Configuring an HSM for use with Secure Proxy

Perform the following steps to configure your HSM to work with Secure Proxy.

  1. Update the configuration file that is installed with Secure Proxy for your HSM type. The Secure Proxy engine adds an <SSP_INSTALL>/conf directory during installation. This directory contains the HSM configuration files for both nCipher and SafeNet. You can update any of the default settings as needed. In particular, you must edit the library location value if your location is different from the default. If this library location is not correct, the HSM will not work. Update one of the following configuration files:
    • For nCipher HSMs, update ncipher_gen2.cfg.jsse
    • For SafeNet HSMs, update lunasa_5_0_jsse.cfg
  2. Verify the default values in the security.properties file for the HSM. The Secure Proxy engine adds an <SSP_INSTALL>/bin directory during installation. The following attributes are specifically for configuring the HSM:
    Attribute                   Description
    HSM_KEYSTORE_TYPE           If HSM_ENABLED is set to true, the attribute value must be PKCS11IMPLKS.
    HSM_KEYSTORE_PROVIDER       If HSM_ENABLED is set to true, the attribute value must be IBMPKCS11Impl.
    HSM_KEYSTORE_FILE
    HSM_ENABLED                 If HSM support is desired, this attribute must be set to true.
    HSM_ADAPTER_TYPE            If HSM_ENABLED is set to true, the attribute value must be safeNet or nCipher.
    prng.algorithim             If HSM_ENABLED is set to true, the attribute value must be PKCS11DeviceRNG.
    prng.provider               If HSM_ENABLED is set to true, the attribute value must be IBMPKCS11Impl.
    HSM_CONFIG_FILE_LOCATION    If HSM_ENABLED is set to true, the attribute value must be set to the location of the IBMPKCS11 configuration.
    Note: To disable the HSM, set the HSM_ENABLED attribute in the security.properties file to false.
  3. If your HSM adapter type is set to HSM_ADAPTER_TYPE=nCipher, run the following command (this applies to both UNIX and Windows):
    export CKNFAST_OVERRIDE_SECURITY_ASSURANCES="tokenkeys;longterm"
    Note: The environment variable must be set on the same machine that Sterling Secure Proxy is running on; otherwise, all operations against the nCipher module will fail.
  4. Use the HSM Keystore Password utility to set the HSM password. The script stores the user-specified password in <SSP_INSTALL>/conf/system/sysGlobals.xml. Run one of the following commands, where xxxxx is the HSM Keystore password:
    • For Windows, run configureHsmPassword.bat hsmPassword=xxxxx
    • For UNIX, run configureHsmPassword.sh hsmPassword=xxxxx
    Note: If you need to manage nCipher files, you must manually manage them using nCipher provided tools at:
    {NCIPHER_INSTALL}/kmdata/local
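The attribute rules from step 2 can be checked before the engine is started. The following script is an added example, not part of Secure Proxy: it parses a security.properties file and reports any HSM attribute whose value contradicts the table, plus a missing IBMPKCS11 configuration file. The sample property texts and the configuration path in them are constructed placeholders.

```python
import os

# Values that step 2 requires for each attribute when HSM_ENABLED is true.
REQUIRED_WHEN_ENABLED = {
    "HSM_KEYSTORE_TYPE": {"PKCS11IMPLKS"},
    "HSM_KEYSTORE_PROVIDER": {"IBMPKCS11Impl"},
    "HSM_ADAPTER_TYPE": {"safeNet", "nCipher"},
    "prng.algorithim": {"PKCS11DeviceRNG"},
    "prng.provider": {"IBMPKCS11Impl"},
}

# Constructed sample files (not real Secure Proxy settings); the path is a placeholder.
SAMPLE_OK = """# HSM section of security.properties
HSM_ENABLED=true
HSM_KEYSTORE_TYPE=PKCS11IMPLKS
HSM_KEYSTORE_PROVIDER=IBMPKCS11Impl
HSM_ADAPTER_TYPE=safeNet
prng.algorithim=PKCS11DeviceRNG
prng.provider=IBMPKCS11Impl
HSM_CONFIG_FILE_LOCATION=/placeholder/SSP_INSTALL/conf/lunasa_5_0_jsse.cfg
"""
# Wrong keystore type and the provider line commented out.
SAMPLE_BAD = SAMPLE_OK.replace("PKCS11IMPLKS", "JKS").replace("HSM_KEYSTORE_PROVIDER", "#HSM_KEYSTORE_PROVIDER")

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props

def check_hsm_settings(props, check_paths=True):
    """Return the list of violations of the step 2 rules; an empty list means consistent."""
    problems = []
    if props.get("HSM_ENABLED", "false").lower() != "true":
        return problems  # HSM disabled: the remaining attributes are not consulted
    for key, allowed in REQUIRED_WHEN_ENABLED.items():
        value = props.get(key)
        if value not in allowed:
            problems.append(f"{key} must be one of {sorted(allowed)}, found {value!r}")
    location = props.get("HSM_CONFIG_FILE_LOCATION")
    if not location:
        problems.append("HSM_CONFIG_FILE_LOCATION must name the IBMPKCS11 configuration file")
    elif check_paths and not os.path.isfile(location):
        problems.append(f"HSM_CONFIG_FILE_LOCATION {location!r} does not exist on this host")
    return problems
```

To check a real installation, read <SSP_INSTALL>/bin/security.properties into a string and pass `parse_properties(text)` to `check_hsm_settings`, leaving `check_paths` at its default so the configuration file location is verified on the engine host.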