Configuring KeyControl as an HSM Client using an nShield HSM

The following procedure describes how to configure KeyControl as an nShield HSM client. You can either use a standalone KeyControl node or a cluster.

Before You Begin 

For the nShield HSM server that you want to connect to KeyControl, make sure you have the following information available:

  • The HSM Server Name, Server IP/FQDN, ESN, Port, and Keyhash.
  • The Security World Bundle file that is provided by the HSM Administrator.
  • The label and password you will use to create a softcard.

You will also need:

  • A KeyControl account with Security Admin privileges.
  • If you are using an on-premises HSM server, you must have access to it.

If you plan to use a FIPS 140-2 Level 3 compliant Security World environment, see Hardware Security Modules with KeyControl for more information.

Procedure 

  1. Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.

    Note: If you are using a cluster, you only need to use the KeyControl Vault Management webGUI for one node.

  2. In the top menu bar, click Settings.
  3. In the System Settings section, click HSM Server Settings.
  4. On the HSM Server Settings tab, select nShield HSM.

    The nShield HSM Server Settings window displays the information you will need to continue.

  5. Click the Copy the IP address and keyhashes to the clipboard link and paste them into a text window.
  6. Use the IP address and keyhash to authenticate KeyControl on nShield. Please see your nShield documentation.

    Important: For KeyControl clusters, you will need to authenticate the IP address and keyhash for each KeyControl cluster node.

  7. Copy the Security World Bundle from nShield and place it on your local machine. It should be in the format world.zip.
  8. After reading the Get Started Screen, click Continue.
  9. On the Enrollment screen, complete the following: 

    Note: All information is from the nShield HSM. The Server Name is used for display purposes and the Server IP/FQDN is used for communication.

    Field            Description
    Server Name      Enter the FQDN of the nShield HSM.
    Server IP/FQDN   Enter the IP address or FQDN for the nShield HSM.
    Server ESN       Enter the nShield Electronic Serial Number (ESN).
    Port             Enter the port used for the nShield HSM.
    Keyhash          Enter the keyhash of the nShield HSM.

  10. Click Enroll and Continue.
  11. On the Security World screen, click Browse and locate the security world bundle that you downloaded from the nShield HSM.
  12. Click Upload and Continue.
  13. If you are using a FIPS 140-2 Level 3 Security World, on the Card List screen, select one of the following: 

    • Accept all cards—Accepts all nShield Remote Administration smart cards.

    • Add Specific cards—Accepts specific nShield Remote Administration smart cards. To add a card, click + Add Card, enter the card serial number and optional description, check the Enable checkbox, and click Add. You can add multiple cards at one time.

  14. If you are using a FIPS 140-2 Level 3 Security World, on the Softcard screen, enter the Softcard Label and Softcard Password that you want to use to link to the HSM server.

    You must have entered a valid smart card or selected Accept all cards in order to create a Softcard. The Softcard Label and Softcard Password must meet the following requirements:

    Softcard Label
    • At least 8 characters
    • No more than 31 characters
    • Can include uppercase letters, lowercase letters, numbers, and special characters
    • No space or tab character

    Softcard Password
    • At least 8 characters
    • No more than 127 characters
    • At least 1 uppercase letter
    • At least 1 lowercase letter
    • At least 1 number
    • No space or tab character
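    The following pre-flight check is an added example, not KeyControl's own validation code: it applies the Softcard Label and Softcard Password rules listed above so you can verify a chosen pair before entering it in the Softcard screen. It assumes ASCII letter and digit classes for the "uppercase", "lowercase" and "number" rules.

```python
import re

# Limits as stated in the Softcard step of the procedure.
LABEL_MIN, LABEL_MAX = 8, 31
PASSWORD_MIN, PASSWORD_MAX = 8, 127

# Only space and tab are forbidden by the stated rules; other characters
# (including "special characters") are allowed.
SPACE_OR_TAB = re.compile(r"[ \t]")


def check_softcard_label(label: str) -> list[str]:
    """Return the rule violations for a Softcard Label (empty list = acceptable)."""
    problems = []
    if len(label) < LABEL_MIN:
        problems.append(f"label shorter than {LABEL_MIN} characters")
    if len(label) > LABEL_MAX:
        problems.append(f"label longer than {LABEL_MAX} characters")
    if SPACE_OR_TAB.search(label):
        problems.append("label contains a space or tab")
    return problems


def check_softcard_password(password: str) -> list[str]:
    """Return the rule violations for a Softcard Password (empty list = acceptable)."""
    problems = []
    if len(password) < PASSWORD_MIN:
        problems.append(f"password shorter than {PASSWORD_MIN} characters")
    if len(password) > PASSWORD_MAX:
        problems.append(f"password longer than {PASSWORD_MAX} characters")
    # ASCII classes assumed for the letter/number rules.
    if not re.search(r"[A-Z]", password):
        problems.append("password has no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("password has no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("password has no number")
    if SPACE_OR_TAB.search(password):
        problems.append("password contains a space or tab")
    return problems


def softcard_is_valid(label: str, password: str) -> bool:
    """True only when both the label and the password satisfy every stated rule."""
    return not check_softcard_label(label) and not check_softcard_password(password)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for label, password in [("kc-softcard-01", "Correct-Horse-9"), ("kc softcard", "password")]:
        print(label, password, check_softcard_label(label), check_softcard_password(password))
```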

  15. Click Complete Setup.

    After the setup is complete, you will be returned to the nShield HSM Server Settings page.

    Note: If the configuration failed, then you must select Actions > Reset HSM Configuration before you try again.

  16. Select Actions > Test Connection from the Basic tab to ensure that the HSM is fully connected to KeyControl.

What to Do Next