AEP Keyper Specific Information
This section describes installation considerations for the AEP Keyper Hardware Security Module (HSM). The Keyper HSM integrates with Validation Authority over a network interface and requires no hardware modifications to the Validation Authority server.
Install the AEP Keyper HSM
Define the following environment variable as a SYSTEM variable:
KEYPER_LIBRARY_PATH
For example:
To install and configure the Keyper HSM software, follow the instructions in the Installation Guide for SureWare Keyper with PKCS11. After the HSM has been installed and is operating, install Validation Authority.
Install and Configure HSM Support on Validation Authority
If you are reconfiguring Validation Authority to use the AEP Keyper HSM after the initial installation and configuration, then you must copy the following file from the Keyper installation directory:
- For Windows: The 32-bit library is named bp201w32HSM.dll. The 64-bit library is named ap220w64HSM.dll.
- For Linux: <Keyper installation directory>/pkcs11.so
- Install Validation Authority. See section Installing Validation Authority for Windows or Installing Validation Authority for Linux.
- When prompted for Install support for HSM, browse to the location of bp201w32HSM.dll (or ap220w64HSM.dll for a 64-bit AEP client) on Windows, or pkcs11.so on Linux.
  The installer copies the appropriate file into the Validation Authority library directories server\WEB-INF\lib and setup\server\WEB-INF\lib.
- Continue with the remaining Validation Authority installation steps and begin the Validation Authority configuration as described in sections Configure Validation Authority for Automatic Start-Up and Shut Down for Windows and Configure Validation Authority for Automatic Start-Up and Shut Down for Linux.
- When you are prompted to configure the Keystore, select the AEP Keyper Plus option.
- Select the Use an Oracle SunJCE keystore for SSL Key option if you want to store the SSL keys in an Oracle SunJCE keystore. The other keys will be stored in the keystore associated with the provider you selected.
- Select the Regenerate Keys option if you want to create new keys. The Validation Authority Configuration utility will create a new set of security keys that are protected by the AEP Keyper HSM. For more information on how to regenerate keys, see section Configuring the Keystore.
- Click Next, and continue with the Validation Authority configuration.
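The following check is an added example, not part of the vendor documentation: on Linux, it confirms that the pkcs11.so copied into both Validation Authority library directories is byte-identical to the one in the Keyper installation directory and is not group- or world-writable. The function name, its two directory arguments, and the assumption that the copies keep the name pkcs11.so under server/WEB-INF/lib and setup/server/WEB-INF/lib are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed, hypothetical inputs:
#   $1 = Keyper installation directory, $2 = Validation Authority install root.
# Assumes the installer keeps the file name pkcs11.so in both lib directories.
# Returns 0 = both copies match, 1 = missing/mismatch/writable, 2 = no source.
check_keyper_lib() {
    kl_src="$1/pkcs11.so"
    kl_rc=0
    # The page requires this variable to be defined; its value is not checked here.
    [ -n "${KEYPER_LIBRARY_PATH:-}" ] || echo "WARN     KEYPER_LIBRARY_PATH is not set" >&2
    if [ ! -f "$kl_src" ]; then
        echo "NOSOURCE $kl_src" >&2
        return 2
    fi
    kl_want=$(sha256sum "$kl_src" | cut -d' ' -f1)
    for kl_dir in server/WEB-INF/lib setup/server/WEB-INF/lib; do
        kl_copy="$2/$kl_dir/pkcs11.so"
        if [ ! -f "$kl_copy" ]; then
            echo "MISSING  $kl_copy"; kl_rc=1; continue
        fi
        kl_got=$(sha256sum "$kl_copy" | cut -d' ' -f1)
        if [ "$kl_got" != "$kl_want" ]; then
            echo "MISMATCH $kl_copy"; kl_rc=1; continue
        fi
        # A module that other accounts can rewrite could be swapped after this check.
        if [ -n "$(find "$kl_copy" \( -perm -002 -o -perm -020 \) -print)" ]; then
            echo "WRITABLE $kl_copy"; kl_rc=1; continue
        fi
        echo "OK       $kl_copy"
    done
    return "$kl_rc"
}

# Run the check when called with both directories as arguments.
if [ "$#" -eq 2 ]; then
    check_keyper_lib "$1" "$2"
fi
```

Run it as the account that owns the Validation Authority installation, and again after any HSM client upgrade, since a replaced library in only one of the two directories shows up as MISMATCH.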