Configure the HSM

info

This step is only needed for on-premise Primus HSM setups. Skip this step if you are using CloudHSM.

This page explains how to configure a Primus HSM to be used for eIDAS use cases. For more details, see the Primus HSM User Guide, in particular Section 14.1.5 "User Policy".

This guide assumes that you have done the basic setup of the HSM, have completed the Initial Wizard, and have Security Officer (SO) roles configured.

The following configuration changes need to be made at the device level. The partition-level changes are covered in the next step.

Before you start, log in to the HSM via one of its administrative interfaces (console, device front panel, Decanus Terminal). Then activate SO:

SO Activate

Enable JCE

In a cluster: must be done on the Master.

Make sure that the JCE API is enabled:

Setup ➜ Configuration ➜ Security ➜ Device Security ➜ Crypto Policy ➜ JCE

Also set up your network configurations to enable the JCE port.

Initialize the Root Key Store

In a cluster: must be done on every device.

The Root Key Store (RKS) needs to be installed and set up. To find out whether this has already been done on a device, check that the Root Key Store is shown as "active":

System ➜ Diagnostics Device ➜ Firmware

If the Root Key Store is not yet set up, run the following commands. The HSM may prompt you to insert a USB stick containing your license file.

System ➜ Root Key Element ➜ Install Root Key Element

System ➜ Root Key Element ➜ Setup Root Key Store

warning

This will delete any previously installed Root Key Store! This step only needs to be done once per HSM. Skip this step if you have already set up the Root Key Store before.

Create a Partition

In a cluster: must be done on the Master.

A "Partition" (from the HSM's perspective also called a "User") is a dedicated space on the HSM, with a separate key store and separate security settings. This allows isolating environments on the HSM, as a form of multi-tenancy.

Create a new Partition to use for your eIDAS application:

Roles ➜ User ➜ Create

Best Practices

  • Set up a cluster of HSMs, for increased uptime and to prevent data loss (since syncing to another HSM is also a form of backup).

  • Take regular backups and store them safely. Ideally, take a device backup (as SO), but at least a partition backup (as PSO).

  • Note down the Restore Encryption PIN (REP). Keep it safe and confidential. The REP is needed to restore a device backup on a different HSM. See Section 5.1.4 "Display Restore Encryption PIN from Genesis Card" in the Primus HSM User Guide.

    Roles ➜ Genesis ➜ Display REP