Configure Vault to run with Utimaco HSM

  1. Create a /etc/vault/config.hcl file and add the contents as shown below.

config.hcl

# /etc/vault/config.hcl — Vault server configuration using a Utimaco HSM
# (PKCS#11 provider) as the seal, with local file storage and a plaintext
# TCP listener. Comments are review notes; the directives themselves are
# unchanged.
seal "pkcs11" {

# Path to the Utimaco PKCS#11 provider library that Vault loads.
lib = "/opt/utimaco/lib/libcs_pkcs11_R3.so"

# HSM slot to open; replace the placeholder with the slot for your setup.
slot = "<slot_no.>"

# NOTE(review): the slot PIN is stored in plaintext in this file, so this file
# must be readable only by the account running Vault (the unit below runs it
# as user/group "vault"). NOTE(review): "pin" and "key_label" share one line
# here; HCL expects one attribute per line, so "key_label" should be moved to
# its own line — confirm by running `vault server -config=... -test`.
pin = "<slot_PIN>" key_label="hsm-mkek-key6"

# Label of the HSM key used for the seal's HMAC (distinct from the encryption
# key label above).
hmac_key_label="hsm-hmac-key6"

# Asks Vault to generate the labelled keys on the HSM if they do not already
# exist at initialization time (per Vault's pkcs11 seal documentation).
generate_key ="true"

}

# Local file storage backend. Data on this path is protected only by the
# directory's permissions, so restrict it to the "vault" user.
storage "file" {

path = "/opt/vault/data"

}

# NOTE(review): this listener binds every interface *and* disables TLS, so the
# API (including tokens and secrets in transit) is reachable unencrypted from
# the network. Keep tls_disable only for isolated lab use, or bind to
# 127.0.0.1 / a private address, or configure tls_cert_file/tls_key_file.
listener "tcp" {

address = "0.0.0.0:8200"

tls_disable = "true"

}

# NOTE(review): with mlock disabled, Vault's in-memory key material may be
# swapped to disk. The unit file in this guide grants CAP_IPC_LOCK and
# LimitMEMLOCK=infinity, which is what enabling mlock would need — confirm
# whether disabling it here is intentional (e.g. swap is off) before relying
# on this setting in production.
disable_mlock = true

# Vault Enterprise license file; must also be readable by the "vault" user.
license_path = "/etc/vault/license.hclic"

# Serve the web UI on the listener above.
ui = true

Update slot no. and slot PIN according to your setup.

2. Create the environment file /etc/sysconfig/vault by copying /etc/profile.d/vault.sh into it.


# cp /etc/profile.d/vault.sh /etc/sysconfig/vault

  3. Create a /etc/systemd/system/vault.service file and add the following information to the file.


# vi /etc/systemd/system/vault.service

# /etc/systemd/system/vault.service — runs Vault as a non-root service with
# the HSM configuration above. Comments are review notes; directives are
# unchanged.
[Unit]

Description="HashiCorp Vault"

# Only start once the network is up (the listener binds 0.0.0.0:8200).
Requires=network-online.target

After=network-online.target

# Refuse to start if the configuration file is missing or empty.
ConditionFileNotEmpty=/etc/vault/config.hcl

[Service]

# Run unprivileged; config.hcl, the license file and /opt/vault/* must be
# readable (and the data/log paths writable) by this account.
User=vault

Group=vault

# NOTE(review): without a leading "-" a missing environment file makes the
# unit fail to start; the adjusted snippet later in this guide uses
# "EnvironmentFile=-/etc/sysconfig/vault", so pick one behaviour deliberately.
EnvironmentFile=/etc/sysconfig/vault

ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl

# NOTE(review): StandardOutput=/StandardError= take a target keyword
# (journal, file:PATH, append:PATH, ...) rather than a bare path; a bare path
# is expected to be rejected by systemd. "file:/opt/vault/logs/output.log"
# is the likely intent — confirm with `systemd-analyze verify`. Also make
# sure the "vault" user can write to /opt/vault/logs.
StandardOutput=/opt/vault/logs/output.log

StandardError=/opt/vault/logs/error.log

# Reload configuration on SIGHUP. NOTE(review): the signal is normally given
# without a leading dash ("--signal HUP"); confirm "-HUP" is accepted by the
# kill(1) on the target host.
ExecReload=/bin/kill --signal -HUP $MAINPID

# Only signal the main process on stop, not the whole control group.
KillMode=process

Restart=on-failure

RestartSec=5

TimeoutStopSec=30

# Give up after 3 failed starts within 60 s.
StartLimitInterval=60

StartLimitBurst=3

# Allow the unprivileged vault process to mlock memory (keeps key material
# out of swap). NOTE(review): config.hcl in this guide sets
# disable_mlock = true, so this capability is granted but currently unused.
AmbientCapabilities=CAP_IPC_LOCK

LimitNOFILE=65536

LimitMEMLOCK=infinity

[Install]

WantedBy=multi-user.target

If deploying on a server with more than two CPUs, you may add an Environment=GOMAXPROCS setting to the [Service] section (the unit above does not set one) and increase its value accordingly.

  4. If you are using paths different from the defaults, you must also edit the following lines in the unit file.


ConditionFileNotEmpty=/etc/vault/config.hcl

EnvironmentFile=-/etc/sysconfig/vault

ExecStart=/opt/vault/bin/vault server -config=/etc/vault/config.hcl

StandardOutput=/opt/vault/logs/output.log

StandardError=/opt/vault/logs/error.log