Managing HSM credentials

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials and then click Add.

2. In the Profile Name box, type a string used to identify the alias. This value is used as a property to some Digital Signatures operations, such as the Sign Signature Field operation.

3. In the PKCS11 Library box, type the fully qualified path of your HSM client library on the server. For example, c:\Program Files\LunaSA\cryptoki.dll. In a clustered environment, this path must be identical for all servers in the cluster.

4. Click Test HSM Connectivity. If LiveCycle is able to connect to the HSM device, a message displays, stating that the HSM is available. Click Next.

5. Use either the Token Name, Slot ID, or Slot List Index to identify where the credentials are stored on the HSM.

   • Token Name: Corresponds to the name of the HSM partition to be used (for example, HSMPART1).

   • Slot Id: The Slot ID is a slot identifier of type data type long.

   • Slot List Index: If you select Slot List Index, set the Slot Info to an integer that corresponds to the slot. This is a 0-based index, which means that if the client is registered with the HSMPART1 partition first, HSMPART1 will be referred to using SlotListIndex value 0.

6. In the Token Pin box, type the password required to access the HSM key and click Next.

7. In the Credentials box, select a credential. Click Save.

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials and then click Add.

2. In the Profile Name box, type a string used to identify the alias. This value is used as a property to some Digital Signatures operations, such as the Sign Signature Field operation.

3. In the PKCS11 Library box, type the fully qualified path of your HSM client library on the server. For example, c:\Program Files\LunaSA\cryptoki.dll. In a clustered environment, this path must be identical for all servers in the cluster.

4. Select the Offline Profile Creation check box. Click Next.

5. In the HSM Device list, select the manufacturer of the HSM device where the credential is stored.

6. In the Slot Type list, select Slot Id, Slot Index, or Token Name and specify a value in the Slot Info box. LiveCycle uses these settings to determine where the credentials are stored on the HSM.

   • Token Name: Corresponds to a partition name (for example, HSMPART1).

   • Slot Id: The Slot ID is an integer that corresponds to the slot, which in turn corresponds to a partition. For example, the client (LiveCycle server) registered with the HSMPART1 partition first. This maps slot 1 to the HSMPART1 partition, for this client. Because HSMPART1 is the first partition registered, the Slot ID is 1 and you would set Slot Info to 1.

     The slot ID is set on a client-by-client basis. If you registered a second machine to a different partition (for example, HSMPART2 on the same HSM device), then slot 1 would be associated with the HSMPART2 partition for that client.

   • Slot Index: If you select Slot Index, set the Slot Info to an integer that corresponds to the slot. This is a 0-based index, which means that if the client is registered with the HSMPART1 partition first, slot 1 is mapped to the HSMPART1 for this client. Because HSMPART1 is the first partition registered, the Slot Index is 0.

7. Select one of these options and provide the path:

   • Certificate: (Not required if using SHA1) Click Browse and locate the path to the public key for the credential you are using.

   • Certificate SHA1: (Not required if using a physical certificate) Type SHA1 value (thumbprint) of the public key (.cer) file for the credential you are using. Ensure that there are no spaces used in the SHA1 value.

8. In the Password box, type the password required to access the HSM key for the given slot information, and then click Save.

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials.

2. Click the alias name of the credential alias to view the properties and then click OK.

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials.

2. Click the check box next to credential that you want to check and click Check Status.

The Status column reflects the current status of the credential. In case of failure, a red X is displayed in the Status column. Hover your mouse over the X to display a tool tip containing the reason for the failure.

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials.

2. Click the alias name of the credential alias.

3. Click Update Credential and update the settings as required.

Reset the open connections to an HSM device after any disruption to the network session between the LiveCycle server and the HSM device. For example, disruptions can happen due to a network outage or the HSM device being taken offline for a software update. After a disruption, the existing connections are stale and any signing requests against those connections fail. Using the Reset All HSM Connections option clears the old connections.

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials.

2. Click Reset All HSM Connections.

1. In Administration Console, click Settings >Trust Store Management > HSM Credentials.

2. Select the check boxes for the HSM credentials you want to delete, click Delete, and then click OK.

LiveCycle uses a Web Services-based IPC/RPC mechanism. This mechanism enables LiveCycle to use an HSM installed on a remote computer. To use this functionality, install the web service on the remote computer where the HSM is installed. See Configuring HSM support for LiveCycle ES using Sun JDK on Windows 64-bit platformfor more information.

This mechanism does not support online creation of HSM profiles or status checks. However, there are two ways to create HSM profiles and perform status checks:

• Create a LiveCycle client credential by passing it the Signer’s Certificate. Follow the steps in Configuring HSM support for LiveCycle ES using Sun JDK on Windows 64-bit platform. The web service location is passed in as a Credential property. Offline HSM profiles create using either certificate der or certificate SHA-1 hex is also supported. However, if you have upgraded to LiveCycle from an earlier version of LiveCycle, make client changes because the credential carried certificate and web service information.

• Web Service location is specified in the Administration Console for the Signature service. (See Signature service settings.) Here, the client only carried the alias of the HSM profile in the trust store. You can use this option seamlessly without any client changes, even if you have upgraded to LiveCycle from an earlier version of LiveCycle. This option does not support HSM profiles using certificate SHA-1.