The Installation and User's Guide describes how the HSM is installed and how how PKCS#11 tokens are created and how a backup of a token is done. But it might be helpful to mention some additional things:

  1. A virtual HSM correspond to a PKCS#11 token.
  2. The number of the virtual HSM corresponds to the PKCS#11 slot ID of the token.
  3. The PKCS#11 user PIN is the PKCS#11 application authentication in the Personalizing a virtual HSM step.
  4. If CIK startup mode is selected for the virtual HSM personalization you must start the HSM manually before EJBCA can use it.
  5. Make sure that backup-restore work before taken the HSM in production since the first versions did not backup the certificate of a key which is needed by the java wrapper.