Verifying HSM configuration

You can use various methods to verify whether Hardware Security Module (HSM) is configured with IBM® Security Guardium® Key Lifecycle Manager.

Checking presence of keystore file in keystore folder

  1. On a newly installed IBM Security Guardium Key Lifecycle Manager where HSM is configured, create a crypto object. For example, create a test server certificate.
    1. Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface.
    2. Click Advanced configuration > Server certificates.
    3. Click Add and select Create self-signed certificate.
    4. Specify a certificate name and description and retain the other default values.
    5. Click Add Certificate. The new certificate is displayed in the Administer Server Certificates page.
  2. Go to the <WAS_HOME>\products\sklm\keystore folder.
    C:\Program Files\IBM\WebSphere\Liberty\products\sklm\keystore
  3. Absence of any keystore (.jceks) file in the keystore folder indicates that IBM Security Guardium Key Lifecycle Manager is configured with HSM.

Master key creation on HSM

Verify whether the master key is created on HSM by following the instructions that are provided in the appropriate HSM manufacturers documentation. For example, you can use the following verification method for Luna HSM.
  1. Start the ckdemo utility.
    1. Go to the Luna HSM Client binary directory.
      cd /usr/safenet/lunaclient/bin
    2. Run the ckdemo utility.
    1. Go to the Luna HSM Client installation folder.
      C:\Program Files\SafeNet\LunaClient
    2. Double-click ckdemo to open a console window with the ckdemo interface.
  2. The ckdemo menu lists its functions and corresponding function numbers to run them. Enter the numbers in the following sequence.

    • 1 to open a session.
    • 3 to log in.
    • 1 to log in as Crypto Officer and use the pin hsm_pin
    • 27 and then 0 to list all available objects and ensure an entry with the label tklmcipherkey exists.
    Handle        131 (0x00000083) -- label: tklmcipherkey
    Handle 4293918721 (0xfff00001) -- label: Clock
    Handle 4293918722 (0xfff00002) -- label: Monotonic Counter
    Handle 4293918720 (0xfff00000) -- label: Crypto Officer
    Handle 4293918723 (0xfff00003) -- label: Crypto User
    Enter handle of object to display (0 to list available objects) : 131
    Object handle=131
    CKA_CLASS=0004 (4)