Skip to main content


On-premises connectivity details showcase general details for:

Primus HSM

Setting up and configuring the Primus HSM hardware is not described in this section. Please refer to the corresponding Primus HSM User Guides downloadable from the Securosys Support Portal.


Ensure the APIs to be used are included in your HSM license. For license upgrades please contact Securosys.

Default Configuration

The on-premises Primus HSM can be reached through the default ports (listed in the table below) unless they have been configured differently by your HSM administrator. Refer to Primus User Guide for more details.

TCP Port
TCP Port
TCP Port
High Availability
TCP Port
Partition Decanus
Provided by your HSM administrator.
If enabled uses JCE, PKSC11, MSCNG ports.

The Transaction Security Broker (TSB) and REST API are using the JCE API port.

Setup Password & Permanent Secret

To establish a valid connection to the HSM an application will require a valid setup password, which can be issued as follows:


The setup password has limited time validity and should be used to obtain or update a permanent secret as soon as possible, not as a permanent solution.

As the Setup password will expire (by default in 72 hours), you should fetch the permanent secret. See the respective documentation for each API on how fetch the permanent secret:

Decanus Terminal

Decanus is the tamper-protected remote administration terminal for the Primus HSM.


The Decanus Terminal must be enabled in the HSM configuration before use. The Decanus Terminal must be paired initially with the HSM, to establish a secure connection.

Decanus may comprise different firmware variants and applications, e.g.:

  • Primus HSM Device Administration

    • Enabling remote administration of up to 64 Primus HSM devices, by extending the user interface, card slots, and USB slot in a secure manner.
    • Connects over an IP network to the configured HSM management interface and TCP port, see Default Configuration for default values.
  • Primus HSM Partition Administration and Auditing

    • Enabling remote administration and audit of up to 64 single Primus HSM partitions (Partition SO)
    • Connects to one of the configured Primus HSM API interfaces and port (on HA Master device), see Default Configuration for default values.

For more details refer to Decanus Terminal User Guide, downloadable from the Securosys Support Portal.

High Availability


High availability is configured by HSM administrators and requires multiple Primus HSM devices.

Devices of a cluster, for which the high-availability option “HA” is enabled, are synchronized in a timely manner to ensure load balancing without the need for manual cloning each time a user key or object is generated or modified.

By default, a Clone tries to establish a connection with the Master using the configured Master URLs and tries to synchronize with the Master. After pairing, these devices will synchronize themselves via Ethernet as long as they are able to connect to the network.

For more details on HA refer to Primus User Guide - High-Availability Remote Cloning.

Transaction Security Broker

Connectivity details for on-premises Transaction Security Broker (TSB) with different deployment versions of Securosys HSMs.

TSB ServiceDescriptionAuthenticationEndpoint(s)
HSMaaSHSMaaS with onPremise TSB-Deployment, and hsm.port=2300 default (JCE/JCA) PortanyHSMaaS - Hostname(s)
Dedicated (Platinum)TSB bound to CloudHSM PLA partitionmutualTLSdedicated domain-name as <dedicated>
OnPremise (HSM)<IP> of HSM (Data-Interface),
hsm.port=2300 default (JCE/JCA) Port