Skip to main content
This section shows how to configure vSEC:CMS to use the Vectera Plus HSM for the Operator Service Key Store (OSKS). This process also migrates the master key stored on the System Owner (SO) token to the HSM.

vSEC:CMS Operator Console

Perform the following tasks on the Operator Console.

Log in to the OC

Perform the following steps to log in to the vSEC:CMS Operator Console (OC):
1
Start the vSEC:CMS Admin application.
2
When prompted, insert your System Owner (SO) hardware credential.
3
Enter the operator passcode for the System Owner and select [ Authenticate ].
If the authentication succeeds, the Admin application starts and logs you into the Operator Console.

Add Service Key Store

Perform the following steps to add the Service Key Store with HSM:
1
In the navigation menu, select Options > Operators.
2
Select [ Add service key store ].
3
In the Add Service Key Store (HSM) dialog, select the Futurex PKCS #11 library in the Key store drop-down list, specify a Store name, and select [ Add ].
4
Enter the operator passcode for the System Owner, and select [ OK ].
Upon success, the system creates the new service key store, and the master keys is stored on the HSM. You should see the message shown below, confirming that the operation was successful:
None
The new service key store Vectera Plus
has been successfully created and activated.

The service key store: System Keystore
has been deactivated.
Now, all administration key operations performed with the vSEC:CMS, such as registering a smart card token or PIN unblock operations, use the master keys stored on the Vectera Plus HSM.

PKCS11Manager utility

To view the keys that vSEC:CMS created on the Vectera Plus, perform the following steps on the PKCS11Manager utility packaged with the Futurex PKCS #11 module:
1
In Windows File Explorer, go to the Futurex PKCS #11 installation directory and run the PKCS11Manager.exe file.
This action displays the following menu:
Shell
Main Menu
    1. Print Library/Token Info

    2. Generate Key

    3. Find Objects
    4. Modify Objects
    5. Delete Objects

    6. Generate Random Data

    7. Sign Data

    8. Login
    9. Logout

    0. Exit
2
Enter 8 to log in and select the Enter key.
3
Enter 1 to select the Text password input mode and select the Enter key.
4
Enter the password of the identity defined in the FXPKCS11 configuration file and select the Enter key.
If successful, you receive confirmation that you are logged in.
5
Enter 3 to Find Objects and select the Enter key.
6
Enter 1 to find All objects and select the Enter key.
Upon success, you see information similar to the following example for all keys that the connecting identity has permission to access:
None
Total number of found objects: 4
  Object ID: 2
    Internal ID: 2
    Excrypt Board Slot: 1
    Class: CKOPUBLICKEY
    Token: Yes
    Private: Yes
    Sensitive: No
    Modifiable: Yes
    Modulus Bits: 2048
    KCV: CD1F
    Usage: W
  Object ID: 3
    Internal ID: 3
    Excrypt Board Slot: 2
    Class: CKOSECRETKEY
    Key Type: DES3
    Token: Yes
    Private: Yes
    Sensitive: No
    Modifiable: Yes
    Value Len: 24
    Value Bits: 192
    Label: CMS MK0
    ID: VSEC0000
    KCV: 849F
    Usage: ED
  Object ID: 4
    Internal ID: 4
    Excrypt Board Slot: 3
    Class: CKOPUBLICKEY
    Token: Yes
    Private: Yes
    Sensitive: No
    Modifiable: Yes
    Modulus Bits: 2048
    KCV: 532A
    Usage: W
  Object ID: 5
    Internal ID: 5
    Excrypt Board Slot: 4
    Class: CKOSECRETKEY
    Key Type: DES3
    Token: Yes
    Private: Yes
    Sensitive: No
    Modifiable: Yes
    Value Len: 24
    Value Bits: 192
    Label: CMS MK1
    ID: VSEC0001
    KCV: 8BAF
    Usage: ED
vSEC:CMS creates four objects on the HSM:
  • Two 3DES symmetric encryption keys, which are the master keys used by the vSEC:CMS application. These keys have the CMS MK0 and CMS MK1 PKCS #11 labels.
  • Two public RSA asymmetric keys that are used to wrap the master keys.