4 replies Latest Post - ‏2012-11-28T20:29:42Z by SystemAdmin
SystemAdmin

HSM keys - Importing into other local domains

‏2012-11-27T21:43:08Z |
I have initialized the HSM on the default domain on my XI52. I have imported keys successfully into that HSM.

Q: Can I create another HSM repository on a different domain on the same device? Or is only 1 HSM allowed per device?
Updated on 2012-11-28T20:29:42Z at 2012-11-28T20:29:42Z by SystemAdmin
  • SystemAdmin

    Re: HSM keys - Importing into other local domains

    ‏2012-11-27T23:46:21Z  in response to SystemAdmin
    Link: http://www-01.ibm.com/support/docview.wss?uid=swg21412060

    Question: Can I export HSM private keys from one domain and import them into another domain?
    Answer: No. Once an HSM key is generated, it has an immutable label attribute that determines its domain. Since this label cannot be changed, the key cannot be moved to another domain.
    • SystemAdmin

      Re: HSM keys - Importing into other local domains

      ‏2012-11-28T14:54:58Z  in response to SystemAdmin
      Q: Can I create another HSM repository on same device after 1 has already been created?
      • inestlerode

        Re: HSM keys - Importing into other local domains

        ‏2012-11-28T17:23:19Z  in response to SystemAdmin
        > Q: Can I create another HSM repository on same device after 1 has already been created?

        I'm not sure what you mean by "create another HSM repository". You should only run hsm-reinit one time for the entire device; you do not rerun it once per domain. Whether the HSM is initialized is a device-wide state.

        However, the keys stored inside of the HSM are a per-domain state. Each domain has a different, domain-specific view of which keys are inside of the HSM for that domain. This is automatic. Once the HSM is initialized one time (for the whole device) you can generate and import private keys in the HSM separately in each domain.
        • SystemAdmin

          Re: HSM keys - Importing into other local domains

          ‏2012-11-28T20:29:42Z  in response to inestlerode
          Thanks. OK, that is what I thought I read too. HSM initialization = entire device. Now I'm just having trouble importing keys into the HSM from within a different domain than Default.