Activation Process
CloudHSM services can be subscribed to either through in-person sales or online via Cloud Console. The onboarding procedure varies depending on the purchase channel.
- In-Person Purchase
- Online - Cloud Console
1. CloudHSM Service Order Form
Upon customer confirmation of the service quotation or upon receiving customer's purchase order the subscriber will be requested to fill out and return the CloudHSM Service Order Form.
The CloudHSM Service Order Form is a technical document that allows you to specify the configuration parameters and options for Securosys to deploy your CloudHSM partition. Of course, only quoted/ordered options may be selected.
How do you fill in the CloudHSM Service Order Form:
- Enter the offer or purchase order reference.
- Select the service start date. Note, that the service activation can take up to 72 hours.
- Select the HSMaaS Service Package and corresponding HSM Cluster location, and if applicable select the supplementary services for TSBaaS and RESTaaS.
- Select the API.
- Select the Optional partition features, e.g.:
- Smart Key Attributes for HSM-enforced multi-signature schemes.
- Crypto Currencies supporting Blockchain Algorithms.
- Partition Remote Administration.
- Designate users and their Support Portal User Role who will have access to the Support Portal, and who are allowed to place support tickets, or to receive service credentials. For Privileged Users, it is mandatory to provide a mobile number, as the provisioning of service credentials requires a TAN sent via SMS.
- IP Access Control Lists restrict access to the CloudHSM partition to a list of whitelisted source IP addresses. IP whitelisting is exclusively available for the native APIs, e.g., JCE, MS-CNG and PKCS11, and not on supplementary services for TSB and REST unless they are operated as a dedicated instance.
- Select the Partition Security Policy Settings for the HSM partition, which will be used by Securosys during partition initialization.
- Provide the delivery address details for the shipment of Partition Administration Decanus Terminal if it will be used.
- Company Name
- Full Address (Street/No., ZIP Code, City, County, Country)
- Contact Name
- Phone number
- Provide any additional information if required.
- Complete, sign and email the CloudHSM Service Order Form to your Securosys sales representative.
2. Order processing by Securosys
Upon receipt of the CloudHSM Service Order Form, the Securosys CloudHSM operation team will register the support portal users on the Support Portal, initialize the HSM partition and provide the registered Privileged Support User (Clouds) with the service credentials required to access the HSM partition.
3. Support Portal User Registration
Every registered support portal user on the CloudHSM Service Order Form gets an account on the Securosys Support Portal, and receives a "Welcome" email with the login user to the Securosys Support Portal.
Activate your account by following the instructions How to activate a new support portal account. When you log in for the first time, complete your profile.
This account will be needed to download resources and communicate with the support team.
4. CloudHSM Service Credentials
The Securosys CloudHSM operation team initializes subscribers' partition on the HSM cluster according to the CloudHSM Service Order Form. During this process, a Service-User and a Technical-User with their corresponding passwords, or in the case of multi-tenant TSB subscription a JWT-token are created, and are provided to the registered Privileged Support User (Clouds) through independent channels.
Authentication to dedicated TSB (Platinum) instances is based on mutual TLS (mTLS). The setup is performed according REST-API - Configure mTLS in close cooperation between customer and Securosys Support Team.
You receive for every CloudHSM Service Credentials set a SecureSafe link to your per e-mail. The files are protected by a password (Secure Code) sent via text message to your phone.
Please also check your spam folder for these messages.
Service-User
The Service-User is used to authenticate the CloudHSM subscriber on the service level. Only after successful authentication the network gateway proxy lets the session through to the HSM cluster.
The Service-User credentials are referred to in the Primus API Provider configurations as "Proxy-User"/"Proxy-Password".
The registered Privileged Support User receives a link to access the Service-User credentials, provided a mobile phone number is registered as the download is protected by a security code which will be sent via an SMS text message.
The Service-User credential file is relevant for SBX, ECO, ECO-CC, Platinum subscriptions and contains:
- Name and password to authenticate with reverse proxies.
Service User Name: ... # Reverse proxy Service-User name
Service User Password: ... # Reverse proxy Service-User password
HSM User Name: ... # Reference to HSM user/partition name
Technical-User
The Technical-User credentials are used when connecting for the first time with your HSM cluster partition. This setup password will be disposed of and replaced with a user secret. The user secret will never be revealed on display.
The Technical-User credentials are referred to in the Primus API Provider configurations as "HSM-User"/"HSM-Password".
