
Net-attached HSM: Configuring a Thales DPoD

A Hardware Security Module (HSM) can be configured to store and protect cryptographic keys in a centralized, high-assurance appliance, providing a root of trust for sensitive cryptographic data transactions.

The following describes how to configure a Thales DPoD for the Next Generation Hardware Appliance by registering the appliance and connecting it to the HSM.

For more information on the Thales DPoD refer to the documentation that you received with your purchase of the HSM.

We recommend uploading a Thales DPoD service client zip file that includes its own PKCS#11 driver.

Driver versions v10.2.0-111 and v10.4.0 have been thoroughly tested.
If you upload a zip file that does not contain its own driver, the appliance uses v10.2.0-111 by default.

To configure a Thales DPoD for your Next Generation Hardware Appliance, follow the steps below.

If you run into issues after the configuration, you can get HSM-specific log messages from an HSM Support Package.
For further information, refer to Create an HSM Log.

Connect the Next Generation Hardware Appliance with the Thales DPoD

To connect the Next Generation Hardware Appliance with the HSM:

  1. Log in to your Next Generation Hardware Appliance.

  2. Open the Security page or click Configure HSM in the Overview.

  3. In the HSM Configuration section, click + Add External HSM in the HSM Selection field.

  4. The Add an external HSM window opens.
    Select Thales DPoD to display the Configuration fields.

  5. Click Select HSM Type to continue. 

  6. Upload your DPoD service client.zip file.

  7. Finalize with Save HSM Configuration.

  8. A modal dialog asks you to confirm your configuration.
    Click Save HSM Configuration.

  9. Proceed with Activate.


The HSM device is now configured and displayed in the DPoD Service Client section.

Usage Information

CryptoWorker Configuration
The following note can be found in the info box:

In order to use this HSM in SignServer, you need to select the following
PKCS#11 library in the P11NG CryptoWorker configuration:
Reference: PKCS#11 Proxy - Thales DPoD

The last line of Usage Information displays the following options:

Remove HSM Configuration
To remove the HSM configuration, type REMOVE HSM CONFIGURATION into the Confirm Action field.
Then click Remove, or click Cancel to keep the configuration.
If you choose Remove, the application restarts.

If changes have been made to the sections:
HSM Client Authentication Configuration
Secure Channel Client Configuration
Miscellaneous Configurations

these can be undone with Cancel or saved with Save HSM Configuration.

Abort
Click Abort to terminate the process of configuring an HSM.

Save HSM Configuration
Click Save HSM Configuration to save changes made on the HSM configuration.

After the DPoD file is successfully uploaded, you can modify the uploaded DPoD file. The checksum of the service client and the partition serial number of the uploaded DPoD zip file are also displayed. Compare the displayed checksum with the checksum of the service client file you downloaded from Thales to confirm that the correct, unmodified file was uploaded. Click Remove Service Client to upload a new zip file.

On the Security page of the application, the status of the HSM Driver will change from Not Connected to Connected as soon as the configuration is completed.

On the Overview page of the application, the status in the HSM Overview also changes to Connected as soon as the configuration is completed. During configuration, the appliance is in the Restarting status. During this time, it is not available.

Once the SignServer is running again, you can proceed with adding a Crypto Worker.

Add a Crypto Worker in SignServer

To create a Crypto Worker:

  1. In the Overview page of the Next Generation Hardware Appliance, click Admin Web for SignServer.

  2. The SignServer page opens.

  3. Click Add... to continue.

  4. In the top menu, select Worker. You can choose the method you want to use to configure the Worker. In this example we will work with From Template.
    Click From Template to continue.

  5. Open the drop-down menu under Load from Template. Here you can select the Worker to be configured. In this example we will work with p11ng-crypto.properties.
    Click Next to continue.

  6. The Configuration page opens with the contents of the template. Edit the following properties:

    WORKERGENID1.SHAREDLIBRARYNAME
    Set this to the PKCS#11 library named in the Usage Information of the appliance. To look it up, open the Security page in Webconf, scroll down to HSM Configuration and read the CryptoWorker Configuration info box; for a Thales DPoD it reads "PKCS#11 Proxy - Thales DPoD". On the appliance this value is normally preset; verify that it matches the Usage Information entry.

    Slot selection
    The template block "Method for specifying the slot to use" selects the slot through the properties SLOTLABELTYPE (how the slot is addressed) and SLOTLABELVALUE (the number or label):

    1. To address the slot by number, set SLOTLABELTYPE=SLOT_NUMBER and SLOTLABELVALUE to the number of the HSM slot.

    2. To address the slot by label, set SLOTLABELTYPE=SLOT_LABEL and SLOTLABELVALUE to the partition label.

    3. Addressing the slot by its position in the slot list (SLOTLABELTYPE=SLOT_INDEX) is not recommended because the list order is not stable.
      Lines starting with # are commented out. To disable an option, put # in front of it; to enable it, remove the #. Leave exactly one slot method enabled.

    #WORKERGENID1.PIN=foo123
    The PIN (the partition password) is enabled or disabled the same way. Remove the # to store the PIN in the configuration, so that the token logs in automatically; leave the line commented out to enter the PIN manually as the Authentication Code when activating the token.

    # Optional PKCS#11 attributes used for key generation
    Enable or disable the attribute lines with # as described above.

    WORKERGENID1.DEFAULTKEY=testkey0
    Enter the alias of an existing key in the partition, or keep the default key.

    Click Apply to save the settings.

    The token (CryptoTokenP11NG1) is logged in automatically when the PIN is set in the Crypto Worker configuration.

  7. The Worker is not activated yet. Click the created token to see its information in the Status Summary.

  8. Click the Configuration tab to view the full configuration of the token.

  9. If the configuration meets your needs, click the Crypto Token tab. Edit the settings there if necessary.
    Click Activate.

    • This step is optional.
      The latest version of SignServer logs in automatically if the correct PIN is defined in the configuration as described in step 6.

      Otherwise, enter the PIN from step 6 (here foo123) in the Authentication Code field.
      Click Activate.

  10. If the default key exists and the token has been activated, the status of the Crypto Worker is now ACTIVE.

For more information please see Worker Crypto Token Page.
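The following worker configuration puts steps 4 to 6 together in one file. It is an added example, not the p11ng-crypto.properties template shipped with the appliance: the partition label my-dpod-partition and the key alias signKey001 are placeholders, and the shared library name must match the entry shown under Usage Information on your appliance. The slot is addressed by label, the unstable SLOT_INDEX variant is left commented out for comparison, and the PIN line shows both ways of handling token login.

```properties
# Added example of a P11NG Crypto Worker for a Thales DPoD partition.
# Placeholders: my-dpod-partition (partition label), signKey001 (key alias).
WORKERGENID1.TYPE=CRYPTO_WORKER
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.P11NGCryptoToken
WORKERGENID1.NAME=CryptoTokenP11NG1

# PKCS#11 library exactly as listed in the appliance's Usage Information
WORKERGENID1.SHAREDLIBRARYNAME=PKCS#11 Proxy - Thales DPoD

# Slot selection: address the partition by its label.
# SLOT_NUMBER with the slot number in SLOTLABELVALUE also works.
WORKERGENID1.SLOTLABELTYPE=SLOT_LABEL
WORKERGENID1.SLOTLABELVALUE=my-dpod-partition

# Not recommended: addressing by position in the slot list (value i0 = first
# slot). The list order is not stable, so a reordering silently selects
# another partition. Kept here commented out only for comparison.
#WORKERGENID1.SLOTLABELTYPE=SLOT_INDEX
#WORKERGENID1.SLOTLABELVALUE=i0

# Partition password. Uncomment to have the token log in automatically when
# SignServer starts; leave it commented out to enter the PIN manually as the
# Authentication Code on the Crypto Token tab.
#WORKERGENID1.PIN=foo123

# Alias of an existing key in the partition that the worker uses by default
WORKERGENID1.DEFAULTKEY=signKey001

# Optional PKCS#11 attributes applied to keys generated through this token
# (remove the # to enable)
#WORKERGENID1.ATTRIBUTE.PUBLIC.RSA.CKA_TOKEN=false
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_TOKEN=true
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_PRIVATE=true
```

After Apply, the token appears under CryptoTokenP11NG1; with the PIN line commented out it stays offline until you activate it with the partition password, with the PIN line enabled it is ACTIVE as soon as signKey001 exists in the partition.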

HSM Troubleshooting

The HSM Driver Controls section displays the current HSM Driver Status.
In case of HSM problems, the HSM driver can be restarted with the Restart button.
