Securosys HSM Integration Guide

This page provides detailed instructions for integrating Securosys HSMs with MTG CLM and CARA, using the PKCS#11 interface. The information below covers supported products, configuration requirements, deployment steps, and operational details.

Supported Integration Method

MTG ERS products, MTG-KMS and CARA, integrate with Securosys HSMs via the PKCS#11 interface. Subsequently, MTG CLM is able to leverage similar security benefits by using CARA as it’s CA. Both Securosys Primus HSM (on-premises) and CloudHSM deployments are supported. There are no functional limitations between the two from MTG’s side; differences may arise only from the HSM licensing model.

Integration Points in MTG CLM

  • In a standard setup, private keys for both the Root CA and Sub CA are stored in the HSM.

  • The Root CA private key is used only when creating a Sub CA.

  • The Sub CA private key is used for every end-entity certificate signing and renewal.

  • All certificate creation and renewal operations in MTG CLM leverage HSM protection.

  • Realm and policy management are handled within CLM and do not affect the CARA/HSM setup.

Typical Deployment Scenarios

  • All production PKI environments are strongly encouraged to use HSM protection for CA private keys.

  • Securosys HSM integration is applicable for both new and existing PKI deployments seeking hardware-based key security.

Configuration Requirements

Securosys HSM

  • Management access to the HSM device is required (method depends on HSM model and licensing).

  • Console port (CLI), front-panel with SmartCard slots, or Decanus Terminal can be used for administration.

Pre-Installation Checklist

  1. Activation code

  2. License file on a USB stick

  3. Firmware files (.hsm and SHA) on a USB stick

  4. PKCS#11 library package downloaded and transferred to the CARA/KMS server

HSM Setup Steps

  1. Insert USB stick into the HSM.

  2. Set SmartCard PINs:

    • Unlock front-panel or connect via console.

    • Use activation code to set Genesis Card PIN.

    • Set SO1 and SO2 usernames and PINs.

    • Create partition user and save temporary password.

  3. Install firmware:

    • Activate SO role with both SmartCards.

    • Update firmware (system will reboot).

  4. Import license file (required after each firmware update):

    • Activate SO role with both SmartCards.

    • Import license (system will reboot).

  5. Validate digital seal:

    • Activate SO role with both SmartCards.

    • Use Genesis Card PIN to display and record the digital seal.

    • Submit a validation request to Securosys support with the device serial number and seal.

  6. Configure network and partitions:

    • Export system configuration, edit as needed, and import back.

  7. Retrieve Restore Encryption PIN:

    • Activate SO role with both SmartCards.

    • Access Genesis Role to retrieve REP.

CARA Server

  1. Install PKCS#11 library client (e.g., apt install ./PrimusAPI_PKCS11-X-2.2.2-debian10-x86_64.deb).

  2. Install OpenSC (apt install opensc).

  3. Edit /etc/primus/primus.cfg with HSM connection details:

    primus:
{
wait_delay = 250; /* in ms*/
wait_max_tries = 5;
connect_on_init = true;
hsms:
{
hsm0:
{
host = "$HSM_IP";
port = "$HSM_PORT";
slots:
{
slot0:
{
client_id = "cara";
user_name = "partition1"; /* Partition user name */
id = 0;
};
};
};
};
log:
{
file = "/tmp/primus.log";
write_log_file = true;
write_syslog = true;
trace_linenumber = false;
trace_timestamp = true;
trace_function = true;
trace_inout = false;
trace_pid = true;
trace_filename = false;
trace_mask = 0x00;
trace_level = 7;
};
};

  4. Use the temporary partition user password to create a new PKCS#11 password: /usr/local/primus/bin/ppin -a -e $PARTITION_USERNAME $TEMP_PASSWORD $PKCS11_PASSWORD

  5. Test connectivity: /usr/local/primus/bin/pkcs11-tool --module /usr/local/primus/lib/libprimusP11.so -L

  6. Edit the CARA WS server service configuration (/etc/opt/mtg-cara-ws-server/mtg-cara-ws-server.service.conf):

    SECUROSYS_SECRETS_CONF=/user/local/primus/etc/secrets.cfg
    SECUROSYS_PKCS11_CONF=/etc/primus/primus.cfg
    Ensure above files are readable by the cara user.

  7. Set pkcs11Folder=/usr/local/primus/lib/ in /etc/opt/mtg-cara-ws-server/application.properties.

Performance and Operations

  • Every certificate creation and renewal requires access to the Sub CA private key in the HSM.

  • The HSM may become a bottleneck if certificate issuance volume is high; select an HSM model that matches expected throughput.

  • Monitoring and troubleshooting can be performed using Securosys and MTG logs, but specific Securosys monitoring solutions should be referenced in their documentation.

Additional Notes

  • No functional differences exist between Primus HSM and CloudHSM from the MTG integration perspective.

  • Licensing and device management methods may vary by HSM model.

  • For further details on Securosys HSM management or advanced monitoring, consult Securosys documentation or support.