Hardware Security Module usage in IBM Security Key Lifecycle Manager

To define a Hardware Security Module (HSM), you must add the HSM parameters to the IBM Security Key Lifecycle Manager configuration file.

You can use an HSM to store the master key that protects all passwords that are stored in the IBM Security Key Lifecycle Manager database. You can enable this capability for installations with existing data or for new installations of IBM Security Key Lifecycle Manager.

IBM Security Key Lifecycle Manager supports the following cryptography cards:
  • SafeNet Luna SA 4.5
  • SafeNet Luna SA 5.0
  • SafeNet Luna SA 6.1
  • nCipher nShield Connect 1500
  • IBM 4765 PCIe Cryptographic Coprocessor
Note:
  • You can use SafeNet Luna SA 4.5, SafeNet Luna SA 5.0, SafeNet Luna SA 6.1, and IBM 4765 PCIe Cryptographic Coprocessor only when no keystore is yet defined in IBM Security Key Lifecycle Manager, because these cards do not allow keys to be imported from outside the card.
  • IBM 4765 PCIe Cryptographic Coprocessor is supported only for the following PKCS#11 crypto operations:
    • Translate an AES 128-bit or 256-bit software key to an AES hardware (PKCS#11) key
    • Generate an AES 128-bit or 256-bit key
    • Encrypt and decrypt data by using an AES key and an AES/ECB/NoPadding cipher
    • Store an AES key in, and retrieve it from, a PKCS11IMPLKS (PKCS#11) keystore
You can use the following configuration parameters to define the HSM:
  • pkcs11.pin
  • pkcs11.pin.obfuscated
  • pkcs11.config
Because the HSM PIN is kept in this file, restrict read access to the configuration file to the account under which IBM Security Key Lifecycle Manager runs. For HSM configuration parameter details, see the Reference topics in the IBM Security Key Lifecycle Manager documentation.

Sample HSM configuration files

Sample HSM configuration file for SafeNet Luna SA 4.5, 5.0, and 6.1
#SafeNet Luna
# name must be TKLM: IBM Security Key Lifecycle Manager looks the provider up by this name
name = TKLM
# Path to the vendor PKCS#11 (cryptoki) library that the provider loads
library=C:/Program Files/LunaSA/cryptoki.dll
description=Luna sample config

# Index of the slot (Luna partition) to open, counted from 0 in the slot list that the library returns
slotListIndex = 0

# attributes(operation, object class, key type): the CKA_* values applied to matching
# objects; * matches any operation or any key type
attributes (*, CKO_PRIVATE_KEY, *) = {
   CKA_SENSITIVE = true
}
attributes (GENERATE, CKO_SECRET_KEY, *) = {
   CKA_SENSITIVE = true
   CKA_ENCRYPT = true
   CKA_DECRYPT = true
}
attributes (IMPORT, CKO_PUBLIC_KEY, *) = {
   CKA_VERIFY = true
}
Note: For the name parameter, you must always specify the value TKLM.

Sample HSM configuration file for nCipher nShield Connect 1500
# nCipher nShield, nForce 4000 - Generation 2 cards
name = TKLM
library=C:/nCipher/nfast/cknfast.dll
description= nCipher sample config for TKLM

# Index of the slot to open, counted from 0 in the slot list that the library returns
slotListIndex=1

attributes(*, CKO_SECRET_KEY, *) = {
  CKA_ENCRYPT=true
  CKA_DECRYPT=true
  CKA_SENSITIVE=true
  # CKA_TOKEN=true stores the key as a persistent token object rather than a session object
  CKA_TOKEN=true
}

attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_SIGN=true
  CKA_SENSITIVE=false
#  CKA_DERIVE=true
# When using KeyAgreement, set CKA_DERIVE to true and CKA_SIGN to false
}

attributes(GENERATE, CKO_PUBLIC_KEY, *) = {
  CKA_VERIFY=true
}

attributes(GENERATE, CKO_PRIVATE_KEY, CKK_RSA) = {
  CKA_DECRYPT=true
  CKA_UNWRAP=true
  # CKA_EXTRACTABLE=true permits the private key to be wrapped out of the HSM (C_WrapKey)
  CKA_EXTRACTABLE=true
}

attributes(*, CKO_PUBLIC_KEY, CKK_RSA) = {
  CKA_ENCRYPT=true
  CKA_WRAP=true
  CKA_VERIFY=true
}

attributes(IMPORT, CKO_PRIVATE_KEY, CKK_RSA) = {
  CKA_EXTRACTABLE=true
  CKA_DECRYPT=true
  CKA_UNWRAP=true
  CKA_DERIVE=true
}
Note: For the name parameter, you must always specify the value TKLM.
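Both sample files above follow one line-oriented grammar: key = value settings, attributes(operation, object class, key type) = { ... } blocks of CKA_* booleans, and # comments. The following Python script is an added example and is not part of IBM Security Key Lifecycle Manager or of the IBMPKCS11Impl provider. It parses that grammar as inferred from the two samples (so it may reject options the real provider accepts) and reports what a reviewer should confirm before deploying the file: that name is TKLM, that library and slotListIndex are present, and every CKO_PRIVATE_KEY or CKO_SECRET_KEY block that sets CKA_SENSITIVE=false or CKA_EXTRACTABLE=true. The embedded input is an abridged copy of the nCipher sample above. The HSM's own token policy can still override these attributes, so the findings are prompts for review, not errors.

```python
import re
from dataclasses import dataclass, field

# attributes(operation, object class, key type) = {   where "*" matches anything
ATTR_HEADER = re.compile(r"^attributes\s*\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*=\s*\{$")


@dataclass
class AttributeBlock:
    operation: str      # GENERATE, IMPORT or *
    object_class: str   # CKO_SECRET_KEY, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, ...
    key_type: str       # CKK_RSA, ... or *
    attributes: dict = field(default_factory=dict)  # CKA_* name -> bool


@dataclass
class Pkcs11Config:
    settings: dict = field(default_factory=dict)  # name, library, slotListIndex, ...
    blocks: list = field(default_factory=list)


def parse_pkcs11_config(text):
    """Parse key = value lines and attributes { ... } blocks; '#' starts a comment."""
    cfg, current = Pkcs11Config(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed anywhere, including inside blocks
        if current is None and (m := ATTR_HEADER.match(line)):
            current = AttributeBlock(*(g.strip() for g in m.groups()))
            continue
        if current is not None and line == "}":
            cfg.blocks.append(current)
            current = None
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            raise ValueError(f"line {lineno}: expected key = value")
        if current is None:
            cfg.settings[key] = value
        elif key.startswith("CKA_") and value.lower() in ("true", "false"):
            current.attributes[key] = value.lower() == "true"
        else:
            raise ValueError(f"line {lineno}: expected CKA_x = true|false inside attributes block")
    if current is not None:
        raise ValueError("unterminated attributes block")
    return cfg


def lint_pkcs11_config(cfg):
    """Return review prompts; an empty list means nothing needs a second look."""
    findings = []
    if cfg.settings.get("name") != "TKLM":
        findings.append("name must be TKLM")
    for required in ("library", "slotListIndex"):
        if required not in cfg.settings:
            findings.append(f"missing setting {required}")
    for b in cfg.blocks:
        if b.object_class not in ("CKO_PRIVATE_KEY", "CKO_SECRET_KEY"):
            continue  # public keys are meant to leave the HSM
        where = f"attributes({b.operation}, {b.object_class}, {b.key_type})"
        if b.attributes.get("CKA_SENSITIVE") is False:
            findings.append(f"{where}: CKA_SENSITIVE=false allows the plaintext key value to be read")
        if b.attributes.get("CKA_EXTRACTABLE") is True:
            findings.append(f"{where}: CKA_EXTRACTABLE=true allows the key to be wrapped out of the HSM")
    return findings


# Abridged copy of the nCipher sample from this page (public-key blocks and description omitted).
NCIPHER_SAMPLE = """\
# nCipher nShield, nForce 4000 - Generation 2 cards
name = TKLM
library=C:/nCipher/nfast/cknfast.dll
slotListIndex=1
attributes(*, CKO_SECRET_KEY, *) = {
  CKA_ENCRYPT=true
  CKA_DECRYPT=true
  CKA_SENSITIVE=true
  CKA_TOKEN=true
}
attributes(*, CKO_PRIVATE_KEY, *) = {
  CKA_SIGN=true
  CKA_SENSITIVE=false
#  CKA_DERIVE=true
}
attributes(GENERATE, CKO_PRIVATE_KEY, CKK_RSA) = {
  CKA_DECRYPT=true
  CKA_UNWRAP=true
  CKA_EXTRACTABLE=true
}
attributes(IMPORT, CKO_PRIVATE_KEY, CKK_RSA) = {
  CKA_EXTRACTABLE=true
  CKA_DECRYPT=true
  CKA_UNWRAP=true
  CKA_DERIVE=true
}
"""

if __name__ == "__main__":
    for finding in lint_pkcs11_config(parse_pkcs11_config(NCIPHER_SAMPLE)):
        print(finding)
```

Run against the abridged nCipher sample, the script reports three findings: CKA_SENSITIVE=false on the generic private-key block and CKA_EXTRACTABLE=true on both RSA private-key blocks. Those values are what the sample specifies; the point of surfacing them is that the operator confirms them against the HSM's wrap and export policy before go-live rather than discovering later that private keys can be wrapped out of the device. The Luna sample produces no findings.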