The KMS configuration file '/etc/kms/config/cs_pkcs11_R3.cfg' needs to be updated.

| Attribute | Remark |
|---|---|
| Devices | HSM IP, e.g. 3001@127.0.0.1 |
| SlotId | Slot id number |
| UserPIN | PIN of the Crypto user |
| Primary_key | Label of the primary key |
| Secondary_key | Label of the secondary key |
| KMS_Plugin_log_level | Set KMS plugin log level |

Attribute list for KMS plugin

The attribute Devices is already present in the config file 'cs_pkcs11_R3.cfg'; only its HSM IP needs to be updated.

A sample of the PKCS#11 config file changes for using the KMS plugin is shown below. Add these lines to the config file 'cs_pkcs11_R3.cfg'.

```
# Cryptographic user authentication used for KMS plugin
# Slot id number
SlotId=0
# Pin of Crypto user
UserPIN=12345678
# Label of primary key
Primary_key=K8s_UTA_HSM_Key1
# Label of secondary key. If not available provide value as <none>
Secondary_key=<none>
# KMS plugin logs can be enabled (0 = NONE; 1 = ERROR; 2 = ERROR + INFO; 3 = ERROR + INFO + DEBUG)
KMS_Plugin_log_level=1
```

If PKCS#11 logging is enabled, change the log path as shown below: the value of the attribute 'Logpath' for Unix needs to be updated to '/tmp/k8s'.

```
# For Unix:
Logpath = /tmp/k8s
```
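
A pre-deployment check for the attributes listed above, as an added example that is not part of the original page or the vendor's tooling. It assumes the file uses plain `Key = value` lines with unique key names; the function names, the rule that the sample PIN must be replaced, and the owner-only permission check (the file holds UserPIN in plaintext) are assumptions of this example.

```python
import os
import stat

# Attributes the page lists for the KMS plugin.
REQUIRED = ("Devices", "SlotId", "UserPIN", "Primary_key",
            "Secondary_key", "KMS_Plugin_log_level")
SAMPLE_PIN = "12345678"              # PIN from the page's sample (assumed placeholder)
LOG_LEVELS = {"0", "1", "2", "3"}    # 0 = NONE ... 3 = ERROR + INFO + DEBUG

def parse_cfg(text):
    """Collect 'Key = value' pairs; '#' comments and lines without '=' are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def check_kms_cfg(text):
    """Return a list of problems found in the KMS plugin attributes."""
    cfg = parse_cfg(text)
    problems = [f"missing or empty: {k}" for k in REQUIRED if not cfg.get(k)]
    if cfg.get("SlotId") and not cfg["SlotId"].isdigit():
        problems.append("SlotId is not a number")
    if cfg.get("KMS_Plugin_log_level") and cfg["KMS_Plugin_log_level"] not in LOG_LEVELS:
        problems.append("KMS_Plugin_log_level is not 0-3")
    if cfg.get("UserPIN") == SAMPLE_PIN:
        problems.append("UserPIN is still the sample value")
    return problems

def accessible_beyond_owner(path):
    """True if group or others have any access to the file holding the plaintext PIN."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed sample input (not a real deployment file).
SAMPLE_CFG = """\
Devices = 3001@127.0.0.1
SlotId=0
UserPIN=12345678
Primary_key=K8s_UTA_HSM_Key1
Secondary_key=
KMS_Plugin_log_level=4
"""

if __name__ == "__main__":
    for problem in check_kms_cfg(SAMPLE_CFG):
        print("PROBLEM:", problem)
```

An empty Secondary_key is reported because the sample's comment asks for `<none>` when no secondary key is available.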