Verifying HSM configuration

You can use the following methods to verify whether a Hardware Security Module (HSM) is configured with IBM® Security Guardium® Key Lifecycle Manager.

Checking presence of keystore file in keystore folder

  1. On a newly installed IBM Security Guardium Key Lifecycle Manager where HSM is configured, create a crypto object. For example, create a test server certificate.
    1. Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface.
    2. Click Advanced configuration > Server certificates.
    3. Click Add and select Create self-signed certificate.
    4. Specify a certificate name and description and retain the other default values.
    5. Click Add Certificate. The new certificate is displayed in the Administer Server Certificates page.
  2. Go to the <WAS_HOME>\products\sklm\keystore folder.
    Windows
    C:\Program Files\IBM\WebSphere\Liberty\products\sklm\keystore
    Linux
    /opt/IBM/WebSphere/Liberty/products/sklm/keystore
  3. If no keystore (.jceks) file is present in the keystore folder, IBM Security Guardium Key Lifecycle Manager is configured with HSM; the master key is held on the HSM instead of in a file-based keystore.

Master key creation on HSM

Verify whether the master key is created on the HSM by following the instructions in the HSM manufacturer's documentation. For example, you can use the following verification method for Luna HSM.
  1. Start the ckdemo utility.
    Linux
    1. Go to the Luna HSM Client binary directory.
      cd /usr/safenet/lunaclient/bin
    2. Run the ckdemo utility.
      ./ckdemo
    Windows
    1. Go to the Luna HSM Client installation folder.
      C:\Program Files\SafeNet\LunaClient
    2. Double-click ckdemo to open a console window with the ckdemo interface.
  2. The ckdemo menu lists its functions and the number that runs each one. Enter the numbers in the following sequence.

    • 1 to open a session.
    • 3 to log in.
    • 1 to log in as Crypto Officer, and enter the PIN hsm_pin.
    • 27 and then 0 to list all available objects and ensure an entry with the label tklmcipherkey exists.
    Handle        131 (0x00000083) -- label: tklmcipherkey
    Handle 4293918721 (0xfff00001) -- label: Clock
    Handle 4293918722 (0xfff00002) -- label: Monotonic Counter
    Handle 4293918720 (0xfff00000) -- label: Crypto Officer
    Handle 4293918723 (0xfff00003) -- label: Crypto User
    Enter handle of object to display (0 to list available objects) : 131
    Object handle=131
    CKA_CLASS=0004 (4)
    CKA_TOKEN=01
    CKA_PRIVATE=01
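As an added example that is not part of the IBM documentation or the Luna tooling, the following Python script parses a saved ckdemo listing like the one above and checks that the tklmcipherkey object exists and is a persistent (CKA_TOKEN=01), login-protected (CKA_PRIVATE=01) secret key (CKA_CLASS=4, CKO_SECRET_KEY in PKCS#11). The sample output is constructed from the listing shown above.

```python
import re

# Constructed sample, copied from the ckdemo listing for tklmcipherkey above.
SAMPLE_OUTPUT = """\
Handle        131 (0x00000083) -- label: tklmcipherkey
Handle 4293918721 (0xfff00001) -- label: Clock
Handle 4293918722 (0xfff00002) -- label: Monotonic Counter
Handle 4293918720 (0xfff00000) -- label: Crypto Officer
Handle 4293918723 (0xfff00003) -- label: Crypto User
Enter handle of object to display (0 to list available objects) : 131
Object handle=131
CKA_CLASS=0004 (4)
CKA_TOKEN=01
CKA_PRIVATE=01
"""

HANDLE_RE = re.compile(r"^Handle\s+(\d+)\s+\(0x[0-9a-fA-F]+\)\s+--\s+label:\s+(.*?)\s*$")
OBJECT_RE = re.compile(r"^Object handle=(\d+)\s*$")
ATTR_RE = re.compile(r"^(CKA_[A-Z_]+)=([0-9a-fA-F]+)")
CKO_SECRET_KEY = 4  # PKCS#11 object class for symmetric keys

def parse_ckdemo(text):
    """Return (labels, attrs): label -> handle, handle -> {CKA_*: hex string}."""
    labels, attrs, current = {}, {}, None
    for line in text.splitlines():
        if m := HANDLE_RE.match(line):
            labels[m.group(2)] = int(m.group(1))
        elif m := OBJECT_RE.match(line):
            current = int(m.group(1))
            attrs.setdefault(current, {})
        elif (m := ATTR_RE.match(line)) and current is not None:
            attrs[current][m.group(1)] = m.group(2)
    return labels, attrs

def check_master_key(text, label="tklmcipherkey"):
    """Return a list of findings; an empty list means the master key looks correct."""
    labels, attrs = parse_ckdemo(text)
    handle = labels.get(label)
    if handle is None:
        return [f"no object labelled {label!r} on the token"]
    a = attrs.get(handle)
    if a is None:
        return [f"attributes of handle {handle} were not displayed"]
    findings = []
    if int(a.get("CKA_CLASS", "0"), 16) != CKO_SECRET_KEY:
        findings.append("CKA_CLASS is not CKO_SECRET_KEY (4)")
    if a.get("CKA_TOKEN") != "01":
        findings.append("CKA_TOKEN is not 01: session object, not persistent on the HSM")
    if a.get("CKA_PRIVATE") != "01":
        findings.append("CKA_PRIVATE is not 01: object is accessible without login")
    return findings
```

Feed it the text you capture from a ckdemo session (steps 27, 0 and the object display) rather than the constructed sample to check a real installation.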