Verifying Keys on the HSM Partition
This section describes how to verify that Key Manager is able to use keys from its HSM partition. The procedures described in this section are optional. These procedures may be performed on any Key Manager Server (after the Key Manager system and all the Key Manager Servers have been set up to use HSM).
To test that the HSM setup works as intended, verify that the key-generation tool on the Key Manager Server can read and decode the keys found on the HSM partition. This is done as follows:
- Provide the PIN code of the HSM partition to the Key Manager services by saving it to a file on the Key Manager Server. Create the file so that only the account running the verification can read it (for example, mode 0600) and keep it out of shared or world-readable directories.
  After you have created the PIN-code file, set the environment variable SSH_PKCS11_PINFILE to point to the file (replace hsm/pinfile with the path of the file containing the HSM-partition PIN code):
  # export SSH_PKCS11_PINFILE=hsm/pinfile
- Activate the sshmgr runtime environment to enable manual use of the Key Manager key-generation tool:
  # source /opt/sshmgr-runtime/bin/activate
- Finally, use the Key Manager key-generation tool to verify that the keys in the HSM partition can be read:
  # /opt/sshmgr-runtime/bin/ssh-keygen -D /usr/lunasa/lib/libCryptoki2_64.so
  The command should output the public-key data of the keys in the HSM partition. If it prints no keys or reports an error from the PKCS#11 library, check that the PIN-code file is correct and readable by the current user and that the library path matches your HSM client installation.
Delete the PIN-code file as soon as you have completed the verification; the partition PIN must not remain on disk.
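The steps above, collected into one script that keeps the partition PIN short-lived and readable only by the invoking user. This is an added example, not a script shipped with Key Manager or taken from its documentation: the environment variable SSH_PKCS11_PINFILE, the activate script and the ssh-keygen and libCryptoki2_64.so paths are the ones quoted on this page; the use of mktemp, the shred fallback, the RUN_HSM_CHECK gate, reading the PIN from standard input and the exit-code convention are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Key Manager documentation: runs the HSM key
# verification described above while keeping the partition PIN on disk only for
# the duration of the check. Paths below default to the ones quoted on the page
# and can be overridden through the environment.

PKCS11_LIB="${PKCS11_LIB:-/usr/lunasa/lib/libCryptoki2_64.so}"
RUNTIME_DIR="${RUNTIME_DIR:-/opt/sshmgr-runtime}"

# Write the PIN to a new file readable only by the current user and print its
# path. The body is a subshell so the restrictive umask does not leak out.
# The file holds the PIN as a single line (assumed format).
create_pinfile() (
    umask 077
    pinfile="$(mktemp "${TMPDIR:-/tmp}/hsm-pin.XXXXXX")" || exit 1
    printf '%s\n' "$1" > "$pinfile" || exit 1
    printf '%s\n' "$pinfile"
)

# Octal permission bits of a file, e.g. "600" (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Overwrite and remove the PIN file. Safe to call when the file is already gone.
cleanup_pinfile() {
    [ -n "$1" ] && [ -f "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        : > "$1"          # truncate, then unlink, where shred is unavailable
        rm -f "$1"
    fi
}

# Run the page's verification command against the PKCS#11 library.
# Exit status: 2 if the PIN file, the HSM client library or the sshmgr runtime
# is missing on this host (nothing to verify), otherwise ssh-keygen's status.
# The body is a subshell so the sourced activate script and the exported
# PIN-file variable do not remain in the caller's environment.
verify_hsm_keys() (
    pinfile="$1"
    [ -r "$pinfile" ]    || { echo "PIN file not readable: $pinfile" >&2; exit 2; }
    [ -r "$PKCS11_LIB" ] || { echo "PKCS#11 library not found: $PKCS11_LIB" >&2; exit 2; }
    [ -r "$RUNTIME_DIR/bin/activate" ] || { echo "sshmgr runtime not found under $RUNTIME_DIR" >&2; exit 2; }
    SSH_PKCS11_PINFILE="$pinfile"
    export SSH_PKCS11_PINFILE
    # shellcheck disable=SC1091
    . "$RUNTIME_DIR/bin/activate"
    exec "$RUNTIME_DIR/bin/ssh-keygen" -D "$PKCS11_LIB"
)

main() {
    # Read the PIN from stdin rather than taking it as an argument, so it does
    # not show up in the process list or the shell history.
    if [ -t 0 ]; then
        printf 'HSM partition PIN: ' >&2
        stty -echo
        read -r pin
        stty echo
        echo >&2
    else
        read -r pin
    fi
    [ -n "$pin" ] || { echo "empty PIN" >&2; return 1; }
    pinfile="$(create_pinfile "$pin")" || return 1
    unset pin
    # Remove the PIN file however the script ends, including Ctrl-C.
    trap 'cleanup_pinfile "$pinfile"' EXIT
    trap 'exit 130' INT TERM
    verify_hsm_keys "$pinfile"
}

# Run only when explicitly asked, so the functions can also be sourced or
# tested without touching the HSM.
if [ "${RUN_HSM_CHECK:-0}" = 1 ]; then
    main
fi
```

Run it as the same root account the page's commands use, for example `RUN_HSM_CHECK=1 sh verify_hsm_keys.sh`, and type the partition PIN at the prompt. Exit status 0 with public keys on standard output means the partition is usable; status 2 means the host is not set up for the check at all, which is worth distinguishing from a genuine PKCS#11 or PIN failure.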