From the Trust Store Management page, you can manage Hardware Security Module (HSM) credentials. An HSM is a third-party PKCS#11 device that securely generates and stores private keys. The HSM physically protects access to the private keys and controls their use, so signing operations are performed on the device rather than with a key copied to the server.
HSM client software is required to communicate with the HSM. Install and configure the HSM client software on the same computer as AEM forms (unless you use the web service mechanism for a remote HSM, described below).
AEM forms Digital Signatures can use credentials stored on an HSM to apply server-side digital signatures. Follow the instructions in this section to create an alias for each HSM credential that Digital Signatures will use. The alias contains all of the parameters required by the HSM.
After changing your HSM configuration, restart the AEM forms server.
Use the Token Name, the Slot ID, or the Slot List Index to identify where the credentials are stored on the HSM.
Token Name: The name of the HSM partition to use (for example, HSMPART1).
Slot Id: The slot identifier assigned by the HSM client software, a long integer (the PKCS#11 CK_SLOT_ID).
Slot List Index: If you select Slot List Index, set Slot Info to the integer position of the slot in the client's slot list. This index is 0-based: if the client was registered with the HSMPART1 partition first, HSMPART1 is referred to by Slot List Index 0.
In the Slot Type list, select Slot Id, Slot Index, or Token Name and specify the matching value in the Slot Info box. AEM forms uses these settings to determine where the credentials are stored on the HSM.
Token Name: The partition name (for example, HSMPART1).
Slot Id: An integer assigned by the HSM client software to a slot, which in turn corresponds to a partition. For example, suppose the client (the forms server) registered with the HSMPART1 partition first, and the client software numbers slots starting at 1. Slot 1 is then mapped to HSMPART1 for this client, so the Slot ID is 1 and you would set Slot Info to 1.
The slot ID is assigned on a client-by-client basis. If you registered a second machine to a different partition (for example, HSMPART2 on the same HSM device), slot 1 would be associated with the HSMPART2 partition for that client.
Slot Index: If you select Slot Index, set Slot Info to the position of the slot in the client's slot list. This index is 0-based, so in the example above, where HSMPART1 is the first partition registered and has Slot ID 1, its Slot Index is 0 and you would set Slot Info to 0. Do not confuse the two: the Slot ID is whatever the client software assigned, while the Slot Index is always the 0-based position in the list.
Certificate: (Not required if you supply a Certificate SHA1) Click Browse and locate the public key certificate (.cer file) for the credential you are using.
Certificate SHA1: (Not required if you supply a certificate file) Type the SHA1 thumbprint of the public key certificate (.cer) file for the credential you are using, as 40 hexadecimal digits. Ensure that the value contains no spaces or other separators; certificate viewers often display the thumbprint with spaces or colons between byte pairs, and those must be removed.
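The following Python script is an added example, not Adobe code and not part of this page. It shows how the three slot selectors differ (Token Name, Slot Id, and the 0-based Slot Index, against a constructed slot table standing in for what the PKCS#11 client library would report) and how to produce the Certificate SHA1 value in the exact form the Slot Info box expects. The slot table, the placeholder DER bytes and the PEM wrapper are all constructed for the example; a real deployment would read the slot list from the HSM client and the DER from the actual .cer file.

```python
"""Added example: resolving an HSM slot selector and computing the
Certificate SHA1 thumbprint for an AEM forms HSM credential.
Not Adobe code; slot table and certificate bytes are constructed stand-ins.
"""
import base64
import hashlib
import re

# Constructed slot table in C_GetSlotList order: (slot_id, token_label).
# Slot IDs here start at 1, as in the example in the text; the slot list
# index is always the 0-based position in this list, whatever the IDs are.
SLOTS = [
    (1, "HSMPART1"),
    (2, "HSMPART2"),
]


def resolve_slot(slot_type, slot_info, slots=SLOTS):
    """Return (slot_id, token_label) for a Slot Type / Slot Info pair.

    slot_type is one of "Token Name", "Slot Id" or "Slot Index", matching
    the Slot Type list on the Trust Store Management page.
    """
    if slot_type == "Token Name":
        for slot_id, label in slots:
            if label == slot_info:
                return slot_id, label
        raise LookupError(f"no token labelled {slot_info!r}")
    if slot_type == "Slot Id":
        wanted = int(slot_info)
        for slot_id, label in slots:
            if slot_id == wanted:
                return slot_id, label
        raise LookupError(f"no slot with id {wanted}")
    if slot_type == "Slot Index":
        idx = int(slot_info)
        if idx < 0 or idx >= len(slots):
            raise LookupError(f"slot index {idx} out of range 0..{len(slots) - 1}")
        return slots[idx]
    raise ValueError(f"unknown slot type {slot_type!r}")


# Placeholder "certificate": a tiny DER SEQUENCE, not a real X.509 cert.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
PLACEHOLDER_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(PLACEHOLDER_DER)
                   + b"-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(data):
    """Accept the bytes of a .cer file in DER or PEM form and return DER.

    The thumbprint must be taken over the DER encoding, so PEM input is
    unwrapped first.
    """
    match = _PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if not data.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("input is neither a DER nor a PEM certificate")
    return data


def thumbprint(der):
    """SHA-1 of the DER bytes as 40 upper-case hex digits with no separators,
    the form the Certificate SHA1 box expects."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(text):
    """Turn a thumbprint pasted from a certificate viewer ("ab 12 ..." or
    "AB:12:...") into the space-free 40-digit form, rejecting anything else."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("a SHA-1 thumbprint must be exactly 40 hex digits")
    return cleaned


if __name__ == "__main__":
    # Same partition reached three ways; note Slot Id 1 versus Slot Index 0.
    for slot_type, slot_info in (("Token Name", "HSMPART1"),
                                 ("Slot Id", "1"),
                                 ("Slot Index", "0")):
        print(slot_type, slot_info, "->", resolve_slot(slot_type, slot_info))
    der = certificate_der(PLACEHOLDER_PEM)
    print("Certificate SHA1 for Slot Info:", thumbprint(der))
    print(normalize_thumbprint("da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09"))
```

Run the script as-is to see the same partition resolved by all three selectors, and substitute the bytes of your real .cer file for `PLACEHOLDER_DER` to obtain the value to paste into the Certificate SHA1 box. The thumbprint is only an identifier for the certificate that pairs with the private key on the partition; the key itself never leaves the HSM.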
The Status column reflects the current status of the credential. In case of failure, a red X is displayed in the Status column. Hover your mouse over the X to display a tool tip containing the reason for the failure.
Reset the open connections to an HSM device after any disruption to the network session between the forms server and the HSM device. For example, disruptions can happen due to a network outage or the HSM device being taken offline for a software update. After a disruption, the existing connections are stale and any signing requests against those connections fail. Using the Reset All HSM Connections option clears the old connections.
AEM forms uses a Web Services-based IPC/RPC mechanism that enables AEM forms to use an HSM installed on a remote computer. To use this functionality, install the web service on the remote computer where the HSM is installed. See Configuring HSM support for AEM forms ES using Sun JDK on Windows 64-bit platform for more information.
This mechanism does not support online creation of HSM profiles or online status checks. There are two ways to create HSM profiles and perform status checks:
Create an AEM forms client credential by passing it the signer's certificate, following the steps in Configuring HSM support for AEM forms ES using Sun JDK on Windows 64-bit platform. The web service location is passed in as a credential property. Creating offline HSM profiles using either the certificate DER or the certificate SHA-1 hex value is also supported. However, if you have upgraded to AEM forms from an earlier version of AEM forms, client changes are required, because the credential carries the certificate and web service information.
Specify the web service location in the administration console for the Signature service. (See Signature service settings.) With this option, the client carries only the alias of the HSM profile in the trust store, so you can use it without any client changes, even if you have upgraded to AEM forms from an earlier version of AEM forms. This option does not support HSM profiles created using the certificate SHA-1 value.