Configure Curity to use the Vectera Plus HSM for SSL

this section covers the tasks to configure curity for the {{vectera}} log in to the hsm from curity you must configure each run time node to communicate with the hsm this requires a pin or password you can provide this interactively on the command line during startup, directly on the command line as an argument, or in the environment variable idsvr hsm pin if you don't provide this pin to each run time node, you cannot log in to the {{vectera}} and use keys that reside on the device so, you must start the nodes with this credential the command line argument that you should use is i you can also provide debug hsm in non production environments to get extra hsm related debug log messages in the server log in this case, run the following command to start a node $ idsvr debug hsm i hsm identity password enter the password of the identity configured in the fxpkcs11 cfg file in the preceding command use an hsm to enable using the hsm in curity, perform the following steps log in to the curity admin ui and go to the system tab scroll down to the hardware security module section and toggle on the hsm after enabling this, you can enter information about how the run time nodes connect to the hsm enter the file path to the {{futurex}} pkcs #11 module in the library field select slot id in the slot field and leave the slot id set to 0 configure the hsm even without committing the changes, configuring the {{futurex}} hsm for ssl enables you to configure keys similar to those in the hsm to see this, perform the following steps select facilities in the top right corner of the ui go to keys and cryptography > tls , and select the + button next to server ssl keys here, you have three options, including the use from hsm option, which is impossible until an hsm is configured now that the hsm is configured, enter the name of the key created earlier, demo 1 , into the name text field select the use from hsm option and select \[ next ] on the next screen, select rsa from the type drop down list and enter the key size used when the key was made in the hsm, namely 2048 select \[ ok ] assign the key assign the key to a run time node by running the following steps go to the system tab and then go to deployments in the sidebar select the name of one of the nodes you have configured to open the update server dialog box the ssl server keystore drop down should be visible if the node uses the https protocol from this list, select the key that you just defined select \[ close ] commit the changes by selecting commit from the changes menu and selecting \[ ok ] in the deploy changes dialog box validate success if things worked and you logged at the debug level, you should see log messages like the following sample in the run time nodes logs name = idsvr hsm 	library = /usr/local/bin/fxpkcs11/libfxpkcs11 so 	attributes = compatibility 	slotlistindex = 0 	showinfo = true sunpkcs11 initializing pkcs#11 library /usr/local/bin/fxpkcs11/libfxpkcs11 so sunpkcs11 login succeeded pkcs11keystore enginegetentry found private key entry aliases in hsm \[demo 1] hsm is loaded notice the following elements the configured library was loaded which slot list index was used the login with the pin worked the hsm has one key with the alias demo 1 this means that ssl now uses a key from the hsm test the connection to test this, open a connection to the node with a browser or openssl by running the following command $ echo | \\ 	openssl s client connect localhost 8443 showcerts | \\ 	openssl x509 inform pem noout text this should output info about the self signed cert imported onto the {{futurex}} hsm, including a line like this depth=0 cn = demo 1