Configure the transaction processing connection

Excrypt Manager
FXCLI

For this step, you need to log in with an identity that has a role with the following permissions: Role:Add, Role:Assign All Permissions, Role:Modify, Keys:All Slots, and Command Settings:Excrypt. You can use the default Administrator role and Admin identities.

This integration guide treats the terms application partition and role as synonymous.

Before logging in to the HSM with an authenticated user, an application connects through a transaction processing connection to the transaction processing application partition. Therefore, you must take steps to configure the following items to harden this partition:

It should not have access to the All Slots permissions.
It should not have access to any key slots.
Enable only the PKCS #11 communication commands.

Choose one of the following methods to configure the transaction processing connection:

Excrypt Manager

Perform the following steps to configure a transaction processing connection on Excrypt Manager:

Go to the Application Partitions menu, select the transaction processing application partition, and select [ Modify ].

In the Permissions tab, leave the top-level Keys permission checked and uncheck the All Slots sub permission.

In the Key Slots tab, ensure that the settings do not specify key ranges. By default, the transaction processing application partition can access the entire range of key slots on the HSM.

In the Commands tab, make sure to enable only the following PKCS #11 Communication commands:

Command	Description
ASYS	Generate signature using PKI private key
ECHO	Communication Test/Retrieve Version
GPKM	Retrieve key table information
GPKR	General-purpose key settings get (read-only)
GPKS	General-purpose key settings get/change
HASH	Retrieve device serial
PRMD	Retrieve HSM restrictions
RAND	Generate random data
STAT	HSM statistics
TIME	Set time

FXCLI

Run the following role modify FXCLI commands to remove all permissions and key ranges that are currently assigned to the Transaction Processing role and enable only the PKCS #11 Communication commands:

Because the Transaction Processing role was previously called the Anonymous role, the following commands specify Anonymous in the name field.

FXCLI

  role modify --name Anonymous --clear-perms --clear-key-ranges

FXCLI

  role modify --name Anonymous --add-perm "Keys" --add-perm Excrypt:ASYS --add-perm Excrypt:ECHO --add-perm Excrypt:GPKM --add-perm Excrypt:GPKR --add-perm Excrypt:GPKS --add-perm Excrypt:HASH --add-perm Excrypt:PRMD --add-perm Excrypt:RAND --add-perm Excrypt:STAT --add-perm Excrypt:TIME

Load major keys

Create an application partition for Protegrity

⌘I

Certificate Authority

Certificate management

Certificate validation

Code signing

Credential management

Data protection

Database

Digital signing

DNS

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

TLS offloading

VPN

Configure the transaction processing connection

Excrypt Manager

FXCLI

Certificate Authority

Certificate management

Certificate validation

Code signing

Credential management

Data protection

Database

Digital signing

DNS

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

TLS offloading

VPN

Documentation Index

​Excrypt Manager

​FXCLI

Excrypt Manager

FXCLI