Configuring the ESA with HSMs supporting PKCS#11 Interface
Verifying the Prerequisites
Ensure that the following prerequisites are met:
- The HSM client is downloaded on your local machine.
- The HSM partition is initialized.
- The libraries, configuration files, and certificates required for connecting to the HSM are downloaded. The certificates can include the server certificate of the HSM, the client certificate for the ESA appliance, and the CA certificate.
For more information about the files required for connecting to the HSM, refer to the documentation for the corresponding HSM.
Configuring Connection with HSM
To configure a connection with an HSM:
1. On the ESA Web UI, navigate to Key Management > Key Stores.
   The Key Stores screen appears.
2. Click New Key Store.
   The Create New Key Store screen appears.
3. In the Key Store Information section, enter the following details:
   - Name: Type a unique name for the HSM key store. The name that you type updates the Key Store installation path field.
   - Type: Select PKCS #11.
4. In the PKCS#11 details section, enter the following details:
   - User pin: Specify the user PIN for the slot ID entered below. This is the credential the ESA uses to log in to the HSM partition.
   - Slot: Enter the slot ID of the HSM partition.
5. Add the environment variables. To configure the PKCS #11 connection, you must override the default location of the HSM configuration file by setting the environment variable that the HSM-specific library reads.
   a. In the Key Store files and environment variables > Key Store environment variables section, click Add environment variable.
      The Add Key Store environment variable dialog box appears.
   b. Enter the following details:
      - Environment variable name: Specify the environment variable name for the HSM. For example, specify ChrystokiConfigurationPath for a Thales Luna HSM.
      - Environment variable value: Specify the value of the environment variable. For example, for a Thales Luna HSM, specify /opt/protegrity/keystore/<Keystore_name>, which is the value of the Key Store installation path field.
      If you want to mask the value of the variable in the UI, set the Sensitive toggle to the on position. The value is then hidden while typing and is replaced with a fixed-length string of asterisks in the list of environment variables.
   c. Click Save.
6. In the Key Store files and environment variables > Key Store files section, click Add File.
   The Add Key Store File dialog box appears.
7. Select the file type from the drop-down menu. The following table describes each selectable type. Only one file type can be selected at a time, so each file is added separately.
   | File Type | File |
   |---|---|
   | Library | Select the HSM library file from your local machine. For example, for a Thales Luna HSM, select the libCryptoki2_64.so file. |
   | Configuration | Select the HSM configuration file from your local machine. For example, for a Thales Luna HSM, select the Chrystoki.conf file. |
   | Other | Select the HSM client certificate, client key, or server certificate from your local machine. |
8. Click Add File to add the file to the Key Store files section.
9. Repeat steps 7 to 8 until you have added all the files required to connect to the Key Store.
10. Edit the configuration file:
    a. Click the Edit icon next to the configuration file.
       The Edit Key Store File screen appears.
    b. Update the paths in the required configuration parameters so that they match the path displayed in the Key Store installation path field. The configuration file still points at the locations on the machine where you downloaded the HSM client; the library, certificates, and key you uploaded in steps 6 to 9 are located under the Key Store installation path on the ESA.
    c. Click Save.
       The Edit Key Store File screen closes.
11. Click Save.
    The Key Store saved successfully message appears.
12. Click Test to test the Key Store connection.
    The Test Key Store Connection dialog box appears. Do not activate a Key Store whose test fails: the slot ID, user PIN, paths in the configuration file, and certificates are all exercised by the test.
13. Click OK to close the Test Key Store Connection dialog box.
14. Click Set As Active to activate the Key Store.
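The following script is an added example for steps 5, 10 and 12, not code from Protegrity or Thales. It rewrites the path-valued parameters of a Chrystoki.conf-style file to the Key Store installation path (the manual edit in step 10), lists referenced files that are not present at that path so that nothing is missing before clicking Test, and, optionally, logs in to the slot with the user PIN through the uploaded library after setting ChrystokiConfigurationPath (the override described in step 5). The sample configuration, the key store name luna-prod and the certificate file names are constructed for this example; the parameter names follow the Thales Luna Chrystoki.conf layout and are assumptions. The probe_slot function assumes the PyKCS11 package and a reachable HSM and is not needed for the offline parts.

```python
"""Prepare and check the files of a PKCS#11 Key Store before uploading them.

Added example, not part of the ESA or of the Thales Luna client.
"""
import os
import re
from pathlib import Path

# Constructed sample: a Chrystoki.conf as it looks after the Luna client was
# installed on the local machine. Section and parameter names are assumptions.
SAMPLE_CONF = """\
Chrystoki2 = {
   LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
}
LunaSA Client = {
   ReceiveTimeout = 20000;
   NetClient = 1;
   ClientPrivKeyFile = /usr/safenet/lunaclient/cert/client/esa01Key.pem;
   ClientCertFile = /usr/safenet/lunaclient/cert/client/esa01.pem;
   ServerCAFile = /usr/safenet/lunaclient/cert/server/CAFile.pem;
}
"""

# Matches "Name = /absolute/path;" lines; numeric values such as NetClient = 1
# do not start with "/" and are left alone.
_PATH_PARAM = re.compile(r"^([ \t]*\w+[ \t]*=[ \t]*)(/\S+?)([ \t]*;[ \t]*)$", re.MULTILINE)


def rewrite_config_paths(conf_text: str, install_path: str) -> str:
    """Return conf_text with every absolute-path value moved under install_path.

    Only the directory changes; the file name (libCryptoki2_64.so, esa01.pem,
    ...) is kept, because that is the name the file has after upload in the
    Key Store files section.
    """
    def repl(m: re.Match) -> str:
        new_path = os.path.join(install_path, os.path.basename(m.group(2)))
        return f"{m.group(1)}{new_path}{m.group(3)}"
    return _PATH_PARAM.sub(repl, conf_text)


def referenced_files(conf_text: str) -> list[str]:
    """All absolute paths the configuration refers to, in file order."""
    return [m.group(2) for m in _PATH_PARAM.finditer(conf_text)]


def missing_files(conf_text: str) -> list[str]:
    """Referenced paths that do not exist on the machine running this script."""
    return [p for p in referenced_files(conf_text) if not Path(p).is_file()]


def probe_slot(library: str, config_dir: str, slot: int, user_pin: str) -> str:
    """Log in to `slot` with `user_pin` through `library`; return the token label.

    ChrystokiConfigurationPath is set first, the same override the ESA applies
    through the Key Store environment variable. Needs `pip install PyKCS11`
    and a reachable HSM (assumption); it is not exercised offline.
    """
    import PyKCS11  # lazy import so the offline helpers work without it
    os.environ["ChrystokiConfigurationPath"] = config_dir
    lib = PyKCS11.PyKCS11Lib()
    lib.load(library)
    present = lib.getSlotList(tokenPresent=True)
    if slot not in present:
        raise RuntimeError(f"slot {slot} has no token; slots with a token: {present}")
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    try:
        session.login(user_pin)  # CKU_USER, the "User pin" of the Key Store form
        return lib.getTokenInfo(slot).label.strip()
    finally:
        try:
            session.logout()
        finally:
            session.closeSession()


if __name__ == "__main__":
    # Value of the Key Store installation path field for a key store named luna-prod.
    install = "/opt/protegrity/keystore/luna-prod"
    new_conf = rewrite_config_paths(SAMPLE_CONF, install)
    print(new_conf)
    for path in missing_files(new_conf):
        print("not found, upload it before clicking Test:", path)
```

Run the rewrite on your local copy of the configuration file, upload the result in step 7 (or paste the rewritten values in step 10), and only then click Test. The probe is the same login the ESA performs; run it on a host that has the Luna client if you want to see a clear error message for a wrong slot or PIN before the values go into the UI.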