Hardware Security Module usage in IBM Security Key Lifecycle Manager
To define a Hardware Security Module (HSM), you must add the HSM parameters to the IBM Security Key Lifecycle Manager configuration file.
You can use an HSM to store the master key that protects all passwords stored in the IBM Security Key Lifecycle Manager database. You can enable this capability for installations with existing data, or for new installations of IBM Security Key Lifecycle Manager.
IBM Security Key Lifecycle Manager supports the following cryptography cards:
- SafeNet Luna SA 4.5
- SafeNet Luna SA 5.0
- SafeNet Luna SA 6.1
- nCipher nShield Connect 1500
- IBM 4765 PCIe Cryptographic Coprocessor
Note:
- You can use SafeNet Luna SA 4.5, SafeNet Luna SA 5.0, SafeNet Luna SA 6.1, and IBM 4765 PCIe Cryptographic Coprocessor only when the keystore is not defined in IBM Security Key Lifecycle Manager. These cards do not allow import of keys from outside. IBM 4765 PCIe Cryptographic Coprocessor is supported only for the following PKCS#11 crypto operations:
  - Translate an AES 128-bit or 256-bit software key to an AES hardware (PKCS#11) key
  - Generate an AES 128-bit or 256-bit key
  - Encrypt and decrypt data by using an AES key and an AES/ECB/NoPadding cipher
  - Store and retrieve an AES key to/from a PKCS11IMPLKS (PKCS#11) keystore
You can use the following configuration parameters to define HSM:
- pkcs11.pin
- pkcs11.pin.obfuscated
- pkcs11.config
Sample HSM configuration files
- Sample HSM configuration file for SafeNet Luna SA 4.5, 5.0, and 6.1
  #SafeNet Luna
  name = TKLM
  library=C:/Program Files/LunaSA/cryptoki.dll
  description=Luna sample config
  slotListIndex = 0
  attributes (*, CKO_PRIVATE_KEY, *) = {
    CKA_SENSITIVE = true
  }
  attributes (GENERATE, CKO_SECRET_KEY, *) = {
    CKA_SENSITIVE = true
    CKA_ENCRYPT = true
    CKA_DECRYPT = true
  }
  attributes (IMPORT, CKO_PUBLIC_KEY, *) = {
    CKA_VERIFY = true
  }
  Note: For the name parameter, you must always specify the value TKLM.
- Sample HSM configuration file for nCipher nShield Connect 1500
  # nCipher nShield, nForce 4000 - Generation 2 cards
  name = TKLM
  library=C:/nCipher/nfast/cknfast.dll
  description= nCipher sample config for TKLM
  slotListIndex=1
  attributes(*, CKO_SECRET_KEY, *) = {
    CKA_ENCRYPT=true
    CKA_DECRYPT=true
    CKA_SENSITIVE=true
    CKA_TOKEN=true
  }
  attributes(*, CKO_PRIVATE_KEY, *) = {
    CKA_SIGN=true
    CKA_SENSITIVE=false
    # CKA_DERIVE=true
    # when using KeyAgreement CKA_DERIVE should
    # set to true and CKA_SIGN should set to false
  }
  attributes(GENERATE, CKO_PUBLIC_KEY, *) = {
    CKA_VERIFY=true
  }
  attributes(GENERATE, CKO_PRIVATE_KEY, CKK_RSA) = {
    CKA_DECRYPT=true
    CKA_UNWRAP=true
    CKA_EXTRACTABLE=true
  }
  attributes(*, CKO_PUBLIC_KEY, CKK_RSA) = {
    CKA_ENCRYPT=true
    CKA_WRAP=true
    CKA_VERIFY=true
  }
  attributes(IMPORT, CKO_PRIVATE_KEY, CKK_RSA) = {
    CKA_EXTRACTABLE=true
    CKA_DECRYPT=true
    CKA_UNWRAP=true
    CKA_DERIVE=true
  }
Note: For the name parameter, you must always specify the value TKLM.
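The sample files above use the PKCS#11 provider configuration format (name, library, slotListIndex and attributes(...) blocks). Before pointing pkcs11.config at such a file, it is useful to check it mechanically for the rule the page states (name must be TKLM) and for the settings a key-protection deployment cares about. The following parser and checker are an added example written for this page; they are not IBM Security Key Lifecycle Manager code, and the SAMPLE_CONFIG text, the library path in it, and the rule that generated secret keys must carry CKA_SENSITIVE = true are this example's own constructed input and policy, not requirements taken from the product documentation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the provider configuration format shown above.
# Not a vendor file; the library path is a placeholder for this example.
SAMPLE_CONFIG = """\
# constructed sample, not a vendor file
name = TKLM
library = /opt/hsm/libcryptoki.so
description = sample config
slotListIndex = 0
attributes (*, CKO_PRIVATE_KEY, *) = {
  CKA_SENSITIVE = true
}
attributes (GENERATE, CKO_SECRET_KEY, *) = {
  CKA_SENSITIVE = true
  CKA_ENCRYPT = true
  CKA_DECRYPT = true
  # CKA_DERIVE = true   (a comment inside a block, as in the nCipher sample)
}
attributes (IMPORT, CKO_PUBLIC_KEY, *) = {
  CKA_VERIFY = true
}
"""

# attributes(operation, object class, key type) = {
ATTR_HEADER = re.compile(
    r"^attributes\s*\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*=\s*\{\s*$"
)

Block = Tuple[Tuple[str, str, str], Dict[str, str]]


def strip_comment(line: str) -> str:
    """'#' starts a comment anywhere on a line, as in the samples above."""
    return line.split("#", 1)[0].strip()


def parse_hsm_config(text: str) -> Tuple[Dict[str, str], List[Block]]:
    """Parse the config into (global settings, attribute blocks).

    Each block is ((operation, object_class, key_type), {CKA_name: value}).
    Raises ValueError on lines that do not fit the format.
    """
    settings: Dict[str, str] = {}
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if current is not None:
            if line == "}":
                blocks.append(current)
                current = None
                continue
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"expected 'CKA_X = value' inside block: {raw!r}")
            current[1][key.strip()] = value.strip()
            continue
        match = ATTR_HEADER.match(line)
        if match:
            current = ((match.group(1), match.group(2), match.group(3)), {})
            continue
        key, sep, value = line.partition("=")  # first '=' only: paths may contain none
        if not sep:
            raise ValueError(f"unrecognised line: {raw!r}")
        settings[key.strip()] = value.strip()
    if current is not None:
        raise ValueError("unterminated attributes block")
    return settings, blocks


def check_hsm_config(settings: Dict[str, str], blocks: List[Block]) -> List[str]:
    """Return findings; an empty list means the file passes these checks."""
    findings: List[str] = []
    # Documented requirement: the name parameter must be TKLM.
    if settings.get("name") != "TKLM":
        findings.append("name must be TKLM")
    for key in ("library", "slotListIndex"):
        if key not in settings:
            findings.append(f"missing required setting: {key}")
    if "slotListIndex" in settings and not settings["slotListIndex"].isdigit():
        findings.append("slotListIndex must be a non-negative integer")
    # This example's own policy (not a documented product rule): AES secret keys
    # that the HSM generates or matches with '*' should be marked CKA_SENSITIVE.
    for (op, cls, _kt), attrs in blocks:
        if cls == "CKO_SECRET_KEY" and op in ("*", "GENERATE"):
            if attrs.get("CKA_SENSITIVE", "").lower() != "true":
                findings.append(f"{cls} block for {op} should set CKA_SENSITIVE = true")
    return findings


def check_config_text(text: str) -> List[str]:
    """Convenience wrapper: parse and check in one call."""
    return check_hsm_config(*parse_hsm_config(text))


if __name__ == "__main__":
    for finding in check_config_text(SAMPLE_CONFIG) or ["config passes all checks"]:
        print(finding)
```

Run the script against a real file by reading it into check_config_text; a non-empty list of findings is the signal to fix the file before setting pkcs11.config. The checker deliberately flags only what it can see in the file; it does not load the PKCS#11 library or open a slot, so a passing result says the file is well formed and consistent with the stated rule, not that the HSM is reachable.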