Configure the HSM
The Fireblocks Key Link Agent needs to be explicitly enabled in the User Security configuration of the HSM partition that Fireblocks will use. This guide shows how to do that.
This guide assumes that you have completed the basic setup of the HSM and the Initial Wizard, have configured the Security Officer (SO) roles, and have created a partition for Fireblocks to use.
The steps in this guide can be performed in either of two ways:
- As a (Device) Security Officer (DSO, also known as SO), via any of the three administrative interfaces (console, device front panel, Decanus Terminal).
- As a Partition Security Officer (PSO), via the Decanus Terminal.
Log In as SO/PSO
Before you start, log in to the HSM via one of its administrative interfaces (console, device front panel, Decanus Terminal) using the SO or PSO role.
PSO:
Connect ➜ (HSM tile) ➜ (Enter PSO cards + PINs)
UI:
SO Activate
Console:
so
Enable the Fireblocks Integration
Enable the per-partition settings ("User Configuration"), which will override the device-wide settings. See also Section 3.9 "Individual Configuration" in the Primus HSM User Guide.
Next, enable the Fireblocks feature in the User Security Configuration, as well as the features that Fireblocks depends on.
PSO:
User Config ➜ Edit ➜ (setting)
Enable the following settings:
- User Configuration
- JCE
- REST API access
- Fireblocks
When using Smart Key Attributes (SKA), also enable:
- TSB Workflow Engine
- Key Authorization
UI:
Setup ➜ Configuration ➜ Security ➜ User Security ➜ (User) ➜ (setting)
Enable the following settings:
- User Configuration
- JCE
- REST API access
- Fireblocks
When using Smart Key Attributes (SKA), also enable:
- TSB Workflow Engine
- Key Authorization
Console:
hsm_user_enter_config
hsm_user_set_config use_usr_cnf=true
hsm_user_set_config jce=true
hsm_user_set_config rest_api=true
hsm_user_set_config fireblocks=true
# When using SKA
hsm_user_set_config key_auth=true
hsm_user_set_config tsb_engine=true
hsm_user_exit_config
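A pre-change check for a console command batch like the one above, as an added example that is not part of the original guide: it reports settings this guide requires but the batch leaves off, and settings the batch enables beyond what this guide calls for. The function name `lint_runbook`, the `BAD` sample, and the rule that `hsm_user_set_config` must sit between the enter and exit commands are assumptions made for this example.

```python
import re

# Setting keys exactly as they appear in this guide's console commands.
REQUIRED = {"use_usr_cnf", "jce", "rest_api", "fireblocks"}
SKA_ONLY = {"key_auth", "tsb_engine"}
SET_RE = re.compile(r"^hsm_user_set_config\s+(\w+)=(true|false)$")

def lint_runbook(text, ska=False):
    """Return findings for a command batch; an empty list means it matches the guide."""
    findings, state, in_cfg = [], {}, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments such as "# When using SKA"
        if not line:
            continue
        if line == "hsm_user_enter_config":
            in_cfg = True
        elif line == "hsm_user_exit_config":
            in_cfg = False
        elif (m := SET_RE.match(line)):
            if not in_cfg:  # assumption: the guide always brackets sets with enter/exit
                findings.append(f"line {n}: hsm_user_set_config outside enter/exit config")
            state[m.group(1)] = m.group(2) == "true"   # last assignment wins
        else:
            findings.append(f"line {n}: command not covered by this guide: {line!r}")
    if in_cfg:
        findings.append("missing hsm_user_exit_config")
    wanted = REQUIRED | (SKA_ONLY if ska else set())
    for key in sorted(wanted):
        if not state.get(key):
            findings.append(f"{key} is not enabled")
    # Least privilege: anything switched on beyond the guide's list needs a reason.
    for key in sorted(k for k, v in state.items() if v and k not in wanted):
        findings.append(f"{key} enabled but not required by this guide")
    return findings

# Constructed sample: forgets use_usr_cnf and the exit command, enables an SKA setting.
BAD = """hsm_user_enter_config
hsm_user_set_config jce=true
hsm_user_set_config rest_api=true
hsm_user_set_config fireblocks=true
hsm_user_set_config key_auth=true
"""

if __name__ == "__main__":
    for finding in lint_runbook(BAD):
        print(finding)
```

Pass `ska=True` when the partition uses Smart Key Attributes, so that `key_auth` and `tsb_engine` are treated as required rather than as extras.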