosys Support Team.

You receive for every CloudHSM Service Credentials set a SecureSafe link to your per e-mail. The files are protected by a password (Secure Code) sent via text message to your phone.

note

Please also check your spam folder for these messages.

CloudHSM Service Credentials Provisioning

Service-User

The Service-User is used to authenticate the CloudHSM subscriber on the service level. Only after successful authentication the network gateway proxy lets the session through to the HSM cluster.

note

The Service-User credentials are referred to in the Primus API Provider configurations as "Proxy-User"/"Proxy-Password".

The registered Privileged Support User receives a link to access the Service-User credentials, provided a mobile phone number is registered as the download is protected by a security code which will be sent via an SMS text message.

The Service-User credential file is relevant for SBX, ECO, ECO-CC, Platinum subscriptions and contains:

  • Name and password to authenticate with reverse proxies.
<company>_<svc>_service_<user>_<date>.txt
Service User Name: ...              # Reverse proxy Service-User name
Service User Password: ... # Reverse proxy Service-User password
HSM User Name: ... # Reference to HSM user/partition name

Technical-User

The Technical-User credentials are used when connecting for the first time with your HSM cluster partition. This setup password will be disposed of and replaced with a user secret. The user secret will never be revealed on display.

note

The Technical-User credentials are referred to in the Primus API Provider configurations as "HSM-User"/"HSM-Password".

Again, the registered Privileged Support User receives a link to access the Technical-User credentials, provided a mobile phone number is registered as the download is protected by a security code which will be sent via an SMS text message.

The Technical-User credential file is relevant for SBX, ECO, ECO-CC, Platinum subscriptions and contains:

  • Name and setup password to access the HSM partition and PKCS#11 secret.
<company>_<svc>_hsm_<user>_<date>.txt
HSM User Name: ...                  # HSM user/partition name
HSM User Setup Password: ... # HSM user/partition initial password
PKCS#11 password : ... # if PKCS#11 API ordered
note

The Technical-User HSM Setup Password has a limited lifetime of 7 days from first usage. If you don’t accomplish to setup your application and connect to the HSM cluster within that time you have to contact Securosys through the Support Portal to renew the HSM Setup Password.

IMPORTANT: In ECO-CC the lifetime is limited to 7 days from the date of issuance.

JWT-Token

The JSON Web Token (JWT) serves as an authentication mechanism for CloudHSM subscribers within the multi-tenant TSBaaS environment. It enables secure communication with the CloudHSM HSM partition via Transaction Security Broker (REST-API).

The registered Privileged Support User (Clouds) receives a link to access the JWT-token, provided a mobile phone number is registered as the download is protected by a security code which will be sent via an SMS text message.

The JWT-Token credential file is relevant only for multi-tenant TSBaaS subscriptions and contains:

  • JSON Web Token to authenticate on Transaction Security Broker (TSB) and RESTful-API.
<organization>_<svc>_jwt_<user>_<date>.txt
- Details for Restful-API & Transaction Security Broker:
    API-Endpoint: https://<service-url>.cloudshsm.com
   JWT-TOKEN: ...

   Documentation available at: https://<service-url>.cloudshsm.com/swagger-ui/index.html
   - Select the 'Authorize' button and insert the JWT token if you wish to try out some commands on the Swagger-UI.
   - You may also test connectivity using the following curl command:
      curl -X GET 'https://sbx-rest-api.cloudshsm.com/v1/versionInfo' -H 'Authorization: Bearer <YOUR_JWT_TOKEN_HERE>

5. Partition Initialization

Following the receipt of your CloudHSM Access Credentials, the subscriber can proceed with the API Provider Setup Instructions to install the Primus API Provider on the application host, after which the CloudHSM service is ready for use.

6. (Optional) Download Additional Resources

If your service is meant to be used with other applications such as AWS BYOK, Hashicorp Vault, CyberArk, or others follow the instructions provided by email or in the documentation of the Use Cases.

tip

Need help? Feel free to contact the support team.