Configuration

• First adapt the configuration file /etc/primus/primus.cfg (or %ProgramFiles%\Securosys\Primus P11) as described below.

• In case you are using a service proxy (CloudHSM) configure the service proxy details.

• After that, establish HSM connectivity, fetching the HSM permanent secret using the ppin command line tool.

Configuration Files

Unix

primus.cfg

Possible configuration locations:

1. /etc/primus/primus.cfg

   The primary location lookup when initializing the PKCS#11 library. The configuration file name is labeled 'primus.cfg', in lower case. When not found, the configuration initialization falls back to the fallback location. Initially the directory and files don't exist. Add the directory and copy the files from the fallback location and adjust the access rights. It is recommended to use the primary location.

2. /usr/local/primus/etc/primus.cfg

   The fallback location¹ lookup when initializing the PKCS#11 library. The configuration file name is labeled 'primus.cfg', in lower case. Note, that a provider update will overwrite the file!

3. SECUROSYS_PKCS11_CONF

   The environment variable pointing to the fully qualified configuration file name. When set, the environment variable supersedes the primary and fallback configuration locations.

If the file cannot be located, the initialization fails and returns an initialization error.

.secrets.cfg

Possible configuration locations:

1. /etc/primus/.secrets.cfg

   The primary location lookup when accessing the permanent secrets information. The file name is labelled '.secrets.cfg', in lower case. When not found, the initialization falls back to the fallback location.

   Initially the directory and file don't exist. Add the directory and copy the files from the fallback location and adjust the access rights. It is recommended to use the primary location.

2. /usr/local/primus/etc/.secrets.cfg

   The fallback¹ location lookup when accessing the permanent secrets information. The file name is labeled '.secrets.cfg', in lower case. Note, that a provider update will overwrite the file!

3. SECUROSYS_SECRETS_CONF

   The environment variable pointing to the fully qualified permanent secrets file name. When set, the environment variable supersedes the primary and fallback configuration locations.

If the file cannot be located, the initialization fails and returns an initialization error.

syslog

Configure 'rsyslog.conf' and 'logrotate' to log the Primus PKCS#11 events. Add the lines in /etc/rsyslog.conf:

# Save primus messages also to primus.log
syslog.* /var/log/primus.log

And add the line in /etc/logrotate.d/syslog:

/var/log/primus

Restart the syslog daemon.

Microsoft Windows

primus.cfg

Possible configuration locations:

1. HKCU\Software\Primus\configFilename

   • The primary location lookup when initializing the PKCS#11 library. Contains the complete pathname of the configuration file. When not found, the configuration initialization falls back to HKLM\Software\Primus\configFilename

2. HKLM\Software\Primus\configFilename

   • The secondary location lookup when initializing the PKCS#11 library. Contains the complete pathname of the configuration file.

3. %ProgramFiles%\Securosys\Primus P11\primus.cfg

   • The fallback location² lookup when initializing the PKCS#11 library. The configuration file name is labeled 'primus.cfg', in lower case. Note, that a provider update will overwrite the file!

4. SECUROSYS_PKCS11_CONF

   • The environment variable² pointing to the fully qualified configuration file name. When set, the environment variable supersedes the primary, secondary, and fallback configuration locations.

If the file cannot be located, the initialization fails and returns an initialization error.

secrets.cfg

Possible configuration locations:

1. HKCU\Software\Primus\secretsConfigFilename

   • The primary location lookup when accessing the permanent secrets information. Contains the complete pathname of the configuration file. When not found, the configuration initialization falls back to HKLM \Software\Primus\secretsConfigFilename

2. HKLM\Software\Primus\secretsConfigFilename

   • The secondary location lookup when accessing the permanent secrets information. Contains the complete pathname of the configuration file.

3. %ProgramFiles%\Securosys\Primus P11\.secrets.cfg

   • The fallback location² lookup when initializing the PKCS#11 library. The configuration file name is labeled '.secrets.cfg', in lower case. Note, that a provider update will overwrite the file!

4. SECUROSYS_SECRETS_CONF

   • The environment variable² pointing to the fully qualified permanent secrets file name. When set, the environment variable supersedes the primary, secondary, and fallback configuration locations.

If the file cannot be located, the initialization fails and returns an initialization error.

"primus.cfg" Configuration File Parameters

Configure your specific HSM connection details within the configuration file primus.cfg. Adapt the colored parameters according to your HSM setup (cluster configuration). Default HSM connection details (hostnames, ports) can be found at the bottom, if not provided by your security officer. For setting up your CloudHSM, have a look at the example on how to configure the CloudHSM access.

Standalone HSM with one partition

#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = "1.0";

/* This example configuration template contains 1 slot:                    */
/* hsm0: standalone hsm with one partition (slot id 0)                     */ 

/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
  wait_delay = 250; /* in ms*/
  wait_max_tries = 5;
  connect_on_init = false;

  /*--- HSM CONFIGURATION SECTION -----------------------------------------*/
  hsms:
  {
     /*--- HSM0, e.g. standalone hsm with one partition, slot id 0 */
     hsm0:
     {
        host = "HSM0_HostnameOrIpOrProxyURL";
        port = "2310";
        slots:
        {
           slot0:
           {
              client_id = "Client_ID0";
              user_name = "PARTITION_NAME0";
              id = 0;
           }; /* end slot0 */
        }; /* end slots */
     }; /* end hsm0 */
  }; /* end hsms */

  /*--- LOG CONFIGURATION SECTION -----------------------------------------*/
  log:
  {
#    file = "/tmp/primus.log";    /* optional for unix, logs to LOCAL1 syslog */
#    file = "%PUBLIC%\Securosys\Primus P11\primus.log";  /* for windows */
    trace_linenumber    = false;    /* true or false */
    trace_timestamp     = true;     /* true or false */
    trace_function      = true;     /* true or false */
    trace_inout         = false;    /* true or false */
    trace_pid           = true;     /* true or false */
    trace_filename      = false;    /* true or false */
    trace_mask          = 0x00;
    trace_level         = 4;        /* 0-7 log level details */
  }; /* end log */

}; /* end primus */

Cluster with two partitions

#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = "1.0";

/* This example configuration template contains 3 slots:                   */
/* hsm1,hsm2: redundant hsm cluster with each two partitions (slot id 1+2) */
/*            e.g. for CloudHSM service                                   */

/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
  wait_delay = 250; /* in ms*/
  wait_max_tries = 5;
  connect_on_init = false;

  /*--- HSM CONFIGURATION SECTION -----------------------------------------*/
  hsms:
  {
      /*--- HSM1, e.g. redundant CloudHSM cluster with two partitions (slot id 1+2) */
      hsm1:
      {
         host = "a-api.cloudshsm.com";
         port = "2310";
         slots:
         {
            slot0:
            {
              client_id  = "Client_ID1";
              user_name  = "PARTITION_NAME1";
              proxy_user = "SERVICE_USER";            /* if proxy in use */
              /* proxy_password = "SERVICE_PASSWORD";    optional */
              id = 1;
            }; /* end slot0 */

            slot1:
            {
              client_id  = "Client_ID2";
              user_name  = "PARTITION_NAME2";
              proxy_user = "SERVICE_USER";            /* if proxy in use */
              id = 2;
            }; /* end slot1 */
         }; /* end slots */
      }; /* end hsm1 */
    
      /*--- HSM2 of redundant CloudHSM cluster with two partitions (slot id 1+2) */
      hsm2:
      {
         host = "b-api.cloudshsm.com";
         port = "2310";
         priority = 1; /* Optional priority. Default 0, which is highest priority */
         slots:
         {
            slot0:
            {
              client_id  = "Client_ID1";
              user_name  = "PARTITION_NAME1";
              proxy_user = "SERVICE_USER";            /* if proxy in use */
              id = 1;
            }; /* end slot0 */

            slot1:
            {
              client_id  = "Client_ID2";
              user_name  = "PARTITION_NAME2";
              proxy_user = "SERVICE_USER";            /* if proxy in use */
              id = 2;
            }; /* end slot1 */
         }; /* end slots */
      }; /* end hsm2 */

  }; /* end hsms */

  /*--- LOG CONFIGURATION SECTION -----------------------------------------*/
  log:
  {
#    file = "/tmp/primus.log";    /* optional for unix, logs to LOCAL1 syslog */
#    file = "%PUBLIC%\Securosys\Primus P11\primus.log";  /* for windows */
    trace_linenumber    = false;    /* true or false */
    trace_timestamp     = true;     /* true or false */
    trace_function      = true;     /* true or false */
    trace_inout         = false;    /* true or false */
    trace_pid           = true;     /* true or false */
    trace_filename      = false;    /* true or false */
    trace_mask          = 0x00;
    trace_level         = 4;        /* 0-7 log level details */
  }; /* end log */

}; /* end primus */

The version = "1.0"; line indicates the configuration file version. ³

The top-level primus:{ ... }; block contains the fields:

Attributes	Content description
wait_delay	Duration to wait when incomplete data received [ms]. (default: 250 [ms])
wait_max_tries	Number of tries when waiting for data completion and fallback3 to next cluster HSM (default: 5) net.ipv4.tcp_syn_retries is reduced (=2) via socket options to reduce failover times
connect_on_init	Connect to configured HSM(s) on library initialization resulting in shorter connection setup times (default: false)
hsms	List of HSMs, in hsms:{ ... }; block.

Section 'hsms'

The hsmx:{ ... }; block contains the HSM connection and partition definitions, where x is indexed from 0..n.

