The Installation and User's Guide describes how the HSM is installed, how PKCS#11 tokens are created, and how a token is backed up. It may be helpful to mention some additional points:

  1. A virtual HSM corresponds to a PKCS#11 token.
  2. The number of the virtual HSM corresponds to the PKCS#11 slot ID of the token.
  3. The PKCS#11 user PIN is the "PKCS#11 application authentication" in the "Personalizing a virtual HSM" step.
  4. If CIK startup mode is selected for the virtual HSM personalization, you must start the HSM manually before EJBCA can use it.
  5. Make sure that backup and restore work before taking the HSM into production, since the first versions did not back up the certificate of a key, which is needed by the Java wrapper.
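
A check for item 5, as an added example that is not part of the original guide: it parses an object listing taken from the restored token and reports private keys that have no certificate with the same ID. It assumes the listing has the layout printed by OpenSC's `pkcs11-tool --list-objects` and that a key and its certificate are paired by their ID attribute; the sample listing and its labels are constructed.

```python
import re

# Constructed sample in the layout of OpenSC `pkcs11-tool --list-objects`
# output (assumption; not captured from a real Proteccio token).
SAMPLE_AFTER_RESTORE = """\
Private Key Object; RSA
  label:      signKey
  ID:         01
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      signKey
  ID:         01
Private Key Object; RSA
  label:      defaultKey
  ID:         02
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      defaultKey
  ID:         02
"""

HEADER = re.compile(r"^(Private Key|Public Key|Certificate|Secret Key|Data) Object\b")
ATTR = re.compile(r"^\s+(label|ID):\s*(.*)$")

def parse_objects(listing):
    """Turn the text listing into one dict per PKCS#11 object."""
    objects = []
    for line in listing.splitlines():
        header = HEADER.match(line)
        if header:
            objects.append({"class": header.group(1), "label": "", "ID": ""})
            continue
        attr = ATTR.match(line)
        if attr and objects:
            objects[-1][attr.group(1)] = attr.group(2).strip()
    return objects

def keys_missing_certificate(listing):
    """Return labels (or IDs) of private keys with no certificate of the same ID."""
    objs = parse_objects(listing)
    cert_ids = {o["ID"] for o in objs if o["class"] == "Certificate" and o["ID"]}
    return [o["label"] or o["ID"] for o in objs
            if o["class"] == "Private Key" and o["ID"] not in cert_ids]

if __name__ == "__main__":
    print("private keys without certificate:",
          keys_missing_certificate(SAMPLE_AFTER_RESTORE))
```

Run it against the listing of the original token and of the restored token; a key that appears only in the second result lost its certificate in the backup.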

Improving timeout handling

The Proteccio client library has a rather long network timeout (several minutes). This can result in timeouts in other parts of the system, e.g. in database transactions or in API calls to EJBCA. For auto-activated Crypto Tokens, EJBCA can automatically restore the connection on failure, so there is no reason to use a long timeout.

To use a shorter timeout in the PKCS#11 client library, edit proteccio.rc / proteccio.ini, and add:

proteccio.rc / proteccio.ini

shortTimeout=0