Creating an HSM connector

After you have completed the necessary preconfiguration requirements, you can create the HSM connector in the Venafi Configuration Console. The HSM connector provides the information required to access encryption keys in Trust Protection Platform. Trust Protection Platform supports HSM connectors that use the PKCS#11 standard (the Cryptoki API).

To create an HSM connector

  1. On the Venafi Trust Protection Platform server, open the Venafi Configuration Console, and open the Connectors node.
  2. In the Actions panel, click Create HSM Connector.
  3. (Conditional) If requested, enter your Venafi Trust Protection Platform administration credentials.
  4. Enter data into the fields, as described below.

    Field    Description

    Name
        Name of the HSM connector. Use something descriptive so you can identify it later.

    Cryptoki DLL Path
        Trust Protection Platform requires access to the 64-bit version of the Cryptoki DLL.

        For SafeNet Luna SA devices, this is the path to the cryptoki.dll file.

        For Entrust nShield Connect HSM devices, this is the path to the cknfast.dll file.

        After selecting the DLL, click Load Slots. Trust Protection Platform will query the HSM and return the available slots.

        IMPORTANT  Trust Protection Platform requires the path to the DLL file to initialize the connection to the HSM device. This path will be used for all Trust Protection Platform servers in the cluster (connected to the same database). All servers in the cluster must have their DLL file in the same location.

    Slot
        Slot ID for the HSM partition where you want Trust Protection Platform to access the encryption keys.

        NOTE  While slot numbers are listed in the drop-down list, Trust Protection Platform does not depend on slot numbers. Trust Protection Platform identifies HSM partitions by label first, and in the case that there are duplicate labels, it falls back to the serial number.

    User Type
        User type required to access the HSM keys on the designated partition (Slot ID).

        The designated User Type must have sufficient permissions to use the keys in the Encryption Driver's Permitted Keys list.

    Pin
        Pin, if one is required to access the HSM.

        If you use Entrust nShield token protection, leave the field empty.

        If you are setting up AWS CloudHSM, the pin must be in the following format: <CU_user_name>:<password>

    Permitted Keys
        A list of keys that can be used for encryption and decryption of data by the Trust Protection Platform servers. The keys listed are the ones that can be used to encrypt data stored in the Trust Protection Platform Secret Store.

    Allow Key Storage
        Tells Trust Protection Platform whether this HSM can be used to generate and store new private keys associated with Code Signing certificates.

        NOTE  This feature is available only for Venafi CodeSign Protect and requires Venafi Advanced Key Protect.

    New Key (button)
        If you want to generate a new AES 256-bit symmetric key on the HSM, click this button. A new key will be generated.

  5. Click Verify.
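As an added pre-flight example (not Venafi code), the following Python checks two things the field descriptions above call out: that the file named in Cryptoki DLL Path is a 64-bit (x64) PE image, and how a partition is chosen by label first and by serial number only when labels collide. No PKCS#11 library is loaded; the slot list and the PE header bytes are constructed samples.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86 image
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64 image, the only kind TPP will load

def pe_machine(data: bytes) -> int:
    """Read the COFF Machine field: DOS header -> e_lfanew -> 'PE\\0\\0' -> Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine

def is_64bit_dll(data: bytes) -> bool:
    return pe_machine(data) == IMAGE_FILE_MACHINE_AMD64

def check_cryptoki_dll(path: str) -> bool:
    """Pre-flight for the Cryptoki DLL Path field: the file exists and is an x64 image."""
    with open(path, "rb") as f:
        return is_64bit_dll(f.read())

def resolve_partition(slots, label, serial=None):
    """Selection rule from the Slot note: label first, serial only for duplicate labels."""
    by_label = [s for s in slots if s["label"] == label]
    if len(by_label) == 1:
        return by_label[0]
    if len(by_label) > 1 and serial is not None:
        matches = [s for s in by_label if s["serial"] == serial]
        if len(matches) == 1:
            return matches[0]
    return None  # no unique partition: refuse rather than guess by slot number

def build_fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header for offline testing (not a loadable DLL)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)

# Constructed slot list of the kind Load Slots returns; two partitions share a label.
SAMPLE_SLOTS = [
    {"slot_id": 0, "label": "tpp-secrets", "serial": "HSM-A-0001"},
    {"slot_id": 1, "label": "tpp-secrets", "serial": "HSM-B-0002"},
    {"slot_id": 2, "label": "codesign", "serial": "HSM-A-0001"},
]
```

Run `check_cryptoki_dll` with the same path on every server in the cluster, since the connector stores a single DLL path for all of them.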

These steps only create the connector between Venafi Platform and the HSM. You will need to use Policy Tree to enable the connector when you are ready: in Policy Tree, on the Policy root node, click the Certificate tab, and in the Other Information section select your connector in the Encryption Key field.

WARNING!  Don't change the Encryption Key field in the Policy Tree until the HSM configuration has been installed and tested on every server in your cluster.

Once the HSM connector has been added and the connection has been verified, we recommend reviewing the post-installation steps.