
HSM PSE integration

Recommendations and troubleshooting

IISRESET use cases

The following are cases in which an IISRESET operation is strongly recommended.

  1. When an HSM with which the SAS solution is communicating is turned off and then turned on again, an IISRESET is recommended so that SAS resumes communication with the HSM.

  2. Whenever a registry setting or an environment variable is changed, an IISRESET is recommended so that the running IIS processes pick up the new value.

Normal mode setup

HSM PSEv3 can be troublesome to configure in normal mode. Check whether Windows\System32 contains the cryptoki.dll file. If it does not, copy cryptoki.dll from the PSE install location (the \ProtectToolkit 7\C SDK\bin\sw folder) into Windows\System32 and try again.

Set up Environment Variables

If you are unable to select an Adapter during Slot Creation and Initialization, follow these steps to configure the environment variables:

  1. Click Control Panel > System.

  2. In the left pane, click Advanced System Settings.

  3. The System Properties dialog box is displayed with the Advanced tab selected.

  4. Click Environment Variables to configure them.

Verify Key Checksum Value in Replicated Slots

To verify that the KCV of the key is the same in both slots, follow these steps:

  1. Execute the KMU HSM.bat batch file available at the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  2. Select Slot 0 of device 0 and provide the User PIN to log in.

    (Screenshot: Enter PIN popup window)

  3. Right-click the key and select View KCV.
    Note down the KCV value for Slot 0 of device 0.

    (Screenshot: KMU window)

  4. Select the replicated slot on device 1 and log in using the User PIN of Slot 0 of device 0.

    (Screenshot: KCV popup window)

  5. Right-click the key and select View KCV.

    (Screenshot: KCV popup window)

The KCV of this key should match the value noted for Slot 0 of device 0.

Update User PIN in SAS

An Administrator may need to change the User PIN of the HSM. After the User PIN of an HSM slot is changed, the same User PIN must also be updated in the SAS solution; otherwise SAS does not allow the Administrator to create users or perform related activities. Follow these steps:

  1. Log in to the SAS Administrator console with your username and password.

  2. Navigate to System > HSM Database Encryption.

  3. Enter the new User PIN in the HSM PIN of Slot 0 field and click Apply. The confirmation message shown in the screenshot is displayed.

    (Screenshot: HSM PIN Updated message)

  4. Restart the server on which the SAS solution is installed, so that a new session is established between SAS and the HSM.

Unresponsive failover server

If the failover server is not responding, check that the following steps were carried out, and perform any that were missed:

  1. Install SAS.

  2. Install the PTKC 5.2.0 packages (PTKnethsm.msi and PTKcpsdk.msi).

  3. While installing PTKnethsm.msi, provide only the IP address of HSM device 0.

  4. Restart the server so that the changes take effect.

  5. Create a slot in HSM (if not already available).

  6. Enable HSM in SAS (in Normal mode).

  7. Create users in SAS.

  8. Stop the HSM device.

  9. Try to open the user created in step 7. If the user page is accessible, perform an IISRESET operation. If the user page is inaccessible, continue with the following steps.

  10. Start the HSM and open the created user. The user detail page is displayed.

  11. Update ET_HSM_NETCLIENT_SERVERLIST in both the registry and the environment variable, adding the IP address of the second HSM (device 1).

  12. Perform IISRESET operation.

  13. Open a command line and execute the hsmstate and ctkmu l commands.
    The state of both HSMs and the slot details of both HSMs should be displayed.

  14. Create a new slot in HSM device 1 (the second HSM device) and replicate the newly created slot with Slot 0 of HSM device 0.

    After successful replication, verify that the KCVs of the keys in both slots are the same (see Verify Key Checksum Value in Replicated Slots above).

  15. In the registry, change ET_PTKC_GENERAL_LIBRARY_MODE to HA and set ET_PTKC_WLD_SLOT_0 to <Slot label>.

  16. Add the key ET_PTKC_HA_LOG_FILE under HKEY_LOCAL_MACHINE\SOFTWARE\Safenet\PTKC\HA in the registry and set its value to NULL.

  17. Perform IISRESET operation.

  18. Execute the ctkmu l command. Only Slot 0 should now be visible.

  19. Open SAS and open the created user.

  20. Test the failover server without performing an IISRESET operation.
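The following PowerShell script is an added example, not part of the Thales documentation: it reads back the settings that steps 11 to 18 rely on and reports which of them are still missing, so a non-responding failover server can be checked without clicking through each step again. Only the path HKLM\SOFTWARE\Safenet\PTKC\HA is taken from this page; the registry locations assumed for ET_HSM_NETCLIENT_SERVERLIST and the other ET_PTKC_* values are placeholders and must be adjusted to match your installation.

```powershell
# Added example (not Thales documentation): read back the HA failover settings
# from the registry and the machine environment and report what is still missing.
# Only $HaKey comes from the documentation; $GeneralKey and $NetKey are assumed
# locations and may need to be changed for your installation.
$HaKey      = 'HKLM:\SOFTWARE\Safenet\PTKC\HA'
$GeneralKey = 'HKLM:\SOFTWARE\Safenet\PTKC'      # assumed location of ET_PTKC_* values
$NetKey     = 'HKLM:\SOFTWARE\Safenet\HSM'       # assumed location of ET_HSM_NETCLIENT_SERVERLIST
$Problems   = @()

# Return a named value from a registry key, or $null if key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
}

# Step 11: the server list must name both HSMs, in the registry and in the
# environment, and the two copies must agree (a changed value needs an IISRESET).
$regList = Get-RegValue $NetKey 'ET_HSM_NETCLIENT_SERVERLIST'
$envList = [Environment]::GetEnvironmentVariable('ET_HSM_NETCLIENT_SERVERLIST', 'Machine')
foreach ($pair in @(@('registry', $regList), @('environment', $envList))) {
    $where, $list = $pair
    $hosts = @($list -split '[\s,;]+' | Where-Object { $_ })
    if ($hosts.Count -lt 2) {
        $Problems += "ET_HSM_NETCLIENT_SERVERLIST ($where) lists $($hosts.Count) HSM(s), expected 2"
    }
}
if ($regList -and $envList -and ($regList.Trim() -ne $envList.Trim())) {
    $Problems += 'ET_HSM_NETCLIENT_SERVERLIST differs between registry and environment; IISRESET after changing it'
}

# Step 15: HA library mode and the WLD slot label.
if ((Get-RegValue $GeneralKey 'ET_PTKC_GENERAL_LIBRARY_MODE') -ne 'HA') {
    $Problems += 'ET_PTKC_GENERAL_LIBRARY_MODE is not HA'
}
if (-not (Get-RegValue $GeneralKey 'ET_PTKC_WLD_SLOT_0')) {
    $Problems += 'ET_PTKC_WLD_SLOT_0 (slot label) is not set'
}

# Step 16: ET_PTKC_HA_LOG_FILE must exist under the HA key (the procedure sets it to NULL).
if ($null -eq (Get-RegValue $HaKey 'ET_PTKC_HA_LOG_FILE')) {
    $Problems += "ET_PTKC_HA_LOG_FILE is missing under $HaKey"
}

# Normal-mode setup: cryptoki.dll must be present in System32.
if (-not (Test-Path (Join-Path $env:SystemRoot 'System32\cryptoki.dll'))) {
    $Problems += 'cryptoki.dll not found in Windows\System32'
}

if ($Problems.Count -eq 0) { Write-Output 'HA failover settings look complete; confirm with hsmstate and ctkmu l' }
else { $Problems | ForEach-Object { Write-Output "MISSING: $_" } }
```

Run it from an elevated PowerShell prompt after step 17; a clean result still needs to be confirmed with hsmstate and ctkmu l, since the script checks configuration only, not HSM connectivity.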