This section covers the tasks to configure Curity for the Vectera Plus.

Log in to the HSM from Curity

You must configure each run-time node to communicate with the HSM. This requires a PIN or password. You can provide it interactively on the command line during startup, directly on the command line as an argument, or in the environment variable IDSVR_HSM_PIN. If you don't provide this PIN to each run-time node, the node cannot log in to the Vectera Plus and use keys that reside on the device, so you must start the nodes with this credential. The command line argument to use is -i. In non-production environments you can also pass --debug-hsm to get extra HSM-related debug messages in the server log. In that case, run the following command to start a node:
$ idsvr --debug-hsm -i hsm_identity_password
In the preceding command, replace hsm_identity_password with the password of the identity configured in the fxpkcs11.cfg file.

Use an HSM

To enable using the HSM in Curity, perform the following steps:
1
Log in to the Curity admin UI and go to the System tab.
2
Scroll down to the Hardware Security Module section and toggle on the HSM. After enabling this, you can enter information about how the run-time nodes connect to the HSM.
3
Enter the file path to the Futurex PKCS #11 module in the Library field.
4
Select slot-id in the Slot field and leave the Slot ID set to 0.

Configure the HSM

Even before committing the changes, enabling the Futurex HSM for SSL lets you configure keys that reference keys stored in the HSM. To see this, perform the following steps:
1
Select Facilities in the top-right corner of the UI.
2
Go to Keys and Cryptography > TLS, and select the + button next to Server SSL Keys.
Here, you have three options, including the Use from HSM option, which is not available until an HSM is configured.
3
Now that the HSM is configured, enter the name of the key created earlier, Demo_1, into the Name text field.
4
Select the Use from HSM option and select [ Next ].
5
On the next screen, select rsa from the Type drop-down list and enter the key size used when the key was made in the HSM, namely 2048.
6
Select [ OK ].

Assign the key

Assign the key to a run-time node by running the following steps:
1
Go to the System tab and then go to Deployments in the sidebar.
2
Select the name of one of the nodes you have configured to open the Update Server dialog box.
3
The SSL Server KeyStore drop-down should be visible if the node uses the HTTPS protocol. From this list, select the key that you just defined.
4
Select [ Close ].
5
Commit the changes by selecting Commit from the Changes menu and selecting [ OK ] in the Deploy Changes dialog box.

Validate success

If everything worked and the node logs at the DEBUG level, you should see log messages like the following sample in the run-time node's log:
name = IDSVR_HSM
	library = /usr/local/bin/fxpkcs11/libfxpkcs11.so
	attributes = compatibility
	slotListIndex = 0
	showInfo = true
sunpkcs11: Initializing PKCS#11 library /usr/local/bin/fxpkcs11/libfxpkcs11.so
sunpkcs11: login succeeded
pkcs11keystore: engineGetEntry found private key entry
Aliases in HSM: [Demo_1]
HSM is loaded
Notice the following elements:
  • The configured library was loaded.
  • Which slot list index was used.
  • The login with the PIN worked.
  • The HSM has one key with the alias Demo_1. This means that SSL now uses a key from the HSM.

Test the connection

To test this, open a connection to the node with a browser or with openssl by running the following command:
$ echo | \
	openssl s_client -connect localhost:8443 -showcerts | \
	openssl x509 -inform pem -noout -text
This should print information about the self-signed certificate that was imported onto the Futurex HSM, including a line like this: depth=0 CN = Demo_1.
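The following script is an added example and is not part of the Curity or Futurex documentation. It automates the two checks above: it scans a run-time node's DEBUG log for the start-up markers listed under "Validate success" (library loaded, slot list index, PIN login, key alias, HSM loaded) and it verifies that the certificate text produced by the openssl command has the expected subject CN. It assumes a plain-text log file, the key alias Demo_1 from this guide, and the library path entered in the Library field; the file names and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Curity or Futurex documentation: checks a
# run-time node's DEBUG log for the HSM start-up markers listed above, and
# checks `openssl x509 -text` output for the expected subject CN.
# Assumptions: plain-text log, the key alias is Demo_1 as in this guide, and
# the library path matches what was entered in the Library field.

# check_hsm_log LOGFILE LIBRARY ALIAS
# Prints one line per failed check; the return value is the number of failures.
check_hsm_log() {
    log=$1; lib=$2; key_alias=$3; failures=0
    grep -q "Initializing PKCS#11 library ${lib}" "$log" \
        || { echo "FAIL: PKCS#11 library ${lib} was not loaded"; failures=$((failures + 1)); }
    grep -q "slotListIndex = 0" "$log" \
        || { echo "FAIL: slot list index 0 was not used"; failures=$((failures + 1)); }
    grep -q "sunpkcs11: login succeeded" "$log" \
        || { echo "FAIL: HSM login with the PIN did not succeed"; failures=$((failures + 1)); }
    # The alias line reads "Aliases in HSM: [Demo_1]" (or "[a, b]" with several keys);
    # the alias is assumed to contain no regex metacharacters.
    grep "^Aliases in HSM: " "$log" | grep -Eq "[[ ,]${key_alias}[],]" \
        || { echo "FAIL: key alias ${key_alias} not found in the HSM"; failures=$((failures + 1)); }
    grep -q "^HSM is loaded" "$log" \
        || { echo "FAIL: HSM was not reported as loaded"; failures=$((failures + 1)); }
    return $failures
}

# check_cert_cn X509_TEXT_FILE ALIAS
# Verifies that the served certificate's subject CN equals ALIAS. The file is the
# text output of `openssl x509 -inform pem -noout -text` as in the command above.
check_cert_cn() {
    cn=$(sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|\1|p' "$1" | head -n 1)
    [ "$cn" = "$2" ] && return 0
    echo "FAIL: expected subject CN=$2 but the certificate has CN='$cn'"
    return 1
}

# Usage: sh check_hsm.sh /path/to/idsvr.log /path/to/cert.txt
if [ "$#" -eq 2 ]; then
    check_hsm_log "$1" /usr/local/bin/fxpkcs11/libfxpkcs11.so Demo_1 && \
    check_cert_cn "$2" Demo_1 && echo "OK: SSL key Demo_1 is served from the HSM"
fi
```

Save the openssl output with `... | openssl x509 -inform pem -noout -text > cert.txt` and pass that file together with the node log; a non-zero exit tells you which of the four markers (or the CN) is missing.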