I have initialized the HSM on the default domain on my XI52. I have imported keys successfully into that HSM.
Q: Can I create another HSM repository on a different domain on the same device? Or is only 1 HSM allowed per device?
4 replies Latest Post - 2012-11-28T20:29:42Z by SystemAdmin
Pinned topic HSM keys - Importing into other local domains
Updated on 2012-11-28T20:29:42Z at 2012-11-28T20:29:42Z by SystemAdmin
Re: HSM keys - Importing into other local domains 2012-11-27T23:46:21Z in response to SystemAdmin
Link: http://www-01.ibm.com/support/docview.wss?uid=swg21412060
Question: Can I export HSM private keys from one domain and import them into another domain?
Answer: No. Once an HSM key is generated, it has an immutable label attribute that determines its domain. Since this label cannot be changed, the key cannot be moved to another domain.
inestlerode 270001CUTT166 Posts ACCEPTED ANSWER
Re: HSM keys - Importing into other local domains 2012-11-28T17:23:19Z in response to SystemAdmin
> Q: Can I create another HSM repository on same device after 1 has already been created?
I'm not sure what you mean by "create another HSM repository". You should only run hsm-reinit one time for the entire device; you do not rerun it once per domain. Whether the HSM is initialized is a device-wide state.
However, the keys stored inside of the HSM are a per-domain state. Each domain has a different, domain-specific view of which keys are inside of the HSM for that domain. This is automatic. Once the HSM is initialized one time (for the whole device) you can generate and import private keys in the HSM separately in each domain.
Re: HSM keys - Importing into other local domains 2012-11-28T20:29:42Z in response to inestlerode
Thanks. OK, that is what I thought I read too. HSM initialization = entire device. Now I'm just having trouble importing keys into the HSM from within a different domain than Default.