Generic

Key Labeling

4min

We help you streamline and simplify traditional host application API requests between a key management server and an HSM for cryptographic processing.

Legacy approach

Using the legacy approach, the host application communicates independently with the HSMs and key management servers, sending out a single request to each device at a time. First, this approach requests the key from the key management server, and then it provides that key to the HSM along with the cryptographic processing request. In addition to requiring a more complex application development process, this results in slower transaction processing times and increases the computational burden on the host application.

Improved approach

With the new and improved approach presented in this guide, a

 works as a proxy between the host application and the

and HSM. This offloads essentially all of the computational burden to the

, which is designed for high throughput and can seamlessly communicate with the

and HSM, as shown in the following communication flow:

1

The host application sends a message to the Guardian to pass to the HSM for processing. Instead of a cryptogram or key block, it sends a key label in the key tag of this message.

2

The Guardian interrogates the message before forwarding it to the HSM and detects that the key tag has a key label. The Guardian then requests the encrypted key, held under the key label, from the

.

3

The

 returns the encrypted key to the Guardian.

4

The Guardian replaces the key label with the returned encrypted key in the message and sends the message to the HSM for processing.

5

The HSM returns the required response to the Guardian.

6

The Guardian forwards the response to the host application.

Overview of the setup process

This section provides an overview of the setup process, and later sections explain the steps in detail:

This process assumes you have already connected a

 and an HSM with a

by using Key and Certificate Management and Hardware Security Module Encryption Device Groups, respectively. Refer to the appropriate user guide for instructions on how to set this up.

Complete steps 1-3 on the Guardian, and complete steps 4-5 need on the

.

1

On the Guardian, create a new user group with the required permissions.

2

Add a new user to the user group created in the first step.

3

Assign the correct Key Management group to the appropriate HSM group.

4

On the

, create a new key group.

5

In the key group from step 4, give the Use permission to the user group created on the Guardian in step 1.

6

Set up authentication between the host application and the Guardian.