The HSM Master Key Persistence Tool (hsm-masterkey-registration.jar) serves two purposes: it validates that Kron PAM can connect to the HSM and locate the named key, and it encrypts the HSM slot PIN before writing it into security.properties. The slot PIN is therefore stored only in encrypted form in security.properties and never in plaintext anywhere on the filesystem.
Run the tool as root on the Kron PAM server, pointing it at the security.properties file edited in the previous step:
[pamuser@KronPAM_Instance]# java -jar hsm-masterkey-registration.jar /pam/kron/security/security.properties
The tool presents an interactive menu. Select option 2-) Update passwords and enter the HSM keystore PIN when prompted. Both the load password and entry password prompts typically require the same slot PIN. A successful session looks like this:
=== HSM Master Key Persistence Tool ===
HSM properties will be loaded from /pam/kron/security/security.properties
Menu:
1-) Save/update master key
2-) Update passwords
0-) Exit
Choose an option: 2
Enter HSM keystore load password: [enter slot PIN]
Enter HSM keystore entry password: [enter slot PIN]
HSM key successfully found with alias pam-master-key
Some parameters updated, overwrite? [y]/n: y
security.properties file updated successfully.
Choose an option: 0
The line “HSM key successfully found with alias pam-master-key” is the critical confirmation. It means the tool was able to connect to the HSM over the network, authenticate with the provided PIN, and locate the key object identified by the alias in security.properties. If this message does not appear, the most likely causes are an incorrect PIN, a wrong alias, a network connectivity problem, or an incorrect Device address in cs_pkcs11_R3.cfg. A connectivity or Device-address problem fails before the PIN is ever checked, so confirm that the HSM is reachable first. Check /var/log/utimaco/ for detailed error output.
After the tool exits, security.properties contains encrypted representations of the passwords. These are specific to the current server and key configuration: do not copy security.properties to another server as-is; run the tool on that server instead.
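The checks a practitioner wants around the procedure above (before running the tool: is the HSM address in cs_pkcs11_R3.cfg reachable; after it exits: does security.properties really hold no plaintext PIN, and is the file locked down) are not part of the tool itself. The script below is an added example, not Kron PAM or Utimaco code. It assumes the Utimaco network-device syntax Device = <port>@<host> in cs_pkcs11_R3.cfg, a GNU/Linux host (stat -c, timeout, and a bash binary for /dev/tcp), and default paths for the two files that can be overridden through the CFG and PROPS environment variables; the property key names in security.properties are not assumed, only that the PIN must not appear verbatim.

```shell
#!/bin/sh
# Added example (not part of the Kron PAM tooling): pre-flight and post-run
# checks around hsm-masterkey-registration.jar.
# Assumptions (not taken from the page): cs_pkcs11_R3.cfg carries a line
# "Device = <port>@<host>" (Utimaco LAN-device syntax); the HSM accepts plain
# TCP on that port; GNU stat/timeout and a bash binary are installed.
# Usage:  sh hsm-checks.sh preflight     (run before the tool)
#         sh hsm-checks.sh postcheck     (run after the tool has written the file)
set -u

CFG="${CFG:-/etc/utimaco/cs_pkcs11_R3.cfg}"               # assumed default location
PROPS="${PROPS:-/pam/kron/security/security.properties}"  # path used on the page

# Print "<host> <port>" taken from the first "Device = <port>@<host>" line of a
# cs_pkcs11_R3.cfg file; print nothing for a PCIe device such as /dev/cs2.
parse_device() {
    sed -n -E 's/^[[:space:]]*Device[[:space:]]*=[[:space:]]*([0-9]+)@([^[:space:]]+).*$/\2 \1/p' "$1" | head -n 1
}

# Succeed if a TCP connection to host:port opens within 5 s (bash /dev/tcp).
tcp_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Succeed if the secret does NOT occur verbatim in the file. After the tool has
# run, the PIN must only be present in its encrypted representation.
no_plaintext_secret() {
    ! grep -qF -- "$2" "$1"
}

# Succeed if the file is neither group- nor world-accessible (mode & 077 == 0).
perms_restricted() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$((0$mode & 0077))" -eq 0 ]
}

main() {
    case "${1:-}" in
        preflight)
            dev=$(parse_device "$CFG")
            [ -n "$dev" ] || { echo "no network Device line in $CFG" >&2; return 1; }
            host=${dev% *}; port=${dev#* }
            if tcp_reachable "$host" "$port"; then
                echo "HSM $host:$port is reachable"
            else
                echo "HSM $host:$port is NOT reachable; check Device in $CFG and the network" >&2
                return 1
            fi
            ;;
        postcheck)
            # Read the PIN without echo; it is used only for the plaintext search.
            printf 'Slot PIN (used only to confirm it is not stored in plaintext): '
            stty -echo; read -r pin; stty echo; echo
            if no_plaintext_secret "$PROPS" "$pin"; then
                echo "PIN does not appear in plaintext in $PROPS"
            else
                echo "PIN FOUND IN PLAINTEXT in $PROPS; re-run the tool, option 2" >&2
                return 1
            fi
            if perms_restricted "$PROPS"; then
                echo "permissions on $PROPS are restricted"
            else
                echo "permissions on $PROPS are too open; use chmod 600" >&2
                return 1
            fi
            ;;
        *)
            echo "usage: $0 preflight|postcheck" >&2
            return 2
            ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The preflight step separates "cannot reach the HSM" from "reached it but the PIN or alias is wrong", which is the first thing to establish when the success line from the tool is missing. The postcheck reads the PIN only to grep for it and never writes it anywhere.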