A hardware security module (HSM) is a physical device that stores, protects, and manages digital authentication keys. An HSM is often used to do cryptographic processing as well, including the generation of secure cryptographic keys. It is used in a client-server environment, which means that the server and the client each need to be prepared in advance.
To enable an HSM server in HyTrust DataControl, you need to gather certain information in advance:
These appear in the following screen shot:
To enable an HSM server, take the following steps:
1. Download the server certificate. You will need this in the next step.
# scp admin@<HSM Server>:server.pem .
2. Log in to your HTDC server. Click the Settings icon, and then click HSM Server Settings. Fill in the fields as follows, clicking Save after each entry:
3. Click to download the Client Certificate that matches the Client Name entered above. Taking the name in the screen shot, we look for KC_Cluster.pem, and then upload it to the HSM server, using its hostname, like this:
# scp /KC_Cluster.pem admin@<HSM-Server>:
4. Using a shell account, log into the HSM server and delete the previous client, register the new one, and assign the Partition to this client, as follows:
lunash:> client delete -client KC_Cluster
lunash:> client register -client KC_Cluster -hostname KC_Cluster
lunash:> client assignPartition -client KC_Cluster -partition KC_partition
5. Return to your KeyControl HSM Server Settings page, and click Test. You should see a page that shows "HSM connection OK. Need to regenerate admin key."
6. Generate a new Admin Key: click the Settings Icon, then Admin Key Parts, and then Generate New Key. You should receive a message showing your success.
Your KeyControl is now set up as an HSM client.
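Steps 1, 3 and 4 above are a mutual trust exchange: KeyControl learns the HSM's server certificate, and the HSM learns KeyControl's client certificate and binds it to a partition. The script below is an added example, not HyTrust or HSM vendor code, that wraps those steps with two checks a practitioner would want: it refuses to upload a file that is not a single PEM certificate, and it supports a dry run (DRY_RUN=1) that prints the scp and lunash commands instead of executing them, so the sequence can be reviewed before it touches the HSM. The hostname, client name and partition name are positional arguments; the client certificate is assumed to sit in the current directory as <client>.pem, and the lunash commands are assumed to be accepted over an ssh session as the admin user.

```shell
#!/bin/sh
# Added example (not HyTrust/HSM vendor code). Wraps the HSM client
# registration steps: fetch server.pem, push the client certificate,
# then run the three lunash commands. Set DRY_RUN=1 to print only.

# Return 0 only if the file holds exactly one PEM certificate block.
is_pem_cert() {
  f="$1"
  [ -s "$f" ] || return 1
  head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  tail -n 1 "$f" | grep -q '^-----END CERTIFICATE-----$' || return 1
  [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f")" -eq 1 ]
}

# Emit the lunash command sequence for a client/partition pair, one per line.
lunash_commands() {
  client="$1"; partition="$2"
  printf 'client delete -client %s\n' "$client"
  printf 'client register -client %s -hostname %s\n' "$client" "$client"
  printf 'client assignPartition -client %s -partition %s\n' "$client" "$partition"
}

# Full procedure. Arguments: HSM hostname, client name, partition name.
# Assumes <client>.pem (downloaded from KeyControl) is in the current directory.
register_hsm_client() {
  hsm="$1"; client="$2"; partition="$3"
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

  # Step 1: download the HSM server certificate for KeyControl to trust.
  run scp "admin@$hsm:server.pem" .
  [ "${DRY_RUN:-0}" = 1 ] || is_pem_cert server.pem || {
    echo "server.pem is not a single PEM certificate" >&2; return 1; }

  # Step 3: push the KeyControl client certificate, but only if it is well formed.
  is_pem_cert "$client.pem" || {
    echo "refusing to upload: $client.pem is not a single PEM certificate" >&2; return 1; }
  run scp "$client.pem" "admin@$hsm:"

  # Step 4: re-register the client and bind it to its partition via lunash.
  lunash_commands "$client" "$partition" | while IFS= read -r cmd; do
    run ssh "admin@$hsm" "$cmd"
  done
}

# Usage (dry run against placeholder names):
#   DRY_RUN=1 ./hsm_client.sh   -> prints the scp and lunash commands
[ "${1:-}" = "--demo" ] && DRY_RUN=1 register_hsm_client hsm.example.invalid KC_Cluster KC_partition
```

The PEM check is deliberately strict about a single certificate block: uploading a bundle or a file with a stray private key to the HSM's client registry is the kind of mistake the dry run and the check are there to catch.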