

Changing HSM Configurations

This appendix lists the steps that you must perform, if you want to change the Hardware Security Module (HSM) configurations that you have specified during installation.

Note: Before proceeding with the configurations explained in this section, ensure that you have set up the HSM server and client, and generated the 3DES key in the HSM. Refer to "(Optional, Only If You are Using HSMs) Requirements for HSM" for more information.

As mentioned in "Hardware Security Module (HSM) Requirements", AuthMinder now supports Hardware Security Module (HSM) to secure your data. If you choose to encrypt the data using HSM, then the data stored in the database is encrypted with the key that resides in the HSM.

AuthMinder supports Luna and nCipher netHSM for data encryption using hardware. The configurations for the HSMs are available in the arcotcommon.ini file. This file provides separate sections for configuring the required HSM, which in the current release are:

Based on the HSM you are configuring, you must specify the sharedLibrary parameter in the corresponding section. After specifying the HSM information, you must then re-create the securestore.enc file with the HSM key label, initialize the HSM, and then initialize AuthMinder to use the HSM key.

To change the HSM information that AuthMinder needs:

  1. Navigate to the following location:
    <install_location>/arcot/conf
    
  2. Take a backup of securestore.enc.
  3. Delete the existing securestore.enc file from <install_location>/arcot/conf.
  4. To change the HSM information that AuthMinder needs:
    1. Navigate to the following location:
      <install_location>/arcot/conf
      
    2. Open arcotcommon.ini in a text editor.
    3. Ensure the HSMDevice parameter in the [arcot/crypto/device] section is set to the HSM that you plan to use:
      • chrysalis for Luna HSM, or
      • nfast for nCipher netHSM.
    4. Depending on the HSM that you are configuring, set the sharedLibrary parameter to the location where the HSM library file is located.

      For Luna (libCryptoki2.so) and for nCipher netHSM (libcknfast.so), enter the absolute path and full name of the file.

      Note: Refer to "arcotcommon.ini" for more information on the other HSM configuration parameters available in this section.

    5. Save and close the arcotcommon.ini file.
  5. Navigate to the following location, where the DBUtil tool is available:
    <install_location>/arcot/tools/<platform_name>
    
  6. Run the DBUtil tool with the following commands:
    1. dbutil -init <HSM_key_label>

      Note: The <HSM_key_label> corresponds to the 3DES key that resides in the HSM.

      The preceding command creates a new securestore.enc file with the specified key label. The generated file is stored in the <install_location>/arcot/conf location.

    2. dbutil -i <HSM_module_name> <HSM_password>

      Note: The <HSM_module_name> is chrysalis for Luna HSM, and nfast for nCipher netHSM.

      The preceding command initializes the HSM.

    3. dbutil -pi <DSN_Name> <Database_password> -h <HSM_password> -d <HSM_module_name>

      Note: <DSN_Name> refers to the ODBC DSN that AuthMinder Server uses to connect to the AuthMinder database. <Database_password> refers to the password used to connect to the database.

      The preceding command initializes the AuthMinder Server data to be encrypted using HSM.

    4. dbutil -pi <Database_Username> <Database_password> -h <HSM_password> -d <HSM_module_name>

      Note: <Database_Username> refers to the user name used to connect to the AuthMinder database. The database user name is case-sensitive, therefore ensure that you provide the correct value. <Database_password> refers to the password used to connect to the database.

      The preceding command initializes the Administration Console and the User Data Service data to be encrypted by using HSM.
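The following pre-flight check is an added example written for this appendix; it is not part of AuthMinder or its DBUtil tool. It reads the [arcot/crypto/device] section of arcotcommon.ini and verifies, before you run dbutil -init, that HSMDevice is chrysalis or nfast and that sharedLibrary is an absolute path ending in the library file named above for that device (libCryptoki2.so for Luna, libcknfast.so for nCipher netHSM). The sample ini and its /opt/luna path are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check, not part of AuthMinder or its DBUtil tool: validates the
# [arcot/crypto/device] section of arcotcommon.ini before securestore.enc is
# recreated with "dbutil -init". Section, parameter and library names are the
# ones the appendix gives; the sample file and its path are constructed.

# ini_get FILE SECTION KEY : print KEY's value from [SECTION], empty if absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); insec = (line == sec); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# check_hsm_config INI [yes] : return 0 if HSMDevice and sharedLibrary are
# consistent, otherwise print the problem and return 1. Pass "yes" as the
# second argument to also require the library file to exist on this host.
check_hsm_config() {
    dev=$(ini_get "$1" "arcot/crypto/device" "HSMDevice")
    lib=$(ini_get "$1" "arcot/crypto/device" "sharedLibrary")
    case "$dev" in
        chrysalis) want=libCryptoki2.so ;;   # Luna HSM
        nfast)     want=libcknfast.so ;;     # nCipher netHSM
        *) echo "HSMDevice must be chrysalis or nfast (got '$dev')"; return 1 ;;
    esac
    case "$lib" in
        /*) ;;   # absolute path and full file name, as the appendix requires
        *)  echo "sharedLibrary must be an absolute path (got '$lib')"; return 1 ;;
    esac
    [ "$(basename "$lib")" = "$want" ] ||
        { echo "sharedLibrary for $dev should be $want, not $(basename "$lib")"; return 1; }
    if [ "${2:-no}" = "yes" ] && [ ! -f "$lib" ]; then
        echo "sharedLibrary file not found: $lib"; return 1
    fi
    return 0
}

# Constructed sample arcotcommon.ini fragment (temporary file, not a real install).
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[arcot/crypto/device]
HSMDevice=chrysalis
sharedLibrary=/opt/luna/lib/libCryptoki2.so
EOF

check_hsm_config "$SAMPLE_INI" && echo "HSM configuration looks consistent"
```

Run it against the real <install_location>/arcot/conf/arcotcommon.ini with "yes" as the second argument on the AuthMinder host, so a mismatched device name or a missing library is caught before the old securestore.enc is deleted.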