Establishing Trust Relationships

The following example describes how to set up the trust relationships illustrated in Establishing trust relationships example configuration. In this system HSM 0 shares a mutual trust relationship with both HSM 1 and HSM 2. No trust is established between HSM 1 and HSM 2. This is a typical configuration used for token replication, where the master tokens are located on HSM 0. The abbreviation SN in the figure refers to the serial number of the admin token on each device. The serial numbers are used in the example to identify the HSM devices.

Figure 1: Establishing trust relationships example configuration

To configure a trust relationship between HSMs

1. Generate a list of all the slots on the system to find the admin tokens' serial numbers.

Use the ctkmu utility. Each device on the system is assigned a slot number in the order: User slots, Smart card slots, Administration slot. The admin token's serial number is listed in brackets after "AdminToken". For example:

C:\>ctkmu l
ProtectToolkit C Key Management Utility 5.3.0
Copyright (c) SafeNet, Inc. 2009-2016

Cryptoki Version  = 2.20
Manufacturer      = SafeNet, Inc.
WLD_Slot_11                      (Slot 0)
WLD_Slot_22                      (Slot 1)
WLD_Slot_33                      (Slot 2)
AdminToken (1197)                (Slot 3)
<uninitialized token>            (Slot 4)
<uninitialized token>            (Slot 5)
<uninitialized token>            (Slot 6)
AdminToken (1111)                (Slot 7)
<uninitialized token>            (Slot 8)
<uninitialized token>            (Slot 9)
<uninitialized token>            (Slot 10)
AdminToken (1310)                (Slot 11)

2. Generate the HSM Identity Key-Pair on each device.

You must generate an HSM Identity Key-Pair on each device participating in a trust relationship. Use the ctident utility with the gen command and appropriate parameters. You will be prompted for the Administration Token SO PIN of each device. In a system where all HSMs are to participate in a trust relationship, use the ctident gen all command. Alternatively, specify the devices participating in token replication by their serial numbers.

Example:

C:\>ctident gen sn:1197,sn:1111,sn:1310

The ctident gen command also allows devices to be specified by device positional number. The device positional numbers are dynamically assigned when the command is invoked. If a device is offline at the moment the command is invoked, the positional numbers of the remaining devices shift. This could result in incorrect trust relationships being established. The use of device serial numbers is STRONGLY recommended to avoid problems with positional device number reassignment.

3. Command the destination devices to trust the master device.

The HSM Identity public key of HSM 0 must be shared with HSM 1 and HSM 2 by using the ctident trust command. The first parameter specifies the device to be trusted, while the second parameter is the list of devices that are to trust the first. The Administration Token SO PIN for each device must be entered.

Example:

C:\>ctident trust sn:1197 sn:1111,sn:1310

4. Command the master device to trust the destination devices.

The HSM Identity public keys of HSM 1 and HSM 2 must be shared with HSM 0 by using the ctident trust command again. In the example below, the first command line shares HSM 1's public key with HSM 0. The second command line shares HSM 2's public key with HSM 0. The Administration Token SO PIN for each device must be entered.

Example:

C:\>ctident trust sn:1111 sn:1197
C:\>ctident trust sn:1310 sn:1197
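The four steps above, as an added example that is not part of the ProtectToolkit documentation: parse the admin-token serial numbers out of a constructed ctkmu listing (same format as step 1), build the ctident command sequence for the hub-and-spoke trust set of Figure 1 by serial number, and check that the resulting trust set is exactly mutual master-to-destination trust with nothing between the destinations. The commands are only generated as strings here, not executed, and the master serial (1197) and destination serials are assumed from the example.

```python
import re

# Constructed sample of `ctkmu l` output, in the format shown in step 1.
CTKMU_LISTING = """\
Manufacturer      = SafeNet, Inc.
WLD_Slot_11                      (Slot 0)
AdminToken (1197)                (Slot 3)
<uninitialized token>            (Slot 4)
AdminToken (1111)                (Slot 7)
<uninitialized token>            (Slot 8)
AdminToken (1310)                (Slot 11)
"""

ADMIN_RE = re.compile(r"^AdminToken \((\d+)\)\s+\(Slot (\d+)\)\s*$")

def admin_serials(listing):
    """Return {serial: slot} for every admin token; serials are stable, slots are not."""
    found = {}
    for line in listing.splitlines():
        m = ADMIN_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def hub_spoke_commands(master, destinations):
    """ctident command sequence: master <-> each destination, nothing between destinations."""
    devs = ",".join(f"sn:{s}" for s in [master, *destinations])
    cmds = [f"ctident gen {devs}"]                       # step 2: identity key-pairs
    # Step 3: all destinations trust the master (one command).
    cmds.append(f"ctident trust sn:{master} " + ",".join(f"sn:{d}" for d in destinations))
    # Step 4: the master trusts each destination (one command per destination).
    cmds += [f"ctident trust sn:{d} sn:{master}" for d in destinations]
    return cmds

def trust_pairs(commands):
    """Derive the (trusted, truster) pairs that a list of ctident trust commands establishes."""
    pairs = set()
    for c in commands:
        parts = c.split()
        if parts[:2] == ["ctident", "trust"]:
            trusted = parts[2].removeprefix("sn:")
            for t in parts[3].split(","):
                pairs.add((trusted, t.removeprefix("sn:")))
    return pairs

def is_hub_and_spoke(pairs, master, destinations):
    """True only if trust is mutual between master and each destination and absent elsewhere."""
    expected = {(master, d) for d in destinations} | {(d, master) for d in destinations}
    return pairs == expected
```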