Certificate Authority
...
ISC - Linux
Configure the Vectera Plus

Configure a transaction processing connection and create an application partition

4min

For this step, you need to log in with an identity that has a role with the following permissions: Role:Add, Role:Assign All Permissions, Role:Modify, Keys:All Slots, and Command Settings:Excrypt. You can use the default Administrator role and Admin identities.

This integration guide treats the terms application partition and role as synonymous.

Configure a Transaction Processing connection

Before logging in to the HSM with an authenticated user, an application first connects through a Transaction Processing connection to the Transaction Processing application partition. So, you must take steps to harden this application partition by configuring the following items for the Transaction Processing partition:

  • It should not have access to the All Slots permissions.
  • It should not have access to any key slots.
  • Enable only the PKCS #11 communication commands.

Choose one of the following methods to configure the Transaction Processing connection:

Excrypt Manager
FXCLI
1

Go to the Application Partitions menu, select the Transaction Processing application partition, and select [ Modify ].

2

In the Permissions tab, leave the top-level Keys permission checked and uncheck the All Slots sub permission.

3

In the Key Slots tab, ensure that the settings do not specify key ranges. By default, the Transaction Processing application partition can access the entire range of key slots on the HSM.

4

In the Commands tab, make sure to enable only the following PKCS #11 Communication commands:

Command

Description



ECHO

Communication Test/Retrieve Version



PRMD

Retrieve HSM restrictions



RAND

Generate random data



HASH

Retrieve device serial



GPKM

Retrieve key table information



GPKS

General purpose key settings get/change



GPKR

General purpose key settings get (read-only)



Create an application partition

To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions segment the permissions and keys between applications on an HSM. The following steps outline creating and configuring a new application partition.

Choose one of the following methods to create an application partition:

Excrypt Manager
FXCLI
1

Go to the Application Partitions menu and select [ Add ].

2

In the Basic Information tab, configure all of the fields as follows:

Option

Required configuration



Role Name

Specify any name that you would like for this new application partition.



Logins Required

Set to 1

If the HSM is in FIPS mode, you must set Logins Required to 2.



Ports

Set to Prod.



Connection Sources

Set to Ethernet.



Managed Roles

Leave blank because you specify the exact Permissions, Key Slots, and Commands for this application partition or role to have access to.



Use Dual Factor

Set to Never.



Upgrade Permissions

Leave unchecked.


3

In the Permissions tab, select the following key permissions:

Permission

Description



Keys

Top-level permission



Authorized

Allows for keys that require login



Import PKI

Allows trusting an external PKI. Generally not recommended, but some applications use this enable for PKI symmetric key wrapping.



No Usage Wrap

Enables interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys.


4

In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.

5

To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands:

PKCS #11 communication commands:

Command

Description



ECHO

Communication Test/Retrieve Version



HASH

Retrieve device serial



GPKM

Retrieve key table information



GPKR

General-purpose key settings get (read-only)



GPKS

General-purpose key settings get/change



Key operations commands:

Command

Description



APFP

Generate PKI Public Key from Private Key



ASYL

Load asymmetric key into key table



GECC

Generate an ECC Key Pair



GPCA

General purpose add certificate to key table



GPGS

General purpose generate symmetric key



GPKA

General purpose key add



GPKD

General purpose key slot delete/clear



GRSA

Generate RSA Private and Public Key



LRSA

Load key into RSA Key Table



RPFP

Get public components from RSA private key



Interoperable key wrapping commands:

Command

Description



GPKU

General purpose key unwrap (unrestricted)



GPUK

General purpose key unwrap (preserves key usage)



GPKW

General purpose key wrap (unrestricted)



GPWK

General purpose key wrap (preserves key usage)



Data encryption commands:

Command

Description



ADPK

PKI Decrypt Trusted Public Key



GHSH

Generate a Hash (Message Digest)

Starting in firmware version 7.x, this function is enabled by default and does not need to be specified.



GPSE

General Purpose Symmetric Encrypt



GPSD

General Purpose Symmetric Decrypt



GPGC

General purpose generate cryptogram from key slot



GPMC

General purpose MAC (Message Authentication Code)



GPSR

General purpose RSA encrypt/decrypt or sign/verify with recovery



HMAC

Generate a hash-based message authentication code



RDPK

Get Clear Public Key from Cryptogram



Signing commands:

Command

Description



ASYS

Generate a Signature Using a Private Key



ASYV

Verify a Signature Using a Public Key



GPSV

General purpose data sign and verify



RSAS

Generate a Signature Using a Private Key