
HSM Initialization

You can configure a Hardware Security Module to store and protect your cryptographic keys.

The following covers how to configure an HSM for the Next Generation Hardware Appliance.

Configuring an HSM for the Next Generation Hardware Appliance is irrevocable. To change an HSM configuration (except Smart Card Management and Miscellaneous), you must reset the Next Generation Hardware Appliance.

HSM initialization with 2 out of 3 Backup Protection Smart Cards

In this scenario, 5 Smart Cards are used:
3x Backup Protection Smart Card and
2x Administration Smart Card.
The HSM must be in Factory Reset Mode before the HSM is initialized.

The safeguarded External Erase button is located on the back of the device and is used to trigger the Alarm State. The External Erase button must not be pressed for longer than 5 seconds.
Otherwise the HSM will be destroyed and must be replaced!

Initialization

  1. Log in to your Next Generation Hardware Appliance.

  2. Open the Security page or click Configure HSM in the Overview.

The Next Generation Hardware Appliance is in Factory Reset State and ready to be configured. A red banner indicates this status and contains the action button: Initialize HSM.

  • An HSM information table is displayed under HSM Configuration. It contains general information about the HSM status. Verify the following information:
    An alarm should be displayed in the last line of the table.
    Alarm: external_erase zeroization event(s) / alarm occurred

  • Click Initialize HSM in the top red banner. The HSM Guided Setup pop-up window is displayed.

Select the following:

    Appliance Security Level: 2 out of 3 Backup Protection Smart Cards
    Administration Smart Card: 1 Administration Smart Card
    Number of Copies: 2 Copies (of Admin Cards)
    Choose PIN Pad: the correct PIN Pad should be preset here and marked as SELECTED

  • Click Next Step to confirm your settings.

Make sure that the PIN Pad Smart Card Reader “REINER SCT cyberJack one” is connected to the device before configuring the HSM.

HSM Guided Setup - Summary

  1. The HSM Guided Setup - Summary pop-up window is displayed with all the information you have entered.

  2. Click Start Setup.

  3. The HSM setup now begins based on your settings. You will find a list of the individual steps below the summary in the Webconf.

Interaction with the PIN Pad is required for some steps. If the interaction fails, a warning message and the option to repeat the step appear.

If the PIN is entered incorrectly three times, the Smart Card will no longer be usable.

Make sure to label the Administration Smart Cards and Backup Protection Smart Cards accordingly to avoid confusion.

Step 1: Prepare HSM

No action required, wait until the checkbox turns green (tick).

The HSM Guided Setup will automatically proceed to the next step once the previous step has been successfully completed.

Step 2: Generate and Write Backup Protection Key Pair

  1. The display of the PIN Pad shows: Write New Key
    press OK/Cancel
    Press OK on the PIN Pad to continue.

  2. The PIN Pad display shows: Insert 1. card
    press OK/Cancel
    Insert Card 1 into the PIN Pad.
    Press OK on the PIN Pad to continue.

  3. The PIN Pad display shows: Enter PIN
    Enter default PIN: 123456
    Then press OK again to confirm the PIN.

  4. Repeat steps 2 and 3 for Backup Protection Smart Cards 2 and 3.

Step 3: Import Backup Protection Key Pair

Choose two from the previously written Backup Protection Smart Cards for this step.

  1. The PIN Pad display shows: Read New Key
    press OK/Cancel
    Press OK on the PIN Pad.

  2. The PIN Pad display shows: Insert 1. card
    press OK/Cancel
    Insert Card 1 into the PIN Pad.
    Press OK on the PIN Pad.

  3. The PIN Pad display shows: Enter PIN.
    Enter the PIN
    Press OK on the PIN Pad to confirm the PIN.

  4. Repeat Steps 2 to 3 for the second Backup Protection Smart Card.

Step 4: Write HSM Admin Key (first copy)

  1. The display of the PIN Pad shows: Ins. destination
    card & confirm
    Insert the first Administration Smart Card into the PIN Pad.
    Press OK on the PIN Pad.

  2. The display shows: Enter PIN
    Enter default PIN: 123456.
    Then press OK again to confirm the PIN.

Step 5: Write HSM Admin Key (second copy)

  • Follow the same steps as in Step 4, just for the second Administration Smart Card.

Step 6: Create HSM Administrator

  • No action required, wait until the checkbox turns green.

Step 7: Create PKCS#11 HSM Users

  • No action required, wait until the checkbox turns green.

Step 8: Initialize PKCS#11 Slots

  • No action required, wait until the checkbox turns green.

Step 9: Clean Up

  • No action required, wait until the checkbox turns green.

The setup will finish automatically.

A pop-up box informs you that the setup was successful.

The automatically generated PIN for slot 1 is also displayed.

Make a note of the PIN displayed. It will only be displayed once!

Now you may close the pop-up window.

The HSM information table, which is displayed under HSM Configuration, provides general information.
Most of this information can also be found on the Overview page.

Verify the following information:

    Serial Number: XXXXXXXX should be displayed
    Model: XXXXXXXX should be displayed
    Firmware: XXXXXXXX should be displayed
    Bootloader Version: XXXXXXXX should be displayed
    Operating Mode: OPERATIONAL
    State: RUNNING
    Temperature*: 36°[C]
    HSM Battery: 3.1[V]
    External Battery: 3.8[V]
    Alarm: OFF (The red banner must have disappeared.)

*The temperature sensors trigger a manipulation reaction if the module is outside the defined temperature range, which is -18°C to 81°C (-0.4°F to 177.8°F).

The Status should be displayed as INITIALIZED.

The newly generated CryptoToken #1 should be listed in the Slot Management table.
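
The post-setup checklist above can be checked mechanically once the displayed values are transcribed into a key-ceremony record. This is an added example, not part of the vendor documentation or the appliance software; the "Label: value" record format, the function names and both sample records are assumptions constructed for illustration, and it assumes the Status value is recorded alongside the HSM information table.

```python
import re

# Expected values from the verification checklist on this page.
EXPECTED = {"Operating Mode": "OPERATIONAL", "State": "RUNNING",
            "Alarm": "OFF", "Status": "INITIALIZED"}
# Temperature range in °C stated on this page for the manipulation reaction.
TEMP_MIN_C, TEMP_MAX_C = -18.0, 81.0

# Constructed sample records (assumed "Label: value" transcription format).
GOOD_RECORD = """Operating Mode: OPERATIONAL
State: RUNNING
Temperature*: 36°[C]
Alarm: OFF
Status: INITIALIZED"""
BAD_RECORD = """Operating Mode: OPERATIONAL
State: RUNNING
Temperature*: 85°[C]
Alarm: external_erase zeroization event(s) / alarm occurred
Status: INITIALIZED"""


def parse_record(text):
    """Parse 'Label: value' lines into a dict, dropping the footnote '*'."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            fields[label.strip().rstrip("*")] = value.strip()
    return fields


def check_hsm_state(text):
    """Return a list of findings; an empty list means the checklist passed."""
    fields = parse_record(text)
    findings = []
    for label, want in EXPECTED.items():
        got = fields.get(label)
        if got is None:
            findings.append(f"{label}: missing from record")
        elif got.upper() != want:
            findings.append(f"{label}: expected {want}, got {got}")
    m = re.match(r"(-?\d+(?:\.\d+)?)\s*°\s*\[?C\]?", fields.get("Temperature") or "")
    if not m:
        findings.append("Temperature: missing or unparseable")
    elif not TEMP_MIN_C <= float(m.group(1)) <= TEMP_MAX_C:
        findings.append(f"Temperature: {m.group(1)} °C outside {TEMP_MIN_C}..{TEMP_MAX_C}")
    return findings
```

A record that still carries the `external_erase` alarm text shown before initialization fails the Alarm check, which flags a setup that did not clear the Factory Reset State.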
