Prerequisites

Make sure to adhere to the prerequisites before continuing with integrating Securosys Primus HSM or CloudHSM with Salesforce Cache-Only Keys.

Salesforce Organization Configuration

You need to set up your Salesforce Organization before being able to use the Salesforce Cache-Only Key Service. This includes:

• Salesforce account with Enterprise, Performance, or Unlimited Edition subscription with Salesforce Shield enabled,
• Access to either Salesforce Classic or Lightning Experience,
• Salesforce User Permissions Manage Encryption Keys, Manage Certificates and Customize Application,
  • See the Salesforce Cache-Only Keys and Bring Your Own Key documentation.

info

For a detailed Salesforce prerequisites listing, please review Salesforce's Cache-Only Key Service documentation.

warning

If the connection between Salesforce and the Primus HSM is severed (for example, because the Cache-Only Key Proxy is unreachable), Salesforce will not be able to decrypt its data after it removed the key from its cache (which can happen every 24 hours). To avoid availability issues, make sure that your Cache-Only Key Proxy and your Securosys HSM are operated in a highly available production setup.

HSM Configuration

On-Premise

For on-premise Primus HSMs, the following setup steps are required:

1. Complete the Initial Wizard to get the HSM into a basic operational state.
2. Make sure that the HSM is running v2.8.21/v3.2.3 or higher.
3. Create an HSM Partition where Salesforce will store its keys.
4. Note down the Setup Password of your Partition (or create a new one).
5. Make sure that the following config options are enabled, both on the device-level and on the partition-level:
   • JCE API
   • Key export
   • Key extraction

For detailed instructions on how to perform these tasks, please see the Primus HSM User Guide.

CloudHSM

CloudHSM Economy (ECO) and Sandbox (SBX) are already pre-configured for Salesforce Cache-Only Keys.

No further action needed. Only make sure that you have your HSM Partition connectivity information and credentials ready.

Docker Installation

You need a place to deploy the Cache-Only Key Proxy as a Docker container. For example, this can be a Kubernetes cluster. In this guide, we will use a basic local setup using Docker Compose.

Ensure that Docker is installed on the system where you plan to deploy the Cache-Only Key Proxy. Please follow the Docker installation guide.