A HSM can be used to store the master key(s) used when performing administration key operations with the vSEC:CMS such as registering a credential or PIN unblock operations. The vSEC:CMS makes use of the PKCS#11 interface available in the HSM. All management functions around the master key stored on the HSM should be managed by the HSM key management tools available from the HSM vendor.
For a full list of supported HSMs see the product sheet here.
It is expected that the HSM PKCS#11 module is installed and configured to connect to the HSM on the server where the vSEC:CMS is installed. Depending on whether you are running the 32-bit or 64-bit version of vSEC:CMS, it will be required to have the correct version (32-bit or 64-bit) of the HSM PKCS#11 module. vSEC:CMS will search in the system path for the PKCS#11 module.
It will be required that a fully licensed version of vSEC:CMS is running in order to set up and use a HSM.
vSEC:CMS requires any available slot on any available partition on HSM that is being used. The master key that vSEC:CMS uses can be AES or DES3 key type.
1. From Options - Connections click the Configure button. Make sure that the Hardware Security Module (HSM) is in the Selected window.
2. Then click Hardware Security Module (HSM) and click the Add button to setup a template. Enter a template name and from the drop-down list select the HSM that you plan to use.
3. The PKSC#11 module will be automatically detected and populated into the PKS11 DLL name field. The URL will be read from the configuration file that is typically included as part of the HSM configuration. Select the slot that the master key will reside in from the available slot list in the drop-down list. Enter the PIN credential for the user who has access to the slot and click Check connection to test connectivity. The PIN credential may not be required if the HSM does not require a PIN credential as the HSM may require that the PIN credential is entered on the HSM directly. If connectivity to HSM is functional as expected a success dialog will popup.
Click Save to save and close the configuration.
4. Once the connection is setup it will be necessary to create an Operator Service Key Store (OSKS). Navigate to Options - Operators and click the Add service key store button. Enter a name in the Store name field and click Add.
All vSEC:CMS master keys will be copied to the HSM during this process and at the end you will get a success dialog.
From the Operators table you can see that the HSM is now used as key store as indicated by the * character.
Additionally, if you go back to Options - Connections - Hardware Security Module (HSM) and select your HSM connector and Edit, then click the Check connection button you should see more information in the success dialog indicating that the master key used by vSEC:CMS was found in the slot on the HSM.
Generate New Master Key
It is strongly recommended to generate a new master key. Follow the instructions below to perform this task.
It is important to remember that any new credential administration key will be diversified from the newly generated master key. Any credential administration key diversified from older master key(s) of the vSEC:CMS application will remain operable. However, it is recommended to re-register those credentials issued from the older master key(s) of the vSEC:CMS. This will update the user's credential administration key so that it is diversified from the new master key.
1. From Options - Master Key click the Generate new master key button to start the process.
2. Select the option On server side HSM and from the drop-down list 3 options are available, DES-EDE3, AES128 and AES256. Select the appropriate key type and size as required for your environment.
It is recommended to select AES for key type as DES has been withdrawn as a standard by the National Institute of Standards and Technology. From version 6.5 of vSEC:CMS it is possible to migrate from DES managed master keys to AES.
Click Ok. A dialog will popup informing you about the change to the system. Click Yes to complete the setup.
3. Navigate to Repository - Master keys and you will see the entry. The * character indicates which master key is to be used by vSEC:CMS.
Additionally, from Repository - Smart Cards you will see that credentials managed by older master keys will have an Update needed message.
Once the HSM master key is generated it will not be possible to roll back to use an earlier master key. For any credential that was previously managed by the vSEC:CMS with an older master key that was not generated by the HSM it will be possible to continue to manage these credentials but it is recommended to update these credentials so that they will be managed by the newly created master key.
Credentials whose master key needs to be updated can be done as described below:
- From vSEC:CMS Admin console navigate to Actions - Smart Card Update and attach a credential that needs to be updated and click the Execute button;
- From a client host that has vSEC:CMS User installed and configured for updates, navigate to the Update tab to perform the update.
Any master key added to the HSM will have a label starting with CMS MK on the HSM. Depending on whether the master key is generated only on the HSM or was a key created and stored on a full-featured operator card and synced with the HSM, the label will have a different value depending on which option is selected.
For a master key generated only on the HSM the label on the HSM will be: CMS MK 4099 (this is a hex value), if this was the first key. Any additional key(s) would be incremented by one; therefore, a second master key would have a value of CMS MK 4100 and so on.
For a master key created and stored on a full-featured operator card and synced with the HSM the label on the HSM will be: CMS MK 00, if this was the first key. Any additional key(s) would be incremented by one; therefore, a second master key would have a value of CMS MK 01 and so on.
A PKCS#11 tool is included that can be useful when troubleshooting issues that may occur when setting up and using a HSM with vSEC:CMS.
This tool should be run directly on the server where vSEC:CMS is installed.
On the server where vSEC:CMS is installed you can find this tool by opening a command prompt and changing to the location where the tool is installed. If the default installation location was selected during the installation then change to C:\Program Files\Versasec\vSEC_CMS S-Series\tools for 64-bit version and C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\tools for 32-bit version.
Launch the tool with -debug on as parameter.
You will be prompted to enter from a pre-existing list of HSMs but we recommend you enter the path of the pkcs#11 library that was used when setting up the HSM connection, therefore enter 8. You can get the path from the edit dialog of your HSM connection like in example below by selecting the PKCS11 DLL name and selecting Copy.
You should enter something similar to below:
You can now use PKCS11 commands to check and test that connectivity to the HSM is functional.
For example, if you want to check/compare that the master key(s) that have been configured in vSEC:CMS are present in the HSM slot you can do as below:
After connecting to the HSM (as described above) enter the slot that vSEC:CMS master key(s) are stored, for example 1 in the case of this example.
Then login to slot by selecting 14 and 1 for the USER and enter password (if this is required for the slot)
Now we want to find the master key object label so enter 19 and LABEL
In this example we have 3 keys listed
And we can cross reference these from the Repository - Master Keys in vSEC:CMS