Prerequisites
To install CyberVault KMS, you need:
- A Securosys Primus HSM or CloudHSM
  - With firmware version 3.2.11 (or later).
  - With a license that includes all the features that you want to use (see the HSM Configuration below).
- A Transaction Security Broker (TSB) instance to provide a REST API connection.
- Docker Engine and Docker Compose plugin
System Requirements
Every container in the Key Manager (excluding the auth container) has the following minimum requirements:
- CPU: 0.5
- RAM: 256 MB
The auth container has higher requirements because it caches more runtime state in memory:
- CPU: 1 (recommended 2)
- RAM: 2048 MB
Related components
- For the TSB (REST API), see TSB System Requirements.
- For the KMIP Server, see KMIP System Requirements.
Configuring the HSM
The steps below are only needed for on-premises Primus HSM setups.
If you are using CloudHSM, you can skip this step because the HSM is managed by Securosys.
First, make sure that the Root Key Store is set up.
In the User Security Configuration of your Partition, enable User Configuration, JCE, and REST API.
- PSO: User Config -> Edit -> (setting). Enable:
  - User Configuration
  - JCE
  - REST API
- UI: Setup -> Configuration -> Security -> User Security -> (User) -> (setting). Enable:
  - User Configuration
  - JCE
  - REST API
- Console:

  ```
  hsm_user_enter_config
  hsm_user_set_config use_usr_cnf=true
  hsm_user_set_config jce=true
  hsm_user_set_config rest_api=true
  hsm_user_list_config jce
  hsm_user_exit_config
  ```
Additionally, if you use any of the following features, enable the corresponding configuration option:
| Feature | Config Option |
|---|---|
| Enhanced Authentication Subscription | KM System |
| KMIP Server | KMI Protocol |
| Smart Key Attributes (SKA) | Key Authorization, optionally TSB Workflow Engine |