Test the integration

Start Vault

Vault accesses the HSM at startup, so the OCS or Softcard must be available before you start it.

  1. Start the Vault in a separate window.

    If the protection method defined in /etc/vault/config.hcl is OCS protection, the OCS card created in install-entrust-hsm.adoc#create-ocs must be inserted in the HSM slot. Otherwise Vault will fail to start.

    # vault server -config=/etc/vault/config.hcl
    WARNING: Request Limiter configuration is no longer supported; overriding server configuration to disable
    
    ==> Vault server configuration:
    
    Administrative Namespace:
                 Api Address: http://127.0.0.1:8200
                         Cgo: enabled
             Cluster Address: https://127.0.0.1:8201
       Environment Variables: BASH_FUNC_which%%, DBUS_SESSION_BUS_ADDRESS, DISPLAY, HISTCONTROL, HISTSIZE, HOME, HOSTNAME, LANG, LESSOPEN, LOGNAME, LS_COLORS, MAIL, MOTD_SHOWN, OLDPWD, PATH, PWD, SELINUX_LEVEL_REQUESTED, SELINUX_ROLE_REQUESTED, SELINUX_USE_CURRENT_RANGE, SHELL, SHLVL, SSH_AUTH_SOCK, SSH_CLIENT, SSH_CONNECTION, SSH_TTY, TERM, USER, VAULT_ADDR, XDG_DATA_DIRS, XDG_RUNTIME_DIR, XDG_SESSION_CLASS, XDG_SESSION_ID, XDG_SESSION_TYPE, _, which_declare
                  Go Version: go1.23.6
                  Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", disable_request_limiter: "false", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
                   Log Level:
                       Mlock: supported: true, enabled: false
               Recovery Mode: false
                     Storage: raft (HA available)
                     Version: Vault v1.19.0+ent.hsm, built 2025-03-04T12:36:26Z
                 Version Sha: 838f2be3861a749e52d97bbacf275a472bec8ccb
    
    ==> Vault server started! Log data will stream in below:
    ...
  2. Initialize the Vault back in the original window:

    The vault operator init command returns the recovery key shares and the Initial Root Token. Save both: the root token is used to log in below, and the recovery keys are needed for later recovery operations.

    # vault operator init
    Recovery Key 1: L2DHbGYEvhlNHQ9rp6BIkIAHZoYtO2b6OU+wyef5Q/N0
    Recovery Key 2: VEB57DW1G6hwEj+LWLdY2jQ7Ila6g8TpFZuqRB2cdUt/
    Recovery Key 3: LLCx/CG40R0uFHpogmOxijaN2QwXB9ptyfA+C8Dl31YE
    Recovery Key 4: 7JilYckIDit+IHgPlmPY21H5IyB1rpvCQAF4C45/9g+v
    Recovery Key 5: G0OgT/LBWbAkPEadhyQUBNM7RcL6h4rwBmOVXccG4Bk8
    
    Initial Root Token: hvs.QiiNikZWKf9gNMVMVRfTEQLO
    
    Success! Vault is initialized
    
    Recovery key initialized with 5 key shares and a key threshold of 3. Please
    securely distribute the key shares printed above.

Log in from the command line

Log in to Vault using the Initial Root Token saved above:

# vault login hvs.QiiNikZWKf9gNMVMVRfTEQLO
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.QiiNikZWKf9gNMVMVRfTEQLO
token_accessor       yi2yH6h7oE0U5U8sQJ2jXpXd
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Create Managed Key In Vault

  1. Create an RSA managed key hsm-key-ocs-rsa in Vault, labeled VaultKeyOCSRSA and protected by the OCS testOCS in the HSM:

    # vault write /sys/managed-keys/pkcs11/hsm-key-ocs-rsa library=hsm1 slot=761406614 pin=ncipher key_label="VaultKeyOCSRSA" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-rsa
  2. Write the new managed key hsm-key-ocs-rsa to the HSM by running a test sign, which generates the key in the HSM:

    # vault write -f /sys/managed-keys/pkcs11/hsm-key-ocs-rsa/test/sign
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-rsa/test/sign
  3. Create an ECDSA managed key hsm-key-ocs-ecdsa in Vault, labeled VaultKeyOCSECDSA and protected by the OCS testOCS in the HSM:

    # vault write /sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa library=hsm1 slot=761406614 pin=ncipher key_label="VaultKeyOCSECDSA" allow_generate_key=true allow_store_key=true mechanism=0x1041 curve=P256
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa
  4. Write the new managed key hsm-key-ocs-ecdsa to the HSM by running a test sign, which generates the key in the HSM:

    # vault write -f /sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa/test/sign
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa/test/sign
  5. List all keys created in the HSM. Notice the new keys VaultKeyOCSRSA and VaultKeyOCSECDSA listed under "Keys protected by cardsets":

    # nfkminfo -l
    
    Keys with module protection:
     key_pkcs11_ua55376b64e163268e15e25670b0bab7f595d7a7c3 `vault_hmac_v1_m'
     key_pkcs11_ua96a3d9e6dd69fba7c5a4df8a26f5dc4ccb2f5f79 `vault_v1_m'
    
    Keys protected by softcards:
     key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-408577c897946d66019d59cff232f989c57d6600 `vault_v1_sc'
     key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-624d9f8e4e56dc281ce58b3b53dfb88772c9e88d `vault_hmac_v1_sc'
    
    Keys protected by cardsets:
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-12b105aa2cbb3c5f152ad8ea78e5d1d770dba9f2 `VaultKeyOCSECDSA'
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-3787adc4f5b499040058dcfdc0ad643e43817024 `vault_hmac_v1_ocs'
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-d8ed4d73cfd90e4bf5c41c63459019e3382c1bbc `vault_v1_ocs'
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-e0e90329b06569f64a4e5c9922c27063911cda3f `VaultKeyOCSRSA'
  6. Enable the PKI secrets engine at the path pki and allow it to use the managed key hsm-key stored in the HSM:

    # vault secrets enable -path=pki -allowed-managed-keys=hsm-key pki
    Success! Enabled the pki secrets engine at: pki/
  7. Perform PKI operations as needed. See the PKI Secrets Engine page in the online documentation.
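The following script is an added example, not part of the original guide: after step 5, it checks that the managed keys Vault generated really landed under the intended nShield protection class by parsing the `nfkminfo -l` listing rather than reading it by eye. The listing embedded in `sample_listing` is constructed to mirror the layout shown above (the key identifiers are made up; only the section headers and the `label' format matter); the function names are the author's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): confirm that managed keys
# created by Vault sit under the expected nShield protection class.

# Constructed listing mirroring the layout of `nfkminfo -l` (identifiers made up).
sample_listing() {
  cat <<'EOF'
Keys with module protection:
 key_pkcs11_ua0000000000000000000000000000000000000001 `vault_hmac_v1_m'
 key_pkcs11_ua0000000000000000000000000000000000000002 `vault_v1_m'

Keys protected by softcards:
 key_pkcs11_uc00000000000000000000000000000000000000aa-0000000000000000000000000000000000000003 `vault_v1_sc'

Keys protected by cardsets:
 key_pkcs11_uc00000000000000000000000000000000000000bb-0000000000000000000000000000000000000004 `VaultKeyOCSECDSA'
 key_pkcs11_uc00000000000000000000000000000000000000bb-0000000000000000000000000000000000000005 `VaultKeyOCSRSA'
EOF
}

# Print "module", "softcards" or "cardsets" for LABEL in a listing read on stdin;
# prints nothing when the label is absent. Matching is on the exact `label' token,
# so vault_v1_m does not match vault_hmac_v1_m.
key_protection() {
  awk -v label="$1" '
    /^Keys with module protection:/ { section = "module";    next }
    /^Keys protected by softcards:/ { section = "softcards"; next }
    /^Keys protected by cardsets:/  { section = "cardsets";  next }
    index($0, "`" label "\047") > 0 { print section; exit }
  '
}

# Succeed only if every LABEL given is protected by an OCS cardset, which is
# what keys created through the OCS-protected slot should be. Reports the first
# mismatch (a missing label counts as a mismatch) on stderr.
all_ocs_protected() {
  listing=$(cat)
  for label in "$@"; do
    p=$(printf '%s\n' "$listing" | key_protection "$label")
    if [ "$p" != "cardsets" ]; then
      echo "$label: expected cardsets, found ${p:-nothing}" >&2
      return 1
    fi
  done
  return 0
}

# Real use on the HSM host: nfkminfo -l | all_ocs_protected VaultKeyOCSRSA VaultKeyOCSECDSA
sample_listing | all_ocs_protected VaultKeyOCSRSA VaultKeyOCSECDSA && echo "OK: both keys are OCS-protected"
```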