Utimaco
Prerequisites
- The Utimaco HSM device setup should be available.
- HSM slot initialization and crypto user credential creation should be done.
- Communication between the HSM and the AppViewX nodes (in the case of AppViewX Onprem) or the cloud connector (in the case of AppViewX SaaS) should be available to integrate with AppViewX. The port details are as follows:
  - Port 443: HTTPS access for secure web-based management interfaces.
  - Port 9004: Typically used for the Utimaco SecurityServer Se50/Se100 for administration and key management.
  - Port 9006: Used for key management operations and cryptographic service access.
- The slot ID and partition password from the Utimaco device should be available to use in AppViewX.
- The cs_pkcs11_R2.cfg and pkcs11_Utimaco.so files should be available; a sample format of a cfg file is available here.
Integrating the Utimaco HSM with AppViewX Onprem
- Log in to the AppViewX server on which AppViewX is installed.
- From the command line interface, navigate to the properties folder path: {APPVIEWX_INSTALLATION_PATH}/appviewx_dependencies/properties
- Open the hsm file using the following command:
    vi hsm
- Check and confirm that the hsm file has the following lines. If they are commented out, uncomment them:
    export CS_PKCS11_R2_CFG=/appviewx/dependencies/hsm/utimaco/cs_pkcs11_R2.cfg
    echo "UTIMACO Config Path : $CS_PKCS11_R2_CFG"
- If the file is edited, restart the avx-platform-hsm pod using the following commands:
    kubectl get pods -n <namespace>
    kubectl delete pods -n <namespace> <PodName>
- Log in to the AppViewX UI using valid credentials.
  The Dashboard page is displayed by default.
- On the HSM page, click Add HSM, and then from the navigation pane on the left, select Utimaco.
  The HSM > Add page is updated to display the fields required to integrate Utimaco with AppViewX.
- To integrate the Utimaco HSM device with AppViewX, get the following details from the HSM device.
- In the General Information section, enter/select the required field information.
  Table 1. Field descriptions for General Information
  - *Name: Enter a name for this integration.
  - Description: Enter a description for the integration.
  - Implementation type: Select an implementation type from the following options:
    - CSR generation
    - Master key encryption
      - Click Proceed.
      - To confirm this action, enable the Master Key Encryption settings under HSM inventory > Settings.
    - Both
  - *Data center: From the dropdown list of applicable values, select the required data center. Note: The data center selected here is used to map the AppViewX Cloud Connector for this integration.
  * : Mandatory fields
- In the Vendor specific details section, enter/select the required field information.
  Table 2. Field descriptions for Vendor specific details
  - *Slot Id: Unique identification number of the slot in the HSM, used to communicate with the end HSM device.
  - *Partition password: Password of the HSM partition for the specific slot mentioned above.
  - *Key handler name: A reference name to create a Master Encryption key in HSM. This enables us to pick the right MEK for crypto operations over KEK.
  - *So File: The SO file is used to facilitate the communication between the HSM and AppViewX. To upload the .so file:
    - Click Browse.
    - Navigate to the location of the .so file.
    - Select the .so file, and click Open.
  - *Config file: The Config file is used to facilitate the communication between the HSM and AppViewX. To upload the .conf file:
    - Click Browse.
    - Navigate to the location of the .conf file.
    - Select the .conf file, and click Open.
  * : Mandatory fields
- Click Save.
- Scroll to the end of this page to view the table, or navigate to HSM inventory to view the HSM status. If the HSM has been configured correctly, the status for the HSM will be set to Available after checking the encryption and decryption logic. If the Status is Not Available:
  - Check the installation path for the HSM.
  - Ensure that all required permissions have been enabled.
  - Go to Logs > Logging :: All. Search with HSM and see the Log message.
- If the implementation type is CSR Generation, refer to the Cert+ User Guide for steps on how to generate a CSR.
Integrating the Utimaco HSM with AppViewX SaaS
- Log in to the AppViewX server on which the Cloud Connector is installed.
- From the command line interface, navigate to the properties folder path: {CC_INSTALLATION_PATH}/deps/properties
- Open the hsm file using the following command:
    vi hsm
- Check and confirm that the hsm file has the following lines. If they are commented out, uncomment them:
    export CS_PKCS11_R2_CFG=/appviewx/dependencies/external_libs/hsm/utimaco/cs_pkcs11_R2.cfg
    echo "UTIMACO Config Path : $CS_PKCS11_R2_CFG"
- If the file is edited, restart the avx-mid-server-platform pod using the following commands:
    kubectl get pods -n <namespace>
    kubectl delete pods -n <namespace> <PodName>
- Log in to the AppViewX UI using valid credentials.
  The Dashboard page is displayed by default.
- On the HSM page, click Add HSM, and then from the navigation pane on the left, select Utimaco.
  The HSM > Add page is updated to display the fields required to integrate Utimaco with AppViewX.
- To integrate the Utimaco HSM device with AppViewX, get the following details from the HSM device.
- In the General Information section, enter/select the required field information.
  Table 3. Field descriptions for General Information
  - *Name: Enter a name for this integration.
  - Description: Enter a description for the integration.
  - Implementation type: Select an implementation type from the following options:
    - CSR generation
    - Master key encryption
    - Both
  - *Data center: From the dropdown list of applicable values, select the required data center. Note: The data center selected here is used to map the AppViewX Cloud Connector for this integration.
  * : Mandatory fields
- In the Vendor specific details section, enter/select the required field information.
  Table 4. Field descriptions for Vendor specific details
  - *Slot Id: Unique identification number of the slot in the HSM, used to communicate with the end HSM device.
  - *Partition password: Password of the HSM partition for the specific slot mentioned above.
  - *Key handler name: A reference name to create a Master Encryption key in HSM. This enables us to pick the right MEK for crypto operations over KEK.
  - *So File: The SO file is used to facilitate the communication between the HSM and AppViewX. To upload the .so file:
    - Click Browse.
    - Navigate to the location of the .so file.
    - Select the .so file, and click Open.
  - *Config file: The Config file is used to facilitate the communication between the HSM and AppViewX. To upload the .conf file:
    - Click Browse.
    - Navigate to the location of the .conf file.
    - Select the .conf file, and click Open.
  * : Mandatory fields
- Click Save.
- Scroll to the end of this page to view the table, or navigate to HSM inventory to view the HSM status. If the HSM has been configured correctly, the status for the HSM will be set to Available after checking the encryption and decryption logic. If the Status is Not Available:
  - Check the installation path for the HSM.
  - Ensure that all required permissions have been enabled.
  - Go to Logs > Logging :: All. Search with HSM and see the Log message.
- If the implementation type is CSR Generation, refer to the Cert+ User Guide for steps on how to generate a CSR.
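
A pre-flight check for the hsm properties file edited in both the Onprem and SaaS procedures, useful before restarting the pod or when the status shows Not Available. This is an added example, not AppViewX or Utimaco code; the function names and status words are this example's own, and it assumes the cfg path contains no whitespace.

```shell
#!/usr/bin/env bash
# Added example, not AppViewX or Utimaco code. Function names and status words
# are this example's own; only CS_PKCS11_R2_CFG comes from the page.

# Print the value of the last active (uncommented) CS_PKCS11_R2_CFG export.
active_cfg_value() {
  sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}CS_PKCS11_R2_CFG=//p' "$1" | tail -n 1
}

# check_hsm_props <path to the hsm properties file>
# Prints one status word; returns 0 only when the export points at a readable file.
check_hsm_props() {
  local props="$1" value path
  [ -r "$props" ] || { echo "NO_PROPS_FILE"; return 1; }

  if ! grep -Eq '^[[:space:]]*export[[:space:]]+CS_PKCS11_R2_CFG=' "$props"; then
    # Distinguish "still commented out" from "line not present at all".
    if grep -Eq '^[[:space:]]*#.*CS_PKCS11_R2_CFG=' "$props"; then
      echo "COMMENTED_OUT"
    else
      echo "MISSING"
    fi
    return 1
  fi

  value=$(active_cfg_value "$props")
  # "export VAR= /path" assigns an empty string and treats /path as a second
  # (invalid) name to export, so the variable never holds the cfg path.
  if [ -z "$value" ] || printf '%s\n' "$value" | grep -q '^[[:space:]]'; then
    echo "EMPTY_VALUE"; return 1
  fi

  # Drop trailing text after the path and optional double quotes
  # (assumes the path itself contains no whitespace).
  path=$(printf '%s\n' "$value" | sed 's/[[:space:]].*$//; s/^"//; s/"$//')
  if [ ! -f "$path" ] || [ ! -r "$path" ]; then
    echo "CFG_NOT_READABLE"; return 1
  fi
  echo "OK"
}

# Stand-alone use: pass the path to the hsm properties file as the first argument.
if [ "$#" -gt 0 ]; then check_hsm_props "$1"; fi
```

Run it against the hsm file in the properties folder for your deployment; any status other than OK means the pod will start without a usable Utimaco config path.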
