Primus HSM - Management

The Primus HSM can be managed locally through the built-in front panel (touch display or keypad) or the serial console, and remotely through the Decanus Terminal. Management can also be restricted to a single partition (user) by using the Decanus Terminal in Partition Administration mode.

Single Management Channel

Only one management channel can be active at a time: logging in through another channel terminates the existing session. A management session that ends unexpectedly therefore indicates that someone has logged in through a different channel, which is worth checking in the audit trail.
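The single-channel rule gives a simple detection signal: a management session that ends because another login arrived. The following is an added example (not code from the Primus HSM documentation or from Securosys) that scans an audit trail for such takeovers. The log format is a constructed, hypothetical one for this example only; the real HSM log format is not shown on this page, so adapt `parse_line` to it. The sample lines, users, channels and addresses are likewise constructed.

```python
"""Detect management-session takeovers on a Primus HSM from its audit trail.

Assumed log format (constructed for this example, not the HSM's real format):
one event per line, "<ISO timestamp> <channel> <event> key=value ...", with
channel in {console, frontpanel, decanus} and event in
{login, logout, session_terminated}.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    channel: str
    event: str
    user: str
    src: Optional[str]


def parse_line(line: str) -> Event:
    """Parse one line of the hypothetical audit format into an Event."""
    ts, channel, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.fromisoformat(ts), channel, event,
                 fields.get("user", "?"), fields.get("src"))


def find_takeovers(lines: List[str],
                   window: timedelta = timedelta(seconds=10)) -> List[Dict[str, str]]:
    """Return one finding per login that displaced an existing management session.

    The HSM allows a single active management channel, so a login through any
    channel ends the session that was active before it. Two log orderings are
    handled: the new login is logged before the old session's termination (the
    old session is still 'active' when the login arrives), or the termination
    is logged first (the next login within `window` is then blamed for it).
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    active: Optional[Event] = None   # the single active management session, if any
    pending: Optional[Event] = None  # a termination not yet matched to its cause
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.event == "login":
            displaced = None
            if active is not None:
                displaced = active
            elif pending is not None and ev.ts - pending.ts <= window:
                displaced = pending
            if displaced is not None:
                findings.append({
                    "at": ev.ts.isoformat(),
                    "displaced_user": displaced.user,
                    "displaced_channel": displaced.channel,
                    "by_user": ev.user,
                    "by_channel": ev.channel,
                    "by_src": ev.src or "-",
                })
            active, pending = ev, None
        elif ev.event == "logout":
            if active is not None and active.channel == ev.channel:
                active = None
        elif ev.event == "session_terminated":
            if active is not None and active.channel == ev.channel:
                active = None
                pending = ev  # wait for the login that caused it
    return findings


# Constructed sample audit trail: a normal console session, a front-panel
# session displaced by a Decanus login, and a Decanus session displaced by a
# console login (termination logged before the login this time).
SAMPLE_LOG = [
    "2024-05-02T09:00:00 console login user=so-alice src=serial",
    "2024-05-02T09:04:12 console logout user=so-alice src=serial",
    "2024-05-02T09:10:00 frontpanel login user=so-alice",
    "2024-05-02T09:11:30 decanus login user=so-bob src=10.0.20.7",
    "2024-05-02T09:11:30 frontpanel session_terminated user=so-alice",
    "2024-05-02T09:40:00 decanus logout user=so-bob src=10.0.20.7",
    "2024-05-02T14:00:00 decanus login user=so-bob src=10.0.20.7",
    "2024-05-02T14:02:05 decanus session_terminated user=so-bob src=10.0.20.7",
    "2024-05-02T14:02:06 console login user=unknown src=serial",
]

if __name__ == "__main__":
    for f in find_takeovers(SAMPLE_LOG):
        print(f"{f['at']}: {f['displaced_user']}@{f['displaced_channel']} displaced by "
              f"{f['by_user']}@{f['by_channel']} (src {f['by_src']})")
```

A takeover by itself is not an attack, since two legitimate administrators can collide; the second finding above (a Decanus session ended by a console login from an unknown user) is the kind that deserves a look, because a console login requires physical access to the HSM.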

Detailed information about device management, such as the menu tree and command references, is documented in the Primus HSM User Guide.

Front Panel (UI)

Some Primus HSM devices allow management via the built-in front panel user interface:

  • X2/S2-Series come with a color touch display
  • X/S-Series feature an LC display with a separate keypad
  • E2/E-Series do not support management via front panel

The front panel allows direct management and configuration of the HSM, as well as running diagnostics to monitor the device and its services. Logging in with the device password is required (see Roles and Access Control - Device Access). Once logged in, the menu tree is navigated via the touch display or the keypad buttons, depending on the device. Some functions additionally require authentication as Security Officer and/or the Genesis role.

Console via Serial Port

All Primus HSM devices can be managed via a command line interface (CLI) through the Console serial port, using a VT100 terminal emulator (e.g. PuTTY or iTerm).

The type of physical console serial connection on the HSM varies based on the hardware model:

  • RJ45 socket, requiring an RJ45 plug to DB9 female console cable (Cisco compatible)
  • DB9 male socket, requiring a null-modem cable (DB9F–DB9F); a plain gender changer does not work, because the cable must cross the signal lines.

USB to Serial Adapter

Since many computers no longer include a serial interface, a USB-to-Serial adapter may be necessary. For details and recommendations see Serial connection, what USB adapter to use and serial port settings.

All authentication and authorization mechanisms operate independently of the management channel.

If 2FA is enabled (X2/S2/X/S-Series), physical access to the device is required in order to insert the cards into the device card slots, even when managing remotely. See Authentication Mode for more information.

Remote Management - Decanus Terminal

Decanus is a tamper-protected remote terminal for the Primus HSM. Depending on the firmware variant and licensed applications it provides, for example:

  • HSM Device Administration
    • Enabling remote administration of up to 64 Primus HSM devices. Remote Administration (UI) requires the same authentication as with Front Panel (UI) and provides access to the same Menu Tree.
    • Restrictions: powering up the HSM and running the Initial Wizard are not possible remotely.
  • HSM Partition Administration and Auditing
    • Enabling remote administration and audit of up to 64 single Primus HSM partitions (PSO, PAU)
  • Customer specific firmware applications

See the Decanus Terminal User Guide for a thorough walk-through and step-by-step guide on how to set up and use the Decanus Terminal.

HSM Device Administration

The Decanus Terminal in Device Administration mode communicates over a network using the configured Primus HSM management interface and TCP port (default: 2340).

The Decanus Terminal must first be paired with the Primus HSM to establish a secure connection. Remote administration must be enabled in the Primus HSM configuration before use (requires appropriate licensing).

A single Decanus Terminal can be paired via the CLI or the front panel. For bulk pairing, a Decanus configuration file can be loaded from a USB stick into the HSM; the HSM then generates a unique pairing key file for each terminal and automatically appends the corresponding pairing information to the configuration file. File-based pairing can also be done during the initial setup wizard.

A blinking Access LED on the HSM indicates that a Decanus is successfully connected. A paired Decanus Terminal can be removed via the Primus HSM UI or CLI management; do this when a terminal is retired or lost, since pairing is what grants it remote access.

HSM Partition Administration and Auditing

Pairing the Decanus Terminal in Partition Administration mode with an HSM requires:

  • enabling management on the partition (user-specific configuration)
  • creating a Partition Management Password for Decanus (requires additional licensing)

The Decanus Terminal Partition Administration mode connects to one of the configured Primus HSM API interfaces and corresponding ports (JCE/JCA, PKCS#11, MS CNG).

See Security Configuration for more information on how to enable user-specific configuration.
See Roles for more information about the Partition Security Officer and Partition Auditor roles.