
Initial Setup (≥ v2.11.1)

This page reflects the Quick Start Guide delivered with the device and guides you through the initial setup of the HSM.


Unpack the HSM

"Genesis" card and PIN may be sent by separate post mail for some Swiss customers. Depending on the device type (X-Series or E-Series) the package content may differ:

Accessory box contains:

  • this Quick Start Guide
  • 2 power cables
  • 1 USB memory stick
  • 2 Genesis Cards (GN)
  • 3 Security Officer (SO) Cards

Obtain Activation Code, License, Firmware, Documentation

Take care

To continue, access to the Securosys Support Portal https://support.securosys.com is required. If you are not a registered Support Portal user, contact sales@securosys.ch for registration.

The following preparations are necessary before setting up the Primus HSM:


Evaluate the Installed HSM Firmware Version

Depending on the installed firmware the update procedure might differ. A new device delivered from factory stock might not have the latest firmware installed (e.g. v2.7.x, v2.8.x).

The following step-by-step procedure helps to evaluate the installed firmware:

1) Power-up the device and wait for completion of the boot procedure, until the moving blue LEDs settle into 4 steady light-blue LEDs. This indicates completion of the power-up sequence and self-tests.

2) Verify the firmware version of the device (example):

The LC Display shows the version on the lower line right side of the screen:

  SECUROSYS
PRIMUS-HSM-X V2.8.46

Note: In case of firmware < v2.11, continue with Firmware update to (v2.11),
In case of firmware ≥ v2.11, continue with chapter 1.3 - Initial Setup of the HSM (firmware ≥v2.11)


Initial Setup of the HSM (firmware ≥v2.11)

V2.11 required

Note that the procedure below applies only to firmware v2.11 and newer,
check Firmware update to (v2.11) to update to firmware version v2.11


The Initial Wizard will guide you through the complete setup process.

With firmware v2.11 onwards the Initial Wizard can install or update various elements, partially automated from files present on the inserted USB stick, up to a complete setup of your HSM, by:

Step                Operation
1, 2, 3, 4, 5, 6    initializing the HSM (Genesis, KEK)
7                   applying License update
8                   applying Firmware update
9                   choosing the operation mode
10                  applying HSM Security Configuration (without users)
11                  setup Root Key Store (if licensed)
12                  creating Security Officers (SO)
13                  differentiate between initialization of Master or Clone HSM
13a                 create user(s) from configuration files and report the generated setup passwords in files
14                  pair Decanus Remote Terminal(s) and report pairing password and files for Decanus
15                  generate the necessary signed attestation files for audit procedures

Preparations for the Initial Wizard (Firmware ≥v2.11)

Prepare all necessary material, information, and files for execution of the initial wizard:

  • Genesis Card(s) for devices with card slots (e.g. Primus X), and the Genesis PIN (either created previously or received by other means) or the Activation Code retrieved from the Support Portal to generate the initial GPIN
  • SO Cards in case of 2-factor authentication (Primus X, min. 2 cards)
  • Decide about operation mode (normal, restricted, FIPS, CC; see chapter 3.10)
  • USB memory stick to use the new features, with some of the following files prepared on the stick (optionally)
    • Updated license file (*.license) downloadable from the Securosys Support Portal (see asset under section Equipment & Contracts)
    • Latest (or required) firmware file (*.hsm; v2.11.1 or newer)
    • Device configuration file (*.sconfig, without user configuration) see chapter 14.11 (14.12.2) as example, without the user sections like <crypto_user state="… "> and <locked_user state="… ">
    • User configuration file(s) (*.pconfig) to create partitions see chapter 5.5.11 Create User(s) via XML File Import for details.
    • Decanus UID file (*.dconfig) for Decanus pairing Consult chapter 14.13 for XML reference.
    • HSM Backup file (*.backup) in case you want to restore from backup see chapter 9 Backup and Restore for details.
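The wizard consumes the stick file by file and rejects an .sconfig that still carries user sections (see step 10). The following pre-flight check is an added example, not a Securosys tool: it inventories a prepared stick by the extensions listed above and parses each .sconfig for `<crypto_user>` / `<locked_user>` elements. The `<config>` root element and all file contents in the demo are constructed placeholders; only the extensions and the two user tags come from this guide.

```python
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# File types the Initial Wizard looks for on the USB stick (from the Quick Start Guide).
WIZARD_FILE_TYPES = {
    ".license": "license update (step 7)",
    ".hsm": "firmware update (step 8)",
    ".sconfig": "device security configuration, no users (step 10)",
    ".pconfig": "user/partition configuration (step 13a)",
    ".dconfig": "Decanus UID list for pairing (step 14)",
    ".backup": "backup to restore from",
}
# The wizard treats an .sconfig as invalid if it contains user information.
FORBIDDEN_SCONFIG_TAGS = {"crypto_user", "locked_user"}


def sconfig_problems(path: Path) -> list[str]:
    """Return reasons an .sconfig would be rejected by the wizard (empty list = OK)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    found = sorted({el.tag for el in root.iter() if el.tag in FORBIDDEN_SCONFIG_TAGS})
    return [f"contains user section <{tag}>" for tag in found]


def preflight(stick: Path) -> dict:
    """Inventory a prepared USB stick and flag files the wizard would reject."""
    report = {"found": {}, "problems": []}
    for f in sorted(stick.iterdir()):
        ext = f.suffix.lower()
        if ext not in WIZARD_FILE_TYPES:
            continue  # the wizard ignores files it does not know
        report["found"].setdefault(ext, []).append(f.name)
        if ext == ".sconfig":
            report["problems"] += [f"{f.name}: {p}" for p in sconfig_problems(f)]
    return report


def demo() -> dict:
    """Build a constructed sample stick (placeholder contents, not real HSM files) and check it."""
    stick = Path(tempfile.mkdtemp())
    (stick / "primus.license").write_text("constructed placeholder\n")
    (stick / "primus-v2.11.1.hsm").write_bytes(b"constructed placeholder")
    # Hypothetical <config> root; only the user sections are taken from the guide.
    (stick / "device.sconfig").write_text(
        '<config><crypto_user state="active"/><locked_user state="locked"/></config>'
    )
    (stick / "PARTITION001.pconfig").write_text("<partition/>")
    (stick / "notes.txt").write_text("ignored by the wizard")
    return preflight(stick)
```

Run `demo()` on a real stick path instead of the temporary directory to see which files the wizard will pick up and whether the .sconfig needs its user sections stripped first.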

Run the Initial Wizard (Firmware v2.11+)

Tip

For Primus E-Series (and X-Series) you can set up the device via the console input. Connect a PC (with a terminal program) to the serial port with the following settings:

115200 8N1 (speed of 115200bps, 8 data bits, no parity bit, 1 stop bit).

For Primus X devices

For the next Step 1 you will need the Genesis Card(s) for devices with card slots (e.g. Primus X), and the Activation Code, retrieved from the support portal to generate the initial GPIN.

Devices without card slots (Primus E) have the Genesis card built-in, and therefore no card insertion is requested.

Please follow carefully the step-by-step procedures described below:

  • 1) Power-up the device
    Power-up the device and wait for completion of the boot procedure, until all 4 LEDs light blue steady.


  • 2) Plug-in the USB
    Plug-in the prepared (or empty) USB stick into the USB Port (X-Series: front panel; E-Series: rear panel)

  • 3) Login to device
    • Press MENU
    • select LOGIN
    • and enter the default login password ABCD,
    • followed by ENT on the displayed entry screen.

  • 4) Initial Wizard
    As long as the initial wizard is not completed you get prompted after each login again to execute (or continue) the wizard.
      EXECUTE WIZARD
    - Confirm with YES

  • 5) Setup of Genesis PIN
    For the next step you will need the Genesis Card(s) for devices with card slots (e.g. Primus X), and the Genesis PIN (either created previously or received by other means, see accompanying documentation) or the Activation Code retrieved from the Support Portal to generate the initial GPIN. Devices without card slots (Primus E) have the Genesis card built-in, and therefore no card insertion is requested.
      ENTER GN CARD IN S2 (Card Slot 2)
    • 5a) In case you have an existing Genesis PIN:
        ENTER PIN / #4 GN CARD IN S2 
      - `********`
      - Confirm with OK
    • 5b) In case you do not have a Genesis PIN:
        ENTER ACTIVATION CODE 
      - `XXXXX-XXXXX-XXX`

      NEW PIN
      ENTER PIN
      GN CARD IN S2
      - `XXXXXXXX`

      REENTER PIN
      GN CARD IN S2
      - `XXXXXXXX`

      NEW PIN ACCEPTED
      - Confirm with OK

      GENESIS CARD UPDATED
      - Confirm with OK

  • 6) In case the USB stick is not yet inserted:
      INSERT USB STORAGE DEVICE 

  • 7) License update
    In case a license file (*.license) is found on the USB stick, the license is checked and updated if necessary.
    In some upgrade scenarios the license might be updated again after the firmware update.
    A license change will cause a device reboot. Restart at step 15) after the device reboot.
      CHECKING LICENSE UPDATE PATIENCE…

  • 8) Firmware update
    In case a firmware file (*.hsm) is found on the USB stick, the file is checked and updated if necessary.
    A firmware change will cause a device reboot. Restart at step 15) after the device reboot.
      CHECKING FIRMWARE UPDATE PATIENCE…

  • 9) Operation Mode
    In the next step you define the operation mode, which cannot be changed later.

      USE NORMAL MODE (No - For FIPS mode) 
    • Select YES for
      • Standard HSM setup (see 3.10)
      • SIC/SECOM user (on S500 this results in restricted mode, see 3.10.2)
      • Common criteria (CC) compliant setup, refer to chapter 3.10.4 for correct mode and setup selection
    • Select NO for
      • User requiring strict FIPS compliance (FIPS mode see chapter 3.10)

    Select the required operation mode (default normal mode) to continue initialization and KEK creation. This creates the internal Primus HSM encryption key. The KEK encrypts all internal files, data, certificates, and passwords of the Primus HSM. It is unique to each Primus HSM, cannot be read out and therefore always remains in the HSM. The KEK is deleted whenever the Primus is reset to the factory-reset state and generated anew during the initial wizard or restore wizard.

      CREATE NEW KEK
    - Confirm with OK

    PATIENCE OPERATION IN PROGRESS
    KEK CREATED
    - Confirm with OK

  • 10) Device Security Configuration
    In case a device security configuration file (*.sconfig) is found on the USB stick, the content is validated and applied.
    Note: the file is invalid if it contains user information!
      IMPORTING DEVICE CONFIGURATION PATIENCE… 
    IMPORT CONFIG FROM USB SUCCESSFUL
    - Confirm with OK

  • 11) Root Key Store
    In case the Root Key Store is licensed, it is set up automatically (used for audit information).
    Note: This setting is required to operate TSB
      SETTING UP ROOT KEY STORE PATIENCE 
    ROOT KEY STORE SETUP SUCCESSFULLY
    - Confirm with OK

  • 12) Security Officer (SO)
    For the next step you will need the SO Cards in case of 2-factor authentication (Primus X, min. 2 cards).
    Create two or more Security Officers (SO) for the device, by defining unique SO operator names and the associated SO PIN, which must have 8 to 12 digits and shall not lead with 0:

      CREATE NEW SO? 
    - Confirm with OK

    ENTER SO OWNER NAME
    - `SO1` (or SO-Name of your choice)

    NEW PIN
    ENTER PIN SO CARD IN S1
    - `********`

    REENTER PIN SO CARD IN S1
    - `********`
    PIN ACCEPTED OK
  • … (same procedure for SO2 in card slot 3)

      CONTINUE WIZARD?
    (No - to add SO)
    • Choose NO to create more Security Officers.
    • Choose YES if all SOs are defined and to continue the next activity of the wizard.
      SO ROLE CREATED
    - Confirm with OK

  • 13) Clustering
    In the next step you define if you setup the device as Master or Clone (and HA or Manual):
      SETUP AS MASTER? 
    • 13a) Yes - “Setup as Master” selected:
      In case Partition Configuration File(s) (*.pconfig) is found on the USB stick, the specified user(s) is created, the original file deleted, and the information of the created user with the necessary credentials (setup password etc.) is written to the output file(s) (*.pcreated) on the USB stick, until all files are processed.
        CREATING USER FROM CONFIGURATION FILE
      - Confirm with OK

      USER SUCCESSFULLY CREATED!
      XXXXXXXXXX
      - Confirm with OK
      • Continue with step 14)

    In case no Partition Configuration File was found, you are asked to create a new user (partition) and to define the username. In this case you should note the displayed Temporary Setup Password (not written to USB stick), required to initially connect with the Client Providers (JCE, MS CNG, PKCS#11) safely to the HSM. The setup password is only valid for 3 days (configurable), starting after first usage.
      ENTER NEW USERNAME 
    - `PARTITION001`

    TEMPORARY SETUP PASSWORD `AAAAA-BBBBB-CCCCC-DDDDD-EEEEE`
    • Continue with step 14)

    • 13b) No – “Setup as Clone” selected:

      Select if you want to setup the Clone as HA Clone or Manual Clone.
      The procedure writes the clone key as file to the USB stick (<devicename>.clone):

        SETUP AS HA CLONE?
      - Choose Yes to integrate the clone device into a high-availability cluster
      - Choose No to create an offline clone

      PATIENCE OPERATION IN PROGRESS
      CLONE KEY CREATED
      - Confirm with OK

  • 14) Decanus
    In case a Decanus list file (*.dconfig) is found on the USB stick and the Decanus process is enabled, the listed Decanus ID(s) are paired, the pairing password(s) are written back to the list file, and Decanus pairing files (*.decanus) are generated:
      CREATING DECANUS PAIRING FILES PATIENCE…

  • 15) Audit Information
    In case the Root Key Store is setup, the Audit Information is written to the USB stick (*.sconfig.zip, *.seal.zip, *.state.zip). After that the initial wizard terminates.
      EXPORTING DEVICE AUDIT INFORMATION PATIENCE…
    WIZARD FINISHED OK
    - Confirm with OK

After this step the initial wizard has completed and cannot be restarted (except after factory reset).

After the initial wizard, the HSM is either in the state “Master” or “Clone” as indicated on the display with "MSTR" or "CLON".

Tip

Note: before live operation, we recommend setting up additional GN and SO cards for redundancy purposes in case of loss/damage of a card. See the User Guide for specific instructions.


Assure integrity of the device (checking digital seal and hardware seal)

The digital seal allows you to check that the equipment was not manipulated, tampered with, or reset since factory provisioning.

 AUDIT → DIGITAL SEAL → DISPLAY SEAL

The above command should display the digital seal code.

Raise a ticket on the Securosys Support Portal under "1 – Administrative", "Digital Seal Validation request (Primus HSM or Imunes TEE)", referencing the equipment (asset, serial number) and the digital seal code.

Our technical support will confirm the validity of the digital seal code.