Configure Curity to use the Vectera Plus HSM for SSL
This section covers the tasks needed to configure Curity to use the Vectera Plus HSM for server SSL.
You must configure each run-time node to communicate with the HSM. This requires a PIN or password, which you can provide interactively on the command line during startup, directly on the command line as an argument, or in the environment variable IDSVR_HSM_PIN. Passing the PIN directly as a command line argument exposes it to anyone who can list processes on the host, so prefer the interactive prompt or the environment variable. If you don't provide this PIN to each run-time node, the nodes cannot log in to the HSM and cannot use the keys that reside on the device, so it is imperative to start the nodes with this credential. The command line argument to use is -i. In non-production environments you can also pass --debug-hsm to get extra HSM-related debug messages in the server log. In this case, run the following command to start a node:
When prompted by the preceding command, enter the password of the identity configured in the fxpkcs11.cfg file.
To use the HSM, perform the following steps:
Log in to the Curity admin UI and go to the System tab.
Scroll down to the Hardware Security Module section and toggle on the HSM.
After enabling this, you can enter information about how the run-time nodes connect to the HSM.
Enter the file path to the Futurex PKCS #11 module in the Library field.
Select slot-id in the Slot field and leave the Slot ID set to 0.
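Before pointing Curity at the module, it is worth confirming from the same host that the Futurex PKCS #11 library loads, that slot 0 accepts a login with the PIN, and that the key you intend to reference (Demo_1 in this guide) is really there with the expected size. The script below is an added example, not part of the original page or of Curity's own tooling. It assumes the OpenSC pkcs11-tool is installed, that you supply the module path and the PIN in IDSVR_HSM_PIN, and that pkcs11-tool prints objects in its usual "Private Key Object; RSA" / "label:" layout.

```shell
#!/bin/sh
# Added example (not from the Curity docs): verify the HSM key that Curity
# will reference before configuring it in the admin UI.
# Assumes OpenSC's pkcs11-tool is installed and IDSVR_HSM_PIN holds the PIN.

# hsm_key_info LABEL
# Reads `pkcs11-tool --list-objects` output on stdin. Exits 0 and prints the
# RSA size taken from the matching public key object ("unknown" if absent)
# when a private key object with LABEL exists; exits 1 otherwise.
# Labels are assumed to contain no whitespace.
hsm_key_info() {
  awk -v want="$1" '
    # Object headers look like "Private Key Object; RSA" or
    # "Public Key Object; RSA 2048 bits"
    /^[A-Za-z]+ Key Object;/ {
      type = $1; bits = ""
      if (match($0, /[0-9]+ bits/)) bits = substr($0, RSTART, RLENGTH - 5)
    }
    /^  label:/ && $2 == want {
      if (type == "Private") priv = 1
      if (type == "Public")  pub_bits = bits
    }
    END {
      if (!priv) exit 1
      out = pub_bits
      if (out == "") out = "unknown"
      print out
    }
  '
}

# check_hsm_key MODULE LABEL EXPECTED_BITS
# Logs in to slot 0 of MODULE (the Futurex PKCS #11 library; path supplied by
# you) and checks that LABEL is a private key of EXPECTED_BITS bits.
# Note: --pin places the PIN in the process list; drop it to be prompted instead.
# If pkcs11-tool itself fails (module missing, wrong PIN) no objects are listed
# and the check fails as "no private key".
check_hsm_key() {
  module="$1"; label="$2"; expected="$3"
  bits=$(pkcs11-tool --module "$module" --slot 0 --login \
           --pin "$IDSVR_HSM_PIN" --list-objects | hsm_key_info "$label") \
    || { echo "no private key labelled $label in slot 0" >&2; return 1; }
  [ "$bits" = "$expected" ] \
    || { echo "$label is $bits bits, expected $expected" >&2; return 1; }
  echo "ok: $label ($bits-bit RSA) present in slot 0"
}

# Usage (module path is a placeholder):
#   IDSVR_HSM_PIN=... sh -c '. ./check_hsm.sh; check_hsm_key /opt/futurex/lib/fxpkcs11.so Demo_1 2048'
```

The parser is split from the pkcs11-tool call so it can be exercised on captured output, and so a failed login (which yields an empty object list) is reported rather than silently passing.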
Even before committing the changes, configuring the HSM lets you define key entries in Curity that refer to keys stored in the HSM. To see this, perform the following steps:
Select Facilities in the top-right corner of the UI.
Go to Keys and Cryptography > TLS, and select the + button next to Server SSL Keys.
Here, you have three options, including the Use from HSM option, which is unavailable until an HSM is configured.
Now that the HSM is configured, enter the name of the key created earlier, Demo_1, into the Name text field.
Select the Use from HSM option and select [ Next ].
On the next screen, select rsa from the Type drop-down list and enter the key size used when the key was made in the HSM, namely 2048.
Select [ OK ].
At this point, you can assign the key to a run-time node by running the following steps:
Go to the System tab and then go to Deployments in the sidebar.
Select the name of one of the nodes you have configured to open the Update Server dialog box.
The SSL Server KeyStore drop-down should be visible if the node uses the HTTPS protocol. From this list, select the key that you just defined.
Select [ Close ].
Commit the changes by selecting Commit from the Changes menu and selecting [ OK ] in the Deploy Changes dialog box.
Finally, if everything worked and the nodes log at the DEBUG level, you should see log messages like these in the run-time node logs:
These messages show that the configured library was loaded, which slot list index was used, that login with the PIN succeeded, and that the HSM exposes one key with the alias Demo_1. Together they confirm that SSL on the node now uses a key from the HSM.
To test this, open a connection to the node with a browser or openssl by running the following command:
This should output info about the self-signed cert imported onto the HSM, including a line like this: depth=0 CN = Demo_1.
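To make this check scriptable (for a deployment pipeline or a post-commit smoke test), the following added example wraps the openssl s_client call and compares the CN of the leaf certificate the node serves against the HSM key alias. It is not from the original page; the host and port are placeholders, and the parser accepts both the "depth=0 CN = Demo_1" form printed by OpenSSL 1.1 and later and the older "depth=0 /CN=Demo_1" form.

```shell
#!/bin/sh
# Added example (not from the Curity docs): confirm that a run-time node now
# serves the certificate whose private key lives on the HSM.

# leaf_cn
# Reads `openssl s_client` output on stdin and prints the CN of the depth=0
# (leaf) certificate. Handles "depth=0 CN = Demo_1" (OpenSSL >= 1.1) and
# "depth=0 /CN=Demo_1" (older releases). Prints nothing if no leaf line is seen.
leaf_cn() {
  sed -n 's|^depth=0 .*CN *= *\([^,/]*\).*|\1|p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_served_cert HOST PORT EXPECTED_CN
# Opens a TLS connection to the node and checks the leaf certificate's CN.
# s_client writes the depth= lines to stderr, hence 2>&1. The certificate in
# this guide is self-signed, so the verify error s_client reports is expected;
# only the subject is checked here.
check_served_cert() {
  host="$1"; port="$2"; expected="$3"
  cn=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 | leaf_cn)
  if [ "$cn" = "$expected" ]; then
    echo "ok: $host:$port serves CN=$cn"
  else
    echo "mismatch: $host:$port serves CN='${cn:-<none>}', expected $expected" >&2
    return 1
  fi
}

# Usage (placeholder host and port):
#   check_served_cert idsvr.example.com 8443 Demo_1
```

Run it once per run-time node after the commit; a node that still reports its old CN was not assigned the new keystore or has not reloaded its configuration.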