On-premises Hardware Security Modules
This page gives general connectivity details for on-premises HSMs:
- Primus HSM X, E or CyberVault series
- Transaction Security Broker (TSB)
Securosys Primus HSM
To set up and configure the Primus HSM hardware, please refer to the Primus HSM User Guides (account required).
Ensure the APIs you intend to use are included in your HSM license. For license upgrades, please contact Securosys.
Default Configuration
The on-premises Primus HSM can be reached through the default ports (listed in the table below) unless they have been configured differently by your HSM administrator.
For more details, please refer to the Primus HSM User Guides (account required).
HSM URL/IP | TCP Port JCE/JCA | TCP Port PKCS#11 | TCP Port MS CNG | TCP Port High Availability | TCP Port Decanus | Partition Decanus |
---|---|---|---|---|---|---|
The Transaction Security Broker (TSB) and the REST API use the JCE API port.
Setup Password & Permanent Secret
To establish a valid connection to the HSM, an application will require a valid setup password, which can be issued as follows:
- Primus HSM User Interface and Decanus
- Primus HSM Console
ROLES → USER → NEW SETUP PASSWORD
The setup password has limited time validity and should be used to obtain or update a permanent secret as soon as possible, not as a permanent solution.
Because the setup password expires (by default after 72 hours), you should fetch the permanent secret promptly. See the respective documentation for each API on how to fetch the permanent secret:
- Java Cryptography Extension (JCE) - Login Sample
- PKCS#11 (Cryptoki) - Permanent Secret Fetching
- The PKCS#11 password (configured by your HSM administrator) is required to fetch the permanent secret; see PKCS#11 (Cryptoki) - Preparing the PKCS#11 Password (PIN) for more details.
- MSCNG - Configuring CNG/KSP Provider
Decanus Terminal
Decanus is the tamper-protected remote administration terminal for the Primus HSM.
The Decanus Terminal must be enabled in the HSM configuration before use, and must be initially paired with the HSM to establish a secure connection.
Decanus may comprise different firmware variants and applications, e.g.:
- Primus HSM Device Administration
  - Enables remote administration of up to 64 Primus HSM devices by extending the user interface, card slots, and USB slot in a secure manner.
  - Connects over an IP network to the configured HSM management interface and TCP port; see Default Configuration for default values.
- Primus HSM Partition Administration and Auditing
  - Enables remote administration and audit of up to 64 single Primus HSM partitions (Partition SO).
  - Connects to one of the configured Primus HSM API interfaces and port (on the HA Master device); see Default Configuration for default values.
For more details refer to Decanus Terminal User Guide, downloadable from the Securosys Support Portal.
High Availability
High availability is configured by HSM administrators and requires multiple Primus HSM devices.
Devices of a cluster for which the high-availability option "HA" is enabled are synchronized promptly, which allows load balancing without manual cloning each time a user key or object is generated or modified.
By default, a Clone tries to establish a connection with the Master using the configured Master URLs and then synchronizes with it. After pairing, these devices keep synchronizing over Ethernet as long as they can reach the network.
For more details on High Availability, please refer to the Primus User Guide - High-Availability Remote Cloning (account required).
Transaction Security Broker
Connectivity details for the on-premises Transaction Security Broker (TSB) with the different deployment variants of Securosys Hardware Security Modules (HSMs):
TSB Service | Description | Authentication | Endpoint(s) |
---|---|---|---|
HSMaaS | HSMaaS with on-premises TSB deployment: hsm.host=HSMaaS hostname, hsm.port=2300 (default JCE/JCA port) | any | HSMaaS hostname(s) |
Dedicated (Platinum) | TSB bound to a CloudHSM PLA partition | mutualTLS | dedicated domain name, e.g. <dedicated>.cloudshsm.com |
OnPremise (HSM) | hsm.host=<IP> of the HSM data interface, hsm.port=2300 (default JCE/JCA port) | any | http://localhost:8080 |
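A practical pre-flight check for the OnPremise row above is to confirm that the TSB host can actually open a TCP connection to the HSM data interface on the JCE/JCA port before any setup-password login is attempted; a firewall or wrong `hsm.host` is the usual reason a fresh TSB deployment fails to connect. The following Python script is an added example, not Securosys or TSB code: it parses the two connection properties named on this page (`hsm.host`, `hsm.port`), applies the documented default of 2300 when `hsm.port` is omitted, and probes the endpoint. The sample property text and the IP address in it are constructed for illustration.

```python
"""Pre-flight reachability check for an on-premises TSB -> Primus HSM link.

Added example (not Securosys code). Reads the TSB connection properties
hsm.host and hsm.port, falls back to the documented default JCE/JCA port
2300, and verifies the HSM data interface accepts a TCP connection.
"""
import socket
from typing import Dict, Tuple

# Default TCP port for the JCE/JCA API; TSB and the REST API use this port.
DEFAULT_JCE_PORT = 2300


def parse_hsm_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value lines, ignoring blank lines and # comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed property line: {line!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def hsm_endpoint(props: Dict[str, str]) -> Tuple[str, int]:
    """Return (host, port) for the HSM, applying the default JCE port and
    rejecting values that could never be a valid TCP endpoint."""
    host = props.get("hsm.host", "")
    if not host:
        raise ValueError("hsm.host is required")
    port_text = props.get("hsm.port", str(DEFAULT_JCE_PORT))
    try:
        port = int(port_text)
    except ValueError:
        raise ValueError(f"hsm.port is not an integer: {port_text!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"hsm.port out of range: {port}")
    return host, port


def check_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout.

    Only the TCP handshake is tested; a True result means the network path
    and port are open, not that the HSM will accept the application's login.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: an OnPremise TSB configuration with the port omitted,
# so the default 2300 applies. The address is illustrative only.
SAMPLE_PROPERTIES = """
# TSB -> HSM connection (constructed sample)
hsm.host=192.0.2.10
"""

if __name__ == "__main__":
    host, port = hsm_endpoint(parse_hsm_properties(SAMPLE_PROPERTIES))
    state = "reachable" if check_reachable(host, port) else "NOT reachable"
    print(f"HSM data interface {host}:{port} is {state}")
```

Run it on the TSB host itself, since that is where the connection originates; a "NOT reachable" result points at network filtering or a mistyped `hsm.host`/`hsm.port`, whereas a reachable port followed by a login failure points at the setup password or permanent secret instead.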