This section covers the tasks to configure Curity for the KMES Series 3.

Log in to the KMES from Curity

You must configure each run-time node to communicate with the HSM. This requires a PIN or password. You can provide it interactively on the command line during startup, directly on the command line as an argument, or in the environment variable IDSVR_HSM_PIN. If you don't provide this PIN to each run-time node, the node cannot log in to the KMES Series 3 or use keys that reside on the device, so you must start the nodes with this credential. The command line argument to use is -i. In non-production environments you can also pass --debug-hsm to get extra HSM-related debug messages in the server log. In that case, run the following command to start a node:
```bash
$ idsvr --debug-hsm -i kmes_identity_password
```
Enter the password of the identity configured in the fxpkcs11.cfg file in the preceding command.
Warning: Make sure to follow all the steps in section Create a PKI container and certificate with key pair on the KMES. If any steps are skipped, Curity will fail to connect to the KMES due to missing TLS server certificate configuration (for example, the SHA-1 hash signing algorithm hasn't been selected, the default approval group isn't defined, or Allow object signing hasn't been enabled), even if the key has not yet been selected for use in Curity.
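The text lists three ways to hand the PIN to a node. The launcher below is an added example (not part of the Curity or Futurex documentation) that uses the IDSVR_HSM_PIN environment variable route: it reads the PIN from a file that must be mode 0400 or 0600, refuses anything more permissive, and only adds --debug-hsm when DEBUG_HSM=1, so the PIN never appears in process listings or shell history. The paths /etc/curity/hsm-pin and /opt/idsvr/bin/idsvr are assumptions.

```bash
#!/usr/bin/env bash
# Added example: start a Curity run-time node with the KMES identity
# password supplied via IDSVR_HSM_PIN instead of as an argument to -i.
# Assumed paths (override through the environment if they differ):
PIN_FILE="${PIN_FILE:-/etc/curity/hsm-pin}"
IDSVR_BIN="${IDSVR_BIN:-/opt/idsvr/bin/idsvr}"

# Return 0 only for a regular file that group and others cannot access
# (mode 0400 or 0600). Uses ls so it works on GNU and BSD userlands.
pin_file_is_private() {
  local perms
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)   # group+other permission bits
  [ "$perms" = "------" ]
}

# Print the first line of the PIN file; fail if the file is not private.
read_pin() {
  local pin=""
  pin_file_is_private "$1" || { echo "refusing $1: mode must be 0400 or 0600" >&2; return 1; }
  IFS= read -r pin < "$1" || [ -n "$pin" ]   # tolerate a missing final newline
  [ -n "$pin" ] || { echo "$1 is empty" >&2; return 1; }
  printf '%s' "$pin"
}

# Extra argument list: --debug-hsm only when DEBUG_HSM=1, because it
# adds HSM detail to the server log and is meant for non-production use.
idsvr_args() {
  if [ "${DEBUG_HSM:-0}" = "1" ]; then
    printf '%s' "--debug-hsm"
  fi
}

# Export the PIN for the node process and replace this shell with idsvr.
start_node() {
  IDSVR_HSM_PIN=$(read_pin "$PIN_FILE") || return 1
  export IDSVR_HSM_PIN
  # shellcheck disable=SC2046
  exec "$IDSVR_BIN" $(idsvr_args)
}

# Launch only when invoked as: ./start-node.sh --start
if [ "${1:-}" = "--start" ]; then
  start_node
fi
```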

Use the KMES

To enable using the HSM in Curity, perform the following steps:
1. Log in to the Curity admin UI and go to the System tab.
   Note: After running the command to start Curity, the last line of the log shows which port to connect to.
2. Scroll down to the Hardware Security Module section and toggle on the HSM. After enabling this, you can enter information about how the run-time nodes connect to the HSM.
3. Enter the file path to the Futurex PKCS #11 module in the Library field.
4. Select slot-id in the Slot field and leave the Slot ID set to 0.

Configure Curity TLS settings to use the server key stored in the KMES

Even before the changes are committed, configuring the Futurex HSM lets you define TLS keys that reside in the HSM. To see this, perform the following steps:
1. Select Facilities in the top-right corner of the UI.
2. Go to Keys and Cryptography > TLS, and select the + button next to Server SSL Keys.
   Here you have three options, including the Use from HSM option, which is unavailable until an HSM is configured.
3. Now that the HSM is configured, enter the name of the key created earlier, Curity_Demo_1, into the Name text field.
   Note: Curity uses the Java KeyStore to find the private key stored in the KMES. Make sure the name matches what is found in the response of the keytool command that was run in the previous section.
4. Select the Use from HSM option and select [ Next ].
5. On the next screen, select rsa from the Type drop-down list and enter the key size used when the key was made in the HSM, namely 2048.
6. Select [ OK ].

Assign the key

Assign the key to a run-time node by performing the following steps:
1. Go to the System tab and then go to Deployments in the sidebar.
2. Select the name of one of the nodes you have configured to open the Update Server dialog box.
3. The SSL Server KeyStore drop-down should be visible if the node uses the HTTPS protocol. From this list, select the key that you just defined.
4. Select [ Close ].
5. Commit the changes by selecting Commit from the Changes menu and selecting [ OK ] in the Deploy Changes dialog box.