Configuration Using the RRO Stored in an HSM

This section briefly describes how to prepare the ActivID CMS credential provider for UniCERT UPI for use with an HSM. A Hardware Security Module (HSM) securely stores secret key material; HSMs are similar to large-capacity, multi-session smart cards, but unlike smart cards they are used mainly on the server side of a system.

Prerequisites: Install Java (either the Java Development Kit (JDK) 8 or 11) and add JAVA_HOME\bin to the PATH environment variable. JDK 17 is not supported for this configuration.

To use the RRO stored in an HSM, perform the following steps:

  1. Copy the hsmTool folder from <ActivID CMS distribution>\Tools\Verizon to the machine connecting to the HSM. The hsmTool is used for registering the RRO credential in the HSM.

  2. Edit the hsmOperatorRegistraton.properties file so that it describes your HSM and the certificate to be requested, as in the following sample file:

    # HSM information
    dll = C:\\Program Files (x86)\\nCipher\\nfast\\bin\\cknfast-64.dll
    slot = 0
    pin = activcard
     
    # Certificate information
    keyLength = 2048
    DN = cn=RRO121,ou=Engineering,o=ActivID,c=US
    keyAlias = RRO121
    certificateFile = RRO121.p7c
  3. Run the generateKeyPair.cmd file to generate a key pair in the HSM and a PKCS #10 certificate request (.p10 file).

  4. Copy the .p10 file to the CA. The Certificate Authority (CA) issues and manages security credentials and public keys for message encryption in a networked environment.

  5. Register the RRO using the .p10 file, with a profile whose Key Storage property is set to Hardware and whose Generation Site property is set to End Entity.

  6. Copy the .p7c certificate file to the machine connecting to the HSM.

  7. Run the importCertificate.cmd file to import the certificate into the HSM.
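Before running generateKeyPair.cmd in step 3 it is worth checking that the properties file from step 2 says what you think it says. The following is an added example, not part of ActivID CMS or hsmTool: it assumes the file follows java.util.Properties syntax (the doubled backslashes in the sample dll path suggest this, since a single backslash starts an escape sequence, so C:\...\nCipher would otherwise turn into a newline followed by Cipher), parses the constructed sample content embedded below, and applies checks that are my own assumptions rather than anything hsmTool enforces: a 2048-bit minimum key length, a cn attribute in the DN that matches keyAlias, a .dll library path, an integer slot, a .p7c certificate file, and a warning that the HSM PIN sits in the file in clear text.

```python
import re

# Constructed sample, copied from the properties file shown above.
SAMPLE = r"""
# HSM information
dll = C:\\Program Files (x86)\\nCipher\\nfast\\bin\\cknfast-64.dll
slot = 0
pin = activcard

# Certificate information
keyLength = 2048
DN = cn=RRO121,ou=Engineering,o=ActivID,c=US
keyAlias = RRO121
certificateFile = RRO121.p7c
"""

REQUIRED = ("dll", "slot", "pin", "keyLength", "DN", "keyAlias", "certificateFile")
_ESC = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def unescape(raw):
    # java.util.Properties rules: a doubled backslash is one literal backslash,
    # \n \t \r \f are control characters, \uXXXX is a code point, \x is x.
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 6 <= len(raw):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESC.get(nxt, nxt))
                i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_properties(text):
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # A line ending in an odd number of backslashes continues on the next line.
        while re.search(r"(?<!\\)(\\\\)*\\$", line) and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        # The key runs up to the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^\\=:\s])*)\s*[=:]?\s*(.*)$", line)
        props[unescape(m.group(1))] = unescape(m.group(2))
    return props


def parse_dn(dn):
    # Split 'cn=RRO121,ou=Engineering,...' on unescaped commas; attribute names lower-cased.
    rdns = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError("bad RDN %r" % part)
        k, v = part.split("=", 1)
        rdns[k.strip().lower()] = v.strip()
    return rdns


def check_properties(props):
    # Returns (errors, warnings); any error means the key pair should not be generated yet.
    errors, warnings = [], []
    for k in REQUIRED:
        if not props.get(k):
            errors.append("missing or empty property: " + k)
    if errors:
        return errors, warnings

    dll = props["dll"]
    if any(c in dll for c in "\n\t\r\f"):
        errors.append("dll path contains a control character: single backslashes in a "
                      ".properties value are escapes, so write the Windows path with \\\\")
    elif not dll.lower().endswith(".dll"):
        errors.append("dll does not point at a PKCS#11 library: " + dll)

    if not props["slot"].isdigit():
        errors.append("slot must be a non-negative integer, got %r" % props["slot"])

    try:
        bits = int(props["keyLength"])
    except ValueError:
        bits = 0
    if bits < 2048:  # assumed minimum for an RSA RRO key
        errors.append("keyLength %r is below the 2048-bit RSA minimum" % props["keyLength"])

    try:
        rdns = parse_dn(props["DN"])
    except ValueError as e:
        rdns = {}
        errors.append("DN is not a valid comma-separated RDN list: %s" % e)
    if rdns and "cn" not in rdns:
        errors.append("DN has no cn attribute")
    elif rdns and rdns["cn"] != props["keyAlias"]:
        warnings.append("keyAlias %r differs from DN cn %r" % (props["keyAlias"], rdns["cn"]))

    if not props["certificateFile"].lower().endswith(".p7c"):
        errors.append("certificateFile should be the .p7c file returned by the CA")

    warnings.append("pin is stored in clear text; restrict read access to this file")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_properties(parse_properties(SAMPLE))
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Point the script at the real file instead of SAMPLE to use it; the most common mistake it catches is a dll path written with single backslashes, which the escape rules silently corrupt before hsmTool ever tries to load the PKCS#11 library.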