Security: Configuring a TrustWay Proteccio netHSM
You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys. Optionally, you can use the software-based SoftHSM implementation for demonstration or testing purposes.
The following describes how to configure a TrustWay Proteccio netHSM for the Software Appliance by registering the Software Appliance and connecting it to the HSM.
Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you must reset the Software Appliance.
To configure a TrustWay Proteccio netHSM for your Software Appliance, follow the steps below.
Connect the Software Appliance with the TrustWay Proteccio netHSM
- Log in to your Software Appliance and open the Security page or click Configure HSM in the Overview.
In the HSM Configuration section, select TrustWay Proteccio netHSM to access the Configuration fields.
- Click Add HSM Device to open the corresponding form for the certificate.
- HSM IP Address / FQDN:
Enter the IP address or the Fully Qualified Domain Name (FQDN) of the TrustWay Proteccio netHSM.
Only IPv4 addresses are supported. - Upload the TrustWay Proteccio netHSM Server Certificate for connection, by dragging and dropping or by selecting the file.
- HSM IP Address / FQDN:
Confirm with Add HSM Device.
A warning appears to inform you that after saving HSM configuration you can no longer switch to a different HSM.
To change the HSM configuration, you need to reset your SignServer Software Appliance. Proceed by clicking Activate.
Proceed with Activate.
The information on the HSM is displayed.
HSM Client Authentication Configuration
Download your HSM client authentication configuration and upload it to your TrustWay Proteccio netHSM.
Miscellaneous Configurations
Finalize with Save HSM Configuration.
On the Security page of the application, the status of the HSM Driver will change from Not Connected to Connected as soon as the configuration is completed.
On the Overview page of the application, the status in the HSM Overview also changes to Connected as soon as the configuration is completed. During configuration, the appliance is in the Restarting status. During this time, it is not available
Once the SignServer is running again, you can proceed with adding a crypto token.
Add a Crypto Worker in SignServer
To create a Crypto Worker:
- In the Overview page of the Software Appliance, click Admin Web for SignServer.
- The SignServer page opens.
- Click Add... to continue.
- In the top menu, select Worker. You can choose the method you want to use to configure the Worker. In this example we will work with From Template.
Click From Template to continue. - Open the drop-down menu under Load from Template. Here you can select the worker to be configured. In this example we will work with p11ng-crypto.properties.
Click Next to continue. The Configuration page opens.
WORKERGENID1.NAME=CryptoTokenP11NG1: this name can be customized (CryptoTokenP11NG1) as desired.
WORKERGENID1.SHAREDLIBRARYNAME=P11 Proxy should be configured as default.
# Method will specifying the slot to use. Here it is important to know if the HSM uses SLOT_NUMBER or SLOT_INDEX. Select the applicable one.
To deselect it, put # in front of it.
To enable it, remove # in front of it.
The # can be replaced for the slot to be used and specify the number of the HSM slot instead.
#WORKERGENID1.PIN=foo123 here the password can be enabled or disabled.
To deselect it, put # in front of it.
To enable it, remove # in front of it.
# Optional PKCS#11 attributes is used for key generation, you can select the attributes.
To deselect it, put # in front of it.
To enable it, remove # in front of it.
WORKERGENID1.DEFAULTKEY=testkey0 here you can add an existing key or use the default key.
Click Apply to save the settings.The token (CryptoTokenP11NG1) is automatically logged in when the PIN is set in the Crypto Worker configuration.
- The worker is not activated yet. Click on the created token and you will see the information about the token in the Status Summary.
- Click the Configuration tab to view the full configuration of the token.
- If the configuration meets your needs, click the Crypto Token tab. Edit them if necessary.
- Click Activate.
This step is optional!
The latest version of SignServer logs on automatically if the correct PIN is defined in the configuration as described in step 6.
In the field Authentication Code enter the optional password from Step 6. Here foo123.
Click Activate. - The Crypto Token is now ACTIVE.
For more information please see Worker Crypto Token Page.
HSM Troubleshooting
In the section HSM Driver Controls the current HSM Driver Status is displayed.
In case of HSM problems, the HSM driver can be restarted via the Restart button.
For information about error codes, please refer to the TrustWay Proteccio netHSM Developer Guide.