Prerequisites

Before you begin, please ensure that you have:

  • Installed and set up the operating system listed in Tested Versions.

  • Installed and set up the HSM listed in Tested Versions.

  • Replaced the HSM default admin with a new admin user.

  • Created and stored the MBK on each HSM. Refer to the SecurityServer documentation to set up the MBK.

  • Set up and configured the SecurityServer. Refer to the SecurityServer documentation to set up the HSM.

  • Set up and configured the PKCS#11 library according to your environment. Refer to the SecurityServer documentation for instructions on setting up and configuring the PKCS#11 library.

  • Created the Security Officer (SO) user and Crypto user.

  • The HSM appliance is powered on and accessible on the network at a known IP address and port (default: 4001–4031).

  • A user account exists with sufficient privileges to log in and perform key operations. The username and PIN must be available.

  • An AES-256 Secret Key Object has been created on the Utimaco u.trust GP HSM and given a label (alias). This guide uses pam-master-key as the label throughout. Note this value; it is referenced in multiple configuration files.

  • The Utimaco vendor client package has been provided by Utimaco support. This package contains the libcs_pkcs11_R3.so shared library and the CryptoServerJCE.jar file.

On the Kron PAM server, the following conditions must be satisfied:

  • Administrative access to the server with sudo privilege is available.

  • All Kron PAM services are stopped. Applying configuration changes while services are running can result in file corruption or mid-operation failures during key migration.

  • Network connectivity from the Kron PAM server to the Utimaco u.trust GP HSM appliance has been verified (e.g., via telnet or nc to the HSM port).

  • Java is installed and accessible on the server (required to run the .jar tools).

Do not proceed until at least the Kron PAM Web UI service is stopped. Run 'systemctl stop pam-gui' (and stop any other Kron PAM service units) before executing any configuration steps below.
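The server-side conditions above can be checked before any configuration file is touched. The script below is an added example, not a Kron PAM or Utimaco tool; HSM_HOST and VENDOR_DIR are placeholder assumptions, and the only service unit it knows is pam-gui (add the other Kron PAM units to the call in preflight).

```shell
#!/bin/sh
# Pre-flight check for the Kron PAM / Utimaco HSM prerequisites (added example).
# Placeholders, not values from the guide: HSM_HOST, VENDOR_DIR.
HSM_HOST="${HSM_HOST:-hsm.example.internal}"
VENDOR_DIR="${VENDOR_DIR:-/opt/utimaco}"
HSM_PORT_FIRST=4001   # first port of the default 4001-4031 range

# Vendor package: both files named in the prerequisites must be present.
vendor_files_present() {
  dir="$1"
  for f in libcs_pkcs11_R3.so CryptoServerJCE.jar; do
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
  done
  return 0
}

# HSM reachability with nc (the tool the guide suggests); fails if nc is absent.
hsm_port_open() {
  host="$1"; port="$2"
  command -v nc >/dev/null 2>&1 || { echo "nc not installed" >&2; return 1; }
  nc -z -w 3 "$host" "$port" >/dev/null 2>&1
}

# Every listed unit must be inactive before configuration changes begin.
pam_services_stopped() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found" >&2; return 1; }
  rc=0
  for unit in "$@"; do
    if systemctl is-active --quiet "$unit"; then
      echo "still running: $unit (run: systemctl stop $unit)" >&2; rc=1
    fi
  done
  return $rc
}

# Java is needed for the .jar tools used later in the guide.
java_available() { command -v java >/dev/null 2>&1; }

# Runs all checks and reports every failure rather than stopping at the first.
preflight() {
  failed=0
  vendor_files_present "$VENDOR_DIR" || failed=1
  java_available || { echo "java not found on PATH" >&2; failed=1; }
  pam_services_stopped pam-gui || failed=1
  hsm_port_open "$HSM_HOST" "$HSM_PORT_FIRST" || { echo "HSM port unreachable" >&2; failed=1; }
  return $failed
}

if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then preflight; fi
```

Run it as `PREFLIGHT_RUN=1 HSM_HOST=<appliance address> VENDOR_DIR=<unpacked package dir> sh preflight.sh`; a non-zero exit means at least one prerequisite is not met.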