Configuration

You must configure the Securosys HSM for integration with Secret Server. For an overview of the HSM configuration and the high-level configuration steps, see Primus HSM Configuration in the Securosys documentation.

This topic describes how to perform the following configuration steps:

  • Configure an HSM by using the PKCS#11 configuration file.

  • Connect to the HSM to extract and save the user secret.

Configuring Securosys HSM

To configure Securosys HSM:

  1. Open the PKCS#11 configuration file, primus.cfg, for editing.

    • The default location of the file in Windows is \Program Files\Securosys\PrimusP11\primus.cfg

    • The default location of the file in Linux is /usr/local/primus/etc/primus.cfg

  2. Configure one HSM by updating the host, port, and username. Remove the proxy_password.

    We recommend that you configure multiple high-availability (HA) clusters to allow for redundancy and load balancing. For details of HA cluster setup, see the Primus HSM User Guide.

  3. Use the ppin utility to connect to the HSM and extract and save the user's secret:

    1. Open a terminal as an administrator.

    2. Change the directory to the Primus PKCS#11 installation directory where the ppin utility is located.

      In Windows, you can find ppin at <Primus PKCS#11 installation directory>\ppin.exe. In Linux, you can find ppin at <Primus PKCS#11 installation directory>/bin/ppin.

    3. Type ppin -a -e <YOUR_USERNAME>

    4. Enter your setup password and the PKCS11 password.

      You can obtain the setup and the PKCS11 passwords from your HSM administrator.

The message "User has permanent secret configured" appears.