Configure SSL

After you initialize the Atalla HSM and create the MFK, you must install a certificate signed by a Certificate Authority (CA) and the root certificate of the CA on each Atalla HSM. The Appliance requires TLS 1.2 for communication with the Atalla HSM. See the “TLS Configuration” appendix of the Installation and Operations Guide for the Atalla HSM AT1000 for details about the files used in the following procedure.

If you are not in the same location as the AT1000 HSM, you can use the Remote Management Utility HSM File feature to move the files in this procedure between the Atalla HSM device and your Windows computer. See Chapter 8, “Remote Management Utility” in the Atalla Secure Configuration Assistant-3 User Guide. You can also use the Remote HSM Restart feature of the SCA-3 to restart the Atalla HSM. See the “Remote HSM Restart” section in Chapter 4 of the Atalla Secure Configuration Assistant-3 User Guide.

To configure SSL on Atalla HSM:

  1. Receive the serverreq.pem file from the certificates_server directory on the RMU Manage Files tab and move it to a location where it can be signed by your CA.

  2. Get the serverreq.pem file signed by your CA.

  3. Open the signed server certificate in a Certificate Viewer application and display the CN= value, located in the Subject field. Make note of this value for use when configuring SSL for the Atalla HSM Connector service.

  4. Send the signed server certificate to the file named servercert.pem in the certificates_server directory using the RMU. This requires confirmation from two or more Atalla security administrator cards.

  5. Send the root certificate or chain of certificates, obtained from your CA, to a file named trustedca.pem in the certificates_ca folder using the RMU. This requires confirmation from two or more Atalla security administrator cards.

The order of the certificates in a certificate chain is important. The certificate of the CA that signed the server certificate must be the first certificate in the file, followed by any intermediate certificates in descending order, each one followed by the certificate that issued it. The last certificate in the file is the root CA certificate.

This step assumes that you use the same CA to sign the server certificate and the certificate generated by the Appliance.

  6. Power cycle the Atalla HSM and wait 10 minutes for the system to start. The Atalla HSM system log will contain messages similar to the following:

2017 Aug 24 22:23:39	[notice] - [Host Listener] Successfully processed "config.prm" file
2017 Aug 24 22:23:39	[notice] - [Host Listener] Successfully copied "config.prm" as "last-known-good-config.prm"
2017 Aug 24 22:23:39	[notice] - [System] Synchronizing server time and date with ACS
2017 Aug 24 22:23:42	[notice] - [System] Server time adjustment complete
2017 Aug 24 22:23:42	[notice] - [Host Listener] ACS Configuration process completed successfully.
2017 Aug 24 22:23:52	[notice] - [Host Listener] Atalla HSM has started successfully.

These messages indicate that you are ready to configure the Appliance.
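The following script is an added example, not part of the Atalla documentation or the Appliance: it builds a throwaway three-tier test PKI (a constructed stand-in for your CA, with made-up names such as atalla-hsm.example.com), extracts the CN needed in step 3, and checks that a trustedca.pem file follows the ordering rule from step 5 (signing CA first, root last) before you send the files with the RMU. It assumes the openssl command-line tool is installed.

```shell
set -eu

# Subject or issuer of a PEM certificate as an RFC 2253 string, e.g. "CN=Test Root CA".
name_field() {   # $1 = certificate file, $2 = subject|issuer
    openssl x509 -in "$1" -noout -"$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Step 3: the CN= value the Atalla HSM Connector service must be configured with.
server_cn() {
    name_field "$1" subject | sed -n 's/^.*CN=\([^,]*\).*/\1/p'
}

# Step 5: cert 1 must be the CA that signed the server certificate, each cert's issuer
# must be the subject of the cert after it, and the last cert must be the self-signed root.
chain_in_order() {   # $1 = chain file (trustedca.pem), $2 = server certificate
    dir=$(mktemp -d); subj=""
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
    count=$(grep -c 'BEGIN CERTIFICATE' "$1")
    expect=$(name_field "$2" issuer)
    i=1
    while [ "$i" -le "$count" ]; do
        subj=$(name_field "$dir/$i.pem" subject)
        [ "$subj" = "$expect" ] || { echo "cert $i: subject '$subj', expected '$expect'"; return 1; }
        expect=$(name_field "$dir/$i.pem" issuer)
        i=$((i + 1))
    done
    [ "$subj" = "$expect" ] || { echo "last cert is not a self-signed root"; return 1; }
    openssl verify -CAfile "$1" "$2" > /dev/null   # order is right; now check the signatures
}

# Constructed stand-in for "your CA": root -> issuing CA -> HSM server certificate.
cd "$(mktemp -d)"
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root CA' \
    -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Issuing CA' \
    -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=atalla-hsm.example.com' \
    -keyout server.key -out serverreq.pem 2>/dev/null             # steps 1-2
openssl x509 -req -in serverreq.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out servercert.pem 2>/dev/null                        # step 4
cat ca.pem root.pem > trustedca.pem    # required order: issuing CA first, root last
cat root.pem ca.pem > reversed.pem     # wrong order, kept for comparison
echo "CN for the Connector service: $(server_cn servercert.pem)"
chain_in_order trustedca.pem servercert.pem && echo "trustedca.pem: order OK"
chain_in_order reversed.pem servercert.pem || echo "reversed.pem: rejected"
```

Note that `openssl verify` alone accepts the reversed file, because it does not care about order; only the explicit check above catches a chain the HSM would reject.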