The Installation and User's Guide describes how the HSM is installed, how PKCS#11 tokens are created, and how a token is backed up. It may be helpful to mention some additional things:
- A virtual HSM corresponds to a PKCS#11 token.
- The number of the virtual HSM corresponds to the PKCS#11 slot ID of the token.
- The PKCS#11 user PIN is the PKCS#11 application authentication in the Personalizing a virtual HSM step.
- If CIK startup mode is selected for the virtual HSM personalization, you must start the HSM manually before EJBCA can use it.
- Make sure that backup and restore work before taking the HSM into production, since the first versions did not back up the certificate of a key, which is needed by the Java wrapper.
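One way to check the backup and restore caveat above, as an added example (not part of the Proteccio or EJBCA documentation): it compares object listings taken before backup and after restore and reports private keys that disappeared or lost their certificate. The listing layout is modelled on OpenSC pkcs11-tool --list-objects output and is an assumption, the sample data is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample listings (before backup / after restore). The layout is
# modelled on OpenSC "pkcs11-tool --list-objects" output and is an assumption.
BEFORE = """\
Private Key Object; RSA
  label:      signKey
  ID:         01
Certificate Object; type = X.509 cert
  label:      signKey
  ID:         01
Private Key Object; RSA
  label:      encKey
  ID:         02
Certificate Object; type = X.509 cert
  label:      encKey
  ID:         02
"""
# Same token after restore, with the certificate for encKey not restored.
AFTER = BEFORE.rsplit("Certificate Object", 1)[0]

HEADER = re.compile(r"^(Private Key|Public Key|Certificate) Object")
ATTR = re.compile(r"^\s+(label|ID):\s*(.*)$")

def parse_objects(listing):
    """Parse a listing into dicts with 'class' plus any 'label' and 'ID'."""
    objects = []
    for line in listing.splitlines():
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:
            objects.append({"class": head.group(1)})
        elif attr and objects:
            objects[-1][attr.group(1)] = attr.group(2).strip()
    return objects

def keys_without_certificate(listing):
    """Labels of private keys with no certificate object sharing their ID."""
    objects = parse_objects(listing)
    cert_ids = {o["ID"] for o in objects if o["class"] == "Certificate" and "ID" in o}
    return sorted(o.get("label", "<no label>") for o in objects
                  if o["class"] == "Private Key" and o.get("ID") not in cert_ids)

def restore_report(before, after):
    """Compare listings: keys that vanished and keys that lost their certificate."""
    labels = lambda text: {o.get("label", "<no label>") for o in parse_objects(text)
                           if o["class"] == "Private Key"}
    return {"missing_keys": sorted(labels(before) - labels(after)),
            "lost_certificate": sorted(set(keys_without_certificate(after))
                                       - set(keys_without_certificate(before)))}

if __name__ == "__main__":
    print(restore_report(BEFORE, AFTER))
```

A key reported under lost_certificate is still on the token but lacks the certificate that the Java wrapper needs.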
Improving timeout handling
The Proteccio client library has a rather long network timeout (several minutes). This can result in timeouts in other parts of the system, e.g. in database transactions or in API calls to EJBCA. For auto-activated Crypto Tokens, EJBCA can automatically restore the connection on failure, so there is no reason to use a long timeout.
To use a shorter timeout in the PKCS#11 client library, edit proteccio.rc / proteccio.ini, and add:
shortTimeout=0