Again, the registered Privileged Support User receives a link to access the Technical-User credentials, provided a mobile phone number is registered as the download is protected by a security code which will be sent via an SMS text message.
The Technical-User credential file is relevant for SBX, ECO, ECO-CC, Platinum subscriptions and contains:
- Name and setup password to access the HSM partition and PKCS#11 secret.
HSM User Name: ... # HSM user/partition name
HSM User Setup Password: ... # HSM user/partition initial password
PKCS#11 password : ... # if PKCS#11 API ordered
The Technical-User HSM Setup Password has a limited lifetime of 7 days from first usage. If you don’t accomplish to setup your application and connect to the HSM cluster within that time you have to contact Securosys through the Support Portal to renew the HSM Setup Password.
IMPORTANT: In ECO-CC the lifetime is limited to 7 days from the date of issuance.
JWT-Token
The JSON Web Token (JWT) serves as an authentication mechanism for CloudHSM subscribers within the multi-tenant TSBaaS environment. It enables secure communication with the CloudHSM HSM partition via Transaction Security Broker (REST-API).
The registered Privileged Support User (Clouds) receives a link to access the JWT-token, provided a mobile phone number is registered as the download is protected by a security code which will be sent via an SMS text message.
The JWT-Token credential file is relevant only for multi-tenant TSBaaS subscriptions and contains:
- JSON Web Token to authenticate on Transaction Security Broker (TSB) and RESTful-API.
- Details for Restful-API & Transaction Security Broker:
API-Endpoint: https://<service-url>.cloudshsm.com
JWT-TOKEN: ...
Documentation available at: https://<service-url>.cloudshsm.com/swagger-ui/index.html
- Select the 'Authorize' button and insert the JWT token if you wish to try out some commands on the Swagger-UI.
- You may also test connectivity using the following curl command:
curl -X GET 'https://sbx-rest-api.cloudshsm.com/v1/versionInfo' -H 'Authorization: Bearer <YOUR_JWT_TOKEN_HERE>
5. Partition Initialization
Following the receipt of your CloudHSM Access Credentials, the subscriber can proceed with the API Provider Setup Instructions to install the Primus API Provider on the application host, after which the CloudHSM service is ready for use.
6. (Optional) Download Additional Resources
If your CloudHSM service is meant to be used with other applications such as AWS BYOK, CyberArk PAM, HashiCorp Vault or others, follow the instructions provided by email or in the documentation of the Use Cases.
Contact our support team for further assistance.
1. Activate your Account for the Support Portal
Upon subscription, an account for the Support Portal is pre-created for you. This account will be needed to download resources and communicate with the support team.
Activate your account by following the instructions. When you log in for the first time, complete your profile.
2. Download the CloudHSM Service Credentials
Upon subscription, you will receive a one-time PIN code by email once your service is created and ready. While you will be able to use the service immediately, it may take up to 72 hours until your service will be fully parametrized according your selection.
Click on the Download button in the email and enter the 6-characters-long one-time PIN code to download the access credentials. In case the Download button is not visible in the email, download the images first.
The CloudHSM credential files downloaded from Cloud Console contains:
- Details for Native-API (JCE, PKCS#11, MS CNG)
HSM User Name: ... # HSM user/partition name
HSM User Setup Password: ... # HSM user/partition initial password
Service (Proxy) User Name: ... # Reverse proxy Service-User name
Service (Proxy) User Password: ... # Reverse proxy Service-User password
PKCS#11 password : ... # if PKCS#11 API ordered
- Details for Restful-API & Transaction Security Broker:
JWT-TOKEN for Restful-API & Transaction Security Broker: ...
Not all credentials may be necessary for your service subscription.
The Technical-User HSM Setup Password has a limited lifetime of 7 days from first usage. If you don’t accomplish to setup your application and connect to the HSM cluster within that time you have to contact Securosys through the Support Portal to renew the secret.
IMPORTANT: In ECO-CC the lifetime is limited to 7 days from the date of issuance.
3. Setup the Primus API Provider(s)
Once you have the CloudHSM Service Credentials, please proceed with the installation of the Primus API Provider on the application host.
4. (Optional) Download Additional Resources
If your CloudHSM service is meant to be used with other applications such as AWS BYOK, CyberArk PAM, HashiCorp Vault or others, follow the instructions provided by email or in the documentation of the Use Cases.
Contact our support team for further assistance.