Configuring HSM parameters
You must define the pkcs11.pin, pkcs11.config, and useMasterKeyInHSM configuration parameters to configure Hardware Security Module.
Procedure
- Set up the HSM as per the instructions from HSM manufacturers.
-
Add the pkcs11.pin, pkcs11.config, and
useMasterKeyInHSM parameters to the IBM® Security Key Lifecycle Manager configuration file. You can use the following
REST service or CLI command to add the parameter:
- REST interface
-
PUT https://localhost:port/SKLM/rest/v1/configProperties { "pkcs11.pin" : "hsm_pin"} -
PUT https://localhost:port/SKLM/rest/v1/configProperties { "pkcs11.config" : "hsm_config_file"} -
PUT https://localhost:port/SKLM/rest/v1/configProperties { "useMasterKeyInHSM" : "true | false"} - Where,
- hsm_pin is the pin for HSM.
- hsm_config_file is the full path and file name of the HSM configuration file.
For example:
- Windows
- C:\Program Files\IBM\WebSphere\AppServer\products\sklm\config\LunaSA.cfg
- Linux®
/opt/IBM/WebSphere/AppServer/products/sklm/config/LunaSA.cfg
- Command-line interface
-
print AdminTask.tklmConfigUpdateEntry('[-name pkcs11.pin -value hsm_pin]') -
print AdminTask.tklmConfigUpdateEntry('[-name pkcs11.config -value hsm_config_file]') -
print AdminTask.tklmConfigUpdateEntry('[-name useMasterKeyInHSM -value true | false]')
-
Restart IBM Security Key Lifecycle Manager.
Table 1. Content change log Date Change description 22 Nov 2021 Added hsm_config_file example for Linux. 10 Dec 2019 Initial version.