Air-Gapped Profile TSB Installation & Configuration
This page provides a comprehensive step-by-step guide on how to fully install and configure the "Air-Gapped" Profile TSB.
Prerequisites
Before starting the installation of the "Air-Gapped" Profile TSB, it is important to familiarize yourself with the Multi-Authorization Workflow as well as with Smart Key Attributes (SKAs); see What are Smart Key Attributes?
This guide assumes familiarity with both the Multi-Authorization Workflow and SKAs.
The following prerequisites are needed for the installation of the "Air-Gapped" Profile TSB:
- Primus HSM - 2.8 and above with TSB license, configured and deployed in an air-gapped environment. See Primus HSM Setup.
- Installed and configured "Local" Profile TSB within the air-gapped environment. See Installation Guide (On-Prem) for a detailed guide on how to install and configure the TSB to have a connection to the HSM.
- Securosys Authorization App, downloaded and installed. See Get Started with the Authorization App for a comprehensive task listing.
- Business application which can issue calls via REST API to the "Air-Gapped" Profile TSB.
Setting Up The Workflow Engine
The workflow engine setup has to be prepared on the "Local" Profile TSB. You can skip this step if you already have the workflow engine set up.
- Before setting up the workflow engine, please ensure you adhere to the prerequisites.
- On the "Local" Profile TSB, follow the step-by-step guide on how to create a new approver and onboard it on the Securosys Authorization App: see Approver Management - API.
- On the "Local" Profile TSB, follow the step-by-step guide on how to Create Policy Based Key.
As the "Air-Gapped" Profile TSB does not have a direct connection to the HSM, any timelock and timeout SKA policies should be set to 0 (disabled). This is due to the way timestamping works with SKA, where the workflow requires fetching the timestamp key from the HSM, which is not possible as the "Air-Gapped" Profile TSB doesn't have a direct connection.
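A pre-flight check for the constraint above, added here as an example and not taken from the Securosys documentation: it walks an SKA policy held as JSON and reports every timelock or timeout value that is not 0. Only those two field names come from this page; the JSON layout (ruleUse, ruleBlock, tokens), the sample values and the function names are assumptions for illustration.

```python
import json

# Field names as used on this page; everything else about the layout is assumed.
TIMING_FIELDS = ("timelock", "timeout")


def find_nonzero_timing(node, path="policy"):
    """Return (path, value) for every timelock/timeout that is not the number 0."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in TIMING_FIELDS:
                # bool compares equal to 0/1 in Python, so reject it explicitly;
                # null or string values are also reported, as they are not 0.
                if isinstance(value, bool) or value != 0:
                    findings.append((child, value))
            else:
                findings.extend(find_nonzero_timing(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_nonzero_timing(item, f"{path}[{i}]"))
    return findings


def policy_is_air_gap_ready(policy):
    """Print each offending field and return True only if none was found."""
    findings = find_nonzero_timing(policy)
    for path, value in findings:
        print(f"{path} = {value!r}: must be 0 for the Air-Gapped profile")
    return not findings


# Constructed sample policy (hypothetical layout, not exported from a real TSB).
SAMPLE_POLICY = json.loads("""
{
  "ruleUse": {"tokens": [
    {"name": "Approvers", "timelock": 0, "timeout": 0, "groups": []},
    {"name": "Recovery", "timelock": 3600, "timeout": 0, "groups": []}
  ]},
  "ruleBlock": {"tokens": [
    {"name": "Block", "timelock": 0, "timeout": 86400, "groups": []}
  ]}
}
""")

if __name__ == "__main__":
    policy_is_air_gap_ready(SAMPLE_POLICY)
```

Running the check against each policy before creating the key on the "Local" Profile TSB catches a non-zero value while it can still be corrected.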
After creating all your required approvers, onboarding them and then creating SKA keys with the desired quorums, it's possible to proceed with the installation and configuration of the "Air-Gapped" Profile TSB.
Install "Air-Gapped" Profile TSB
The "Air-Gapped" Profile TSB is installed the same way as the "Local" Profile TSB. See Installation Guide (On-Prem) for more information on how to deploy TSB in your environment.
The "Air-Gapped" Profile TSB comes with a prepared configuration file. It only requires changing the hsm.airGapped parameter to true in the configuration .yaml file before running the TSB "Air-Gapped" profile Docker container. This parameter specifies that the TSB will be installed as an "Air-Gapped" Profile TSB and will require a connection to a Primus HSM.
Make sure to install the "Air-Gapped" Profile TSB on a host device which has a connection to your business application as well as the Securosys Authorization App.
Configure "Air-Gapped" Profile TSB
To set up the "Air-Gapped" Profile TSB, use the application-air-gapped.yml file and, in the HSM CONFIGURATION section, set the hsm.airGapped parameter to true:
##HSM CONFIGURATION
hsm:
hsm.airGapped: true
Do not forget to configure the "Air-Gapped" Profile TSB as you would with any other TSB. See Installation Guide (On-Prem) - Download Configuration Files for more information on how to do so.
Configuring Securosys Authorization App
After all previous steps have been completed successfully, it is required to set the TSB Url in the settings of the Approvers' Securosys Authorization App to point to the "Air-Gapped" Profile TSB. This way the Securosys Authorization App will be able to fetch the approval tasks from the "Air-Gapped" Profile TSB.
See Application Settings for more information on how to do so.