
HSM Initialization for u.trust Se100/Se2k

You can configure a Hardware Security Module to store and protect your cryptographic keys.

The following covers how to configure an HSM for the Next Generation Hardware Appliance.

Configuring an HSM for the Next Generation Hardware Appliance is irrevocable. To change an HSM configuration (except Smart Card Management and Miscellaneous), you must reset the Next Generation Hardware Appliance.

HSM initialization with 2 out of 3 Backup Protection Smart Cards without using Smart Card Activation (SCA)

If Smart Card Activation is preferred, refer to HSM Guided Setup using SCA.

In this scenario, 5 Smart Cards are used:
  • 3x Backup Protection Smart Card
  • 2x Administration Smart Card
The HSM must be in Factory Reset Mode before the HSM is initialized.

The safeguarded External Erase button on the back of the device is used to trigger the Alarm State. Do not press the External Erase button for longer than 3 seconds; otherwise the HSM will be destroyed and must be replaced!

Initialization

The Next Generation Hardware Appliance is in Factory Reset State and ready to be configured. A red banner indicates this status and contains the action button: Initialize HSM.

  1. Log in to your Next Generation Hardware Appliance.

  2. Open the Security page or click Configure HSM in the Overview.

  3. An HSM information table is displayed under HSM Configuration. It contains general information about the HSM status. Verify that an alarm is displayed in the last line of the table:
    Alarm: external_erase zeroization event(s) / alarm occurred

  4. Click Initialize HSM in the top red banner. The HSM Guided Setup dialog is displayed.

  5. Select the following:

HSM Guided Setup

Appliance Security Level

Use the drop-down menu to specify how many Smart Cards are required and how many should be created, e.g. 2 out of 3 Backup Protection Smart Cards.

Administration Smart Card

Use the drop-down menu to specify how many Administration Smart Cards are required for administrator tasks, e.g. 1 Administration Smart Card.

Number of Copies

Use the drop-down menu to specify the number of copies of the Administration Smart Card, e.g. 2 Copies.

Application Audit Log Settings

Check Use Signed Audit Log if the application audit log should also be protected with a signature.

HSM Mode Selection

Enable Run HSM in FIPS Mode if applicable. *

Smart Card Activation Users

Use the drop-down menu to specify how many SCA users should be created, e.g. No Smart Card Activation.

Choose PIN Pad

Use the drop-down menu to select the PIN pad to be used during the setup, e.g. Default PIN Pad.

* Enabling FIPS mode may limit the set of available cryptographic algorithms, as only FIPS-validated algorithms are permitted.
Important: Switching to FIPS mode is typically not easily reversible and may have destructive effects on existing systems and configurations. Careful planning and thorough testing are strongly recommended before enabling FIPS mode.

Click Preview to verify the settings.

Make sure that PIN Pad Smart Card Reader “REINER SCT cyberJack one” is connected to the device or a remote PIN pad is configured before configuring the HSM.

HSM Guided Setup - Summary

  1. The HSM Guided Setup - Summary dialog is displayed with all the information you have entered.

  2. Click Start Setup.

  3. The HSM setup now begins based on your settings. You will find a list of the individual steps below the summary in the Webconf.

Interaction with the PIN pad is required for some steps. If the interaction fails, a warning message is shown together with an option to repeat the step.

If the PIN is entered incorrectly three times, the Smart Card will no longer be usable.

Make sure to label the Administration Smart Cards and Backup Protection Smart Cards accordingly to avoid confusion.

Step 1: Prepare HSM

No action required, wait until the checkbox turns green (tick). (If FIPS is enabled, this may take a little longer.)

The HSM Guided Setup will automatically proceed to the next step once the previous step has been successfully completed.

Step 2: Generate and Write Backup Protection Key Pair

  1. The PIN pad display shows: Write New Key
    press OK/Cancel
    Press OK on the PIN pad to continue.

  2. The PIN pad display shows: Insert 1. card
    press OK/Cancel
    Insert Card 1 into the PIN pad.
    Press OK on the PIN pad to continue.

  3. The PIN pad display shows: Enter PIN
    Enter the default PIN: 123456.
    Then press OK again to confirm the PIN.

  4. Repeat steps 2 and 3 for Backup Protection Smart Cards 2 and 3.

Step 3: Import Backup Protection Key Pair

Choose two from the previously written Backup Protection Smart Cards for this step.

  1. The PIN pad display shows: Read New Key
    press OK/Cancel
    Press OK on the PIN pad.

  2. The PIN pad display shows: Insert 1. card
    press OK/Cancel
    Insert Card 1 into the PIN pad.
    Press OK on the PIN pad.

  3. The PIN pad display shows: Enter PIN
    Enter the PIN.
    Press OK on the PIN pad to confirm the PIN.

  4. Repeat steps 2 and 3 for the second Backup Protection Smart Card.

Step 4: Write HSM Admin Key (first copy)

  1. The PIN pad display shows: Ins. destination
    card & confirm
    Insert the first Administration Smart Card into the PIN pad.
    Press OK on the PIN pad.

  2. The PIN pad display shows: Enter PIN
    Enter the default PIN: 123456.
    Then press OK again to confirm the PIN.

Step 5: Write HSM Admin Key (second copy)

  • Follow the same steps as in Step 4, just for the second Administration Smart Card.

Step 6: Create HSM Administrator

  • No action required, wait until the checkbox turns green.

Step 7: Create PKCS#11 HSM Users

  • No action required, wait until the checkbox turns green.

Step 8: Initialize PKCS#11 Slots

  • No action required, wait until the checkbox turns green.

Step 9: Clean Up

  • No action required, wait until the checkbox turns green.

After completing the Guided Setup, the grayed-out buttons are activated.

Click Finalize to end the process.

Internal HSM successfully set up

The last modal dialog shows the automatically generated PIN if this function has been enabled.
This PIN is only displayed once at this point. Make sure you save it.
Click Close to exit the dialog.

Refer to the HSM information table displayed under HSM Configuration for general information.
Most of this information can also be found on the Overview page.

Verify the following information:

  Serial Number        XXXXXXXX should be displayed
  Model                XXXXXXXX should be displayed
  Firmware             XXXXXXXX should be displayed
  FIPS                 Enabled/Disabled
  Bootloader Version   XXXXXXXX u.trust Anchor Se5k should be displayed
  Operating Mode       OPERATIONAL
  State                RUNNING
  Temperature*         36° [C]
  HSM Battery          3.1 [V]
  External Battery     3.8 [V]
  Alarm                OFF (The red banner must have disappeared.)

* The temperature sensors trigger a manipulation reaction if the module is outside the defined temperature range of –18 °C to 81 °C (-0.4 °F to 177.8 °F).

The Status should be displayed as INITIALIZED.

The newly generated CryptoToken #1 should be listed in the Slot Management table.
