Configure a transaction processing connection and create an application partition
For this step, you need to log in with an identity that has a role with the following permissions: Role:Add, Role:Assign All Permissions, Role:Modify, Keys:All Slots, and Command Settings:Excrypt. You can use the default Administrator role and Admin identities.
This integration guide treats the terms Application Partition and Role as synonymous.
Before an application logs in to the HSM with an authenticated user, it first connects through a Transaction Processing connection to the Transaction Processing application partition. So, you must take steps to harden the application partition by configuring the following items for the Transaction Processing partition:
- It should not have access to the All Slots permissions.
- It should not have access to any key slots.
- Enable only the PKCS #11 communication commands.
Choose one of the following methods to configure the Transaction Processing connection:
Go to the Application Partitions menu, select the Transaction Processing application partition, and select [ Modify ].
In the Permissions tab, leave the top-level Keys permission checked and uncheck the All Slots sub permission.
In the Key Slots tab, ensure that the settings do not specify key ranges. By default, the Transaction Processing application partition can access the entire range of key slots on the HSM.
In the Commands tab, make sure to enable only the following PKCS #11 Communication commands:
Command
Description
ECHO
Communication Test/Retrieve Version
PRMD
Retrieve HSM restrictions
RAND
Generate random data
HASH
Retrieve device serial
GPKM
Retrieve key table information
GPKS
General purpose key settings get/change
GPKR
General purpose key settings get (read-only)
To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions segment the permissions and keys between applications on an HSM. The following steps outline creating and configuring a new application partition.
Choose one of the following methods to create an application partition:
Go to the Application Partitions menu and select [ Add ].
In the Basic Information tab, configure all of the fields as follows:
Option
Required configuration
Role Name
Specify any name that you would like for this new application partition.
Logins Required
Set to 1
If the HSM is in FIPS mode, you must set Logins Required to 2.
Ports
Set to Prod.
Connection Sources
Set to Ethernet.
Managed Roles
Leave blank because you specify the exact Permissions, Key Slots, and Commands for this application partition or role to have access to.
Use Dual Factor
Set to Never.
Upgrade Permissions
Leave unchecked.
In the Permissions tab, select the following key permissions:
Permission
Description
Keys
Top-level permission
Authorized
Allows for keys that require login
Import PKI
Allows trusting an external PKI. Generally not recommended, but some applications use this enable for PKI symmetric key wrapping.
No Usage Wrap
Allows for interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys.
In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.
To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands:
CNG communication commands:
Command
Description
ECHO
Communication Test/Retrieve Version
HASH
Retrieve device serial
GPKM
Retrieve key table information
GPKR
General-purpose key settings get (read-only)
Key operations commands:
Command
Description
APFP
Generate PKI Public Key from Private Key
ASYL
Load asymmetric key into key table
GECC
Generate an ECC Key Pair
GPCA
General purpose add certificate to key table
GPGS
General purpose generate symmetric key
GPKA
General purpose key add
GPKD
General purpose key slot delete/clear
GRSA
Generate RSA Private and Public Key
LRSA
Load key into RSA Key Table
RPFP
Get public components from RSA private key
Interoperable key wrapping commands:
Command
Description
GPKU
General purpose key unwrap (unrestricted)
GPUK
General purpose key unwrap (preserves key usage)
GPKW
General purpose key wrap (unrestricted)
GPWK
General purpose key wrap (preserves key usage)
Data encryption commands:
Command
Description
ADPK
PKI Decrypt Trusted Public Key
GHSH
Generate a Hash (Message Digest)
Starting in firmware version 7.x, this function is enabled by default and does not need to be specified.
GPSE
General Purpose Symmetric Encrypt
GPSD
General Purpose Symmetric Decrypt
GPGC
General purpose generate cryptogram from key slot
GPMC
General purpose MAC (Message Authentication Code)
GPSR
General purpose RSA encrypt/decrypt or sign/verify with recovery
HMAC
Generate a hash-based message authentication code
RDPK
Get Clear Public Key from Cryptogram
Signing commands:
Command
Description
ASYS
Generate a Signature Using a Private Key
ASYV
Verify a Signature Using a Public Key
GPSV
General purpose data sign and verify
RSAS
Generate a Signature Using a Private Key