Net-attached HSM: Configuring a TrustWay Proteccio HSM

A Hardware Security Module (HSM) can be configured to store and protect cryptographic keys in a centralized, high-assurance appliance, providing a root of trust for sensitive cryptographic data transactions.

The following describes how to configure a TrustWay Proteccio netHSM for the Next Generation Hardware Appliance by registering the appliance and connecting it to the HSM.

For more information on the TrustWay Proteccio netHSM refer to the documentation that you received with your purchase of the HSM.

To configure a TrustWay Proteccio netHSM for your Next Generation Hardware Appliance, follow the steps below.

If you run into issues after the configuration, you can get HSM-specific log messages from an HSM Support Package.
For further information, refer to Create an HSM Log.

Connect the Next Generation Hardware Appliance with the TrustWay Proteccio netHSM

  1. Log in to your Next Generation Hardware Appliance.

  2. Open the Security page or click Configure HSM in the Overview.

  3. In the HSM Configuration section, click + Add External HSM in the HSM Selection field.

  4. The Add an external HSM window opens.
    Select the TrustWay Proteccio netHSM tile to access the Configuration fields.

  5. Click Select HSM Type to continue.

  6. The HSM Client Version section is displayed on the Security page.

  7. Click on the HSM client version tile to be used.

  8. Click Add HSM Device in the TrustWay Proteccio netHSM Devices section.
    The corresponding Add HSM Device form for the certificate opens.

    For Trustway Proteccio 3.01.05 and 3.06.05

  • HSM IP Address:
    Enter the IP address of the TrustWay Proteccio netHSM.
    Only IPv4 addresses are supported.

  • Upload the TrustWay Proteccio netHSM Server Certificate used for the connection, either by dragging and dropping it or by selecting the file.

  • Confirm with Add HSM Device.


For Trustway Proteccio 4.05.04

  • HSM IP Address:
    Enter the IP address of the TrustWay Proteccio netHSM.
    Only IPv4 addresses are supported.

  • Upload the TrustWay Proteccio netHSM Server Certificate used for the connection, either by dragging and dropping it or by selecting the file.

  • Secure Channel Client Configuration

    This step is optional; it is only necessary if the Secure Channel is enabled on the HSM side or is to be used in the future.

    If the Trustway Proteccio 4.05.04 HSM client version has been selected, the following additional actions are available:

    • Download Secure Channel Client Key.

    • Then upload Secure Channel Client Key to your TrustWay Proteccio netHSM.

  • The driver page will show Connected even if the secure channel has not yet been successfully established (e.g. if the client key has not yet been uploaded to the HSM whitelist).

  • Confirm with Add HSM Device.

  9. A modal dialog requests to confirm your configuration.
    Confirm with Save HSM configuration.

  10. Proceed with Activate.


The HSM device is now configured and displayed in a table in the TrustWay Proteccio netHSM Devices section.
Here you can now perform actions such as Edit Device or Remove Device.

HSM Client Authentication Configuration

In this section, the HSM Server Certificate is displayed after saving the HSM configuration.

Secure Channel Client Configuration for Trustway Proteccio 4.05.04

In this section, the Secure Channel Client Key is displayed after saving the HSM configuration.

Miscellaneous Configurations

All HSMs in the same group must have the same

  1. hardware,

  2. firmware,

  3. key material,

  4. and software configuration.

In addition, the same cryptographic configuration must be used.
The HSMs must be installed with the same install secret and user password.
Check the applicable option:

  1. Use Load balancing Mode
    Load balancing mode mirrors keys to other HSMs to ensure redundancy.

  2. Use Short Timeout
    Short Timeout reduces the response timeout for requests sent by the client host.

Usage Information

CryptoToken Configuration
The following note can be found in the info box:

In order to use this HSM in EJBCA, you need to select the following
PKCS#11 library in the P11NG CryptoToken configuration:
Reference: PKCS#11 Proxy - TrustWay Proteccio netHSM
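Before creating the P11NG crypto token it is worth confirming that the PKCS#11 library named in the info box actually loads and sees the netHSM token, because a library that loads but lists no token will only surface later as a failed crypto token. The probe below is an added example, not part of the original documentation and not tooling shipped with the appliance or by the HSM vendor. It assumes a Linux PKCS#11 ABI (CK_ULONG is a C unsigned long, natural struct alignment) and a module that exports the standard C_GetFunctionList entry point; the library path in the usage line is a placeholder to be replaced with the proxy library referenced on the Security page.

```python
"""Pre-flight probe for a PKCS#11 module: load it with ctypes, initialise it,
list slots with a token present and report each token's label/model/serial/
firmware. Linux ABI assumed; library path is a placeholder."""
import ctypes
import sys

CK_ULONG = ctypes.c_ulong
CKR_OK = 0x00
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191
# Return codes worth naming when the probe fails (PKCS#11 v2.40 values).
CK_RV_NAMES = {
    0x00: "CKR_OK", 0x03: "CKR_SLOT_ID_INVALID", 0x05: "CKR_GENERAL_ERROR",
    0x06: "CKR_FUNCTION_FAILED", 0x07: "CKR_ARGUMENTS_BAD",
    0x30: "CKR_DEVICE_ERROR", 0x32: "CKR_DEVICE_REMOVED",
    0xE0: "CKR_TOKEN_NOT_PRESENT", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
    0x191: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
}


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_TOKEN_INFO(ctypes.Structure):
    # Field order and widths follow the PKCS#11 v2.x CK_TOKEN_INFO definition.
    _fields_ = [
        ("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
        ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
        ("flags", CK_ULONG), ("ulMaxSessionCount", CK_ULONG),
        ("ulSessionCount", CK_ULONG), ("ulMaxRwSessionCount", CK_ULONG),
        ("ulRwSessionCount", CK_ULONG), ("ulMaxPinLen", CK_ULONG),
        ("ulMinPinLen", CK_ULONG), ("ulTotalPublicMemory", CK_ULONG),
        ("ulFreePublicMemory", CK_ULONG), ("ulTotalPrivateMemory", CK_ULONG),
        ("ulFreePrivateMemory", CK_ULONG), ("hardwareVersion", CK_VERSION),
        ("firmwareVersion", CK_VERSION), ("utcTime", ctypes.c_ubyte * 16),
    ]


class CK_FUNCTION_LIST_HEAD(ctypes.Structure):
    # First seven entries of CK_FUNCTION_LIST, in spec order: C_Initialize,
    # C_Finalize, C_GetInfo, C_GetFunctionList, C_GetSlotList, C_GetSlotInfo,
    # C_GetTokenInfo. Only these are needed for the probe.
    _fields_ = [("version", CK_VERSION), ("fn", ctypes.c_void_p * 7)]


def rv_name(rv):
    return CK_RV_NAMES.get(rv, "CKR_0x%X" % rv)


def decode_padded(raw):
    """PKCS#11 fixed-width strings are space padded, not NUL terminated."""
    return bytes(raw).rstrip(b" \x00").decode("ascii", "replace")


def probe_pkcs11(path):
    """Return {"ok", "library", "tokens", "error"}; never raises on a bad module."""
    result = {"ok": False, "library": path, "tokens": [], "error": None}
    try:
        lib = ctypes.CDLL(path)
        get_list = lib.C_GetFunctionList  # the one export every module must have
    except (OSError, AttributeError) as exc:
        result["error"] = "cannot load library: %s" % exc
        return result
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_HEAD))]
    get_list.restype = CK_ULONG
    fl = ctypes.POINTER(CK_FUNCTION_LIST_HEAD)()
    rv = get_list(ctypes.byref(fl))
    fn = fl.contents.fn if rv == CKR_OK else None
    if fn is None or any(fn[i] is None for i in (0, 1, 4, 6)):
        result["error"] = "C_GetFunctionList: " + rv_name(rv)
        return result
    c_initialize = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)(fn[0])
    c_finalize = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)(fn[1])
    c_get_slot_list = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_ubyte, ctypes.POINTER(CK_ULONG),
                                       ctypes.POINTER(CK_ULONG))(fn[4])
    c_get_token_info = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, ctypes.POINTER(CK_TOKEN_INFO))(fn[6])
    rv = c_initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        result["error"] = "C_Initialize: " + rv_name(rv)
        return result
    try:
        count = CK_ULONG(0)
        rv = c_get_slot_list(1, None, ctypes.byref(count))  # 1 = token present only
        slots = (CK_ULONG * max(count.value, 1))()
        if rv == CKR_OK:
            rv = c_get_slot_list(1, slots, ctypes.byref(count))
        if rv != CKR_OK:
            result["error"] = "C_GetSlotList: " + rv_name(rv)
            return result
        for i in range(count.value):
            info = CK_TOKEN_INFO()
            rv = c_get_token_info(slots[i], ctypes.byref(info))
            if rv != CKR_OK:
                result["tokens"].append({"slot": slots[i], "error": rv_name(rv)})
                continue
            result["tokens"].append({
                "slot": slots[i], "label": decode_padded(info.label),
                "model": decode_padded(info.model), "serial": decode_padded(info.serialNumber),
                "firmware": "%d.%d" % (info.firmwareVersion.major, info.firmwareVersion.minor)})
        # A library that loads but sees no token usually means the netHSM is unreachable.
        result["ok"] = bool(result["tokens"])
        if not result["ok"]:
            result["error"] = "library loaded but no token present"
    finally:
        c_finalize(None)
    return result


if __name__ == "__main__":
    # Placeholder path: substitute the PKCS#11 proxy library from the Security page.
    print(probe_pkcs11(sys.argv[1] if len(sys.argv) > 1 else "/opt/placeholder/libpkcs11-proxy.so"))
```

Run it on the appliance host (or wherever EJBCA loads the library) with the real library path as the argument; `ok` is true only when at least one token is present, and the `error` field names the failing PKCS#11 call and return code, which is the value to look up in the TrustWay Proteccio netHSM Developer Guide.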

The last line in Usage Information displays the options:

Remove HSM Configuration:
To remove the HSM configuration you need to type REMOVE HSM CONFIGURATION into the Confirm Action field.
Click Remove to remove the configuration or Cancel to close the modal dialog.
If Remove is chosen the application will restart.

If changes have been made to the sections:

  • HSM Client Authentication Configuration

  • Secure Channel Client Configuration

  • Miscellaneous Configurations

these can be undone with Cancel or saved with Save HSM Configuration.

Abort
Click Abort to terminate the process of configuring an HSM.

Save HSM Configuration
Click Save HSM Configuration to save changes made on the HSM configuration.

On the Security page of the application, the status of the HSM Driver will change from Not Connected to Connected as soon as the configuration is completed.
On the Overview page of the application, the status in the HSM Overview also changes to Connected as soon as the configuration is completed. During configuration, the appliance is in the Restarting status. During this time, it is not available.

Once EJBCA is running again, you can proceed with adding a crypto token.

Add a Crypto Token in EJBCA Enterprise

To create a crypto token:

  1. On the Overview page of the Next Generation Hardware Appliance, click Admin Web for EJBCA in the Application Overview column.

  2. The EJBCA Enterprise page opens.
    Check whether the Create new CA checkbox is selected.

  3. Open the CA Functions drop-down menu in the top menu.

  4. In the CA Functions section, select Crypto Tokens.

  5. On the Manage Crypto Tokens page, click Create New...

The individual configuration of the Crypto Token depends on the configuration of the HSM. For detailed information, see Managing Crypto Tokens.

HSM Troubleshooting

In the section HSM Driver Controls the current HSM Driver Status is displayed.
In case of HSM problems, the HSM driver can be restarted via the Restart button.

For information about error codes,
please refer to the TrustWay Proteccio netHSM Developer Guide.
