Accessing HSM Tokens from ActivID KMS/CMS

Depending upon how the AEP Keyper HSM was configured, it may expose one or more HSM tokens to ActivID KMS and ActivID CMS.

ActivID KMS forces the operator to select the HSM token to use during an ActivID KMS session when there is more than one token available. If there is only a single HSM token, that token is automatically selected. Each HSM token is identified by a slot ID number as well as a token name. To identity an HSM token, ActivID KMS displays both the slot ID and token name for each HSM token.

Important: The slot ID cannot be used as the unique identifier for an HSM that manages several tokens because the HSM re-orders the slot ID depending on the availability of tokens.

To choose the correct token, configure an ActivID CMS file, which includes either the recorder slot ID or token name. For example, for ActivID CMS for Windows, perform the following steps:

  1. Locate the cmsslot.ini file on the ActivID CMS distribution.

  2. In the <CMS_distribution>\HSM folder:

    • Copy the cmsslot.ini file to the Windows folder of your ActivID CMS server.

    • In the cmsslot.ini file specify either a TokenName or a SlotID (if the cmsslot.ini file is not found, ActivID CMS chooses to connect to the slot that has the fewer number of sessions).

      Note: If High Availability has been configured, the cmsslot.ini file must contain a reference to either a physical token or to a virtual token.

  3. Locate the %PROGRAMDATA%\HID Global\Credential Management System\Local Files\pkcs11.cfg file and add the following line:

    Copy 
    slot=xxxxxx

    where xxxxx is the SlotID.