Select the HSM tab of the Configuration page to configure the Hardware Security Module (HSM).
After the Certificate Authorities deployment, you cannot change any of the settings below. That is, you cannot switch between HSM and no-HSM, nor can you alter any HSM configuration.
Vendor
The identifier of the HSM manufacturer.
| Vendor | Description |
|---|---|
| none | A built-in software PKCS #11 module (not recommended). |
| nshield | An Entrust nShield HSM. See HSM requirements for the supported versions. |
Mandatory: Yes.
OCS (Operator Card Set) passphrase
The passphrase of the operator card set.
The OCS must be inserted during the first deployment to create the signing key. There has to be a quorum of 1.
Mandatory: Yes.
RFS (remote file system) host to download the nShield kmdata files
The domain name or the IP address of the host for downloading the kmdata configuration files of the HSM. The first deployment will make an SSH call to download these files from the RFS.
Mandatory: When the value of Vendor is nShield.
Username to download the nShield files
The username for logging into the host and downloading the kmdata configuration of the HSM.
Mandatory: When the value of Vendor is nShield.
Password to download the nShield files
The password for logging into the host and downloading the kmdata configuration of the HSM.
Mandatory: When the value of Vendor is nShield.
Signing key unique identifier
Choose a unique identifier consisting of only lowercase alphanumeric characters for the signing key created on deployment.
After the first deployment, you must back up the configuration files – specifically the kmdata.tar file, which includes this key.
Mandatory: When the value of Vendor is nShield.