Forum Discussion

Sec-Enabled_658
Nov 21, 2014

Help with VIPRION vCMP and Thales HSM implementation

Has anyone been able to successfully implement a Thales HSM solution with vCMP guests on a VIPRION system?

2 Replies

  • R_Marc

    I haven't actually done it, but looking through the doco, it looks pretty similar to a standard NetHSM client configuration. I'm looking at https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-fips-thales-11-5-0/1.html

    I'd been meaning to test that out. The one thing that I would think could be an issue is they are installing to a non-standard location, so NFKM_LOCAL will need to be set somehow. Presumably they do that. Are you having an issue doing it?

  • R_Marc

    I was able to get it working. It didn't work quite the way I expected it would. It uses PKCS11 as the keystore format, but requires a pointer object (a la chil/embed). If you create a new key, it'll generate that key pointer in /config/ssl/ssl.key. If you need to import an existing PKCS11 key, you'll have to retarget that key to embed in order to generate the key pointer (there may be other ways to do that, but that's the way I know).

    The following doco filled in some gaps that the other one left out: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-fips-thales-11-5-0/2.html

    There are a lot of gaps still left after that, which need to be filled in by general nCipher knowledge.