Primus HSM Configuration

To set up the Primus HSM, please follow the steps in the Primus HSM User Guide, chapter 3.

Overview

Primus HSM configuration can be performed via different user interfaces (device front panel, command-line console, Decanus Terminal, XML configuration file).

Security configuration parameters can be applied either at the global device level or scoped to an individual partition (user); both require the security officer (SO) role. The table below outlines the corresponding command differences. For comprehensive guidance, refer to the Primus HSM User Guide.

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY ...

The security configuration parameters illustrated below refer to the global device security configuration (for firmware v3.x). If you use individual user/partition settings, enter the partition configuration and use the analogous commands on the specific partition (as shown above).

Verify network configuration

Verify that the HSM has a proper network configuration and can be reached from the computer on which the PKCS#11 library is installed. The API is reachable on the default port unless configured otherwise. Note that the service may be bound to a specific network interface, so check that the interface facing the client is among those enabled.

  • SETUP CONFIGURATION NETWORK SERVICES PKCS#11 INTERFACES: 1
  • SETUP CONFIGURATION NETWORK SERVICES PKCS#11 TCP PORT: 2310
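A quick reachability pre-check for the settings above, as an added example that is not part of the Primus documentation or the Securosys tooling: it attempts a plain TCP connection to the PKCS#11 service port (default 2310) from the client machine and classifies the outcome, which separates name resolution, firewall/interface-binding and "service not enabled" problems before the PKCS#11 library is even loaded. The host name in the usage line is a placeholder.

```python
"""Reachability pre-check for the Primus HSM PKCS#11 service.

Added example; not from the Primus documentation. It only tries a TCP
connection to the configured host/port and reports why it failed, which is
the first thing to verify before the PKCS#11 Provider is configured.
"""
import socket
from typing import Tuple

# Default TCP port of the PKCS#11 service (SETUP CONFIGURATION NETWORK SERVICES PKCS#11 TCP PORT)
DEFAULT_PKCS11_PORT = 2310


def check_pkcs11_port(host: str, port: int = DEFAULT_PKCS11_PORT,
                      timeout: float = 3.0) -> Tuple[bool, str]:
    """Return (reachable, reason) for a TCP connect to host:port.

    Every address the name resolves to is tried, so a dual-stack HSM where
    only one interface carries the PKCS#11 service still reports success.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, "name resolution failed: {}".format(exc)

    last_reason = "no address returned for {}".format(host)
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return True, "TCP connect to {}:{} succeeded".format(sockaddr[0], sockaddr[1])
        except socket.timeout:
            # No answer at all: typically a firewall, or the service is bound
            # to a different interface than the one the client reaches.
            last_reason = "timeout after {}s reaching {} (firewall or interface binding?)".format(
                timeout, sockaddr[0])
        except ConnectionRefusedError:
            # The host answers but nothing listens: service disabled or wrong port.
            last_reason = "connection refused by {} (PKCS#11 service not enabled on this port?)".format(
                sockaddr[0])
        except OSError as exc:
            last_reason = "{}: {}".format(type(exc).__name__, exc)
    return False, last_reason


if __name__ == "__main__":
    # "hsm.example.internal" is a placeholder for your HSM's address.
    reachable, reason = check_pkcs11_port("hsm.example.internal")
    print("reachable" if reachable else "NOT reachable", "-", reason)
```

A refused connection and a timeout point to different fixes: the former means the port or service setting on the HSM is wrong, the latter usually means the service is bound to another interface or a firewall sits in between.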

Make sure you have SO privileges for the steps below (security configuration):

  • SO ACTIVATE
    (or in some older releases: ROLE ACTIVATION SO ACTIVATE)

Setup Password

If a new user is set up, note down the user's setup password. It is required to set up the HSM connection and to retrieve the permanent user secret with the ppin command.

If you need a new setup password for the ppin command, acquire SO privileges on the HSM and execute the following command (the setup password has a limited lifetime, by default 3 days from first use):

  • ROLES USER NEW SETUP PW

Enable PKCS#11 API

In order to use the PKCS#11 Provider, Client API access and PKCS#11 access need to be enabled on the HSM. Set the respective security configuration in:

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY CLIENT API ACCESS
  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY PKCS#11

Preparing the PKCS#11 Password (PIN)

PKCS#11 operates in two modes: public object mode and logged-in mode, in which private key operations can be performed. On the Primus HSM, access to the HSM is granted with the permanent user secret. The additional password¹ for the PKCS#11 login command must be set using the SO role, per device or per partition.

If you have to set a PKCS#11 password:

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY PKCS#11 PASSWORD

Using HSM Session Objects

Use of session objects (CKA_TOKEN = FALSE) requires HSM firmware v2.8.20/v2.9.2 or later and session objects enabled on the HSM.
(Up to version 2.10 the parameter was called "External Storage".)

Recommendation

Most applications require session objects enabled.

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY SESSION OBJECTS

Export / Import Settings

Caution: Secure operation requires import, export, and extract to be disabled.

The following policies define whether key import/export is allowed (see the HSM User Guide for details):

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY IMPORT
  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY EXPORT
  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY EXTRACT

Key Invalidation

When Key Invalidation is activated, the HSM keeps a shadow copy of a key when it is deleted. This prevents the creation of a new key with the same key name and key ID, so some of the tests mentioned later may fail. To check whether Key Invalidation is disabled:

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY CRYPTO POLICY KEY INVALIDATION
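The policy checks from the sections Enable PKCS#11 API through Key Invalidation, collected into one pre-flight audit as an added example (not part of the Primus documentation or any Securosys tool). The settings dictionary is a constructed snapshot of what a security officer reads off the console; its keys mirror the menu paths on this page, but the dictionary format, the `Finding` type and the function names are assumptions of this example. The same rules apply to a partition snapshot when user-specific configuration is active.

```python
"""Pre-flight audit of Primus HSM security policies relevant to PKCS#11.

Added example; not from the Primus documentation. The settings dict is a
constructed representation of console values (True = enabled), keyed by the
policy path below the SETUP CONFIGURATION SECURITY DEVICE SECURITY level.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy paths as they appear on the console (device level); partition-level
# configuration uses the analogous commands on the specific partition.
CLIENT_API_ACCESS = "CRYPTO POLICY CLIENT API ACCESS"
PKCS11 = "CRYPTO POLICY PKCS#11"
SESSION_OBJECTS = "CRYPTO POLICY SESSION OBJECTS"
KEY_IMPORT = "CRYPTO POLICY KEY IMPORT"
KEY_EXPORT = "CRYPTO POLICY KEY EXPORT"
KEY_EXTRACT = "CRYPTO POLICY KEY EXTRACT"
KEY_INVALIDATION = "CRYPTO POLICY KEY INVALIDATION"
CLIENT_API_USER_LOG = "MANAGEMENT POLICY CLIENT API USER LOG"


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" blocks use; "warning" and "info" need a decision
    policy: str
    message: str


def audit_policies(settings: Dict[str, bool], need_user_log: bool = False) -> List[Finding]:
    """Evaluate a settings snapshot against the guidance on this page."""
    findings: List[Finding] = []

    def value(policy: str) -> Optional[bool]:
        # A policy missing from the snapshot is itself a finding: it was not
        # read off the console, so nothing can be concluded about it.
        if policy not in settings:
            findings.append(Finding("warning", policy, "not in snapshot; verify on the console"))
        return settings.get(policy)

    # Required for the PKCS#11 Provider to connect at all.
    for policy in (CLIENT_API_ACCESS, PKCS11):
        if value(policy) is False:
            findings.append(Finding("error", policy, "must be enabled for the PKCS#11 Provider"))

    # Most applications need session objects (CKA_TOKEN = FALSE).
    if value(SESSION_OBJECTS) is False:
        findings.append(Finding("warning", SESSION_OBJECTS,
                                "disabled; most applications require session objects"))

    # Secure operation requires import, export and extract to be disabled.
    for policy in (KEY_IMPORT, KEY_EXPORT, KEY_EXTRACT):
        if value(policy) is True:
            findings.append(Finding("error", policy,
                                    "enabled; secure operation requires it disabled"))

    # Key Invalidation keeps a shadow copy of deleted keys, so re-creating a key
    # with the same name and ID fails; tests that recreate keys may break.
    if value(KEY_INVALIDATION) is True:
        findings.append(Finding("info", KEY_INVALIDATION,
                                "enabled; deleted keys cannot be re-created with the same name/ID"))

    # Only relevant if the user log is to be fetched via the API or ppin.
    if need_user_log and value(CLIENT_API_USER_LOG) is False:
        findings.append(Finding("warning", CLIENT_API_USER_LOG,
                                "disabled; user log cannot be fetched via PKCS#11 API or ppin"))
    return findings


def is_ready(findings: List[Finding]) -> bool:
    """True when nothing blocks PKCS#11 use; warnings and infos are left to the SO."""
    return not any(f.severity == "error" for f in findings)


# Constructed snapshot: API enabled, session objects off, export on, user log unread.
SAMPLE_SETTINGS: Dict[str, bool] = {
    CLIENT_API_ACCESS: True,
    PKCS11: True,
    SESSION_OBJECTS: False,
    KEY_IMPORT: False,
    KEY_EXPORT: True,
    KEY_EXTRACT: False,
    KEY_INVALIDATION: True,
}

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_SETTINGS, need_user_log=True):
        print("{:<8} {:<45} {}".format(finding.severity.upper(), finding.policy, finding.message))
    print("ready:", is_ready(audit_policies(SAMPLE_SETTINGS)))
```

Severity mirrors the page: a disabled API policy or an enabled import/export/extract policy is an error that must be fixed by the SO, while session objects, Key Invalidation and user-log fetching depend on what the application needs and are reported for a decision rather than blocked.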

User Log via PKCS#11 API

To fetch the user log from the HSM via the PKCS#11 API or the ppin tool, enable log fetching:

  • SETUP CONFIGURATION SECURITY DEVICE SECURITY MANAGEMENT POLICY CLIENT API USER LOG

Device and User specific configuration

The configuration parameters above are shown for the device level. If user-specific configuration is activated, they have to be configured on the specific user partition. See section Overview.

Info:
  • Primus HSM in FIPS mode requires PKCS#11 Provider 2.0 or newer to connect.
  • It is recommended to use HSM firmware v2.8 or later.

Footnotes

  1. See PKCS#11 Password Restrictions