Key Labeling
This guide describes how to streamline and simplify the traditional host application API requests that pass between a key management server and an HSM for cryptographic processing.
Using the legacy approach, the host application communicates independently with the HSMs and the key management servers, sending a single request to one device at a time. The host first requests the key from the key management server, then passes that key to the HSM along with the cryptographic processing request. Besides complicating application development, this makes every transaction a two-round-trip operation, which slows transaction processing and increases the computational burden on the host application.
With the new and improved approach presented in this guide, a Guardian works as a proxy between the host application and the key management server and HSM. This offloads essentially all of the computational burden to the Guardian, which is designed for high throughput and communicates seamlessly with both the key management server and the HSM, as shown in the following communication flow:
The host application sends a message to the Guardian to pass to the HSM for processing. Instead of a cryptogram or key block, it sends a key label in the key tag of this message.
The Guardian looks up the key label on the key management server, replaces the label in the message with the encrypted key that the key management server returns, and sends the message to the HSM for processing.
The HSM returns the required response to the Guardian.
The Guardian forwards the response to the host application.
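The flow above, as an added example that is not Guardian code and does not reproduce the real wire protocol: a Python simulation in which the host, the Guardian proxy, the key management server and the HSM are functions in one process. The TAG=value message format, the "label:" prefix that marks a key label, the XOR-based toy key block and the single MAC command are all assumptions made for illustration. The simulated key management server also enforces the Use permission that the setup steps grant to the Guardian user group, so a label whose key group the user group may not use is refused before anything reaches the HSM, and the legacy and proxied paths are shown to yield the same result.

```python
import base64
import hashlib
import hmac

# Toy master key shared by the simulated KMS and HSM. It stands in for the
# HSM master key under which real key blocks are encrypted (assumption).
MASTER_KEY = hashlib.sha256(b"simulated master key").digest()

LABEL_PREFIX = "label:"  # hypothetical marker: the KEY tag carries a label, not a key block


def wrap(key: bytes) -> str:
    """Toy key block: XOR a 32-byte key under MASTER_KEY and base64-encode it.
    Placeholder for the encrypted key the KMS returns; not a real key block format."""
    return base64.b64encode(bytes(a ^ b for a, b in zip(key, MASTER_KEY))).decode()


def unwrap(block: str) -> bytes:
    """Inverse of wrap(); in a real deployment only the HSM can do this."""
    raw = base64.b64decode(block)
    return bytes(a ^ b for a, b in zip(raw, MASTER_KEY))


# Constructed KMS state: key groups holding wrapped keys by label, plus the
# Use permission each Guardian user group holds on each key group.
KMS_KEYS = {
    "pin-keys": {"PIN-MAC-01": wrap(hashlib.sha256(b"key material 1").digest())},
    "card-keys": {"CVV-01": wrap(hashlib.sha256(b"key material 2").digest())},
}
USE_PERMISSIONS = {
    "host-app-group": {"pin-keys"},  # may use pin-keys, not card-keys
}


class KmsError(Exception):
    """Raised when the KMS refuses to release a key for a label."""


def kms_lookup(label: str, user_group: str) -> str:
    """Return the encrypted key for `label` if `user_group` has Use on its key group."""
    for key_group, keys in KMS_KEYS.items():
        if label in keys:
            if key_group not in USE_PERMISSIONS.get(user_group, set()):
                raise KmsError(f"user group {user_group!r} lacks Use permission on {key_group!r}")
            return keys[label]
    raise KmsError(f"unknown key label {label!r}")


def parse(msg: str) -> dict:
    """Parse the hypothetical 'TAG=value;TAG=value;' message format."""
    return dict(field.split("=", 1) for field in msg.split(";") if "=" in field)


def serialize(fields: dict) -> str:
    return ";".join(f"{tag}={value}" for tag, value in fields.items()) + ";"


def hsm_process(msg: str) -> str:
    """Simulated HSM: needs a key block in KEY; computes a truncated HMAC-SHA256 MAC."""
    fields = parse(msg)
    if fields.get("CMD") != "MAC" or "KEY" not in fields or "DATA" not in fields:
        return "RESP=ERROR;REASON=malformed request;"
    if fields["KEY"].startswith(LABEL_PREFIX):
        return "RESP=ERROR;REASON=label not resolved;"  # the HSM knows nothing about labels
    key = unwrap(fields["KEY"])
    mac = hmac.new(key, fields["DATA"].encode(), hashlib.sha256).hexdigest()[:16]
    return f"RESP=OK;MAC={mac};"


def guardian_forward(msg: str, user_group: str) -> str:
    """Guardian proxy: resolve a key label via the KMS, substitute the key block, forward to the HSM."""
    fields = parse(msg)
    key_field = fields.get("KEY", "")
    if key_field.startswith(LABEL_PREFIX):
        fields["KEY"] = kms_lookup(key_field[len(LABEL_PREFIX):], user_group)
    return hsm_process(serialize(fields))


def legacy_host_flow(label: str, data: str, user_group: str) -> str:
    """Legacy path: the host itself talks to the KMS and then to the HSM, one request each."""
    key_block = kms_lookup(label, user_group)
    return hsm_process(f"CMD=MAC;KEY={key_block};DATA={data};")


if __name__ == "__main__":
    request = "CMD=MAC;KEY=label:PIN-MAC-01;DATA=4111111111111111;"  # constructed host request
    print(guardian_forward(request, "host-app-group"))
    print(hsm_process(request))  # a label sent straight to the HSM is rejected
    try:
        guardian_forward("CMD=MAC;KEY=label:CVV-01;DATA=123;", "host-app-group")
    except KmsError as err:
        print("rejected:", err)
```

The host never sees a key block in either direction: it sends a label, and the Guardian hands the resolved key block only to the HSM. The authorization decision is made at the KMS on the Guardian user group, which is why the Use permission in the setup steps matters more than anything configured on the host.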
This section provides an overview of the setup process, and later sections explain the steps in detail:
On the Guardian, create a new user group with the required permissions.
Add a new user to the user group created in the first step.
Assign the correct Key Management group to the appropriate HSM group.
In the key group assigned in the previous step, give the Use permission to the user group created on the Guardian in the first step.
Set up authentication between the host application and the Guardian.