Configuration options
Registry configuration
Entries made in the Windows registry during the installation of ProtectToolkit-M are documented in Registry configuration. These can be amended by expert users if required. Generally, the default values will not need to be changed. The exceptions are the Debug Level and User Keyset Password entries used to control error log file creation and silent user keyset login respectively. See the sections below for further information.
Error log file creation
The Debug Level registry key controls error log file creation. By default, the value of this key is set so that no error log file is produced. Should it be necessary to create an error log file, see debugLevel for more options.
Silent user keyset login
While access to the Machine and System keysets is open, access to a User keyset requires authentication.
Typically, User keyset access authentication is achieved by prompting the user for a password when access is requested. This is not convenient or permissible in all situations, so silent user keyset login is also available.
To activate silent user keyset login
Add the following value to the Windows registry:
HKEY_CURRENT_USER\Software\Safenet\ProtectToolkit M\
UserKeysetPassword=<password>
where <password> is the clear text password for the User keyset.
Since this value is located in the current user's registry hive (which is only accessible or visible once that user has authenticated to the Windows operating system), there is no security risk, even though the password is stored in the clear.
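The following PowerShell script is an added example, not part of the ProtectToolkit-M documentation. It writes the UserKeysetPassword value at the registry path given above, reads it back to confirm the write, and then lists the access rules on the key so the operator can confirm that only the expected accounts can read the clear-text value. The script takes the password as a parameter rather than embedding it, and assumes it is run as the Windows user whose User keyset should be opened silently.

```powershell
# Added example (not from the ProtectToolkit-M documentation): enable silent
# User keyset login and show who holds access rights on the key that stores
# the clear-text password.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeysetPassword
)

# Registry path documented for silent login (HKCU hive of the current user).
$keyPath = 'HKCU:\Software\Safenet\ProtectToolkit M'

# Create the key if it does not exist yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Write the value as a REG_SZ string.
Set-ItemProperty -Path $keyPath -Name 'UserKeysetPassword' -Value $KeysetPassword -Type String

# Read it back to confirm the write succeeded, without echoing the password.
$stored = (Get-ItemProperty -Path $keyPath -Name 'UserKeysetPassword').UserKeysetPassword
if ($stored -ne $KeysetPassword) {
    throw "UserKeysetPassword was not written to $keyPath"
}
Write-Output "UserKeysetPassword set under $keyPath (length $($stored.Length) characters)"

# The documented reasoning is that the HKCU hive is reachable only by the
# authenticated user. Listing the key's access rules lets the operator check
# that no additional principals have been granted read access to it.
Write-Output "Access rules on ${keyPath}:"
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Save the script as a .ps1 file and run it as the target user; the ACL listing at the end is the part worth reviewing, since any identity other than the user, SYSTEM and the local Administrators group would widen who can read the stored password.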
Using ProtectToolkit-M with the Secure Messaging System enabled
If the Secure Messaging System (SMS) is enabled, ensure that the Cryptography API: Next Generation (CNG) service can locate the ProtectServer Identity Certificates (PICs) of the ProtectServer 3 HSMs that the client intends to communicate with over SMS. Do this in one of the following ways:
- If you have not created PICs for the HSMs yet, set the ET_PTKC_GENERAL_CERT_STORE configuration item at the system level. Setting it at the system level allows all users in the system, including CNG, to use the same trust store folder and locate the PICs of the HSMs after they are created. For more information about setting configuration items and ET_PTKC_GENERAL_CERT_STORE specifically, refer to Configuration items overview and ET_PTKC_GENERAL_CERT_STORE, respectively.
- If you already created PICs for HSMs and did not set the ET_PTKC_GENERAL_CERT_STORE configuration item at the system level, copy the folder containing the PICs of the HSMs (%USERPROFILE%\.ptk by default) to the C:\Windows\System32\config\systemprofile directory. Copying this folder allows CNG to locate the PICs of the HSMs.
After the client system is configured to allow CNG to locate the PICs, the client can communicate with the HSMs over SMS.
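The PowerShell script below is an added example, not part of the ProtectToolkit-M documentation. It carries out the second option above: it copies the default PIC folder (%USERPROFILE%\.ptk) into the LocalSystem profile directory named above and then verifies the copy file by file with SHA-256 hashes, so that a partial or stale copy is reported rather than silently leaving CNG without some of the certificates. The source and destination paths are the defaults given on this page; adjust them if your installation uses others.

```powershell
# Added example (not from the ProtectToolkit-M documentation): copy the PIC
# trust store into the LocalSystem profile so CNG can find it, then verify
# the copy. Run from an elevated session, since the destination is under
# System32.
$source      = Join-Path -Path $env:USERPROFILE -ChildPath '.ptk'
$destination = Join-Path -Path $env:SystemRoot -ChildPath 'System32\config\systemprofile\.ptk'

if (-not (Test-Path -Path $source -PathType Container)) {
    throw "PIC folder not found at $source; create the PICs first or adjust the path"
}

# Create the destination folder first and copy the folder contents into it.
# (Copying the folder itself into an existing destination would nest it one
# level deeper than CNG expects.)
New-Item -Path $destination -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path -Path $source -ChildPath '*') -Destination $destination -Recurse -Force

# Compare every source file against its counterpart in the destination.
$mismatches = @()
foreach ($file in Get-ChildItem -Path $source -Recurse -File) {
    $relative = $file.FullName.Substring($source.Length).TrimStart('\')
    $target   = Join-Path -Path $destination -ChildPath $relative
    if (-not (Test-Path -Path $target -PathType Leaf)) {
        $mismatches += "$relative (missing in destination)"
        continue
    }
    $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        $mismatches += "$relative (hash differs)"
    }
}

if ($mismatches.Count -gt 0) {
    $mismatches | ForEach-Object { Write-Warning $_ }
    throw "PIC copy to $destination is incomplete"
}
$copied = (Get-ChildItem -Path $destination -Recurse -File).Count
Write-Output "PICs copied to $destination and verified ($copied files)"
```

Re-run the script whenever a PIC is regenerated, since CNG will otherwise keep using the older copy in the systemprofile folder; the hash comparison will flag any file that has changed in the user's folder but not yet in the copy.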
Work Load Distribution
If required, more than one hardware security module (HSM) can be used in a Work Load Distribution (WLD) configuration.
WLD allows work to be balanced across a system by transferring units of work among HSM processing modules during execution, reducing the demand on any particular processing module. This produces an increase in the system's overall throughput of processing tasks. Using multiple HSMs in this way also provides redundancy. If an HSM goes down, the work will automatically be shared amongst the remaining operational HSMs.
For further information, including implementation and maintenance instructions, refer to Work Load Distribution.