5c 10G Configuration using KeySafe 5

The 5c 10G HSM does not use an RFS for its configuration. Instead, KeySafe 5 is used for configuration and management of the HSM. This section describes what needs to take place in the KeySafe 5 WebUI so the 5c 10G can be used by this integration. The assumption is that KeySafe 5 is already installed and that you have already provisioned the 5c 10G according to the 5c 10G Quick Start Guide.

Add the OpenShift nodes and deployment server as clients of the HSM.

You will need to add all OpenShift nodes and the deployment server as clients of the HSM. Since you don’t know what node will be used by Openshift to deploy the pods, all nodes must be added as clients.

  1. Log in to the KeySafe 5 UI that you have installed:

    https://xx.xxx.xxx.xxx:18080

  2. Select Hardware Management > HSMs.

    ks5 hsms

  3. Select the Tenant HSM.

    The Tenant HSM is the HSM with the ESN displayed with the KeyHash.

    ks5 tenanthsm

  4. Select the Clients tab.

  5. Select Add New Client.

  6. In the Client Configuration dialog:

    1. For Client Permission: select unprivileged.

    2. For Client Authentication: Select Address and enter the IP address.

    3. Select Save.

      ks5 addclient

  7. Once saved, the new client should be listed.

    ks5 clientlist

  8. Do this for the deployment server and every OpenShift node.

    Now the HSM is ready to be enrolled at the client.

TVD - Remote Administration Client

If you have to present Cards to clients of the HSM using a TVD, you must use RA Enable cards. You do this by Enabling Dynamic Slots on the HSM.

  1. In the KeySafe 5 UI, in the Tenant HSM, select the Configuration Tab.

  2. Select Dynamic Slots.

  3. Select Edit.

  4. In the Edit Dynamic Slots Dialog:

    1. For Number of Dynamic Slots: Enter 4.

    2. Select Save.

  5. The KeySafe 5 UI will indicate the Module must be cleared for the configuration changes to take effect.

  6. Select Close.

  7. Select Actions > Clear HSM for the changes to take effect.