Verasec vSEC:CMS

Create an Operator Service Key Store in an HSM


This section shows how to configure vSEC:CMS to use the HSM for the Operator Service Key Store (OSKS). This process also migrates the master key stored on the System Owner (SO) token to the HSM.

vSEC:CMS Operator Console

Perform the following tasks on the Operator Console:

Log in to the vSEC:CMS Operator Console (OC)

1. Start the vSEC:CMS Admin application.
2. When prompted, insert your System Owner (SO) hardware credential.
3. Enter the operator passcode for the System Owner and select [ Authenticate ].

If the authentication succeeds, the Admin application starts and logs you into the Operator Console.

Add Service Key Store with HSM

1. In the navigation menu, select Options > Operators.
2. Select [ Add service key store ].
3. In the Add Service Key Store (HSM) dialog, select the PKCS #11 library in the Key store drop-down list, specify a Store name, and select [ Add ].
4. Enter the operator passcode for the System Owner, and select [ OK ].

Upon success, the system creates the new service key store, and the master keys will be stored on the HSM. You should see the message shown below, confirming that the operation was successful:

From this point on, every administrative key operation that vSEC:CMS performs, such as registering a smart card token or unblocking a PIN, uses the master keys stored on the HSM.

PKCS11Manager utility

To view the keys that vSEC:CMS created on the HSM, perform the following task with the PKCS11Manager utility that is packaged with the PKCS #11 module:

View the keys vSEC:CMS created on the Vectera Plus

1. In Windows File Explorer, go to the PKCS #11 installation directory and run the PKCS11Manager.exe file.

   This action displays the following menu:

2. Enter 8 to log in and select the Enter key.
3. Enter 1 to select the Text password input mode and select the Enter key.
4. Enter the password of the identity defined in the FXPKCS11 configuration file and select the Enter key.

   If successful, you receive confirmation that you are logged in.

5. Enter 3 to Find Objects and select the Enter key.
6. Enter 1 to find All objects and select the Enter key.

Upon success, you see information similar to the following example for all keys that the connecting identity has permission to access:

vSEC:CMS creates four objects on the HSM:

  • Two 3DES symmetric encryption keys, which are the master keys used by the vSEC:CMS application. Their PKCS #11 labels are CMS MK0 and CMS MK1.
  • Two RSA public keys, which are used to wrap the master keys.
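The four objects listed above can also be verified programmatically instead of by reading the PKCS11Manager output by eye. The following is an added example, not code from the original page, from vSEC:CMS, or from the Futurex PKCS #11 module; it assumes the third-party python-pkcs11 package, an operator-supplied library path and PIN, and treats "master keys are not extractable" as an expected property that this page does not itself state, and the RSA key labels in the sample are invented placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Expected inventory from this page: two 3DES master keys plus two RSA public wrapping keys.
MASTER_KEY_LABELS = ("CMS MK0", "CMS MK1")

@dataclass
class HsmObject:
    label: Optional[str]
    obj_class: Optional[str]  # CKA_CLASS name, e.g. "SECRET_KEY" or "PUBLIC_KEY"
    key_type: Optional[str]   # CKA_KEY_TYPE name, e.g. "DES3" or "RSA"
    extractable: Optional[bool] = None  # CKA_EXTRACTABLE; None if the object has no such attribute

def audit_inventory(objects: List[HsmObject]) -> List[str]:
    """Compare the HSM's object list with the expected inventory; an empty list means it matches."""
    findings = []
    for label in MASTER_KEY_LABELS:
        hits = [o for o in objects if (o.obj_class, o.key_type, o.label) == ("SECRET_KEY", "DES3", label)]
        if len(hits) != 1:
            findings.append(f"expected one 3DES secret key labelled {label!r}, found {len(hits)}")
        elif hits[0].extractable:  # assumed hardening expectation: master keys never leave the HSM
            findings.append(f"{label!r} has CKA_EXTRACTABLE=TRUE; the master key could be exported")
    rsa_pub = [o for o in objects if o.obj_class == "PUBLIC_KEY" and o.key_type == "RSA"]
    if len(rsa_pub) != 2:
        findings.append(f"expected two RSA public wrapping keys, found {len(rsa_pub)}")
    return findings

def read_inventory(lib_path: str, user_pin: str, token_label: Optional[str] = None) -> List[HsmObject]:
    """Enumerate objects with python-pkcs11; lib_path and the PIN are the operator's own values."""
    import pkcs11  # third-party package python-pkcs11, imported lazily so the audit runs without it

    def attr(obj, a):
        try:
            value = obj[a]
        except pkcs11.PKCS11Error:  # attribute not defined for this object class
            return None
        return getattr(value, "name", value)  # enums (CLASS, KEY_TYPE) -> their names

    token = pkcs11.lib(lib_path).get_token(token_label=token_label)
    with token.open(user_pin=user_pin) as session:  # same login as PKCS11Manager option 8
        return [HsmObject(attr(o, pkcs11.Attribute.LABEL), attr(o, pkcs11.Attribute.CLASS),
                          attr(o, pkcs11.Attribute.KEY_TYPE), attr(o, pkcs11.Attribute.EXTRACTABLE))
                for o in session.get_objects()]  # equivalent of Find Objects -> All objects

# Constructed sample standing in for the HSM's answer; the RSA labels are invented placeholders.
SAMPLE_INVENTORY = [
    HsmObject("CMS MK0", "SECRET_KEY", "DES3", False),
    HsmObject("CMS MK1", "SECRET_KEY", "DES3", False),
    HsmObject("WRAP0", "PUBLIC_KEY", "RSA"),
    HsmObject("WRAP1", "PUBLIC_KEY", "RSA"),
]
```

Against a live HSM, call `audit_inventory(read_inventory(path_to_fxpkcs11_library, pin))`; any returned finding means the migration left something other than the four expected objects.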