Planning the HSM configuration

Integration of Hardware Security Module (HSM) with IBM Guardium Key Lifecycle Manager requires careful planning and consideration of various prerequisites.

  • Set up the HSM by following the instructions from the HSM manufacturer, and ensure that the HSM is properly installed. For instructions, see the appropriate HSM guide.
    Note: The nCipher HSM guide is accessible only through registration on the nCipher Support page. To register, send an email to support@ncipher.com. After the registration, you can access the guide by using the following link https://ncipher.zendesk.com/hc/en-us/articles/360002627898-Security-World-v12-60-documentation. Ensure that the world and module files are received from the nCipher HSM team.
  • Ensure that IBM Guardium Key Lifecycle Manager is properly installed.
  • The IBM Guardium Key Lifecycle Manager process owner needs to be a member of the HSM’s functional group.

    The following information is applicable only for Gemalto/SafeNet Luna SA where Luna HSM client (for example, LunaClient_10.2.0-111_Linux), is installed on the Linux® platform.

    The IBM Guardium Key Lifecycle Manager process owner, that is, the Db2 administrator ID (klmdb50), needs to be a member of the HSM’s functional group, because the HSM client is installed as the root user, which is not the process owner for IBM Guardium Key Lifecycle Manager.

    Adding the IBM Guardium Key Lifecycle Manager process owner to the HSM’s functional group is required for proper communication between the HSM and IBM Guardium Key Lifecycle Manager. For example, the hsmusers group is created during the Luna HSM client installation. You need to add the IBM Guardium Key Lifecycle Manager process owner (klmdb50) to this hsmusers group.

  • For nCipher HSM, you must configure nCipher Security World Client (nCipher HSM client). For the configuration steps, see Configuring nCipher HSM client.

    The IBM Guardium Key Lifecycle Manager process owner that is the Db2® administrator must have read and write access to the /opt/nfast/kmdata/local folder.
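    The following pre-flight check script is an added example, not a script that ships with IBM Guardium Key Lifecycle Manager or with either HSM client. It verifies the two prerequisites above for a given process owner: membership in the HSM functional group (hsmusers for Luna SA) and read/write access to the nCipher key-management directory. The owner name, group name and directory are passed as parameters; the defaults in the comments are the values named on this page, and the nCipher group name is left as a placeholder because the page does not name it.

```shell
#!/bin/sh
# Pre-flight check for the HSM prerequisites of the Guardium Key Lifecycle
# Manager process owner (the Db2 administrator ID, klmdb50 on this page).
# Added example; not part of the IBM or HSM vendor documentation.

# Returns 0 if user $1 is listed in the membership of group $2.
user_in_group() {
    user="$1"; group="$2"
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"
}

# Returns 0 if $1 is a directory that the *current* process can read and write.
# Run as the process owner (for example: su - klmdb50) for a meaningful result.
dir_rw() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Runs the checks for one profile: owner $1, functional group $2 (empty skips
# the group check), directory $3 (empty skips the directory check).
# Prints a PASS/FAIL line per check and returns the number of failed checks.
check_hsm_prereqs() {
    owner="$1"; group="$2"; dir="$3"; fails=0
    if [ -n "$group" ]; then
        if user_in_group "$owner" "$group"; then
            echo "PASS: $owner is a member of $group"
        else
            echo "FAIL: $owner is not in $group (usermod -aG $group $owner, then re-login)"
            fails=$((fails + 1))
        fi
    fi
    if [ -n "$dir" ]; then
        if dir_rw "$dir"; then
            echo "PASS: $dir is readable and writable by $(id -un)"
        else
            echo "FAIL: $dir is missing or not read/write for $(id -un)"
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}

# Example invocations (edit to match the HSM in use):
#   Luna SA:  check_hsm_prereqs klmdb50 hsmusers ""
#   nCipher:  check_hsm_prereqs klmdb50 "<nCipher functional group>" /opt/nfast/kmdata/local
```

Run the script as the process owner itself, because the directory check reports the permissions of the account that runs it, not of the account named in the first argument.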

What to do next

Configure IBM Guardium Key Lifecycle Manager with HSM. For more information, see Configuring IBM Guardium Key Lifecycle Manager with HSM.