Attributes	Content description
host	The hostname or IP address of the HSM or the service proxy.
port	The port of the PKCS#11 API on the HSM or service proxy, as a string.
priority4	Optional: Priority in selecting a redundant HSM. The smaller the value, the higher priority. Round-robin for equal priority. Values: 0-127, default priority value is 0 (=highest priority).
pin	Optional, not recommended: The setup password for the connection with the HSM. If present, the PKCS#11 Provider will use it to connect to the HSM partition. This setup password has a limited time validity. Use the 'ppin' utility to fetch the partition permanent secret.
slots	List of enumerated slots of the HSM.

Clustered HSMs (having the same PKCS#11 Slot ID, see id in Section slots) are redundant. The first connection is selected randomly from the highest priority pool (=lowest value) and after that round-robin from the same pool. If no HSM of this priority pool is reachable, the next lower priority pool is considered in the same manner until all pools are exhausted. In this case the provider returns a CKR_TOKEN_NOT_PRESENT error.

Section slots⁵

The slots:{ ... }; block contains sub-blocks slotx:{ ... }; which each define a slot (partition) with the following fields:

Attributes	Content description
user_name	The name of the HSM user (partition). It is assumed that identical user_names on same or different HSMs refer to a redundant partition (cluster), assigning automatically the same user credentials. Therefore not redundant partitions must have different partition names!
client_id	An ID string chosen by the client to identify itself or the application. It is a part of the complete user Id received and logged on the HSM (partially hashed): myApplication@hash(machine_name@ipd_adress@mac_address) Example: myApplication@d1172dac ...
proxy_user	CloudHSM only: the name of the service user (proxy), as provided by Securosys.
proxy_password	CloudHSM only: the password for the service user (proxy)
id	PKCS#11 Slot ID assigned to the HSM partition, e.g. id=0

A network HSM differs slightly compared to a card reader (=slot) with an inserted card (=token):

• A connected HSM partition corresponds to a PKCS#11 slot with inserted token, both having the name of the partition.

• Different PKCS#11 Slot IDs have to be assigned for different partitions on same and multiple HSMs.

• Same PKCS#11 Slot ID has to be assigned for redundant partitions (cluster). Cluster redundancy is not visible for the applications; partition name and serial number are identical on all redundant partitions.

• A partition may be addressed via multiple slots (using different PKCS#11 Slot IDs) to parallelize access (performance optimization).

• The provider assumes that partitions with the same user_name are redundant and use the same credentials.

• A service proxy (CloudHSM) autonomously distributes new connections to different redundant HSMs in the cluster.

Section log

The log info is written to the syslog channel for Unix and to the debug channel on Windows. The log:{ ... }; block contains the fields:

Attributes	Content description
file	Complete pathname to an optional file where a copy of the log information is written.
trace_linenumber	Add the source line number to the message <false|true>
trace_timestamp	Add a timestamp to the message6 <false|true>
trace_function	Add the function name to the message <false|true>
trace_inout	Add function's entry/exit messages <false|true>
trace_pid	Add process name/id to the message <false|true>
trace_filename	Add source filename to the message <false|true>
trace_mask	Allow trace messages: 0x00 None 0x01 log input of each p11 function 0x02 log protocol serialization information 0x04 log received TCP data information (avail. Bytes, bytes read)
trace_level	The maximum level of detail allowed in messages (0-7)

The trace_level have the following meaning:

trace_level	Label	Severity	Description
0	LOG_EMERG	Emergency	system is unusable
1	LOG_ALERT	Alert	action must be taken immediately
2	LOG_CRIT	Critical	critical conditions
3	LOG_ERR	Error	error conditions
4	LOG_WARNING	Warning	warning conditions
5	LOG_NOTICE	Notice	normal but significant condition
6	LOG_INFO	Informational	informational messages
7	LOG_DEBUG	Debug	debug-level messages

On Unix: optionally write log information to 'file' in addition to syslog, default /tmp/primus.log.

On Windows: write log information to 'file'; default %PUBLIC%\Securosys\Primus P11\primus.log⁶

Please check, that the user has read/write access to this log-file.

Default Connection Parameters of the PKCS#11 API

The table below shows the default configuration values, if not specified differently by your Security Officer (SO):

	Hostname or IP Address	Port Number	Using Proxy
Standard HSM	as setup by your SO	2310	no
Developer program	grimsel.securosys.ch	2410	no
	nufenen.securosys.ch	2411	no
	oberalp.securosys.ch	2412	yes
CloudHSM CH	a-api.cloudshsm.com	2310	yes
	b-api.cloudshsm.com	2310	yes

For other CloudHSM clusters see the application note CloudHSM - Connectivity details.

Footnotes

1. Versions prior to v1.5 have primary and fallback configuration location swapped. ↩ ↩²

2. Environment variable support and default file location fallback were introduced with v1.8.4+ ↩ ↩² ↩³ ↩⁴

3. In version 0.9.xxx the fallback mechanism is disabled. ↩ ↩²

4. Introduced with v1.7 ↩

5. Version prior to v1.0.3 use a different notation for slots block and slot id. ↩

6. Versions prior to v1.5 do not support timestamp on Linux nor environment variable on Windows ↩ ↩²