For the latest version, please use Certificate Lifecycle Manager 6.1.0!

Securosys HSM Integration Guide

This page provides detailed instructions for integrating Securosys HSMs with MTG CLM and CARA, using the PKCS#11 interface. The information below covers supported products, configuration requirements, deployment steps, and operational details.

Supported Integration Method

MTG ERS products, MTG-KMS and CARA, integrate with Securosys HSMs via the PKCS#11 interface. Subsequently, MTG CLM is able to leverage similar security benefits by using CARA as it’s CA. Both Securosys Primus HSM (on-premises) and CloudHSM deployments are supported. There are no functional limitations between the two from MTG’s side; differences may arise only from the HSM licensing model.

Integration Points in MTG CLM

  • In a standard setup, private keys for both the Root CA and Sub CA are stored in the HSM.

  • The Root CA private key is used only when creating a Sub CA.

  • The Sub CA private key is used for every end-entity certificate signing and renewal.

  • All certificate creation and renewal operations in MTG CLM leverage HSM protection.

  • Realm and policy management are handled within CLM and do not affect the CARA/HSM setup.

Typical Deployment Scenarios

  • All production PKI environments are strongly encouraged to use HSM protection for CA private keys.

  • Securosys HSM integration is applicable for both new and existing PKI deployments seeking hardware-based key security.

Configuration Requirements

Securosys HSM

  • Management access to the HSM device is required (method depends on HSM model and licensing).

  • Console port (CLI), front-panel with SmartCard slots, or Decanus Terminal can be used for administration.

Pre-Installation Checklist

  1. Activation code

  2. License file on a USB stick

  3. Firmware files (.hsm and SHA) on a USB stick

  4. PKCS#11 library package downloaded and transferred to the CARA/KMS server

HSM Setup Steps

  1. Insert USB stick into the HSM.

  2. Set SmartCard PINs:

    • Unlock front-panel or connect via console.

    • Use activation code to set Genesis Card PIN.

    • Set SO1 and SO2 usernames and PINs.

    • Create partition user and save temporary password.

  3. Install firmware:

    • Activate SO role with both SmartCards.

    • Update firmware (system will reboot).

  4. Import license file (required after each firmware update):

    • Activate SO role with both SmartCards.

    • Import license (system will reboot).

  5. Validate digital seal:

    • Activate SO role with both SmartCards.

    • Use Genesis Card PIN to display and record the digital seal.

    • Submit a validation request to Securosys support with the device serial number and seal.

  6. Configure network and partitions:

    • Export system configuration, edit as needed, and import back.

  7. Retrieve Restore Encryption PIN:

    • Activate SO role with both SmartCards.

    • Access Genesis Role to retrieve REP.

CARA Server

  1. Install PKCS#11 library client (e.g., apt install ./PrimusAPI_PKCS11-X-2.2.2-debian10-x86_64.deb).

  2. Install OpenSC (apt install opensc).

  3. Edit /etc/primus/primus.cfg with HSM connection details:

    primus:
{
wait_delay = 250; /* in ms*/
wait_max_tries = 5;
connect_on_init = true;
hsms:
{
hsm0:
{
host = "$HSM_IP";
port = "$HSM_PORT";
slots:
{
slot0:
{
client_id = "cara";
user_name = "partition1"; /* Partition user name */
id = 0;
};
};
};
};
log:
{
file = "/tmp/primus.log";
write_log_file = true;
write_syslog = true;
trace_linenumber = false;
trace_timestamp = true;
trace_function = true;
trace_inout = false;
trace_pid = true;
trace_filename = false;
trace_mask = 0x00;
trace_level = 7;
};
};

  4. Use the temporary partition user password to create a new PKCS#11 password: /usr/local/primus/bin/ppin -a -e $PARTITION_USERNAME $TEMP_PASSWORD $PKCS11_PASSWORD

  5. Test connectivity: /usr/local/primus/bin/pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so -L

  6. Edit the CARA WS server service configuration (/etc/opt/mtg-cara-ws-server/mtg-cara-ws-server.service.conf):

    SECUROSYS_SECRETS_CONF=/user/local/primus/etc/secrets.cfg
    SECUROSYS_PKCS11_CONF=/etc/primus/primus.cfg
    Ensure above files are readable by the cara user.

  7. Set pkcs11Folder=/usr/local/primus/lib/ in /etc/opt/mtg-cara-ws-server/application.properties.

Performance and Operations

  • Every certificate creation and renewal requires access to the Sub CA private key in the HSM.

  • The HSM may become a bottleneck if certificate issuance volume is high; select an HSM model that matches expected throughput.

  • Monitoring and troubleshooting can be performed using Securosys and MTG logs, but specific Securosys monitoring solutions should be referenced in their documentation.

Additional Notes

  • No functional differences exist between Primus HSM and CloudHSM from the MTG integration perspective.

  • Licensing and device management methods may vary by HSM model.

  • For further details on Securosys HSM management or advanced monitoring, consult Securosys documentation or support.