Prerequisites
This page describes the prerequisites for setting up VaultCode on an external Docker host, outside of the HSM. This is intended for testing purposes only!
Choose the mode
The VaultCode container can either connect to an HSM Partition, or run standalone in simulator/demo mode with an insecure keystore. Choose which mode you want. In simulator mode, you can skip all the HSM-related steps given in this guide.
Install Docker
VaultCode is distributed as a Docker image. To run it, you need to have Docker installed. Additionally, this guide will use Docker Compose to manage the multi-container deployment.
Choose a host to run the VaultCode runtime on, and install Docker on this host:
- On Linux, install Docker Engine and Docker Compose
- On Windows, install Docker Desktop
Optional: Install the TSB
For use cases that involve Smart Key Attributes (SKA) and automated approval, we highly recommend using the Transaction Security Broker (TSB). Follow the TSB installation guide to install the TSB.
You do not need the TSB for basic VaultCode usage. If you are doing an early proof-of-concept, you can skip this step, and return to it later. You will need the TSB for the Automated Approval tutorial.
Prepare the HSM
In simulator mode: skip this step.
When you are running VaultCode outside of the HSM but are connecting it to an HSM Partition for its keystore, you need to configure the HSM as described in this section.
Set Up the Root Key Store
Make sure that the Root Key Store (RKS) is set up on the HSM. The RKS is needed to generate attestation keys.
Enable Device-Wide Options
Make sure that the following settings are enabled device-wide.
UI: SETUP → CONFIGURATION → SECURITY → DEVICE SECURITY → (setting)
Enable the following settings:
- JCE
Console:
hsm_sec_list_config jce
hsm_sec_set_config jce=true
Enable Partition-Level Options
Enable VaultCode in the "User Security" settings of the Partition. Also enable the related required settings.
UI: SETUP → CONFIGURATION → SECURITY → USER SECURITY → (user) → (setting)
Enable the following settings:
- User Configuration
- JCE
- VaultCode
Optionally, when using the TSB and/or SKA, also enable:
- Key Authorization
- REST API access
- TSB Workflow Engine
Console:
hsm_user_enter_config
hsm_user_list_config use_usr_cnf
hsm_user_set_config use_usr_cnf=true
hsm_user_set_config jce=true
hsm_user_set_config vault_code=true
# Optional, when using the TSB and/or SKA
hsm_user_set_config rest_api=true
hsm_user_set_config tsb_engine=true
hsm_user_set_config key_auth=true
hsm_user_exit_config
See Sections 4.6.3 "User Security" and 5.5.8 "User Configurations" in the Primus User Guide.
Configure the network
In simulator mode: skip this step.
Ensure that the container running on your external host can reach the HSM over the network.