Configure the Partition
This page explains how to configure a Partition to be used for eIDAS use cases. These steps can be performed:
- Either as a Device Security Officer (DSO, aka. SO), via any of the three administrative interfaces (console, device front panel, Decanus Terminal).
- Or as a Partition Security Officer (PSO), via the Decanus Terminal.
For details, see the Decanus Terminal User Guide.
 
 
In CloudHSM, you can request PSO access to your Partition. This requires the purchase of a Decanus Terminal. If you have PSO access you can perform these steps yourself. Otherwise, Securosys will perform them for you.
This page first describes how to do nearly all of the configuration manually via the UI or the console, so that each step can be followed and explained individually.
However, the CA certificates can only be loaded via XML import. You may therefore prefer to do the entire configuration via XML (see Configure via XML below).
Enable User Configuration
Enabling User Configuration makes the per-partition settings take effect; they override the device-wide settings. See also Section 3.9 "Individual Configuration" in the Primus HSM User Guide.
PSO: This can only be done by the device SO.
UI: Setup ➜ Configuration ➜ Security ➜ User Security ➜ (User) ➜ User Configuration
Console:
hsm_sec_enter_user_config
hsm_user_set_config use_usr_cnf=true
Enable the foundational API features
Next, enable the foundational API features on the Partition: JCE, Key Authorization, REST API access, and TSB Workflow Engine.
PSO: User Config ➜ Edit ➜ (setting), for each of the following settings:
- JCE
- Key Authorization
- REST API access
- TSB Workflow Engine
UI: Setup ➜ Configuration ➜ Security ➜ User Security ➜ (User) ➜ (setting), for each of the same four settings.
Console:
hsm_user_set_config jce=true
hsm_user_set_config key_auth=true
hsm_user_set_config rest_api=true
hsm_user_set_config tsb_engine=true
Activate SAM Mode
Next, activate SAM mode on the Partition. When SAM mode is enabled, the HSM will:
- Reject SKA policies that contain public keys. Approver keys must be specified using certificates.
- Require that Approver key certificates have a valid certificate chain leading to one of the CA certificates (configured in the next step).
- Automatically set the sam-approved=true key attribute on SKA keys that fulfill the above conditions.
PSO: User Config ➜ Edit ➜ Signature Act. Module
UI: Setup ➜ Configuration ➜ Security ➜ User Security ➜ (User) ➜ Signature Act. Module
Console:
hsm_user_set_config sam=true
This setting only applies to the selected Partition. Other non-SAM partitions can co-exist on the same HSM and are unaffected. In particular, other partitions can continue to use normal, non-SAM SKA keys.
Load the CA Certificates
You need to load the certificates of the CAs that you plan to use for identifying users. The HSM later uses these CA certificates as the root of trust when verifying the approver certificates on the SKA keys. These approver certificates grant the right to use the SKA keys that create Qualified Electronic Signatures (QES) and similar.
The certificates can only be loaded via XML import. The export/edit/import steps are described below.
Edit the user config file to contain your CA certificates in the <sam_certificate id="1"> fields (one element per CA, with consecutive ids).
As a value, set the PEM-encoded certificate, but remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and all line breaks, so that only the base64 body remains on a single line.
Configure via XML
The entire configuration can also be done by importing a prepared XML file. The format looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<crypto_user state="enabled">
    <user_name>EIDAS-1</user_name>
    <jce_allowed>enabled</jce_allowed>
    <key_authorization>enabled</key_authorization>
    <rest_api>enabled</rest_api>
    <tsb_engine>enabled</tsb_engine>
    <signature_activation>enabled</signature_activation>
    <sam_certificate id="1">
        MIIDazCCAl ... PEM-encoded CA certificate, without BEGIN and END headers, without newlines.
    </sam_certificate>
    <!-- other settings omitted -->
</crypto_user>
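The PEM-to-single-line conversion from the previous section and the export/edit/import flow above, as an added example (this is not Securosys tooling or code from this page). It assumes only the <crypto_user> / <sam_certificate id="N"> layout shown above; the sample .uconfig text and the toy certificate bytes are constructed for the example and are not a real CA certificate. Besides stripping the headers and line breaks, it checks that each value decodes to a complete DER SEQUENCE and re-reads the edited file, which catches the usual hand-editing mistakes (leftover BEGIN/END lines, truncated paste) before the import is attempted on the HSM.

```python
"""Prepare <sam_certificate> values for an exported Primus .uconfig file.

Added example, not Securosys code. Assumes the element layout shown on this
page; the sample .uconfig and the toy certificate below are constructed for
the example (the toy is a DER SEQUENCE, not a real X.509 CA certificate)."""
import base64
import re
import xml.etree.ElementTree as ET

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_outer_length(der: bytes) -> int:
    """Length of the outer DER TLV (tag + length bytes + content)."""
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_sam_value(pem: str) -> str:
    """Return the base64 body of exactly one PEM certificate with the BEGIN/END
    lines and all line breaks removed, i.e. the form <sam_certificate> expects.
    Raises ValueError for anything that is not one well-formed certificate."""
    bodies = _PEM_RE.findall(pem)
    if len(bodies) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(bodies)}")
    body = "".join(bodies[0].split())      # drop newlines and other whitespace
    der = base64.b64decode(body, validate=True)
    # An X.509 certificate is an outer SEQUENCE (tag 0x30) whose encoded length
    # must cover the whole blob; a truncated or mangled paste fails here.
    if len(der) < 2 or der[0] != 0x30 or _der_outer_length(der) != len(der):
        raise ValueError("body is not a complete DER SEQUENCE (X.509 certificate)")
    return body


def add_sam_certificates(uconfig_xml: str, pems: list) -> str:
    """Add one <sam_certificate id="N"> per PEM to a .uconfig document,
    numbering ids after any already present, and return the new XML text."""
    root = ET.fromstring(uconfig_xml.encode("utf-8"))
    if root.tag != "crypto_user":
        raise ValueError("not a <crypto_user> configuration")
    present = root.findall("sam_certificate")
    next_id = max((int(e.get("id")) for e in present), default=0) + 1
    # Place new entries after existing ones, otherwise right after the SAM switch.
    after = present[-1] if present else root.find("signature_activation")
    pos = list(root).index(after) + 1 if after is not None else len(root)
    for pem in pems:
        el = ET.Element("sam_certificate", {"id": str(next_id)})
        el.text = pem_to_sam_value(pem)
        root.insert(pos, el)
        el.tail = "\n" if pos == len(root) - 1 else "\n    "   # keep indentation tidy
        if pos > 0:
            root[pos - 1].tail = "\n    "
        pos += 1
        next_id += 1
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def loaded_certificates(uconfig_xml: str) -> dict:
    """Decode every <sam_certificate> back to DER (id -> bytes). Run this on the
    edited file before importing it: it fails on leftover PEM header lines and
    on invalid base64, the mistakes hand-editing invites."""
    root = ET.fromstring(uconfig_xml.encode("utf-8"))
    out = {}
    for el in root.findall("sam_certificate"):
        body = "".join((el.text or "").split())
        if "-----" in body:
            raise ValueError(f"sam_certificate id={el.get('id')} still has PEM header lines")
        out[int(el.get("id"))] = base64.b64decode(body, validate=True)
    return out


# Constructed toy "certificate": a DER SEQUENCE with a long-form length,
# 203 bytes in total, so its base64 wraps over several PEM lines.
TOY_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + bytes(197)
SAMPLE_B64 = base64.b64encode(TOY_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

# Constructed sample of an exported .uconfig (XML despite the extension).
SAMPLE_UCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<crypto_user state="enabled">
    <user_name>EIDAS-1</user_name>
    <jce_allowed>enabled</jce_allowed>
    <key_authorization>enabled</key_authorization>
    <rest_api>enabled</rest_api>
    <tsb_engine>enabled</tsb_engine>
    <signature_activation>enabled</signature_activation>
</crypto_user>
"""

if __name__ == "__main__":
    edited = add_sam_certificates(SAMPLE_UCONFIG, [SAMPLE_PEM])
    print(edited)
    print({cid: len(der) for cid, der in loaded_certificates(edited).items()})
```

In practice, read the exported .uconfig and your CA PEM files from disk, write the string returned by add_sam_certificates back to the USB stick or WebDAV storage, and run loaded_certificates on that file before importing it. The DER length check is deliberately minimal: it proves the value is one complete certificate-shaped blob, not that the certificate is a CA or that it chains correctly, which the HSM decides when it verifies approver certificates.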
The recommended steps are:
- Export the current user config. This writes a .uconfig file to your USB stick or WebDAV storage. The file is formatted as XML, despite the custom file extension. You may archive this file for your reference.
- Manually edit the config file.
- Import the new config file.
To export the user config:
PSO: User Config ➜ Export
UI: Setup ➜ Configuration ➜ Import/Export ➜ User Config Export
Console: hsm_user_export_config
To import the user config:
PSO: User Config ➜ Import
UI: Setup ➜ Configuration ➜ Import/Export ➜ User Config Import
Console: hsm_user_import_config
See also Section 5.5.12 "User Configuration Export/Import" in the Primus HSM User Guide.
Best Practices
- Take regular backups and store them safely. Ideally, take a device backup (as SO), but at least a partition backup (as PSO).
- Note that SKA keys cannot be exported, not even in wrapped form. In other words, they always have the key attribute extractable=false set.