PKCS#11 HSM

Stream supports key management through PKCS#11 HSMs.

Stream has been qualified with the following HSMs, but it should work with any PKCS#11 HSM:

  • Entrust nShield Solo, Entrust nShield Connect, Entrust nShield as a Service

  • Atos Proteccio

  • Thales Luna (including DPoD), Thales Protect Server

  • Utimaco CryptoServer

To set up a PKCS#11 keystore:

1. Log in to the Stream Administration Interface.

2. Go to Keystores and keys and click the add_external_ca icon.

3. In Type, select PKCS#11. In Name, set the name you want to give to your keystore. Optionally, you can add a description to your keystore.

4. Enter the full path of your HSM's PKCS#11 library (ending in .so), then click the parse (add_existing_managed_ca) button. If the library was successfully loaded into Stream, you should see your HSM's information. If you get an HSM error, check the configuration of your HSM. Click "Next".

5. Select the HSM slot that you will be using on your HSM for this keystore and input its PIN code. Then click "Add".

If everything went well, your keystore appears in the keystores list with a green circle next to its name:

Figure: Stream keystores tab with PKCS11 keystore
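
A pre-flight check for steps 4 and 5, added here as an example and not part of the Stream documentation: it validates the library path, then uses OpenSC's pkcs11-tool to load the library, list the slots that hold a token and test the slot PIN. It assumes pkcs11-tool is installed on the Stream host; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the PKCS#11 library path entered in step 4.
# Assumes OpenSC's pkcs11-tool is installed. Run it as the OS user the Stream
# service runs as, since that is the account that has to load the library.

# Print why a path cannot be used as the library path; return 0 if it looks usable.
p11_path_check() {
    case "$1" in
        /*) ;;
        *) echo "not a full path: $1"; return 1 ;;
    esac
    case "$1" in
        *.so) ;;
        *) echo "does not end in .so: $1"; return 2 ;;
    esac
    [ -f "$1" ] || { echo "no such file: $1"; return 3; }
    [ -r "$1" ] || { echo "not readable by $(id -un): $1"; return 4; }
    return 0
}

# Load the library and print the module information, then list the slots
# that hold a token (the candidates for step 5).
p11_probe() {
    p11_path_check "$1" || return $?
    command -v pkcs11-tool >/dev/null 2>&1 || { echo "pkcs11-tool not found"; return 5; }
    pkcs11-tool --module "$1" --show-info || return 6
    pkcs11-tool --module "$1" --list-token-slots || return 6
}

# Check the slot PIN before typing it into Stream. pkcs11-tool prompts for the
# PIN, so it never lands in shell history or the process list (avoid --pin).
p11_login_check() {
    p11_path_check "$1" || return $?
    pkcs11-tool --module "$1" --slot "$2" --login --list-objects
}

# Usage: sh p11-preflight.sh /full/path/to/library.so [slot-id]
if [ "$#" -ge 1 ]; then
    p11_probe "$1" || exit $?
    if [ "$#" -ge 2 ]; then p11_login_check "$1" "$2" || exit $?; fi
fi
```

If the probe works for an administrator account but Stream still reports an HSM error, compare file permissions and the HSM client configuration visible to the service account.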