HSM Configuration

Installing a Hardware Security Module (HSM) on your server is a multi-step process that ensures your cryptographic operations are secure. While the specific steps may vary depending on the HSM vendor, the following general instructions provide an overview of the typical process.

CAUTION  Using an HSM-protected key requires proper configuration, backup, and consistent uptime of the HSM for Trust Protection Platform to operate. If no HSM device is available, Trust Protection Platform attempts to reconnect to the HSM for a period of time, then it logs an error to the local Windows system event log and shuts down. If a broken HSM connection causes Trust Protection Platform to shut down, you will need to use VCC to update the HSM settings. The Venafi Trust Protection Platform service itself will not load until the problem is corrected and the connection is reinitialized.

For a list of supported HSM versions with links to their documentation (when available), see Supported HSMs in the System Requirements. Be aware that Azure Dedicated HSMs are powered by SafeNet Luna SA, so they are supported, and should be configured using SafeNet Luna SA instructions.

You will likely need to refer to the vendor's documentation when installing and configuring the HSM and client software.

Venafi provides support only for supported HSMs. If you need assistance with a self-certified HSM, please contact the vendor directly.

IMPORTANT  HSM connectors are global configurations. As such, the following requirements must be met before your begin:

  • All Trust Protection Platform servers need to have access to the HSM.

  • The HSM client must be installed to the same location on all Trust Protection Platform servers.

  • The HSM client must present the same partition label on all Trust Protection Platform servers.

  • Ideally the serial number presented for the partition is the same on all servers.

Make sure all of these requirements are met before creating an HSM connector.

Once these requirements are met for every Trust Protection Platform server in the cluster, you can then create a connector to the HSM from any server in the cluster.

Since HSM connectors are global configurations, each server in the cluster will load the configuration after it is created on one of them. HSM information is stored in encrypted form in the registry (only when the System Protection Key is stored in the HSM), and in Secret Store. When it is updated in VCC, the updates are stored and VCC passes the information to other servers in the cluster. If the System Protection Key is on the HSM, the individual Venafi servers will update their registries.

TIP  When using an HSM setup, we strongly recommend you use a High Availability (HA) setup, which will ensure redundancy in the HSM environment. This means that if one HSM in the HSM HA setup goes down (maintenance, hardware error, etc.), Trust Protection Platform will still function. We recommend you review your HSM vendor's documentation for information about their HA offerings.

Prerequisites

  1. Review Documentation. Obtain and review the installation and configuration documentation provided by your HSM vendor. Links to vendor documentation are provided, when available, in the Supported HSMs section of the System Requirements.

  2. Verify Compatibility.: Ensure your server hardware, operating system, and software are compatible with the HSM.

  3. Backup Data. Perform a full backup of your server to prevent data loss during installation.

Installation Steps

  1. Install HSM Drivers and Software:

    • Obtain the latest HSM drivers and management software from the vendor’s website or installation media.

    • Follow the vendor’s instructions to install the client drivers on each server in the cluster.

    • Use the vendor-provided management software to initialize and configure the HSM client on each server in the cluster.

    • Reboot the servers (if required).

  2. Integrate with Venafi Platform:

    • If you don't already have an HSM connector, create an HSM connector using Venafi Configuration Console (VCC).

    • In Policy Tree, on the Policy root node, click the Certificate tab. In the Other Information section, select your connector in the Encryption Key field.

    • Test the integration to ensure that applications are correctly communicating with the HSM.

  3. Verify and Test:

    • Perform initial tests to verify the HSM installation and configuration.

    • Use vendor-provided tools to run diagnostics and confirm the HSM is functioning correctly.

    • Open Venafi Platform on the web. If the HSM is correctly configured, Venafi Platform will function normally.

Post-Installation Steps

  1. Document the configuration. Record the HSM configuration settings, including administrative accounts, access controls, and key management details.

  2. Implement Monitoring and Alerts. Set up monitoring tools to keep track of the HSM’s performance and status. Configure alerts for any potential issues.

  3. Regular Maintenance. Follow the vendor’s guidelines for regular maintenance, firmware updates, and periodic security audits.

By following these general instructions, you can ensure a smooth installation process for your HSM. Always refer to the specific documentation provided by your HSM vendor for detailed and accurate guidance.

Removing an HSM

Before you remove an HSM from your cluster, you need to make sure all objects that reference the HSM have been removed.

If you attempt to remove an HSM that is being referenced by objects, you'll see a warning box with information on what you need to do to proceed.

Click the Copy details to clipboard link to copy a detailed list of objects that are referencing the HSM. Once there are no more objects referencing an HSM, it can be deleted from the cluster.

To delete an HSM

  1. Open the Venafi Configuration Console.

  2. Open the Connectors node.

  3. Click the HSM in the Platform Connectors panel.

  4. Click the Delete action in the Actions panel.