Onboard VaultCode to TSB

If you want to use VaultCode for automated approval of SKA tasks, you need to onboard VaultCode to the Transaction Security Broker (TSB). The TSB needs to know how it can call VaultCode when an approval task is pending.

Fetch the output key

Call the GET /api/v1/get_public_key endpoint to get the "output key". VaultCode has automatically generated this key on the HSM, and will use it to sign the output that the JAR executables produce. See the How it works section for an explanation of these keys.

Set the VAULTCODE_HOST variable to the URL of the host running VaultCode (for example, one of the following forms). Then run:

VAULTCODE_HOST="https://my-hsm.example.com"
VAULTCODE_HOST="http://10.0.0.10:2350"
VAULTCODE_HOST="http://[2001:db8::10]:2350"

curl -L "${VAULTCODE_HOST}/api/v1/get_public_key"

Extract the output public key from the JSON response. For example, with jq installed:

curl -L --silent "${VAULTCODE_HOST}/api/v1/get_public_key" | jq ".outputKey.publicKey"

Optionally, verify the attestation to check that the key was generated in a Primus HSM.

Copy the output key to the TSB

Next, take the outputKey and set it in the application-automated-approval.yml file on your TSB. Automated approval was added to the TSB in version 2.5.0.

automatedApproval:
  approvalInformations:
    -
      approvalCertificate: ''
      approvalPublicKey: 'MIIBIjAN...AQAB'
      host: 'vaultcode.example.com' # VaultCode host
      port: 8080 # VaultCode port, default: 443
      localhost: false # Localhost connection between TSB and VaultCode, for when running inside HSM, default is false

This tells the TSB where it can reach VaultCode. When the TSB encounters an SKA key that has this approvalPublicKey in its SKA policy, the TSB calls the POST /api/v1/execute endpoint of this VaultCode instance. VaultCode then executes the currently loaded JAR executable, which should contain the automated approval logic. The JAR runs and produces an output, which VaultCode signs with the outputKey. The output together with its signature is the approval or rejection that the TSB then handles in its SKA workflow.
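The two onboarding steps above (fetching outputKey.publicKey from the get_public_key response and pasting it into application-automated-approval.yml) are easy to get subtly wrong: a PEM-armoured key, a truncated copy, or a certificate pasted into approvalPublicKey all look plausible and only fail later in the SKA workflow. The following added example, which is not part of VaultCode or the TSB, reads the key from the JSON response by the same outputKey.publicKey path the jq filter uses, checks that it is a base64 DER SubjectPublicKeyInfo (SEQUENCE containing an AlgorithmIdentifier and a BIT STRING, which is what the 'MIIBIjAN...' prefix on the page denotes), and renders the TSB YAML entry. The fetch_output_key function, the response shape beyond the outputKey.publicKey path, and the sample key bytes are assumptions; the embedded EC key is a constructed dummy, not a real VaultCode key.

```python
"""Fetch VaultCode's output key and render the TSB automated-approval entry.

Added example, not VaultCode or TSB code. Assumes the get_public_key response
is {"outputKey": {"publicKey": "<base64 DER SubjectPublicKeyInfo>"}}.
"""
import base64
import binascii
import json
import urllib.request


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def looks_like_spki(b64):
    """True if b64 decodes to SEQUENCE { SEQUENCE { OID ... }, BIT STRING }.

    Rejects PEM armour, truncated keys and certificate-shaped DER, all of
    which would otherwise be pasted into approvalPublicKey unnoticed.
    """
    try:
        der = base64.b64decode(b64, validate=True)
        tag, body, end = der_tlv(der)
        if tag != 0x30 or end != len(der):   # must be exactly one outer SEQUENCE
            return False
        alg_tag, alg, after_alg = der_tlv(body)
        if alg_tag != 0x30:                  # AlgorithmIdentifier is a SEQUENCE
            return False
        oid_tag, _, _ = der_tlv(alg)
        if oid_tag != 0x06:                  # ... whose first element is an OID
            return False
        key_tag, _, after_key = der_tlv(body, after_alg)
        return key_tag == 0x03 and after_key == len(body)   # then the BIT STRING
    except (binascii.Error, ValueError, IndexError):
        return False


def extract_output_key(response_text):
    """Pull outputKey.publicKey out of the JSON, as the page's jq filter does."""
    data = json.loads(response_text)
    key = data.get("outputKey", {}).get("publicKey")
    if not key:
        raise ValueError("response has no outputKey.publicKey")
    if not looks_like_spki(key):
        raise ValueError("outputKey.publicKey is not a base64 DER SubjectPublicKeyInfo")
    return key


def fetch_output_key(vaultcode_host, timeout=10):
    """GET {host}/api/v1/get_public_key (network call; assumed helper, not run offline)."""
    url = f"{vaultcode_host}/api/v1/get_public_key"
    with urllib.request.urlopen(url, timeout=timeout) as resp:   # follows redirects like curl -L
        return extract_output_key(resp.read().decode())


def render_tsb_entry(public_key, host, port=443, localhost=False):
    """Render the application-automated-approval.yml fragment shown on the page."""
    return "\n".join([
        "automatedApproval:",
        "  approvalInformations:",
        "    -",
        "      approvalCertificate: ''",
        f"      approvalPublicKey: '{public_key}'",
        f"      host: '{host}'",
        f"      port: {port}",
        f"      localhost: {'true' if localhost else 'false'}",
    ]) + "\n"


# Constructed sample: a P-256 SubjectPublicKeyInfo with dummy coordinates (not a real key).
_EC_SPKI = (
    b"\x30\x59"                                    # SEQUENCE, 89 bytes
    b"\x30\x13"                                    #   AlgorithmIdentifier
    b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"        #     OID id-ecPublicKey
    b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"    #     OID prime256v1
    b"\x03\x42\x00\x04" + b"\x11" * 64             #   BIT STRING: uncompressed point (dummy)
)
SAMPLE_PUBLIC_KEY = base64.b64encode(_EC_SPKI).decode()
SAMPLE_RESPONSE = json.dumps({"outputKey": {"publicKey": SAMPLE_PUBLIC_KEY}})

if __name__ == "__main__":
    key = extract_output_key(SAMPLE_RESPONSE)
    print(render_tsb_entry(key, "vaultcode.example.com", 8080))
```

Against a live instance, replace SAMPLE_RESPONSE with fetch_output_key(VAULTCODE_HOST); the structural check does not replace verifying the attestation, it only catches copy-and-paste mistakes before they reach the TSB.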
