
Create an Operator Service Key Store in an HSM

This section shows how to configure Verasec vSEC:CMS to use the Vectera Plus HSM for the Operator Service Key Store (OSKS). The process also migrates the master key stored on the System Owner (SO) token to the HSM.

vSEC:CMS Operator Console

Perform the following tasks on the Operator Console.

Log in to the vSEC:CMS Operator Console (OC)

1. Start the vSEC:CMS Admin application.
2. When prompted, insert your System Owner (SO) hardware credential.
3. Enter the operator passcode for the System Owner and select [Authenticate].

If the authentication succeeds, the Admin application starts and logs you into the Operator Console.

Add a service key store with the HSM

1. In the navigation menu, select Options > Operators.
2. Select [Add Service Key Store].
3. In the Add Service Key Store (HSM) dialog, select the Futurex PKCS #11 library in the Key Store drop-down list, specify a Store Name, and select [Add].
4. Enter the operator passcode for the System Owner, and select [OK].

Upon success, the system creates the new service key store, and the master keys are stored on the HSM. You should see the message shown below, confirming that the operation was successful:

    The new service key store Vectera Plus has been successfully created and activated.
    The service key store System Keystore has been deactivated.

From now on, all administration key operations performed with vSEC:CMS, such as registering a smart card token or PIN unblock operations, use the master keys stored on the Vectera Plus HSM.

PKCS11Manager utility

To view the keys that vSEC:CMS created on the HSM, perform the following task with the PKCS11Manager utility packaged with the Futurex PKCS #11 module.

View the keys vSEC:CMS created on the Vectera Plus

1. In Windows File Explorer, go to the Futurex PKCS #11 installation directory and run the PKCS11Manager.exe file. This action displays the following menu:

    Main Menu
    1. Print Library/Token Info
    2. Generate Key
    3. Find Objects
    4. Modify Objects
    5. Delete Objects
    6. Generate Random Data
    7. Sign Data
    8. Login
    9. Logout
    0. Exit

2. Enter 8 to log in and press the Enter key.
3. Enter 1 to select the text password input mode and press the Enter key.
4. Enter the password of the identity defined in the FXPKCS11 configuration file and press the Enter key. If successful, you receive confirmation that you are logged in.
5. Enter 3 to find objects and press the Enter key.
6. Enter 1 to find all objects and press the Enter key.

Upon success, you see information similar to the following example for all keys that the connecting identity has permission to access:

    Total number of found objects: 4

    Object ID: 2
      Internal ID: 2
      Excrypt board slot: 1
      Class: CKO_PUBLIC_KEY
      Token: Yes
      Private: Yes
      Sensitive: No
      Modifiable: Yes
      Modulus bits: 2048
      KCV: CD1F
      Usage: W

    Object ID: 3
      Internal ID: 3
      Excrypt board slot: 2
      Class: CKO_SECRET_KEY
      Key type: DES3
      Token: Yes
      Private: Yes
      Sensitive: No
      Modifiable: Yes
      Value len: 24
      Value bits: 192
      Label: CMS MK0
      ID: VSEC0000
      KCV: 849F
      Usage: ED

    Object ID: 4
      Internal ID: 4
      Excrypt board slot: 3
      Class: CKO_PUBLIC_KEY
      Token: Yes
      Private: Yes
      Sensitive: No
      Modifiable: Yes
      Modulus bits: 2048
      KCV: 532A
      Usage: W

    Object ID: 5
      Internal ID: 5
      Excrypt board slot: 4
      Class: CKO_SECRET_KEY
      Key type: DES3
      Token: Yes
      Private: Yes
      Sensitive: No
      Modifiable: Yes
      Value len: 24
      Value bits: 192
      Label: CMS MK1
      ID: VSEC0001
      KCV: 8BAF
      Usage: ED

vSEC:CMS creates four objects on the HSM:

- Two 3DES symmetric encryption keys, which are the master keys used by the vSEC:CMS application. These keys have the CMS MK0 and CMS MK1 PKCS #11 labels.
- Two public RSA asymmetric keys that are used to wrap the master keys.
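As an added post-migration check (example code written for this page, not part of the Verasec or Futurex tooling), the script below parses a PKCS11Manager "find all objects" listing and verifies that the expected OSKS inventory is present: two token-resident DES3 master keys labelled CMS MK0 and CMS MK1, and two RSA-2048 public wrapping keys. The sample listing is constructed from the output above, and the exact attribute spelling it assumes is an assumption.

```python
# Constructed sample of a PKCS11Manager "Find all objects" listing, condensed
# to the attributes the check needs (attribute names are assumptions).
SAMPLE_DUMP = """\
Total number of found objects: 4
Object ID: 2
  Class: CKO_PUBLIC_KEY
  Modulus bits: 2048
  Usage: W
Object ID: 3
  Class: CKO_SECRET_KEY
  Key type: DES3
  Token: Yes
  Label: CMS MK0
Object ID: 4
  Class: CKO_PUBLIC_KEY
  Modulus bits: 2048
  Usage: W
Object ID: 5
  Class: CKO_SECRET_KEY
  Key type: DES3
  Token: Yes
  Label: CMS MK1
"""

def parse_objects(dump):
    """One {attribute: value} dict per 'Object ID' block; header lines are skipped."""
    objects = []
    for line in dump.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key.lower() == "object id":
            objects.append({})
        if objects and key:
            objects[-1][key.lower()] = value
    return objects

def check_osks_keys(dump):
    """Return a list of problems; empty means the expected OSKS inventory is present."""
    objs = parse_objects(dump)
    masters = [o for o in objs if o.get("class") == "CKO_SECRET_KEY"]
    wrappers = [o for o in objs if o.get("class") == "CKO_PUBLIC_KEY"]
    problems = []
    labels = sorted(o.get("label", "").replace("_", " ").upper() for o in masters)
    if labels != ["CMS MK0", "CMS MK1"]:
        problems.append(f"master key labels {labels} != ['CMS MK0', 'CMS MK1']")
    for o in masters:  # master keys must be DES3 and live on the token, not in session
        if o.get("key type") != "DES3" or o.get("token") != "Yes":
            problems.append(f"object {o['object id']}: not a token-resident DES3 key")
    if len(wrappers) != 2:
        problems.append(f"{len(wrappers)} wrapping keys, expected 2")
    for o in wrappers:  # wrapping keys must be RSA-2048 with wrap (W) usage
        if o.get("modulus bits") != "2048" or o.get("usage") != "W":
            problems.append(f"object {o['object id']}: not an RSA-2048 key with usage W")
    return problems
```

Run it against a saved copy of the real listing; any non-empty result means the key store was not created as the procedure describes.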