Configure Utimaco CryptoServer

This tutorial describes how to integrate a Utimaco CryptoServer HSM with the platform so that it manages the cryptographic keys for device profiles that require management of issuer security domain keys.

Prerequisites

  • A Utimaco CryptoServer HSM must be installed and reachable over the network from the Unifyia platform.
  • You must have admin access to the Unifyia platform.
  • A user with the Cryptographic User profile for the CXI interface must be created in the HSM.
  • The user must be a member of a group under the CXI_GROUP attribute.
  • The following details of the Utimaco CryptoServer HSM are required:
    • IP Address/Host Name
    • Port Number
    • Credentials to access the HSM
    • Group

Configuration Steps

Follow the steps below to configure the Utimaco CryptoServer HSM.

  1. Log into the platform with administrator credentials.
  2. Navigate to Integrations > HSM.
  3. Select + Add HSM. The ADD HSM page is displayed.
  4. Enter the following details:
    1. HSM type: Select Utimaco CryptoServer from the drop-down list.
    2. Name: Enter a name for the HSM.
    3. Display Name: Enter the display name or a common name for this HSM.
    4. Description: Enter a brief description of this HSM integration.
    5. IP Address/Host Name: Provide the IP address or Host Name of the HSM server in the network.
    6. Port: Specify the port number used to establish a connection with the HSM server.
    7. Username: Enter the username to connect to the HSM.
    8. Authentication Mechanism: Select the mechanism that was configured for this user in the HSM. Three mechanisms are supported:
      1. Password (HMAC): Enter the user's CryptoServer password.
      2. Keyfile (RSA Signature): Upload the RSA keyfile that was generated for the user when the user was created in the HSM. The keyfile contains the user's private key, so protect it like a password.
      3. Keyfile (ECDSA Signature): Upload the ECDSA keyfile that was generated for the user when the user was created in the HSM. The same protection applies.
    9. Group: Enter the name of the group that the user belongs to under the CXI_GROUP membership attribute in the HSM.
    10. Encrypt Password: Enable this option if the keyfile was encrypted when it was generated. It applies only to the keyfile mechanisms.
    11. Password: Enter the password that decrypts the encrypted keyfile. Required only when Encrypt Password is enabled.
    12. Connection Timeout: The maximum time, in milliseconds, that the platform waits to establish a connection with the HSM server. The recommended minimum is 5000 ms.
    13. To check if the configuration is successful, select Test Configuration.
    14. After a successful test, select Save.
    15. After the save, a tenant key (AES-256) is generated. It is used to encrypt the manufacturer factory keys when the Enable Factory Reset option is active for a device profile. The key label has the format tenant_encryption_key_{organizationName}_hsm_{hsmName}.

    You have successfully integrated the Utimaco CryptoServer.
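The ADD HSM form fields have dependencies on each other (the credential that is required depends on the authentication mechanism, the decrypt password only matters when Encrypt Password is enabled, and the timeout has a recommended floor) that usually only surface when Test Configuration fails. The following Python script is an added example and is not part of the Unifyia platform or of Utimaco's software. It encodes those dependencies from the steps above as a pre-flight check, derives the tenant key label from the format given in step 15, and can probe TCP reachability of the HSM with the same millisecond timeout the form uses. The HsmConfig class, its field names, check_reachable() and the sample values are this example's own assumptions, not product APIs.

```python
"""Pre-flight checks for a Unifyia -> Utimaco CryptoServer HSM integration.

Added example; not part of the Unifyia platform or Utimaco's software.
HsmConfig, its field names, check_reachable() and all sample values are
this example's own assumptions.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional

# Authentication mechanisms offered by the ADD HSM form.
PASSWORD_HMAC = "Password (HMAC)"
KEYFILE_RSA = "Keyfile (RSA Signature)"
KEYFILE_ECDSA = "Keyfile (ECDSA Signature)"
KEYFILE_MECHANISMS = {KEYFILE_RSA, KEYFILE_ECDSA}

# Recommended minimum for the Connection Timeout field (milliseconds).
RECOMMENDED_MIN_TIMEOUT_MS = 5000


@dataclass
class HsmConfig:
    """Mirror of the ADD HSM form (hypothetical structure, not a product API)."""
    name: str
    host: str                                  # IP Address/Host Name
    port: int
    username: str
    auth_mechanism: str
    group: str                                 # CXI_GROUP membership
    hmac_password: Optional[str] = None        # Password (HMAC)
    keyfile: Optional[bytes] = None            # uploaded keyfile contents
    encrypt_password: bool = False             # keyfile was encrypted at generation
    keyfile_password: Optional[str] = None     # Password that decrypts the keyfile
    connection_timeout_ms: int = RECOMMENDED_MIN_TIMEOUT_MS


def validate_hsm_config(cfg: HsmConfig) -> List[str]:
    """Return the list of problems; an empty list means the form is consistent."""
    problems: List[str] = []

    # Fields that are required regardless of mechanism.
    for label, value in (("Name", cfg.name), ("IP Address/Host Name", cfg.host),
                         ("Username", cfg.username), ("Group", cfg.group)):
        if not value or not value.strip():
            problems.append(f"{label} is required")
    if not 1 <= cfg.port <= 65535:
        problems.append(f"Port {cfg.port} is not a valid TCP port")

    # Credential fields depend on the selected authentication mechanism.
    if cfg.auth_mechanism == PASSWORD_HMAC:
        if not cfg.hmac_password:
            problems.append("Password (HMAC) requires the user's CryptoServer password")
        if cfg.keyfile or cfg.encrypt_password or cfg.keyfile_password:
            problems.append("Keyfile, Encrypt Password and Password apply only to keyfile mechanisms")
    elif cfg.auth_mechanism in KEYFILE_MECHANISMS:
        if not cfg.keyfile:
            problems.append(f"{cfg.auth_mechanism} requires the keyfile generated for the user")
        if cfg.encrypt_password and not cfg.keyfile_password:
            problems.append("Encrypt Password is enabled but no decrypt Password was provided")
    else:
        problems.append(f"Unknown authentication mechanism: {cfg.auth_mechanism!r}")

    if cfg.connection_timeout_ms < RECOMMENDED_MIN_TIMEOUT_MS:
        problems.append(f"Connection Timeout {cfg.connection_timeout_ms} ms is below the "
                        f"recommended minimum of {RECOMMENDED_MIN_TIMEOUT_MS} ms")
    return problems


def tenant_key_label(organization_name: str, hsm_name: str) -> str:
    """Label of the AES-256 tenant key created after Save (format from the tutorial)."""
    return f"tenant_encryption_key_{organization_name}_hsm_{hsm_name}"


def check_reachable(host: str, port: int, timeout_ms: int) -> bool:
    """TCP reachability probe using the form's millisecond timeout (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout_ms / 1000.0):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values; replace with your own HSM details.
    cfg = HsmConfig(name="hsm-01", host="10.0.0.5", port=288, username="cxiuser",
                    auth_mechanism=KEYFILE_RSA, group="TENANT_A",
                    keyfile=b"<keyfile bytes>", encrypt_password=True,
                    connection_timeout_ms=3000)
    for problem in validate_hsm_config(cfg) or ["configuration is consistent"]:
        print(problem)
    print(tenant_key_label("AcmeCorp", cfg.name))
```

Run the validator before pressing Test Configuration; the reachability probe is kept separate because a refused connection can also mean a firewall rule rather than a form error, and the probe only confirms that the port answers, not that the credentials or CXI_GROUP membership are correct.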