Initializing the HSM

When you initialize the HSM, it implements FIPS 140-2 Security Level 3. The HSM on a physical DataPower® Gateway appliance does not use a PIN Entry Device (PED).

Before you begin

During the initial setup of the DataPower Gateway, the process does not initialize the HSM.

About this task

Initializing the HSM provides FIPS 140-2 Security Level 3, assigns the HSM to a key-sharing domain, and sets the names and passwords for the Cryptographic Officer (CO) and Cryptographic User (CU) roles. To initialize the HSM, you must use the hsm-reinit command. You cannot initialize the HSM through any other DataPower management interface.

You can set the following HSM characteristics with the hsm-reinit command.
  • Set the name of the key-sharing domain. A key-sharing domain is a group of HSM-equipped appliances that support the import and export of keys. Always change the name of the key-sharing domain, never use the default of datapower as the name of the key-sharing domain. For improved security, secure the name of the key-sharing domain as part of the protection against key theft.
  • Instead of using randomly generated credentials for the Cryptographic Office (CO) and Cryptographic User (CU) roles, you can set the names and passwords for these roles. These credentials are used by the DataPower Gateway to authenticate itself in the assigned role to its HSM. Independent of whether these credentials are randomly generated or explicitly defined, you cannot access these credentials. For all other HSM operations, you never need to provide these credentials. For information about these roles, see Changing the HSM operator role.
Attention: After you initialize the HSM, the next firmware reload deletes all private keys in the HSM.

For more information, see the hsm-reinit command.

Procedure

  1. Log in to the CLI.
  2. Enter the following command sequence to access the hsm-reinit command. 
    # configure terminal
Global configuration mode
(config)# crypto
Crypto configuration mode
(config-crypto)#
  3. Use the hsm-reinit command to initialize the HSM.
    The following example assigns the HSM to the datapower3 key-sharing domain and randomly generates the credentials for the CO and CU roles.
    (config-crypto)# hsm-reinit hsm-domain datapower3
WARNING - all private keys in the HSM will be destroyed at next firmware reload.
Do you want to continue ('yes' or 'no'): yes
% HSM reinit succeeded
(config-crypto)#
  4. Restart the DataPower Gateway with the shutdown reboot command. 
    (config-crypto)# exit
(config) # flash
Flash configuration mode
(config-flash) # shutodwn reboot 10
    The DataPower Gateway waits 10 second to shut down and then restarts.

What to do next

Verify the status of the HSM from the GUI or CLI.