Installing Multiple CNG/KSP Provider Instances
Starting from CNG/KSP Provider version 1.40, multiple provider instances can be installed.
These can only be installed using procedures based on the KspCfg.ini configuration file.
The number of provider instances can only be changed via the installation procedure.
Installation Steps
-
Adapt the
KspCfg.inisample file, located within the setup folder. The sectionPROVIDERSof theKspCfg.iniconfiguration file defines how many provider instances will be installed including their naming:[PROVIDERS]
PROVIDER_1 = Securosys Primus HSM Key Storage Provider 1
PROVIDER_2 = Securosys Primus HSM Key Storage Provider 2
PROVIDER_3 = Securosys Primus HSM MyPartition
PROVIDER_4 = Customer ABC -
Delete further sections in case you configure the provider instances via the graphical Securosys "Key Storage Provider Configuration" tool.
-
To configure the provider during the installation procedure (e.g. Active Directory), define the other sections with the necessary configuration parameters per provider instance. See
KspCfg.inisample file for explanations.The following example shows the configuration for a provider using a developer account and a second provider using a CloudHSM Sandbox (SBX) partition:
[PROVIDERS]
PROVIDER_1 = Primus Dev MY-PARTITION
PROVIDER_2 = Primus Sandbox TEST-PARTITION
[PROVIDER_1.HSM_1]
ID = Grimsel_MY-Partition
HOSTNAME = grimsel.securosys.ch
PORTNUMBER = 2320
PRIORITY = 0
HSM_USERNAME = MY-PARTITION
HSM_PASSWORD = KC5b2-VX5NZ-…-8CbGZ-1NCre
[PROVIDER_2.HSM_1]
ID = CloudHSM-Sandbox_TEST-PARTITION
HOSTNAME = a-api.cloudshsm.com
PORTNUMBER = 2320
PRIORITY = 0
HSM_USERNAME = TEST-PARTITION
HSM_PASSWORD = KC5b2-VX5NZ-…-8CbGZ-1NCre
PROXY_USERNAME = myServiceUserName
PROXY_PASSWORD = ivd0rra…s4mpgb7
[PROVIDER_2.HSM_2]
ID = CloudHSM-Sandbox_TEST-PARTITION
HOSTNAME = b-api.cloudshsm.com
PORTNUMBER = 2320
PRIORITY = 0
HSM_USERNAME = TEST-PARTITION
HSM_PASSWORD = KC5b2-VX5NZ-…-8CbGZ-1NCre
PROXY_USERNAME = myServiceUserName
PROXY_PASSWORD = ivd0rra…s4mpgb7
Steps to Increase Provider Instances
The number of provider instances can only be changed by reinstalling the providers. We suggest the following procedure (requiring administrator rights, but no new setup password):
-
First, update to CNG/KSP Provider V1.41+, the regular way (if an older version is installed).
-
Open a CMD shell with administrator rights and export the current configuration with the following command. Note this file is sensitive as it contains blinded secrets.
"%ProgramFiles%\Securosys\PrimusHsmKsp\kspcfgcons.exe" ExportCfg OldConfig.ini -
Copy this configuration file OldConfig.ini to
KspCfg.iniwithin your setup folder. -
Adapt the configuration, section
PROVIDERS, by adding the providers according to your needs (quantity and provider naming). Add the new configuration parameters as shown in this section or configure them later via the GUI.Example:
[PROVIDERS]
PROVIDER_1 = Securosys Primus HSM Key Storage Provider
PROVIDER_2 = Securosys Primus HSM New Partition
[PROVIDER_1.HSM_1]
ID = Grimsel Internal
DEVICENAME = GRIMSEL
HOSTNAME = grimsel.securosys.ch
PORTNUMBER = 2320
PRIORITY = 0
CLI = C91C506A5C34BDE8889372FB332A…EC81BD43033915DA486D7C549C261CA79CF6D9F137
CLS = C61C563490E894930BFB202A29F879…0FC42DC39D1798E653C13E57F7983ECE4E12FF99
CLC = 2077E78A123096DA4F588BEAD395…1B691D095E2C9B606215762D8AF2A5CA20F4FD52A5
… -
Uninstall the current CNG/KSP Provider
-
Install the CNG/KSP Provider again by applying the following command, using the configuration file
KspCfg.inilocated within your setup folder:MsiExec /quiet /i setup_x64.msi INSTALLCFG=1Error WarningPlease note that any errors in the
KspCfg.inifile will result in a failed installation of the providers.