Creating an HSM (Cryptoki) connector

After you have completed the necessary preconfiguration requirements, you can create the HSM connector in the Venafi Configuration Console. The HSM connector provides the information required to access encryption keys in Trust Protection Platform.

IMPORTANT  HSM connectors are global configurations. As such, the following requirements must be met before you begin:

  • All Trust Protection Platform servers need to have access to the HSM

  • The HSM client must be installed to the same location on all Trust Protection Platform servers

  • The HSM client must present the same partition label on all Trust Protection Platform servers

  • Ideally the serial number presented for the partition is the same on all servers

Make sure all of these requirements are met before creating an HSM connector.

Once these requirements are met for every Trust Protection Platform server in the cluster, you can then create a connector to the HSM from any server in the cluster. Since HSM connectors are global configurations, each server in the cluster will load the configuration after it is created on one of them.

To create an HSM connector

  1. On the Venafi Trust Protection Platform server, open the Venafi Configuration Console, and open the Connectors node.
  2. In the Actions panel, click Create HSM Connector.
  3. (Conditional) If requested, enter your Venafi Trust Protection Platform administration credentials.
  4. Enter data into the fields, as described below.

    Field / Description

    Name
      Name of the HSM connector. Use something descriptive so you can identify it later.

    Cryptoki DLL Path
      Trust Protection Platform requires access to the 64-bit version of the Cryptoki DLL.

      For SafeNet Luna SA devices, this is the path to the cryptoki.dll file.

      For Entrust nShield Connect HSM devices, this is the path to the cknfast.dll file.

      After selecting the DLL, click Load Slots. Trust Protection Platform will query the HSM and return the available slots.

      IMPORTANT  Trust Protection Platform requires the path to the DLL file to initialize the connection to the HSM device. This path will be used for all Trust Protection Platform servers in the cluster (connected to the same database). All servers in the cluster must have their DLL file in the same location.

    Slot
      Slot ID for the HSM partition where you want Trust Protection Platform to access the encryption keys.

      NOTE  While slot numbers are listed in the drop-down list, Trust Protection Platform does not depend on slot numbers. Trust Protection Platform identifies HSM partitions by label first, and in the case that there are duplicate labels, it falls back to the serial number.

    User Type
      User type required to access the HSM keys on the designated partition (Slot ID).

      The designated User Type must have sufficient permissions to use the keys in the Encryption Driver's Permitted Keys list.

    Pin
      Pin, if one is required to access the HSM.

      If you use Entrust nShield token protection, leave the field empty.

      If you are setting up AWS CloudHSM, the pin must be in the following format: <CU_user_name>:<password>.

    Permitted Keys
      A list of keys that can be used for encryption and decryption of data by the Trust Protection Platform servers. The keys listed are the ones that can be used to encrypt data stored in the Trust Protection Platform Secret Store.

    Allow Key Storage
      Tells Trust Protection Platform whether this HSM can be used to generate and store new private keys associated with Code Signing certificates.

      NOTE  This feature is available only for Venafi CodeSign Protect.

  5. Click Verify.
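The slot-selection rule the Slot field describes (label first, serial number only when labels collide) and the cluster requirement that every server present the same partition can both be checked mechanically. The following is an added example, not Venafi code: the TokenInfo records are constructed to stand in for what a Cryptoki C_GetSlotList / C_GetTokenInfo call returns on each server, and the function names are the example's own.

```python
"""Added example (not Venafi code): choose a PKCS#11 slot for an HSM
connector the way the page describes, label first and serial number as the
tiebreaker. Token records are constructed; on a live system they would come
from C_GetSlotList / C_GetTokenInfo via the vendor's Cryptoki DLL."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenInfo:
    slot_id: int
    label: str
    serial: str


# Constructed sample of what one server might see after "Load Slots".
# Slots 1 and 2 present the same label, so only the serial separates them.
SAMPLE_TOKENS = [
    TokenInfo(0, "tpp-secretstore", "SN-0001"),
    TokenInfo(1, "codesign-keys", "SN-0002"),
    TokenInfo(2, "codesign-keys", "SN-0003"),
]


def resolve_slot(tokens, label, serial=None):
    """Return the slot id for partition `label`.

    Slot numbers are never used as the identity of a partition: the label
    is matched first and the serial is consulted only when more than one
    token presents that label. Ambiguity or no match raises LookupError so
    a connector never silently binds to the wrong partition.
    """
    matches = [t for t in tokens if t.label == label]
    if not matches:
        raise LookupError(f"no token with label {label!r}")
    if len(matches) == 1:
        return matches[0].slot_id
    by_serial = [t for t in matches if t.serial == serial]
    if serial is None or len(by_serial) != 1:
        raise LookupError(f"label {label!r} is not unique; need a valid serial")
    return by_serial[0].slot_id


def cluster_serial_mismatches(views):
    """views maps server name -> list of TokenInfo seen on that server.
    Returns {label: {server: {serials}}} for labels whose serial set differs
    between servers, i.e. partitions that may not be the same on every node."""
    per_label = {}
    for server, tokens in views.items():
        for t in tokens:
            per_label.setdefault(t.label, {}).setdefault(server, set()).add(t.serial)
    return {lbl: s for lbl, s in per_label.items()
            if len({frozenset(v) for v in s.values()}) > 1}
```

Run cluster_serial_mismatches over the slot listings gathered from every server before creating the connector; a non-empty result means the "same partition label and serial on all servers" precondition is not met.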