Configure Key Manager to Use HSM Keys
After all the Key Manager Servers have been configured as HSM clients, configure Key Manager to use the HSM keys for agentless management connections. To do this, provide the following settings in the Key Manager GUI, on the Settings→General→HSM page.

Specify the following HSM settings:

- Path to PKCS11 library: The file path of the PKCS #11 library file on the Key Manager Servers. This is a single setting, so the library must be installed at the same path on every Key Manager Server.
  - For Luna SA, the library file is typically at: /usr/lunasa/lib/libCryptoki2_64.so
  - For nShield Connect, the typical location is (assuming the nShield Connect software was installed under /opt/nfast/): /opt/nfast/toolkits/pkcs11/libcknfast.so
- PIN code and Confirm PIN code: The code for accessing the keys on the HSM. This is the PKCS #11 user PIN that Key Manager uses to log in to the token (on Luna SA, the partition password). Set to any non-blank value if no code is required.

Click Apply to save your settings.
You must still specify the key pair on the HSM partition that is to be used as the management key:

- Default PKCS11 key fingerprint: The fingerprint of the HSM-resident public key to use as the management key. Key Manager uses the authorized key with this fingerprint to access agentless hosts. When management-key renewal is performed, all existing management keys are replaced with this authorized key. The keys available on the HSM can be listed with ssh-mgr-client list-hsm-keys.

Click Apply to save your settings. Key Manager is now configured to use management keys from the HSM.

HSM integration is now complete.
To deploy hosts using HSM keys (command-line client only):

- Upload the public key to the target host(s). To list all the available public keys from the HSM:
  $ ssh-mgr-client list-hsm-keys
- Use add-hosts with the data attribute privatekeyfile=pkcs11: to deploy the target host(s) using HSM keys. For example:
  $ ssh-mgr-client add-hosts -d 'hostname=server.example.com,username=root,privatekeyfile=pkcs11:'
For more information about using command-line client commands, refer to the PrivX Key Manager Administrator Manual.
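The following shell script is an added example and is not part of the PrivX Key Manager documentation or product. It shows a pre-flight check a practitioner can run on a Key Manager Server before filling in the HSM page: confirm the PKCS #11 library file is present and readable, use OpenSSH's ssh-keygen -D to enumerate the public keys the HSM exposes through that library and print their fingerprints (so the value entered as Default PKCS11 key fingerprint belongs to a known key), and deploy several hosts with add-hosts in a loop. Only the two library paths and the add-hosts data attribute come from the page; the function names are this example's own, and it assumes OpenSSH's ssh-keygen and ssh-mgr-client are on PATH. ssh-keygen may prompt for the token PIN if the library reports that a login is required.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight checks for
# the Key Manager HSM settings and a loop that deploys hosts with HSM keys.
# Assumes OpenSSH ssh-keygen and ssh-mgr-client are installed on this server.

# Library paths taken from the documentation (Luna SA and nShield Connect).
LUNA_LIB=/usr/lunasa/lib/libCryptoki2_64.so
NSHIELD_LIB=/opt/nfast/toolkits/pkcs11/libcknfast.so

# check_pkcs11_lib LIB: succeed only if LIB is a readable regular file.
# Key Manager cannot load a library that is missing on any server.
check_pkcs11_lib() {
    lib=$1
    if [ ! -f "$lib" ] || [ ! -r "$lib" ]; then
        echo "PKCS#11 library not found or not readable: $lib" >&2
        return 1
    fi
    return 0
}

# pick_pkcs11_lib: print the first documented library path that exists.
pick_pkcs11_lib() {
    for lib in "$LUNA_LIB" "$NSHIELD_LIB"; do
        if [ -r "$lib" ]; then
            printf '%s\n' "$lib"
            return 0
        fi
    done
    echo "no known PKCS#11 library found" >&2
    return 1
}

# hsm_key_fingerprints LIB: let OpenSSH enumerate the public keys the token
# exposes (ssh-keygen -D) and print one fingerprint line per key.
hsm_key_fingerprints() {
    lib=$1
    check_pkcs11_lib "$lib" || return 1
    tmp=$(mktemp) || return 1
    if ! ssh-keygen -D "$lib" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "no public keys visible through $lib (check slot/partition and PIN)" >&2
        rm -f "$tmp"
        return 1
    fi
    ssh-keygen -lf "$tmp"   # prints bits, fingerprint, comment and type per key
    rm -f "$tmp"
}

# add_hosts_data USER HOST: build the -d argument in the documented form,
# with privatekeyfile=pkcs11: selecting the HSM-resident management key.
add_hosts_data() {
    printf 'hostname=%s,username=%s,privatekeyfile=pkcs11:' "$2" "$1"
}

# deploy_hosts_with_hsm USER HOST...: run add-hosts once per target host and
# stop at the first failure so a broken deployment is not silently skipped.
deploy_hosts_with_hsm() {
    user=$1
    shift
    for host in "$@"; do
        ssh-mgr-client add-hosts -d "$(add_hosts_data "$user" "$host")" || return 1
    done
}

# Typical use on a Key Manager Server (commented out so the file can be
# sourced for its functions):
#   lib=$(pick_pkcs11_lib) && hsm_key_fingerprints "$lib"
#   deploy_hosts_with_hsm root server.example.com db01.example.com
```

Run the fingerprint step on each Key Manager Server in turn: the same library path and the same set of keys should be reported everywhere, which confirms every server was enrolled as a client of the same HSM partition before the settings are applied in the GUI.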