A HSM can be used to store the master key(s) used when performing administration key operations with the vSEC:CMS such as registering a credential or PIN unblock operations. The vSEC:CMS makes use of the PKCS#11 interface available in the HSM. All management functions around the master key stored on the HSM should be managed by the HSM key management tools available from the HSM vendor.
For a full list of supported HSMs see the product sheet here.
It is expected that the HSM PKCS#11 module is installed and configured to connect to the HSM on the server where the vSEC:CMS is installed. Depending on whether you are running the 32-bit or 64-bit version of vSEC:CMS, it will be required to have the correct version (32-bit or 64-bit) of the HSM PKCS#11 module. vSEC:CMS will search in the system path for the PKCS#11 module.
It will be required that a fully licensed version of vSEC:CMS is running in order to set up and use a HSM.
1. From Options - Connections click the Configure button. Make sure that the Hardware Security Module (HSM) is in the Selected window.
2. Then click Hardware Security Module (HSM) and click the Add button to setup a template. Enter a template name and from the drop-down list select the HSM that you plan to use.
3. In this article, we will demonstrate how a typical connection to a Safenet Luna SA HSM would be configured. The PKSC#11 module will be automatically detected and populated into the PKS11 DLL name field. The URL will be read from the configuration file that is typically included as part of the HSM configuration. Select the slot that the master key will reside in from the available slot list in the drop-down list. Enter the PIN credential for the user who has access to the slot and click Check connection to test connectivity. The PIN credential may not be required if the HSM does not require a PIN credential as the HSM may require that the PIN credential is entered on the HSM directly. Click Save to save and close the configuration.
4. Once the connection is setup it will be necessary to create an Operator Service Key Store (OSKS). Navigate to Options - Operators and click the Add service key store button. Enter a name in the Store name field and click Add.
The current vSEC:CMS master key will be copied to the HSM during this process and at then end you will get a success dialog.
From the Operators table you can see that the HSM is now used as key store as indicated by the * character.
Generate New Master Key
If it is strongly recommended to generate a new master key. Follow the instructions below to perform this task.
It is important to remember that any new credential administration key will be diversified from the newly generated master key. Any credential administration key diversified from the old administration key of the vSEC:CMS application will remain operable. However, it is recommended to re-register those credentials issued from the old administration key of the vSEC:CMS. This will update the user's credential administration key so that it is diversified from the new master key.
1. From Options - Master Key click the Generate new master key button to start the process.
2. Select the option On server side HSM and from the drop-down list 3 options are available, DES-EDE3, AES128 and AES256. Select the appropriate key type and size as required for your environment.
Click Ok. A dialog will popup informing you about the change to the system. Click Yes to complete the setup.
3. Navigate to Repository - Master keys and you will see the entry. The * character indicates which master key is to be used by vSEC:CMS.
Additionally, from Repository - Smart Cards you will see that credentials managed by older master keys will have an Update needed message.
Once the HSM master key is generated it will not be possible to roll back to use an earlier master key. For any credential that was previously managed by the vSEC:CMS with an older master key that was not generated by the HSM it will be possible to continue to manage these cards but it is recommended to update these cards so that they will be managed by the newly created master key.
Credentials whose master key needs to be update can be done as described below:
- From vSEC:CMS Admin console navigate to Actions - Smart Card Update and attach a credential that needs to be updated and click the Execute button;
- From a client host that has vSEC:CMS User installed and configured for updates, navigate to the Update tab to perform the update.
Restore or Migrate to New HSM
If it is required to move and/or restore your current HSM then follow the instructions in this section.
It is expected that proper backup procedures have been used when backing up your current HSM system such that any vSEC:CMS master key(s) are stored correctly by your HSM backup procedures. This is out of scope for the vSEC:CMS.
1. From Options - Operators select the HSM key store and delete it. You will be prompted that removing the key store will impact the listed card templates in the warning dialog. Select Yes to continue. As it is expected that the HSM is unavailable you will receive another warning dialog informing you that the HSM is currently not available and that the master key(s) previously stored on the HSM cannot be deleted. It is expected that the HSM administrator would manage any clean up tasks regarding these key(s). Select Yes to continue and complete the deletion.
2. Add a new connection for the HSM from Options - Connections similar to what is described in the Configure HSM Support above. When you click the Check connection button you will be prompted that the connection was established and all master key(s) found were successfully verified. Click the Save button on the connection dialog. You will be prompted that vSEC:CMS master key(s) were found and asked whether you want to make them available to the vSEC:CMS. Select Yes to continue. The vSEC:CMS will automatically create a new key store which you can verify and activate from the Options - Operators page.
3. From Options - Operators select the newly created key store. It should start with a name Restored from… and click the Activate button to complete the flow.
Any master key added to the HSM will have a label starting with CMS MK on the HSM. Depending on whether the master key is created and stored on operator smart card tokens and synced with the HSM OR the master key is generated only on the HSM the label will have a different value depending on which option is selected.
For a master key created and stored on operator smart card tokens and synced with the HSM the label on the HSM will be: CMS MK 00, if this was the first key. Any additional key(s) would be incremented by one; therefore, a second master key would have a value of CMS MK 01 and so on.
For a master key generated only on the HSM the label on the HSM will be: CMS MK 4100, if this was the first key. Any additional key(s) would be incremented by one; therefore, a second master key would have a value of CMS MK 4101 and so on.