Installation Procedure

1. Install the client software for each type of HSM. A Hardware Security Module (HSM) securely stores secret key material. HSMs are similar to large-storage, multi-session smart cards; unlike smart cards, however, they are used mainly on the server side of a system. For details, refer to the ActivID CMS Technical Note applicable to your HSM configuration.

2. Make sure that the HSM is accessible and functional.

3. Install ActivID KMS in a folder whose path contains no space characters (" "):

   1. Create a new directory on your hard drive.

   2. Copy the ActivID KMS directory from the ActivID CMS distribution into the directory you created in step 1. Then copy the principal.cfg and test.cfg files from the HSM directory of the ActivID CMS distribution into the local KMS directory.

      Important: This version of ActivID CMS supports FIPS (Federal Information Processing Standard) 140-2 Level 3 Entrust Datacard® (formerly Thales®) HSMs, which no longer support 2TDEA key generation and therefore cannot issue SCP01 profiles. As a result, the default configuration of the HSM directory delivered with this version was updated to be more secure: the SCP01 keys were removed, and a Legacy subdirectory was added that provides the definitions of the SCP01 keys (including 2TDEA keys).

      - For new ActivID CMS installations or upgrades that still require support for SCP01 profiles: use the LEGACY\Test.cfg and LEGACY\Principal.cfg files (provided in the .zip file) for HSM initialization on an HSM that is not FIPS 140-2 Level 3.
      - For new ActivID CMS installations or upgrades that support only SCP03 profiles: use the main Test.cfg and Principal.cfg files for HSM initialization.

      For more information about which devices support SCP01 and SCP03 profiles, refer to Device Profiles and Hardware Devices.

      The directory contains the:
      - ActivID KMS executable file (ackms.exe)
      - principal.cfg sample (for use when you create your own custom principal.cfg file)
      - test.cfg file containing the keys that ActivID KMS injects into the HSM during the Init Test HSM operation

   3. If using an Entrust Datacard (formerly Thales) nShield™ HSM, on the machine where ActivID KMS is installed:
      1. Go to System Properties > Advanced and then click Environment Variables.
      2. Under System variables, click Path, and then click Edit.
      3. Append the <nfast ROOT>\bin directory to the Path variable value (for example, C:\Program Files (x86)\nCipher\nfast\bin).

4. Depending on which HSM you are using, copy a specific DLL file to the local KMS directory. Select one of the following:

   - For SafeNet Luna, copy the cryptoki.dll file from the HSM installation directory (for example, C:\Program Files\SafeNet\LunaClient\) to the local KMS directory.

     Note: For SafeNet Luna SA HSM, you must have the 64-bit Luna SA HSM client software installed and correctly configured, so that the HSM partition that you are targeting is visible on your machine. For details about connecting a client machine to the HSM, refer to the SafeNet Luna SA HSM documentation.

   - For Entrust Datacard (formerly Thales) nShield Connect:
     1. Copy the PKCS #11 cknfast-64.dll file from the <nfast ROOT>\toolkits\pkcs11 directory of the HSM installation directory to the local KMS directory.
     2. Modify or create the cknfastrc file in the <nfast ROOT> directory of the HSM installation directory (for example, C:\Program Files (x86)\nCipher\nfast) to turn off the view of the accelerator slot and disable the security assurance mechanisms. To modify the file, add the following lines:

        CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys;unwrap_mech;unwrap_kek;explicitness
        CKNFAST_NO_ACCELERATOR_SLOTS=1

        Note: Make sure that the cknfastrc configuration file (located in C:\Program Files (x86)\nCipher\nfast\cknfastrc) contains only the above lines.

   - For AEP Keyper, copy the ap220w64HSM.dll file from the HSM installation directory (for example, C:\Program Files\AEP\) or from C:\Windows\System32 to the local KMS directory.

When you finish step 4, ActivID KMS installation is complete.
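The following pre-flight checker is an added example, not part of the ActivID CMS product or its documentation. It encodes the requirements of steps 3 and 4 for the nShield Connect case so they can be verified before running ackms.exe: the KMS directory path contains no spaces, the expected files (including cknfast-64.dll) are present, cknfastrc contains exactly the two lines above and nothing else, and <nfast ROOT>\bin is on the Path. The check on cknfastrc matters because CKNFAST_OVERRIDE_SECURITY_ASSURANCES relaxes the nShield PKCS #11 security assurance checks, so any drift in that file (an extra override, a changed value) is worth catching. All paths, Path values and file contents used in the demo are constructed; the on-disk helper reads the real files only when you point it at them.

```python
"""Pre-flight checker for an ActivID KMS + nShield Connect install directory.

Added example (not product code). Inputs in the __main__ demo are constructed.
"""
import os
from pathlib import Path

# The only two settings the procedure allows in cknfastrc. The first one switches
# off nShield's security assurance checks, so any other value should be reviewed.
EXPECTED_CKNFASTRC = {
    "CKNFAST_OVERRIDE_SECURITY_ASSURANCES": "tokenkeys;unwrap_mech;unwrap_kek;explicitness",
    "CKNFAST_NO_ACCELERATOR_SLOTS": "1",
}

# Files the local KMS directory must contain after steps 3 and 4 (nShield case).
REQUIRED_KMS_FILES = ("ackms.exe", "principal.cfg", "test.cfg", "cknfast-64.dll")


def parse_cknfastrc(text):
    """Parse KEY=VALUE lines into a dict; any other non-blank line is an error."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not a KEY=VALUE setting: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_cknfastrc(text):
    """Return findings; an empty list means the file matches the procedure exactly."""
    try:
        settings = parse_cknfastrc(text)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    for key, expected in EXPECTED_CKNFASTRC.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"missing {key}")
        elif actual != expected:
            findings.append(f"{key} is {actual!r}, expected {expected!r}")
    findings.extend(f"unexpected setting {k}" for k in settings if k not in EXPECTED_CKNFASTRC)
    return findings


def check_kms_dir(kms_dir, present_files):
    """Check the KMS directory path has no spaces and the required files are present.

    present_files is the list of file names found in kms_dir (passed in so the
    check can run against constructed data as well as a real directory listing).
    """
    findings = []
    if " " in kms_dir:
        findings.append(f"KMS directory path contains a space: {kms_dir!r}")
    names = {name.lower() for name in present_files}
    findings.extend(f"missing {f}" for f in REQUIRED_KMS_FILES if f.lower() not in names)
    return findings


def _norm_win_path(p):
    """Normalise a Windows path for comparison: slashes, trailing separator, case."""
    return p.strip().rstrip("\\/").replace("/", "\\").casefold()


def check_path_env(path_value, nfast_root):
    """True if <nfast ROOT>\\bin is one of the ';'-separated entries of a Path value."""
    wanted = _norm_win_path(nfast_root) + "\\bin"
    return any(_norm_win_path(e) == wanted for e in path_value.split(";") if e.strip())


def run_checks(kms_dir, present_files, cknfastrc_text, path_value, nfast_root):
    """Aggregate every finding for an nShield-based KMS install; [] means all good."""
    findings = check_kms_dir(kms_dir, present_files)
    findings += [f"cknfastrc: {f}" for f in check_cknfastrc(cknfastrc_text)]
    if not check_path_env(path_value, nfast_root):
        findings.append(f"Path does not contain {nfast_root}\\bin")
    return findings


def check_install_on_disk(kms_dir, nfast_root):
    """Run the checks against the real machine (Windows): lists kms_dir, reads cknfastrc."""
    present = [p.name for p in Path(kms_dir).iterdir() if p.is_file()]
    rc_text = Path(nfast_root, "cknfastrc").read_text(encoding="utf-8")
    return run_checks(kms_dir, present, rc_text, os.environ.get("PATH", ""), nfast_root)


if __name__ == "__main__":
    # Constructed demo data: a good install and one with the typical mistakes.
    root = r"C:\Program Files (x86)\nCipher\nfast"
    good_rc = "\n".join(f"{k}={v}" for k, v in EXPECTED_CKNFASTRC.items()) + "\n"
    print(run_checks(r"C:\ActivID\KMS", list(REQUIRED_KMS_FILES), good_rc,
                     r"C:\Windows\system32;" + root + r"\bin", root))
    print(run_checks(r"C:\Program Files\KMS", ["ackms.exe"],
                     "CKNFAST_NO_ACCELERATOR_SLOTS=1\n", r"C:\Windows\system32", root))
```

On the real machine you would call check_install_on_disk with the local KMS directory and <nfast ROOT>; an empty list means steps 3 and 4 are complete for nShield. Keys are compared exactly, so a cknfastrc that carries an extra override beyond the documented value is reported rather than silently accepted.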