Store System Certificates on a Hardware Security Module (HSM)

A Hardware Security Module (HSM) is a hardware-based security device that generates, stores, and protects cryptographic keys. Secure Proxy uses keys and certificates stored in its store or on an HSM. Secure Proxy maintains information in its store about all keys and certificates.

To access keys in an HSM device, a reference to the keys and the passphrase protecting the key must be added to Secure Proxy. This reference is secure and cannot be used by an intruder to access the certificate information. You can configure keys on the HSM at CM, using command line scripts described in this chapter.

For greater security, create the keys on the HSM device and store the HSM private keys on the device. To import externally-created keys into the HSM, first import the external keys into the HSM and then destroy the files containing the external private key.
Note: Safenet does not allow you to import an externally-created private key. You must create and store it on the HSM.
HSMs implement the Java JCE API. This interface accesses the keys in the device. The JCE implementations for Safenet and Thales have the following differences:
  • Safenet uses slots, logical entities defined through the Safenet administration utility. Designate a slot for Secure Proxy and assign a user PIN. Configure Secure Proxy and identify the slot to use. Only one slot can be used by Secure Proxy.
  • Safenet uses a single keystore for all keys in a slot. The user PIN protects all the keys in the slot. Each key within a slot must have a unique alias.
  • Thales uses a security world that contains one or more HSM modules. The modules can reside on the same or different machines. The keys in the security world are protected by an operator smart card. Create an operator smart card set for Secure Proxy, identify “1 of N” for the cards, and assign a passphrase to each card. Before Secure Proxy can start, insert the operator smart card protecting the Secure Proxy keys into the card reader.
  • Thales supports multiple keystores. Each keystore can contain multiple keys, but Secure Proxy only stores one key per keystore. With Thales, multiple keys can have the same alias. For example, on Sterling B2B Integrator, all keys on a Thales HSM have the alias Key. Each keystore has a unique instance ID defined as a 40-character hexadecimal string. The combination of the instance ID and the key alias makes each key unique.
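As an added example (not Secure Proxy's own code), the following Java program opens a Safenet slot through the standard JCE PKCS#11 interface the chapter refers to, lists the aliases the slot holds, and checks that each private key stays resident on the device; the Cryptoki library path, the slot number and the console PIN prompt are assumptions to adjust for your installation.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

public class SafenetSlotAudit {
    // Assumed values: the Cryptoki library path and the slot number come from the
    // Safenet administration utility; adjust them for your client install.
    private static final String PKCS11_CONFIG =
            "name = SecureProxySlot\n"
          + "library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so\n"
          + "slot = 0\n";

    public static void main(String[] args) throws Exception {
        // Java 9+: a config string prefixed with "--" is used inline instead of a file.
        Provider p = Security.getProvider("SunPKCS11").configure("--" + PKCS11_CONFIG);
        Security.addProvider(p);

        // The user PIN assigned to the slot protects every key in it.
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        char[] pin = System.console().readPassword("User PIN for slot: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);          // no file: the slot itself is the keystore
        Arrays.fill(pin, '\0');      // the PIN is not needed once the session is open

        int problems = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            Key key = ks.getKey(alias, null);   // password is ignored for PKCS#11 keys
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // SunPKCS11 returns null encoded bytes for sensitive, non-extractable keys:
            // the private key can be used but never leaves the device.
            boolean resident = key.getEncoded() == null;
            if (!resident || cert == null) problems++;
            System.out.printf("%s: %s key, device-resident=%b, subject=%s, expires=%s%n",
                    alias, key.getAlgorithm(), resident,
                    cert == null ? "<no certificate>" : cert.getSubjectX500Principal(),
                    cert == null ? "-" : cert.getNotAfter());
        }
        System.out.println(problems == 0 ? "All keys are device-resident with certificates."
                                         : problems + " alias(es) need attention.");
    }
}
```

Because a PKCS#11 keystore enforces one entry per alias, a successful load also confirms the unique-alias rule for the slot; an exported private key file that still exists on disk is the remaining thing to verify by hand.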