Test the integration
Start Vault
The HSM will be accessed when starting Vault. Therefore, the OCS or Softcard is needed.
- Start the Vault in a separate window. If the protection method defined in /etc/vault/config.hcl is OCS protection, the OCS card created in install-entrust-hsm.adoc#create-ocs must be inserted in the HSM slot. Otherwise the Vault will fail to start.

# vault server -config=/etc/vault/config.hcl
WARNING: Request Limiter configuration is no longer supported; overriding server configuration to disable
==> Vault server configuration:

Administrative Namespace:
Api Address: http://127.0.0.1:8200
Cgo: enabled
Cluster Address: https://127.0.0.1:8201
Environment Variables: BASH_FUNC_which%%, DBUS_SESSION_BUS_ADDRESS, DISPLAY, HISTCONTROL, HISTSIZE, HOME, HOSTNAME, LANG, LESSOPEN, LOGNAME, LS_COLORS, MAIL, MOTD_SHOWN, OLDPWD, PATH, PWD, SELINUX_LEVEL_REQUESTED, SELINUX_ROLE_REQUESTED, SELINUX_USE_CURRENT_RANGE, SHELL, SHLVL, SSH_AUTH_SOCK, SSH_CLIENT, SSH_CONNECTION, SSH_TTY, TERM, USER, VAULT_ADDR, XDG_DATA_DIRS, XDG_RUNTIME_DIR, XDG_SESSION_CLASS, XDG_SESSION_ID, XDG_SESSION_TYPE, _, which_declare
Go Version: go1.23.6
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", disable_request_limiter: "false", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level:
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: raft (HA available)
Version: Vault v1.19.0+ent.hsm, built 2025-03-04T12:36:26Z
Version Sha: 838f2be3861a749e52d97bbacf275a472bec8ccb

==> Vault server started! Log data will stream in below:
...
- Initialize the Vault back in the original window. The vault operator init command returns the Recovery Key(s) and Initial Root Token. Save these.

# vault operator init
Recovery Key 1: L2DHbGYEvhlNHQ9rp6BIkIAHZoYtO2b6OU+wyef5Q/N0
Recovery Key 2: VEB57DW1G6hwEj+LWLdY2jQ7Ila6g8TpFZuqRB2cdUt/
Recovery Key 3: LLCx/CG40R0uFHpogmOxijaN2QwXB9ptyfA+C8Dl31YE
Recovery Key 4: 7JilYckIDit+IHgPlmPY21H5IyB1rpvCQAF4C45/9g+v
Recovery Key 5: G0OgT/LBWbAkPEadhyQUBNM7RcL6h4rwBmOVXccG4Bk8

Initial Root Token: hvs.QiiNikZWKf9gNMVMVRfTEQLO

Success! Vault is initialized

Recovery key initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above.
Log in from the command line
Log in to Vault using the Initial Root Token saved above:
# vault login hvs.QiiNikZWKf9gNMVMVRfTEQLO
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.QiiNikZWKf9gNMVMVRfTEQLO
token_accessor yi2yH6h7oE0U5U8sQJ2jXpXd
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
Create Managed Key In Vault
- Create an RSA managed key hsm-key-ocs-rsa in Vault, labeled VaultKeyOCSRSA and protected by the OCS testOCS in the HSM:

# vault write /sys/managed-keys/pkcs11/hsm-key-ocs-rsa library=hsm1 slot=761406614 pin=ncipher key_label="VaultKeyOCSRSA" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048
Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-rsa
- Write the new managed key hsm-key-ocs-rsa to the HSM by performing a test sign operation:

# vault write -f /sys/managed-keys/pkcs11/hsm-key-ocs-rsa/test/sign
Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-rsa/test/sign
- Create an ECDSA managed key hsm-key-ocs-ecdsa in Vault, labeled VaultKeyOCSECDSA and protected by the OCS testOCS in the HSM:

# vault write /sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa library=hsm1 slot=761406614 pin=ncipher key_label="VaultKeyOCSECDSA" allow_generate_key=true allow_store_key=true mechanism=0x1041 curve=P256
Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa
- Write the new managed key hsm-key-ocs-ecdsa to the HSM by performing a test sign operation:

# vault write -f /sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa/test/sign
Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa/test/sign
- List all keys created in the HSM. Notice the new keys VaultKeyOCSRSA and VaultKeyOCSECDSA under "Keys protected by cardsets":

# nfkminfo -l
Keys with module protection:
 key_pkcs11_ua55376b64e163268e15e25670b0bab7f595d7a7c3 `vault_hmac_v1_m'
 key_pkcs11_ua96a3d9e6dd69fba7c5a4df8a26f5dc4ccb2f5f79 `vault_v1_m'
Keys protected by softcards:
 key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-408577c897946d66019d59cff232f989c57d6600 `vault_v1_sc'
 key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-624d9f8e4e56dc281ce58b3b53dfb88772c9e88d `vault_hmac_v1_sc'
Keys protected by cardsets:
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-12b105aa2cbb3c5f152ad8ea78e5d1d770dba9f2 `VaultKeyOCSECDSA'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-3787adc4f5b499040058dcfdc0ad643e43817024 `vault_hmac_v1_ocs'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-d8ed4d73cfd90e4bf5c41c63459019e3382c1bbc `vault_v1_ocs'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-e0e90329b06569f64a4e5c9922c27063911cda3f `VaultKeyOCSRSA'
- Enable the PKI secrets engine at the path pki and reference a managed key hsm-key stored in the HSM:

# vault secrets enable -path=pki -allowed-managed-keys=hsm-key pki
Success! Enabled the pki secrets engine at: pki/
-
Perform PKI operations as needed. See the PKI Secrets Engine page in the online documentation.
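The nfkminfo listing step above is where a mistake in the managed-key parameters would show up: a key that was meant to be OCS-protected but appears under "Keys with module protection" can be used without the card present. The script below is an added example written for this page (not part of the Entrust guide or of Vault): it parses `nfkminfo -l` output, groups keys by protection class, and verifies that the two managed keys created in this section sit under cardset protection. The embedded listing is the one shown above, used as constructed sample input so the script runs offline; the `--live` flag, which assumes `nfkminfo` is on PATH, reads the real listing instead.

```python
"""Verify that Vault's HSM-backed managed keys carry the intended nShield protection.

Added example for this guide (not Entrust or HashiCorp code). Parses the output of
`nfkminfo -l` and checks each expected key label against the protection class it
was listed under ("module", "softcards" or "cardsets").
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample input: the nfkminfo -l listing shown in this guide.
SAMPLE_NFKMINFO = """\
Keys with module protection:
 key_pkcs11_ua55376b64e163268e15e25670b0bab7f595d7a7c3 `vault_hmac_v1_m'
 key_pkcs11_ua96a3d9e6dd69fba7c5a4df8a26f5dc4ccb2f5f79 `vault_v1_m'
Keys protected by softcards:
 key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-408577c897946d66019d59cff232f989c57d6600 `vault_v1_sc'
 key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-624d9f8e4e56dc281ce58b3b53dfb88772c9e88d `vault_hmac_v1_sc'
Keys protected by cardsets:
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-12b105aa2cbb3c5f152ad8ea78e5d1d770dba9f2 `VaultKeyOCSECDSA'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-3787adc4f5b499040058dcfdc0ad643e43817024 `vault_hmac_v1_ocs'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-d8ed4d73cfd90e4bf5c41c63459019e3382c1bbc `vault_v1_ocs'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-e0e90329b06569f64a4e5c9922c27063911cda3f `VaultKeyOCSRSA'
"""

# Section headers: "Keys with module protection:" -> "module",
# "Keys protected by softcards:" -> "softcards", "Keys protected by cardsets:" -> "cardsets".
SECTION_RE = re.compile(r"^Keys (?:with|protected by) (\w+)(?: protection)?:\s*$")
# Key lines: " key_pkcs11_<ident> `<label>'"
KEY_RE = re.compile(r"^\s*(key_\S+)\s+`([^']*)'\s*$")


def parse_nfkminfo(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {label: (protection_class, key_ident)} from `nfkminfo -l` text."""
    keys: Dict[str, Tuple[str, str]] = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            ident, label = m.groups()
            keys[label] = (section, ident)
    return keys


def check_key_protection(keys: Dict[str, Tuple[str, str]], expected: Dict[str, str]) -> List[str]:
    """Compare each expected label's protection class; return a list of problems (empty = OK)."""
    problems = []
    for label, want in expected.items():
        found = keys.get(label)
        if found is None:
            problems.append(f"{label}: not present in the HSM security world")
        elif found[0] != want:
            problems.append(f"{label}: protected by {found[0]}, expected {want}")
    return problems


# The two managed keys created in this section; both must be OCS (cardset) protected.
EXPECTED_OCS_KEYS = {"VaultKeyOCSRSA": "cardsets", "VaultKeyOCSECDSA": "cardsets"}


def main(argv: List[str]) -> int:
    # --live is an assumption of this example: run the real nfkminfo (must be on PATH).
    if "--live" in argv:
        text = subprocess.run(["nfkminfo", "-l"], check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NFKMINFO
    keys = parse_nfkminfo(text)
    for label, (prot, ident) in sorted(keys.items()):
        print(f"{prot:10s} {label:20s} {ident}")
    problems = check_key_protection(keys, EXPECTED_OCS_KEYS)
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to exercise it against the embedded listing (exit status 0 means both keys are cardset-protected), or with `--live` on the host that has the nShield client software installed. The check relies on the section headers rather than on the key ident prefixes, so it keeps working if additional protection classes appear in the listing.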