Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

HSM PSE integration

Export and import Private Keys

Please Note:

Integrations
HSM PSE integration
- Hardware Security Module and SafeNet Authentication Service
- Set up Hardware Security Module in Normal mode
- Set up Hardware Security Module in High Availability mode
- Manual key generation
- Export and import Private Keys
- Recommendations and troubleshooting
Integration using Keycloak
Luna HSM integration
- Prerequisites
- Configure Luna HSM for SafeNet Authentication Service
- Verify encryption on SafeNet Authentication Service
Application Integration
- SAS PCE for SAML/OIDC Application
  - Prerequisites
  - Integrate SAS PCE as an Authentication Server with a SAML Service Provider Application
  - Integrate SAS PCE as an Authentication Server with an OIDC Service Provider Application
- SAS PCE for Kintone Application (SAML)
  - Prerequisites
  - Kintone Setup
  - Identity Provider (Keycloak) setup
  - Verify Authentication

SAS PCE documentation
Integrations
HSM PSE integration
Export and import Private Keys

Export and import Private Keys

To export SAS generated key (on Slot 0 of one HSM device) to another server (with SAS PCE installed on some other machine), follow the steps:

Export Private Key (from one HSM device)
Import Private Key (to another HSM device)
Verify Private Key Operations Success

For migration of keys from PSEv2 to PSEv3 device please follow the link: https://www.thalesdocs.com/gphsm/ptk/protectserver3/docs/ps_ptk_docs/migration/migrating_keys/index.html

Export Private Keys

Navigate to the following path:

C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin
To launch the KMU tool, double-click the KMU HSM.bat batch file.
Log in to KMU using User PIN credentials to verify that a key was generated (for Slot 0), by the SAS solution.
Log in to KMU (for Slot 0) using Security Officer credentials.
Navigate to Options > Create > Generate Key Components.
The Create Key Components popup window is displayed. Edit the following attributes, and click OK:
1. Mechanism: Select Triple DES from the dropdown list.
2. Check Export and Import checkboxes.
3. Clear Private checkbox.
Number of Components window is displayed. The field Number of components to create is default populated as 2. Click OK, and click OK again.
Copy the hexadecimal component and KCV to a text file (say, info.txt file).
Repeat steps 6 and 7, as above, for the second component.
A key is generated, and is now visible.
Log in to KMU using User PIN credentials (for Slot 0). The SAS generated key and the wrapper key are available.
Right-click the SAS generated key and select Export.
The Export Key(s) window is displayed. Select the wrapper key (generated, as above, in step 10) from the Wrapping Key dropdown field and provide a path for the file to export, and click OK.
The key is exported, and a success message: Export Successful, is displayed.

Import Private Keys

As a prerequisite to importing, SAS and PTKC 5.2.0 should already be installed on this (second) machine with a different HSM device.

Copy the exported file (as above) and the text (info.txt) file to the machine where the key needs to be imported.
Navigate to the following path:

C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin
To launch the KMU tool, double-click the KMU HSM.bat batch file.
Log in to KMU using Security Officer credentials.
Navigate to Options > Create > Enter Key from Components.
The Enter Key Components popup window is displayed. Edit the following attributes, and click OK:
1. Mechanism: Select Triple DES from the dropdown list.
2. Check Export and Import checkboxes.
3. Clear Private checkbox.
The Number of Components window is displayed. Enter 2 in the Number of components to enter field, and click OK.
Enter the hexadecimal component values from the text file (info.txt file).

The KCV value is populated, by default.
Repeat the above step (step 8) for the second component.
The wrapper key is created. It is the same key that got created in Export Keys (step 11). Right-click to compare and verify that KCVs of these wrapper keys on different machines is the same.
Log in to KMU using User PIN credentials (for Slot 0).
Navigate to Options > Import Key(s).
The Import Key(s) window is displayed. Select the wrapper key (generated, as above, in step 10) from the Wrapping Key dropdown field and provide the path for the file to import. This path should be the same as the one provided for export in step 13 of Export Keys.
The key is imported, and a success message: Import Successful, is displayed. To verify if the same key (which was exported) has been imported, compare KCV of the two keys on different machines.

Verify Key operations

To verify that the Private Key export and import operations were successful, follow the steps:

Launch SAS Manager and login as administrator.
Navigate to System > Setup > HSM Database Encryption.
Provide User PIN (for Slot 0) of the HSM device configured on the second machine.
The message "HSM database encryption was successfully enabled" is displayed. The success message confirms that both the Private Key export and import operations were successful.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com