Create an Operator Service Key Store with HSM
This section explains how to configure vSEC:CMS to use the KMES Series 3 for the Operator Service Key Store (OSKS). During this process, the master key stored on the System Owner (SO) token migrates to the KMES.
Start the vSEC:CMS Admin application.
When prompted, insert your System Owner (SO) hardware credential.
Enter the operator passcode for the System Owner and select [ Authenticate ].
If authentication succeeds, the Admin application starts, and you are logged in to the Operator Console.
In the navigation menu, select Options > Operators.
Select the [ Add service key store ] button.
In the Add Service Key Store (HSM) window, select the Futurex PKCS #11 library in the Key store drop-down list, specify a Store name, and select [ Add ].
Enter the operator passcode for the System Owner and select [ OK ].
After the new service key store is created, the master keys are stored on the KMES Series 3. You should see a message similar to the following example, confirming that the operation succeeded:
Now, all administration key operations performed with the vSEC:CMS, such as registering a smart card token or PIN unblock operations, will use the master keys stored on the KMES Series 3.
vSEC:CMS creates two 3DES symmetric encryption keys on the KMES Series 3. These are the master keys used by the vSEC:CMS application, and they have the CMS MK0 and CMS MK1 PKCS #11 labels.
To view the keys, perform the following steps:
Log in to the KMES application interface with the default admin identities.
Go to Key Management > Keys.
Select the symmetric key group that Versasec created on the KMES through the PKCS #11 library.
This displays the two 3DES symmetric data encryption keys in the Keys section of the menu.
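The same check can be scripted from the host through the PKCS #11 interface. The following is an added example, not code from the Futurex or Versasec documentation. It assumes the OpenSC `pkcs11-tool` utility is installed and that you supply the path to the PKCS #11 library yourself. The sample output is constructed, and the sensitive and non-extractable expectations are an added audit check, not something this page states.

```python
import re
import subprocess

EXPECTED_LABELS = {"CMS MK0", "CMS MK1"}  # PKCS #11 labels stated on this page

# Constructed sample modelled on OpenSC pkcs11-tool output; not captured from a KMES.
SAMPLE_OUTPUT = """\
Secret Key Object; DES3 length 24
  label:      CMS MK0
  Access:     sensitive, always sensitive, never extractable, local
Secret Key Object; DES3 length 24
  label:      CMS MK1
  Access:     sensitive, always sensitive, never extractable, local
"""

def list_secret_keys(module_path):
    """List secret keys on the token; module_path is site-specific (assumption)."""
    cmd = ["pkcs11-tool", "--module", module_path, "--login",
           "--list-objects", "--type", "secrkey"]
    return subprocess.run(cmd, check=True, stdout=subprocess.PIPE, text=True).stdout

def parse_keys(text):
    """Return one dict per secret key object: type, label, access flags."""
    keys = []
    for line in text.splitlines():
        header = re.match(r"Secret Key Object;\s*(\S+)", line)
        if header:
            keys.append({"type": header.group(1), "label": None, "access": set()})
        elif keys and ":" in line:
            name, _, value = line.strip().partition(":")
            if name == "label":
                keys[-1]["label"] = value.strip()
            elif name == "Access":
                keys[-1]["access"] = {flag.strip() for flag in value.split(",")}
    return keys

def audit(text):
    """Return a list of findings; an empty list means both master keys look as expected."""
    found = {k["label"]: k for k in parse_keys(text) if k["label"] in EXPECTED_LABELS}
    findings = [f"missing key: {label}" for label in sorted(EXPECTED_LABELS - found.keys())]
    for label, key in sorted(found.items()):
        if key["type"] != "DES3":
            findings.append(f"{label}: type {key['type']}, expected DES3")
        if "sensitive" not in key["access"]:
            findings.append(f"{label}: not marked sensitive")
        if "extractable" in key["access"]:
            findings.append(f"{label}: marked extractable")
    return findings
```

Against a live token, call `audit(list_secret_keys("<path to the Futurex PKCS #11 library>"))`; the exact output layout can differ between `pkcs11-tool` versions, so confirm the parser against your own output first.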