Use the Guardian Series 3 to configure HSMs for PKCS #11 integrations

This section explains how to create an Encryption Device Group and add HSMs to the device group for remote management.

Create a client Futurex device group

Device groups simplify information management on client devices by controlling them through a single interface. Use the following procedures to create a device group and add devices.

1. Select Encryption Devices from the left toolbar, then select [ Add Group ] at the bottom of the window to open the Encryption Device Group window.

2. Enter a Group Name in the associated field.

3. Enter a group Description in the associated field.

4. Select an Owner Group from the drop-down menu.

5. Select Hardware Security Module in the Group Type drop-down menu.

   Devices that you add to the HSM group must all be the same type (such as Excrypt Plus or Excrypt SSP Enterprise v.2).

6. Define Group Options.

   • Configuration: Enables remote configuration for all HSMs in the group.
   • Monitoring: Enables monitoring for all HSMs in the group.
   • Balancing: Enables load balancing between group devices for API calls sent to the group.
7. Choose the Connection Pair in the drop-down menu. The connection pairs available vary depending on the type of device group. For PKCS #11, you need only the Excrypt/Standard connection pair. You should disable the HTTP and International connection pairs.

   • Excrypt/Standard: Enables you to connect with the Excrypt or Standard APIs for transaction processing by using HSMs.
   • HTTP: Enables you to connect with one of the following targets: the client device web management portal; the Registration Authority (RA), if you added units with the RA functionality; or the RESTful web API of the device.
   • International: Enables you to connect with the International API for transaction processing by using HSMs when you enable the Excrypt Universal Interface license.

8. Select the Allow Connection checkbox and choose the Port and Header Size, if applicable.

9. Select the Connection Type for each connection pair from the drop-down menu. The options are Clear, SSL (default), or Anonymous TLS. Futurex recommends using SSL.

10. Select [ OK ] to create the group.

Add devices to a device group

Groups are defined by device type. Because you can't mix and match different devices within the same group, choose the group with the same model when selecting a device to add. Perform the following steps to add a device to a group:

1. Select the group to add the client device to.

2. Select [ Add Device ] at the bottom of the screen to open the Encryption Device window.

3. Enter the Hostname or IP address of the client device.

   HSMs managed by the Guardian in a single group must use the same firmware version and feature set.

   If using certificates, keep all the remaining settings in this menu (steps 4-11) at their defaults.

4. In the Connection Pair drop-down menu, select the proper TLS pair for the device in question.

5. Define the Port on which the client devices are configured to operate. You don't need to specify a Header Size.

6. Designate the desired Connection Type and Configuration by using the drop-down menus.

7. Select the device Role from the associated drop-down menu to specify the device's use in the assigned group. Only the Primary Device role is available for the first device added to the group.

   • Primary Device: Designates a device as a primary device in the device group. The configuration details on this device automatically replicate to any additional devices added to the device group. The primary device also functions in the same role as a production device.
   • Production Device: Designates a device as a production device. Production devices begin actively processing transactions when you synchronize the device with the group. You can add multiple production devices to an individual device group.
   • Backup Device: Designating a device as a backup device causes it to remain synchronized with the group, but not process transactions. However, the device automatically begins processing transactions as soon as a production device is removed from service. Using backup devices is optional, and you can add multiple backup devices to an individual device group.

8. Select a Group from the drop-down menu.

9. Check the box next to Balancing enabled to enable balancing. This enables the Guardian to evenly distribute requests to devices in the group.

10. Set the number of seconds of failed pings before the Guardian considers the device disconnected.

11. Set the desired number of seconds for the ping timeout. The ping timeout is the amount of time an individual ping remains open before it is counted as failed.

12. Select [ OK ] to save changes.

The Details window opens and displays the connection details and status for the device, and enables you to export this information after the process completes.

To reopen this window, right-click on the encryption device and select Show Connection Status.

Troubleshooting failed connections

If the connection is failing, consider the following:

  • Are the Device Group and Device enabled?
  • Are the Admin and Excrypt TLS ports configured on the HSM?
  • Are the Guardian and the HSM using the same CA tree? If using certificates, both must use either an RSA CA or an ECC CA.

If port 9100 fails to connect, there is a problem with the Excrypt port configuration. If port 9009 fails to connect, there is a problem with the Admin port configuration.
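The following Python script is an added diagnostic and is not part of the Futurex documentation. It turns the two checks above into code: it probes TCP ports 9100 and 9009 and reports which configuration to look at when one fails, and it applies the CA-family rule by reading the public-key algorithm OID out of a DER certificate so you can confirm the Guardian's CA and the HSM's certificate are both RSA or both ECC. The hostname hsm.example.internal and the byte strings used in the comments are constructed placeholders; the OID values are the standard rsaEncryption and id-ecPublicKey identifiers.

```python
import socket
import ssl

# Port-to-subsystem mapping taken from the troubleshooting text above.
PORT_CHECKS = {
    9100: "Excrypt port configuration",
    9009: "Admin port configuration",
}

# DER-encoded OIDs that identify the public-key family inside a certificate's
# SubjectPublicKeyInfo: rsaEncryption (1.2.840.113549.1.1.1) and
# id-ecPublicKey (1.2.840.10045.2.1). These are the key algorithm OIDs, not the
# signature algorithm OIDs, so an ECC certificate signed by an RSA CA still
# reads as ECC.
RSA_KEY_OID = bytes.fromhex("06092a864886f70d010101")
EC_KEY_OID = bytes.fromhex("06072a8648ce3d0201")


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(results):
    """Map {port: reachable?} to the troubleshooting statements on the page."""
    problems = []
    for port, label in PORT_CHECKS.items():
        if not results.get(port, False):
            problems.append(f"port {port} failed to connect: problem with the {label}")
    return problems


def check_hsm_ports(host, probe=tcp_reachable):
    """Probe both ports on an HSM and return the list of diagnosed problems."""
    return diagnose({port: probe(host, port) for port in PORT_CHECKS})


def key_family(cert_der):
    """Return 'RSA', 'ECC', or None based on the key algorithm OID in DER certificate bytes."""
    if RSA_KEY_OID in cert_der:
        return "RSA"
    if EC_KEY_OID in cert_der:
        return "ECC"
    return None


def same_ca_family(guardian_ca_der, hsm_cert_der):
    """Apply the rule that both sides must use either an RSA CA or an ECC CA."""
    guardian, hsm = key_family(guardian_ca_der), key_family(hsm_cert_der)
    return guardian is not None and guardian == hsm


def fetch_hsm_cert(host, port=9100, timeout=3.0):
    """Fetch the certificate the HSM presents on its Excrypt TLS port as DER bytes.

    Verification is disabled on purpose: the goal is to inspect which key family
    the HSM presents, not to trust the connection for anything else.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # hsm.example.internal is an assumed hostname; replace it with the HSM address.
    host = "hsm.example.internal"
    for line in check_hsm_ports(host):
        print(line)
    # To compare CA families, load the Guardian's CA certificate as DER bytes
    # (e.g. from a file you exported) and call:
    #   same_ca_family(guardian_ca_der, fetch_hsm_cert(host))
```

Run it with the HSM's address in place of the placeholder; an empty list from check_hsm_ports means both ports accepted a TCP connection, and same_ca_family returning False tells you the two certificates belong to different key families, which is the mismatch the bullet list warns about.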

Configure the HSM through the Guardian

Perform the tasks in this section to configure the HSM.

Load the Futurex key

For this step, you need to log in with an identity that has a role with the Major Keys:Load permission. You can use the default Administrator role and Admin identities.

The Futurex Key (FTK) wraps all keys stored on an HSM that is used with PKCS #11. If you use multiple HSMs in a cluster, you can use the same FTK for syncing the HSMs. Before you can use an HSM with PKCS #11, it must have an FTK.

The following instructions are for the Guardian, but you can also complete this process by using Excrypt Manager, FXCLI, or the Excrypt Touch. For more information about how to load the FTK into an HSM using the other tools or devices, see the relevant Administrative Guide.

1. After logging in, go to the Encryption Devices page. Right-click on the device group and select Remote Manage.

2. After you log in on the login screen, select Keys in the left-hand menu. Go to the Major Keys tab and select [ Load ] next to the FTK.

3. In the first menu, select the Algorithm, Key length, and Key parts that you want to use. Load each of the key parts.

   You receive a confirmation that each key part loaded successfully. When they finish loading, you receive a Final Key Checksum.

4. Select [ Next ] to finish loading the key.

Configure a transaction processing connection and create an application partition

Create an application partition

To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions separate the permissions and keys of one application from those of other applications on the same HSM.

The following steps outline the process for configuring a new application partition:

1. Go to the Application Partitions tab and select [ Add Partition ].

2. In the Basic Information tab, configure all the fields as follows:

   • Logins Required: Set to 1. If the HSM is in FIPS mode, you must set Logins Required to 2.
   • Ports: Set to Prod.
   • Connection Sources: Set to Ethernet.
   • Use Dual Factor: Set to Never.
3. Go to the Permissions tab and select the following permissions:

   • Keys: Top-level permission.
   • Authorized: Allows for keys that require login.
   • Import PKI: Allows trusting an external PKI. Generally not recommended, but some applications use this to allow for PKI symmetric key wrapping.
   • No Usage Wrap: Enables interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys.
4. In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.

5. To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands:

   PKCS #11 communication commands:

   • ECHO: Communication Test/Retrieve Version
   • PRMD: Retrieve HSM restrictions
   • RAND: Generate random data
   • HASH: Retrieve device serial
   • GPKM: Retrieve key table information
   • GPKS: General-purpose key settings get/change
   • GPKR: General-purpose key settings get (read-only)

   Key operations commands:

   • APFP: Generate PKI Public Key from Private Key
   • ASYL: Load asymmetric key into the key table
   • GECC: Generate an ECC Key Pair
   • GPCA: General-purpose add certificate to key table
   • GPGS: General-purpose generate symmetric key
   • GPKA: General-purpose key add
   • GPKD: General-purpose key slot delete/clear
   • GRSA: Generate RSA Private and Public Key
   • LRSA: Load key into RSA Key Table
   • RPFP: Get public components from the RSA private key

   Interoperable key wrapping commands:

   • GPKU: General-purpose key unwrap (unrestricted)
   • GPUK: General-purpose key unwrap (preserves key usage)
   • GPKW: General-purpose key wrap (unrestricted)
   • GPWK: General-purpose key wrap (preserves key usage)

   Data encryption commands:

   • ADPK: PKI Decrypt Trusted Public Key
   • GHSH: Generate a Hash (Message Digest). Starting in firmware version 7.x, this function is enabled by default, so you don't need to specify it.
   • GPSE: General-Purpose Symmetric Encrypt
   • GPSD: General-Purpose Symmetric Decrypt
   • GPGC: General-purpose generate cryptogram from key slot
   • GPMC: General-purpose MAC (Message Authentication Code)
   • GPSR: General-purpose RSA encrypt/decrypt or sign/verify with recovery
   • HMAC: Generate a hash-based message authentication code
   • RDPK: Get Clear Public Key from Cryptogram

   Signing commands:

   • ASYS: Generate a Signature Using a Private Key
   • ASYV: Verify a Signature Using a Public Key
   • GPSV: General-purpose data sign and verify
   • RSAS: Generate a Signature Using a Private Key

Create a new identity and associate it with the new application partition

For this step, you must log in with an identity that has a role with the Identity:Add permission. You can use the default Administrator role and Admin identities.

1. To create this new identity, select Identity Management > Add Identity.

2. Specify a name for the new identity.

3. In the Roles drop-down menu, select the name of the previously created application partition to associate the new identity with it.

   You must set the new identity inside the fxpkcs11.cfg file in the <CRYPTO-OPR> tag.

4. Select [ Finish ] and then [ Yes ] to exit out of this menu and log out of the device group.

Configure TLS Authentication