Hardware Security Module (HSM)

The following applies only when setting up the KMS Server, MiniCA or Secrets Protection Manager.

The MTG-KMS needs HSMs for the secure storage of its (master) key material. Currently, HSMs from Utimaco, Gemalto-SafeNet and Entrust (nCipher) are supported.

To operate the HSMs with the MTG-KMS, the HSMs have to be configured correctly using the HSM vendor's own tools. The configuration of the HSM itself is not part of these installation instructions.

The following HSM types are supported:

UTIMACO    Utimaco HSM
LUNA_SA    Luna SA HSM
KEYSTORE   Bouncy Castle FIPS keystore file (.bcfks) on the file system (a software keystore, not an HSM)
PKCS11     Utimaco and Entrust (nCipher) HSMs accessed through their PKCS#11 interface

Additional Jars and libraries for the HSM

Most of the .jar files required for the HSMs are already bundled with the application and loaded by default. The exception is a set of dependencies that are not compatible with each other (the Utimaco CXI, Utimaco EID and Utimaco EID HSM Cluster Connector .jar files): these are not loaded by default, and the .jar files for the connector you actually use have to be added to the application's loader path manually.

To do this, set the LOADER_PATH variable in the systemd configuration file of each application to the directory that contains the HSM .jar files:

export LOADER_PATH=<path where the HSM library jar file is located>

The following relative paths refer to directories inside the application's .jar and can be used to load the bundled Utimaco connector .jar files without copying anything to disk:

Utimaco-CXI                            BOOT-INF/classes/lib-hsm/utimaco-cxi
Utimaco-EID                            BOOT-INF/classes/lib-hsm/utimaco-eid
Utimaco-EID (HSM Cluster Connector)    BOOT-INF/classes/lib-hsm/utimaco-eid-hsm-cluster-connector

Alternatively, LOADER_PATH can be set to the absolute path of a directory on the file system in order to load a custom HSM .jar file (e.g., one provided directly by Utimaco).

If Utimaco-CXI is used, CryptoServerCXI version 1.81 is required. The failover mode of the CXI interface is not supported.

Depending on the HSM type and vendor, the following environment variables also have to be set for the PKCS11 library or the Luna client:

Entrust(nCipher)

export CKNFAST_LOADSHARING=true
export CKNFAST_ASSUME_SINGLE_PROCESS=0

UTIMACO

export CS_PKCS11_R3_CFG=<path and file name to cs_pkcs11_R3.cfg file>

LUNA_SA

export LD_LIBRARY_PATH=<path where libLunaAPI.so is installed>

The Luna client normally installs libLunaAPI.so in /usr/safenet/lunaclient/jsp/lib.
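As an added example (not part of the MTG installation instructions or the product), the following POSIX shell pre-flight check reads the variables described above from the current environment and reports what is missing before the service is started, so that a misconfigured HSM environment is caught before the application fails on startup. The HSM type names are the ones listed on this page; the PKCS11 vendor argument (utimaco or ncipher) and the rule that an on-disk LOADER_PATH must contain at least one .jar file are assumptions of this script.

```shell
#!/bin/sh
# Pre-flight check for the HSM environment of an MTG-KMS application
# (KMS Server, MiniCA, Secrets Protection Manager). Added example, not part
# of the MTG installation instructions: it only inspects the variables the
# page describes (LOADER_PATH, CS_PKCS11_R3_CFG, CKNFAST_LOADSHARING,
# CKNFAST_ASSUME_SINGLE_PROCESS, LD_LIBRARY_PATH) and reports what is missing.
#
# Usage: hsm_preflight TYPE [utimaco|ncipher]
#   TYPE is one of the HSM types listed on the page: UTIMACO, LUNA_SA,
#   KEYSTORE or PKCS11. The vendor argument (needed for PKCS11) and the rule
#   that an on-disk LOADER_PATH must contain a .jar are assumptions of this
#   script, not settings of the product. Returns 0 when everything required
#   is present, 1 otherwise.
hsm_preflight() {
    hsm_type="$1"
    vendor="${2:-}"
    rc=0

    # LOADER_PATH: a BOOT-INF/... value names a directory inside the
    # application .jar and cannot be checked on disk; any other value must
    # be an existing directory holding at least one .jar file.
    if [ -n "${LOADER_PATH:-}" ]; then
        case "$LOADER_PATH" in
            BOOT-INF/*) ;;
            *)
                if [ ! -d "$LOADER_PATH" ]; then
                    echo "LOADER_PATH is not a directory: $LOADER_PATH" >&2; rc=1
                elif ! ls "$LOADER_PATH"/*.jar >/dev/null 2>&1; then
                    echo "LOADER_PATH contains no .jar files: $LOADER_PATH" >&2; rc=1
                fi
                ;;
        esac
    fi

    case "$hsm_type" in
        PKCS11)
            case "$vendor" in
                utimaco)
                    # The Utimaco PKCS#11 library reads its configuration from this file.
                    if [ ! -r "${CS_PKCS11_R3_CFG:-}" ]; then
                        echo "CS_PKCS11_R3_CFG must point to a readable cs_pkcs11_R3.cfg" >&2; rc=1
                    fi
                    ;;
                ncipher)
                    [ "${CKNFAST_LOADSHARING:-}" = "true" ] ||
                        { echo "CKNFAST_LOADSHARING must be true" >&2; rc=1; }
                    [ "${CKNFAST_ASSUME_SINGLE_PROCESS:-}" = "0" ] ||
                        { echo "CKNFAST_ASSUME_SINGLE_PROCESS must be 0" >&2; rc=1; }
                    ;;
                *)
                    echo "PKCS11 needs a vendor argument: utimaco or ncipher" >&2; rc=1
                    ;;
            esac
            ;;
        LUNA_SA)
            # libLunaAPI.so must be in one of the LD_LIBRARY_PATH directories.
            found=0
            rest="${LD_LIBRARY_PATH:-}"
            while [ -n "$rest" ]; do
                dir="${rest%%:*}"
                [ -f "$dir/libLunaAPI.so" ] && found=1
                case "$rest" in *:*) rest="${rest#*:}" ;; *) rest="" ;; esac
            done
            [ "$found" -eq 1 ] ||
                { echo "libLunaAPI.so not found in LD_LIBRARY_PATH (usually /usr/safenet/lunaclient/jsp/lib)" >&2; rc=1; }
            ;;
        UTIMACO|KEYSTORE)
            # No additional environment variables are described for these types.
            ;;
        *)
            echo "unknown HSM type: $hsm_type" >&2; rc=1
            ;;
    esac
    return "$rc"
}

# Run the check only when invoked with arguments, e.g.
#   LOADER_PATH=BOOT-INF/classes/lib-hsm/utimaco-cxi ./hsm-preflight.sh PKCS11 utimaco
if [ -n "${1:-}" ]; then
    hsm_preflight "$1" "${2:-}"
fi
```

Run it with the same environment the service will see (for example by sourcing the systemd environment file first); a non-zero exit code means at least one of the settings described above is missing or points to a file that does not exist.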

The vendor-specific installation and configuration of the HSMs and HSM clients are not covered on this page.