Test the integration

Start Vault

Vault accesses the HSM as part of starting up, so the OCS or Softcard that protects the seal keys must be available.

  1. Start Vault in a separate window.

    If the protection method defined in /etc/vault/config.hcl is OCS protection, the OCS card created in create-vault-encryption-keys.adoc#create-keys-ocs must be inserted in the HSM slot; otherwise Vault will fail to start. The OCS card is not required for Vault to start if the protection method is Softcard or Module.

    # vault server -config=/etc/vault/config.hcl
    
    WARNING: storage configured to use "file" which is not supported for Vault
    Enterprise, must be "raft" or "consul"
    
    ==> Vault server configuration:
    
    Administrative Namespace:
                 Api Address: http://127.0.0.1:8200
                         Cgo: enabled
             Cluster Address: https://127.0.0.1:8201
       Environment Variables: DBUS_SESSION_BUS_ADDRESS, DISPLAY, GDK_BACKEND, GODEBUG, HISTCONTROL, HISTSIZE, HOME, HOSTNAME, LANG, LESSOPEN, LOGNAME, LS_COLORS, MAIL, OLDPWD, PATH, PWD, SELINUX_LEVEL_REQUESTED, SELINUX_ROLE_REQUESTED, SELINUX_USE_CURRENT_RANGE, SHELL, SHLVL, SSH_ASKPASS, SSH_AUTH_SOCK, SSH_CLIENT, SSH_CONNECTION, SSH_TTY, TERM, USER, VAULT_ADDR, XDG_DATA_DIRS, XDG_RUNTIME_DIR, XDG_SESSION_ID, _
                  Go Version: go1.21.1
                  Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
                   Log Level:
                       Mlock: supported: true, enabled: false
               Recovery Mode: false
                     Storage: file
                     Version: Vault v1.15.0+ent.hsm, built 2023-09-22T21:04:53Z
                 Version Sha: d3729711f875a9dedea802079cd7f0e4b1d6e8d5
    
    ==> Vault server started! Log data will stream in below:
    ...
  2. Initialize Vault from the original window.

    The vault operator init command returns the Recovery Keys and the Initial Root Token. Keep a note of these: they are printed only once, and the recovery key shares should be handed to separate custodians rather than stored together.

    # vault operator init
    Recovery Key 1: PK0s3VaswduJGkng079G3EPDU1vXifZt27tSnnnJ2kdO
    Recovery Key 2: R8rNXyj1CA77UKPuV4zf4MvNv4CODN/AhyLraYcikHKx
    Recovery Key 3: 0Bw0TVnq7+zbGMjsJyuzWda7HpBVzlRXzp/0JWwIqAF9
    Recovery Key 4: A4t1XIhAcvQKfYPaR6aCVgB6mVCu50zDwI03IHnEsxvD
    Recovery Key 5: wc/QtGFBPhKDwXGHW2OCKJEm8XJbEwsCHzKnU1p3Tr+b
    
    Initial Root Token: hvs.7QEXwRx230xNd67I44nJjAxZ
    
    Success! Vault is initialized
    
    Recovery key initialized with 5 key shares and a key threshold of 3. Please
    securely distribute the key shares printed above.

Log in from the command line

Log in to Vault using the Initial Root Token saved above. The CLI stores the token in its token helper, so subsequent vault commands in this session use it automatically.

# vault login hvs.7QEXwRx230xNd67I44nJjAxZ
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.7QEXwRx230xNd67I44nJjAxZ
token_accessor       GeheYAQMr1dL4VjzGzeSbbzH
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Create Managed Key In Vault

  1. Create an RSA managed key hsm-key-ocs-rsa in Vault, labeled VaultKeyOCSRSA in the nShield HSM and protected by the OCS testOCS. library=hsm1 names the kms_library stanza in /etc/vault/config.hcl, slot and pin select the OCS-protected slot, and mechanism=0x0001 selects CKM_RSA_PKCS.

    # vault write /sys/managed-keys/pkcs11/hsm-key-ocs-rsa library=hsm1 slot=761406615 pin=ncipher key_label="VaultKeyOCSRSA" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-rsa
  2. Generate the managed key hsm-key-ocs-rsa in the nShield HSM and check that it can sign. Because allow_generate_key=true, the test/sign endpoint creates the key in the HSM if it does not exist yet.

    # vault write -f /sys/managed-keys/pkcs11/hsm-key-ocs-rsa/test/sign
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-rsa/test/sign
  3. Create an ECDSA managed key hsm-key-ocs-ecdsa in Vault, labeled VaultKeyOCSECDSA in the nShield HSM and protected by the OCS testOCS. mechanism=0x1041 selects CKM_ECDSA and curve=P256 selects the NIST P-256 curve.

    # vault write /sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa library=hsm1 slot=761406615 pin=ncipher key_label="VaultKeyOCSECDSA" allow_generate_key=true allow_store_key=true mechanism=0x1041 curve=P256
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa
  4. Generate the managed key hsm-key-ocs-ecdsa in the nShield HSM with the same test/sign call and check that it can sign.

    # vault write -f /sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa/test/sign
    Success! Data written to: sys/managed-keys/pkcs11/hsm-key-ocs-ecdsa/test/sign
  5. List all keys in the nShield HSM. The new keys VaultKeyOCSRSA and VaultKeyOCSECDSA appear under "Keys protected by cardsets", next to the OCS-protected seal keys, which confirms they are bound to the OCS rather than to Module or Softcard protection.

    # nfkminfo -l
    
    Keys with module protection:
     key_pkcs11_ua47626b663321b99fb7ce1d035bb211a5311abf0f `vault_hmac_v1_m'
     key_pkcs11_uab23eff123cdbd108ff958fae07b12c1da92762dc `vault_v1_m'
    
    Keys protected by softcards:
     key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-6c07551e82281c8cc6a531d12c934701409d42be `vault_hmac_v1_sc'
     key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-cdd81cd59c7a4a8518cdcc6c2b7beeac4a88c340 `vault_v1_sc'
    
    Keys protected by cardsets:
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-3ea7edc9ff8a7c2b17401920b12a3a67a3e21dd7 `vault_v1_ocs'
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-5e0252dea777e36934160cbd072bf03cd1e9ba70 `vault_hmac_v1_ocs'
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-625a46d71da150187d78ecc095a3176b00f97296 `VaultKeyOCSRSA'
     key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-779846e6edc71265bcc561ba3acaa1c64fa68204 `VaultKeyOCSECDSA'
  6. Enable the PKI secrets engine at the path pki and allow it to use the managed keys stored in the HSM. The names passed to -allowed-managed-keys must match the managed keys created above; repeat the flag to allow more than one key.

    # vault secrets enable -path=pki -allowed-managed-keys=hsm-key-ocs-rsa -allowed-managed-keys=hsm-key-ocs-ecdsa pki
    Success! Enabled the pki secrets engine at: pki/
  7. Perform PKI operations as needed, for example generating a root CA with root/generate/kms and managed_key_name set to one of the allowed keys, so the CA private key never leaves the HSM. See the PKI Secrets Engine page in the online documentation.
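The managed-key and PKI steps above, gathered into one script as an added example; this is not code from the integration guide, from Entrust or from HashiCorp. It assumes the values used on this page (kms_library name hsm1, slot 761406615, OCS passphrase ncipher, key names hsm-key-ocs-rsa and hsm-key-ocs-ecdsa) and reads them from the environment so the PIN need not be hard-coded. It adds a check that each key really landed in the HSM under cardset (OCS) protection by parsing nfkminfo -l output; the sample listing embedded in the script is copied from the output above so that parser can be exercised without an HSM. With VAULT_DRY_RUN=1 the vault commands are printed (PIN redacted) instead of executed.

```shell
#!/usr/bin/env bash
# Added example: provisions the two OCS-protected managed keys from this page,
# checks their protection in the HSM, and enables PKI on them. Not part of the
# original guide; slot, library name and PIN default to the values on this page.
set -eu

HSM_LIB="${HSM_LIB:-hsm1}"           # kms_library stanza name in /etc/vault/config.hcl (assumed)
HSM_SLOT="${HSM_SLOT:-761406615}"    # slot of the OCS-protected token
HSM_PIN="${HSM_PIN:-ncipher}"        # OCS passphrase; supply via the environment in real use

# vault_cmd runs vault, or with VAULT_DRY_RUN=1 prints the command (PIN redacted)
# so the sequence can be reviewed before the HSM is touched.
vault_cmd() {
  if [ "${VAULT_DRY_RUN:-0}" = 1 ]; then
    printf 'vault %s\n' "$*" | sed 's/pin=[^ ]*/pin=<redacted>/'
  else
    vault "$@"
  fi
}

# mechanism_for TYPE: PKCS#11 mechanism for a signing key of TYPE, as used on
# this page (0x0001 = CKM_RSA_PKCS, 0x1041 = CKM_ECDSA). Anything else is refused.
mechanism_for() {
  case "$1" in
    rsa)   echo 0x0001 ;;
    ecdsa) echo 0x1041 ;;
    *)     echo "unsupported key type: $1" >&2; return 1 ;;
  esac
}

# create_managed_key NAME LABEL TYPE: register the key in Vault, then call
# test/sign, which generates it in the HSM (allow_generate_key=true) and proves
# it can sign before anything depends on it.
create_managed_key() {
  local name=$1 label=$2 type=$3 mech size_arg
  mech=$(mechanism_for "$type")
  case "$type" in
    rsa)   size_arg=key_bits=2048 ;;
    ecdsa) size_arg=curve=P256 ;;
  esac
  vault_cmd write "sys/managed-keys/pkcs11/$name" library="$HSM_LIB" slot="$HSM_SLOT" \
    pin="$HSM_PIN" key_label="$label" allow_generate_key=true allow_store_key=true \
    mechanism="$mech" "$size_arg"
  vault_cmd write -f "sys/managed-keys/pkcs11/$name/test/sign"
}

# key_section LABEL: read "nfkminfo -l" output on stdin and print the section
# (module, softcards or cardsets) that lists LABEL; prints nothing if absent.
key_section() {
  awk -v label="$1" '
    BEGIN { needle = sprintf("%c%s%c", 96, label, 39) }  # nfkminfo wraps labels in backtick and quote
    /^Keys with module protection:/ { section = "module" }
    /^Keys protected by softcards:/ { section = "softcards" }
    /^Keys protected by cardsets:/  { section = "cardsets" }
    /key_pkcs11_/ && index($0, needle) { print section; exit }
  '
}

# expect_protection LABEL SECTION: fail unless LABEL is listed under SECTION.
# A key meant to be OCS-protected that shows up under "module" was generated
# against the wrong slot and is not bound to the cardset at all.
expect_protection() {
  local got
  got=$(key_section "$1")
  [ "$got" = "$2" ] || { echo "key $1: found under '${got:-none}', expected $2" >&2; return 1; }
}

# enable_pki KEY...: enable PKI allowing only the listed managed keys, then
# generate a root CA of type "kms" so the CA private key never leaves the HSM.
enable_pki() {
  local allowed="" k
  for k in "$@"; do allowed="$allowed -allowed-managed-keys=$k"; done
  # $allowed is split on purpose: one -allowed-managed-keys flag per key
  vault_cmd secrets enable -path=pki $allowed pki
  vault_cmd write pki/root/generate/kms common_name=hsm-root-ca.example \
    managed_key_name="$1" ttl=87600h
}

# Constructed sample, copied from the nfkminfo -l listing on this page, used to
# exercise key_section without an HSM.
SAMPLE_NFKMINFO=$(cat <<'EOF'
Keys with module protection:
 key_pkcs11_uab23eff123cdbd108ff958fae07b12c1da92762dc `vault_v1_m'

Keys protected by softcards:
 key_pkcs11_uc925f67e72ea3c354cae4e6797bde3753d24e7744-cdd81cd59c7a4a8518cdcc6c2b7beeac4a88c340 `vault_v1_sc'

Keys protected by cardsets:
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-3ea7edc9ff8a7c2b17401920b12a3a67a3e21dd7 `vault_v1_ocs'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-625a46d71da150187d78ecc095a3176b00f97296 `VaultKeyOCSRSA'
 key_pkcs11_ucedb3d45a28e5a6b22b033684ce589d9e198272c2-779846e6edc71265bcc561ba3acaa1c64fa68204 `VaultKeyOCSECDSA'
EOF
)

provision() {
  create_managed_key hsm-key-ocs-rsa   VaultKeyOCSRSA   rsa
  create_managed_key hsm-key-ocs-ecdsa VaultKeyOCSECDSA ecdsa
  nfkminfo -l | expect_protection VaultKeyOCSRSA cardsets
  nfkminfo -l | expect_protection VaultKeyOCSECDSA cardsets
  enable_pki hsm-key-ocs-rsa hsm-key-ocs-ecdsa
}

# Only provision when invoked as "script provision"; otherwise just define the functions.
if [ "${1:-}" = provision ]; then provision; fi
```

Run it once with VAULT_DRY_RUN=1 ./script provision to review the exact commands, then without the variable on the Vault host with the OCS inserted. The nfkminfo check is the part worth keeping in any automation: Vault reports Success! for test/sign whichever slot the key was generated in, so the HSM listing is the only place that shows whether the key is actually bound to the cardset.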