IBM Support

Frequently asked questions about HSM device with WebSphere DataPower

Technote (FAQ)


The following are questions and answers related to the Hardware Security Module (HSM) device if purchased with a 9235, 7198, or 7199 WebSphere DataPower Appliance. Questions that only apply to specific hardware platforms indicate this in parentheses.


Question: Can the HSM device store certificates?

Answer: No. The HSM device only stores private keys.

Question: Can I export private keys from the HSM device?
Answer: Yes. Private keys can be exported from the HSM device using the crypto-export command and imported into another HSM device using the crypto-import command as long as the hardware platforms are compatible. 9235 appliances with HSM are compatible with each other in terms of exported HSM keys. 7198 and 7199 appliances with HSM are compatible with each other in terms of exported HSM keys. HSM keys cannot be exported from a 9235 appliance and imported into a 7198/7199 appliance or vice-versa.

Question: Can I export HSM private keys from one domain and import them into another domain?
Answer: No. Once an HSM key generated, it has an immutable label attribute that determines its domain. Since this label cannot be changed the key cannot be moved to another domain.

Question: Is the HSM appliance slower?
Answer: The HSM appliance performance is comparable to the non-HSM appliance. It is completely identical in non-crypto areas, and the RSA and SSL performance is quite close; it will be identical in any real world scenario that mixes in some non-crypto processing.

Question: (9235 only) Why are crypto operations on my HSM running very slowly?
Answer: Make sure the Crypto Key object is inside the HSM (hsm://hsm1/alice) since this is the purpose of the HSM device. Using private keys outside the HSM device can greatly slow the appliance since such keys have to be imported into the HSM, used, then deleted from the HSM on each RSA operation. Existing private key files can be brought into the HSM using the crypto-import command to avoid this problem.

Question: (9235 only) How many PEDs do I need?
Answer: If you are only using the HSM in level 2 mode, then you do not need any PEDs. If you are using it in HSM level 3 mode, then you need at least one. One PED can be shared between any number of appliances (it is a matter of logistics to physically move it around between them though). Note that if you only have one PED and you have a mix of 9235 and pre-9235 HSM appliances, then you will need two different kinds of PED cables. Note that the 7198/7199 appliances never use a PED.

Question: How can I find the status of the HSM device?
Answer: There are two important CLI commands to know about when dealing with an HSM appliance: show crypto-engine and show hsm-keys.

The show crypto-engine command shows what kind of crypto hardware an appliance has (an HSM appliance will show hsm1 or hsm2) as well as which mode an HSM is running in (level 2 or level 3) and whether the HSM is healthy (or whether somebody forgot to do the PED login at boot time. This status provider is global to the entire appliance.

The show hsm-keys command shows all of the keys stored inside of the HSM. For each Crypto Key that resides in the HSM, you should see two rows in this status provider (one private and one public). If you want to delete keys from the HSM, the easiest way is to use this status provider in the WebGUI (it provides a delete button within the table). This status provider is per domain.

Question : (9235 only) What is the difference between Level 2 and Level 3 Mode?
Answer : In level 2 mode, no PED is required and the device can power on like any other DataPower device (without needing human interaction). To use level 3 mode (or even to use hsm-reinit to get out of level 3 mode) you need to use the PED. At boot time, you will need to insert the black PED key and type its PIN into the PED. Only then will the appliance boot with a functional HSM. If you skip this process, the appliance will eventually boot but the HSM will not be functional. It will behave like an uninitialized HSM until the appliance reboots and the PED procedure is done properly.

Question: How do you import keys and change the configuration to use the keys?
Answer: Create an imported object for each private key by choosing Administration > Crypto Tools > Import tab in the domain where the key is stored in the cert or sharedcert directory. When you import a private key, you must specify a new Object Name for the imported copy of that key. After importing the keys, update your configuration where keys are used to use the imported object name, rather than the name of the key stored on the file system. For example, drill into a processing policy where a key is used in a sign action, and down at the bottom where the key is specified in a pull-down menu, change the key reference to the imported key object name.

Cross reference information
Segment Product Component Platform Version Edition
Business Integration WebSphere DataPower B2B Appliance XB62 4.0.2, 5.0.0, 6.0.0 Edition Independent
Business Integration WebSphere DataPower Integration Appliance XI50 4.0.2, 4.0.1, 3.8.2, 5.0.0, 6.0.0 Edition Independent
Business Integration WebSphere DataPower Integration Appliance XI52 4.0.2, 5.0.0, 6.0.0 Edition Independent
Business Integration WebSphere DataPower Service Gateway XG45 4.0.2, 5.0.0, 6.0.0 Edition Independent
Business Integration WebSphere DataPower XML Security Gateway XS40 4.0.2, 4.0.1, 3.8.2, 5.0.0, 6.0.0 Edition Independent

Document information

More support for: IBM DataPower Gateways

Software version: 3.8.2, 4.0.1, 4.0.2, 5.0.0, 6.0.0

Operating system(s): Firmware

Software edition: Edition Independent

Reference #: 1412060

Modified date: 12 July 2012