Configure Curity to use the Vectera Plus HSM for SSL

this section covers the tasks to configure curity for the {{vectera}} log into the hsm from curity you must configure each run time node to communicate with the hsm this requires a pin or password you can provide this interactively on the command line during startup, directly on the command line as an argument, or in the environment variable idsvr hsm pin if you don't provide this pin to each run time node, they cannot log in to the {{vectera}} and use keys that reside on the device so, it is imperative to start the nodes with this credential the command line argument that you should use is i you can also provide debug hsm in non production environments to get extra hsm related debug log messages in the server log in this case, run the following command to start a node $ idsvr debug hsm i hsm identity password enter the password of the identity configured in the fxpkcs11 cfg file in the preceding command enable using an hsm in curity to use the hsm, perform the following steps log in to the curity admin ui and go to the system tab scroll down to the hardware security module section and toggle on the hsm after enabling this, you can enter information about how the run time nodes connect to the hsm enter the file path to the futurex pkcs #11 module in the library field select slot id in the slot field and leave the slot id set to 0 configure the futurex hsm for ssl even without committing the changes, configuring the hsm enables you to configure keys similar to those in the hsm to see this, perform the following steps select facilities in the top right corner of the ui go to keys and cryptography > tls , and select the + button next to server ssl keys here, you have three options, including the use from hsm option, which is impossible until an hsm is configured now that the hsm is configured, enter the name of the key created earlier, demo 1 , into the name text field select the use from hsm option and select \[ next ] on the next screen, select rsa from the type drop down list and enter the key size used when the key was made in the hsm, namely 2048 select \[ ok ] at this point, you can assign the key to a run time node by running the following steps go to the system tab and then go to deployments in the sidebar select the name of one of the nodes you have configured to open the update server dialog box the ssl server keystore drop down should be visible if the node uses the https protocol from this list, select the key that you just defined select \[ close ] commit the changes by selecting commit from the changes menu and selecting \[ ok ] in the deploy changes dialog box finally, if things worked and you are logging at the debug level, you should see log messages like these in the run time nodes logs name = idsvr hsm 	library = /usr/local/bin/fxpkcs11/libfxpkcs11 so 	attributes = compatibility 	slotlistindex = 0 	showinfo = true sunpkcs11 initializing pkcs#11 library /usr/local/bin/fxpkcs11/libfxpkcs11 so sunpkcs11 login succeeded pkcs11keystore enginegetentry found private key entry aliases in hsm \[demo 1] hsm is loaded from this, you can see that the configured library was loaded, what slot list index was used, that login with the pin worked, and that the hsm has one key with the alias demo 1 it also means that ssl now uses a key from the hsm to test this, open a connection to the node with a browser or openssl by running the following command $ echo | \\ 	openssl s client connect localhost 8443 showcerts | \\ 	openssl x509 inform pem noout text this should output info about the self signed cert imported onto the {{futurex}} hsm, including a line like this depth=0 cn = demo 1