Multi-tenant licensing

To use the full set of multi-tenancy features, a valid license must be purchased and applied. Without a license, only a single VCM can be created and started (see Non-multi-tenant operation).

The multi-tenant license must be applied as the first operation after booting the multi-tenant firmware. Refer to Maximum number of concurrently active VCMs feature for how to apply the license.

The multi-tenant license determines the maximum number of active VCMs that can run on the HSM to which the license applies. When you reach the maximum number of active VCMs, you will not be able to start any more VCMs on that HSM. Before you can start another VCM you must stop a VCM that is already running or purchase a new license.

A multi-tenant license enables you to create up to 1,000 inactive VCMs. This means that you can create several inactive VCMs and start only the ones that you want to have currently active, as controlled by your license.

There is an exception for the nShield 5s Base speed HSM which is restricted to only creating 5 VCMs.

Non-multi-tenant operation

There is no advantage in using multi-tenant firmware for non-multi-tenant operation. Unless you have been advised to use multi-tenant firmware in this way by Entrust it is recommended that you load non-multi-tenant firmware.

If you use multi-tenant firmware without a multi-tenant license, you will be restricted to creating and starting a single VCM. However, you will still need to configure your system as though you were using it for multi-tenancy, including setting up the networking between the tenant and VCM and enrolling the tenant.

To do this, use the hsmadmin vcm single-setup command. This automates the process and configures an autocreated-vcm for you.

Use of the command hsmadmin vcm single-setup configures a default configuration that is most appropriate for non-multi-tenant operation. It is unlikely to be suitable for multi-tenant operation. If you subsequently purchase a multi-tenant license, you should delete the auto-created VCM and start a fresh installation.