Prerequisites
This page describes the prerequisites for setting up VaultCode on an external Docker host, outside of the HSM. This is intended for testing purposes only!
Choose the mode
The VaultCode container can either connect to an HSM Partition, or run standalone in simulator/demo mode with an insecure keystore. Choose which mode you want. In simulator mode, you can skip all the HSM-related steps given in this guide.
Install Docker
VaultCode is distributed as a Docker image. To run it, you need to have Docker installed. Additionally, this guide will use Docker Compose to manage the multi-container deployment.
Choose a host to run the VaultCode runtime on, and install Docker on this host:
- On Linux, install Docker Engine and Docker Compose
- On Windows, install Docker Desktop
Install the TSB
For most use cases of VaultCode (in particular, for automated approval) you also need a Transaction Security Broker (TSB) to make effective use of Smart Key Attributes (SKA).
Follow the TSB installation guide to install the TSB.
Prepare the HSM license and user config
In simulator mode: skip this step.
Even when running outside of the HSM, VaultCode needs to be licensed for the device and needs to be explicitly enabled for each HSM user (Partition). The following options need to be licensed and enabled:
- jce_allowed
- rest_api
- tsb_engine
- key_auth
- vault_code
When these are enabled, the XML export of the config should look like this:
<crypto_user state="enabled">
  <user_name>DEVELOPMENT</user_name>
  <jce_allowed>enabled</jce_allowed>
  <rest_api>enabled</rest_api>
  <tsb_engine>enabled</tsb_engine>
  <key_authorization>enabled</key_authorization>
  <vault_code>enabled</vault_code>
  <!-- other settings -->
</crypto_user>
See sections 4.6.3 "User Security" and 5.5.8 "User Configurations" of the Primus User Guide E25.
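As an added pre-deployment check (example code, not part of the VaultCode or Primus documentation), the following Python script parses an XML export of the user config and reports, for one crypto_user, whether the user is enabled and which of the options shown above are missing or not enabled. The wrapping <users> element and the second (TEST) user in the embedded sample are constructed assumptions about the export layout.

```python
import xml.etree.ElementTree as ET

# Options that must read "enabled" on every crypto_user (Partition) VaultCode will use,
# named as they appear in the XML export above.
REQUIRED_OPTIONS = ("jce_allowed", "rest_api", "tsb_engine", "key_authorization", "vault_code")


def check_user_config(xml_text, user_name):
    """Return a list of problems for the named crypto_user; an empty list means the
    user is enabled and every required option reads 'enabled'."""
    root = ET.fromstring(xml_text)
    # The export may be a single <crypto_user> or a wrapper element containing several.
    users = [root] if root.tag == "crypto_user" else list(root.iter("crypto_user"))
    for user in users:
        if user.findtext("user_name") != user_name:
            continue
        problems = []
        if user.get("state") != "enabled":
            problems.append(f"user {user_name!r} is not enabled (state={user.get('state')!r})")
        for option in REQUIRED_OPTIONS:
            value = user.findtext(option)
            if value is None:
                problems.append(f"{option}: missing from the export")
            elif value.strip() != "enabled":
                problems.append(f"{option}: {value.strip()!r} (expected 'enabled')")
        return problems
    return [f"no crypto_user named {user_name!r} found in the export"]


# Constructed sample export: DEVELOPMENT mirrors the snippet above; TEST (assumed) has
# key_authorization switched off and no vault_code element at all.
SAMPLE_EXPORT = """<users>
  <crypto_user state="enabled">
    <user_name>DEVELOPMENT</user_name>
    <jce_allowed>enabled</jce_allowed>
    <rest_api>enabled</rest_api>
    <tsb_engine>enabled</tsb_engine>
    <key_authorization>enabled</key_authorization>
    <vault_code>enabled</vault_code>
  </crypto_user>
  <crypto_user state="enabled">
    <user_name>TEST</user_name>
    <jce_allowed>enabled</jce_allowed>
    <rest_api>enabled</rest_api>
    <tsb_engine>enabled</tsb_engine>
    <key_authorization>disabled</key_authorization>
  </crypto_user>
</users>"""

if __name__ == "__main__":
    for name in ("DEVELOPMENT", "TEST", "MISSING"):
        problems = check_user_config(SAMPLE_EXPORT, name)
        print(name, "OK" if not problems else problems)
```

Run it against the real export (read from a file instead of SAMPLE_EXPORT) for every Partition user VaultCode will connect as, before starting the container.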
Configure the network
In simulator mode: skip this step.
Ensure that the container running on your external host can reach the HSM over the network.