Using Hardware Security Modules With Subsystems - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual


Chapter 12. Managing Tokens
has to be able to create certificates and keys on the slot with default nicknames. If not properly
cleaned up, the names of these objects may collide with previous instances.
• Before restarting the server when completing the configuration wizard, do the following:
1. Stop the server.
2. Edit the server.xml file. Add the HSM token name to the serverCert parameter. For example:
serverCert="lunasa2-ca:Server-Cert cert-rhpki-ca instanceID
3. Start the server.

12.2. Using Hardware Security Modules with Subsystems

The Certificate System supports two hardware security modules (HSMs), nCipher netHSM and
SafeNet's LunaSA. For the Certificate System to use an HSM, the hardware must be installed
according to the manufacturer's installation and configuration procedures before you begin
configuring the Certificate System. Supported HSMs are added automatically to the secmod.db
database with modutil during the pre-configuration stage of the installation, provided the
PKCS #11 library modules are in the default installation paths.
During configuration, the Key Store panel displays the supported modules, along with the NSS
internal software PKCS #11 module. Every supported module that is detected shows a status of
Found and is individually marked as either Logged in or Not logged in. If a token is found but not
logged in, you can log in using the Login option under Operations. If the administrator logs into
a token successfully, the password is stored in a configuration file. At the next start or restart of the
Certificate System instance, the passwords in the password store are used to attempt a login to each
corresponding token.
Administrators are allowed to select any of the tokens that are logged in as the default token, which is
used to generate system keys.
When an HSM is selected as the default token, the following parameters are set in the CS.cfg file to
configure the HSM:
#RHCS supported modules
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/mozilla.png
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module1.imagePath=../img/ncipher.png
preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
preop.configModules.module2.commonName=lunasa
preop.configModules.module2.imagePath=../img/safenet.png
preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
#selected token
preop.module.token=Internal Key Storage Token
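As an added example (not from the manual or the Certificate System code), a small Python audit of the CS.cfg keys above: it parses the properties file, lists the hardware modules from the preop.configModules entries, reports whether preop.module.token still names the internal NSS software token (so system keys would not be generated on the HSM), and offers a mode-bit check for the password store. The sample CS.cfg text is constructed, and the permission check is an assumption about how the password file should be protected, not a requirement stated by the manual.

```python
import re
import stat

# Constructed sample that mirrors the CS.cfg keys shown above; not a real CS.cfg.
SAMPLE_CS_CFG = """\
#RHCS supported modules
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
preop.configModules.module2.commonName=lunasa
preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
#selected token
preop.module.token=Internal Key Storage Token
"""

NSS_INTERNAL_MODULE = "NSS Internal PKCS #11 Module"
INTERNAL_TOKEN = "Internal Key Storage Token"
MODULE_KEY = re.compile(r"^preop\.configModules\.module(\d+)\.(\w+)$")


def parse_cs_cfg(text):
    """Parse key=value properties; lines starting with '#' are comments.
    Only the first '=' splits, so values may contain '=' or '#' (e.g. 'PKCS #11')."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def hsm_module_names(cfg):
    """commonName of each configured hardware module, in module index order."""
    modules = {}
    for key, value in cfg.items():
        m = MODULE_KEY.match(key)
        if m and m.group(2) == "commonName":
            modules[int(m.group(1))] = value
    return [modules[i] for i in sorted(modules) if modules[i] != NSS_INTERNAL_MODULE]


def default_token_is_internal(cfg):
    """True when preop.module.token still selects the NSS software token."""
    return cfg.get("preop.module.token") == INTERNAL_TOKEN


def mode_is_private(mode):
    """True if the file mode grants no access to group or others (for password.conf)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Pass the st_mode of the instance's password.conf to mode_is_private to flag a password store readable by other accounts.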
In addition, the following parameter is set in the password.conf for the HSM password: