Skip to main content

HSM Configuration

The sections below highlight the HSM configuration changes required for Securden PAM application, after the initial HSM setup (initial wizard, role setup, network settings, etc.).

Reminder

Changing the HSM Security Policy requires Security Officer (SO) role priviledges: (SO) Cards m of n

For CloudHSM customers request the necessary configuration changes highlighted below.

Basic configuration

After initial on-prem HSM setup

  • Export the HSMs Security Configuration
  • Adapt the exported XML file *.sconfig according the highlighted sections below
  • Apply the changes according to the Securden Integration Method (1-3)
  • Import the modified Security Configuration

Activate the PKCS#11 process (if not already enabled):

<pkcs_process>
    <active>enabled</active>
    <port>2310</port>
    <interface>1</interface>
</pkcs_process>

HSM Security Policy can be defined on the device or user specific, to provide different settings per partition. The example below references to the user specific configuration. Adapt the user configuration for this specific user:

...
<crypto_user state="enabled">                   <!-- enabled=user config, disabled=device config -->
    <user_name>YourPartitionName</user_name>               
     ...
    <import_keys>disabled</import_keys>          <!-- disable key import on user -->
    <export_keys>disabled</export_keys>          <!-- disable key export on user -->
    <extract_keys>disabled</extract_keys>        <!-- disable wrapped key export on user -->
    ...
    <session_objects>enabled</session_objects>   <!-- enable session objects -->
    <destroy_objects>enabled</destroy_objects>   <!-- enable deletion of keystore objects -->
    <use_objects>enabled</use_objects>           <!-- enable usage of objects -->
    ...
    <pkcs_password state="value"/>               <!-- set partition pwd for PKCS#11, default=none -->
    <client_api_access>enabled</client_api_access> <!-- allow access to user/partition -->
    ...
    <pkcs_allowed>enabled</pkcs_allowed>         <!-- enable PKCS#11, interface on partition -->
    ...
</crypto_user>
...
Reminder

When enabling user configuration the user specific values might still be on default and differ from the device settings (e.g. empty PKCS#11 password).