Trust management
Trust management is required whenever secure data or keys are transferred from one HSM to another by token replication. Environments using Work Load Distribution (WLD) and High Availability (HA) are one example. Refer to Work Load Distribution and High Availability for details.
When a WLD system is configured, tokens must be replicated across all the HSM User slots associated with a common WLD virtual slot. It is essential that a token is deemed trustworthy before the HSM imports it: the token must come from a trustworthy source (origin authentication) and must remain unaltered during transmission (integrity). Both properties rest on the trust relationships described below.
An HSM trusts another HSM when it holds the other's valid ProtectServer Identity Certificate (PIC) in its trust store. The figure Simple trust relationships shows an example of a system where simple trust relationships have been established between HSMs. Refer to ProtectServer owner and identity certificates for more information about PICs.
The arrows indicate the trust relationship. In this system, HSM A trusts HSM B. That is, HSM A holds the PIC of HSM B in its administrative token. However, HSM B does not trust HSM A. HSM B and HSM C share a relationship of mutual trust. In this system, token replication could only be performed between HSM B and HSM C (with either device originating the tokens), as token replication requires a relationship of mutual trust.
Figure: Simple trust relationships
The figure Relationships of mutual trust shows a system where every HSM shares a relationship of mutual trust with every other HSM. In this scenario, token replication can be performed from any HSM to any other HSM on the system.
Figure: Relationships of mutual trust
Typically, when token replication is performed in a WLD configuration, an HSM is selected to hold the master tokens and tokens are then replicated to the other HSMs.
The figure Trust relationships in a typical WLD or HA configuration illustrates a system in a typical WLD configuration. In this system, HSM A has been selected to hold the master tokens.
The arrows indicate the relationships of mutual trust between HSM A and the other HSMs that are necessary for token replication to be performed. The figure also illustrates that it is not necessary to establish trust among the HSMs that the tokens are replicated to, in other words, no trust need be established among HSM B, HSM C, HSM D and HSM E.
Figure: Trust relationships in a typical WLD or HA configuration
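The two rules stated above (an HSM trusts a peer only while it holds that peer's valid PIC, and replication needs trust in both directions) are easy to get wrong when reading a topology diagram. The following is an added example, not code from the ProtectServer documentation or the ctident utility: it models each HSM's trust store as a set of peer PICs and then answers, for the simple topology and the star WLD topology shown in the figures, which pairs may replicate and whether the selected master has the mutual trust it needs with every member. The PIC fields, the fixed certificate lifetime and the function names are assumptions for illustration; the expiry check stands in for whatever validity checks the real HSM applies to a PIC.

```python
"""Trust-graph model for HSM token replication (added example, not ProtectServer code).

An HSM trusts a peer when its administrative token holds the peer's valid PIC.
Token replication between two HSMs requires mutual trust. Names, PIC fields and
the one-year validity period below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from itertools import combinations


@dataclass(frozen=True)
class PIC:
    """Stand-in for a ProtectServer Identity Certificate (constructed fields)."""
    subject: str            # name of the HSM this certificate identifies
    not_after: datetime     # expiry; an expired PIC must not confer trust

    def is_valid(self, now: datetime) -> bool:
        return now <= self.not_after


@dataclass
class HSM:
    name: str
    pic: PIC                                        # this HSM's own identity certificate
    trust_store: set = field(default_factory=set)   # peer PICs held in the admin token

    def trusts(self, peer: "HSM", now: datetime) -> bool:
        """True when this HSM holds peer's PIC and that PIC is still valid."""
        return any(p.subject == peer.name and p.is_valid(now) for p in self.trust_store)


def new_hsm(name: str, now: datetime, lifetime_days: int = 365) -> HSM:
    return HSM(name, PIC(name, now + timedelta(days=lifetime_days)))


def establish_trust(truster: HSM, trusted: HSM) -> None:
    """One-directional: import trusted's PIC into truster's trust store."""
    truster.trust_store.add(trusted.pic)


def establish_mutual_trust(a: HSM, b: HSM) -> None:
    establish_trust(a, b)
    establish_trust(b, a)


def mutual_trust(a: HSM, b: HSM, now: datetime) -> bool:
    return a.trusts(b, now) and b.trusts(a, now)


def replication_pairs(hsms, now: datetime) -> set:
    """Unordered pairs between which token replication is permitted."""
    return {frozenset((a.name, b.name))
            for a, b in combinations(hsms, 2) if mutual_trust(a, b, now)}


def wld_gaps(master: HSM, members, now: datetime) -> list:
    """Members the master cannot replicate tokens to (mutual trust missing)."""
    return sorted(m.name for m in members if not mutual_trust(master, m, now))


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=400)   # past the constructed PIC lifetime


def simple_topology(now: datetime = NOW) -> dict:
    """Figure 'Simple trust relationships': A trusts B; B and C trust each other."""
    a, b, c = (new_hsm(n, now) for n in "ABC")
    establish_trust(a, b)
    establish_mutual_trust(b, c)
    return {"A": a, "B": b, "C": c}


def star_topology(now: datetime = NOW) -> dict:
    """Figure 'Trust relationships in a typical WLD or HA configuration':
    master A has mutual trust with B..E; B..E hold no PICs for each other."""
    hsms = {n: new_hsm(n, now) for n in "ABCDE"}
    for n in "BCDE":
        establish_mutual_trust(hsms["A"], hsms[n])
    return hsms


if __name__ == "__main__":
    s = simple_topology()
    print(sorted(tuple(sorted(p)) for p in replication_pairs(s.values(), NOW)))   # [('B', 'C')]
    w = star_topology()
    print(wld_gaps(w["A"], [w[n] for n in "BCDE"], NOW))                          # []
    # A still holds B's PIC, but once it has expired it no longer confers trust.
    print(s["A"].trusts(s["B"], LATER))                                           # False
```

Running the script reproduces the statements in the text: in the simple topology only B and C can replicate (A's one-way trust of B is not enough), and in the star topology every member can receive tokens from A while no two members can replicate with each other. The expiry case is the practical caveat: a PIC that is present in the trust store but no longer valid yields an HSM that is not trusted, so replication checks should be re-run when certificates are renewed.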
Complex trust topologies can be configured depending upon system and administrative requirements. The figure Complex trust topology illustrates an example of a complex trust topology.
Figure: Complex trust topology
The ctident utility provides the mechanism for establishing, maintaining and removing trust relationships on HSMs. See ProtectServer owner and identity certificates for the procedure to create the required certificates and establish trust between HSMs.