000029248 - How to specify the Safenet slot to use?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029248
Applies To: RSA Data Protection Manager
Issue: When using RSA DPM with a Safenet Hardware Security Module (HSM),
  • how to specify the Safenet slot to use?
  • can a High Availability (HA) slot be used?
Resolution: When using a Safenet HSM, the DPM configuration file (keyManagerServer.properties) will contain these two parameters:
  • provider.profile
  • provider.slot
If you have a Luna SA4, use
  • provider.profile=level1Sn
If you have a Luna SA5, use
  • provider.profile=level1Sn5
Then specify the slot number to use:
  • provider.slot=1
The Safenet command "vtl verify" shows all available slots. For example, if you have configured the Safenet client with two HSMs, that command will show two slots (1 and 2), each with its own slot "serial number". If HA is then configured using Safenet's commands (please refer to the Safenet documentation), "vtl verify" will still show only slot 1 and slot 2, because the "vtl verify" command only shows physical slots. You should then turn on HA, which will cause "vtl verify" to show only one slot (slot 1), but that slot's serial number will be that of the HA slot. You should use this virtual slot number in keyManagerServer.properties.
To view the HA slot, you can use the Safenet command "cmu list".
If HAOnly=1 is set in Chrystoki.conf, the API will present only one slot, which is the HA slot ("vtl verify" still shows 2 slots).
If HAOnly=0, the API will present all slots (1, 2 and 3) ("vtl verify" still shows 2 slots).
The ultimate recommendation is to set “provider.slot=1” and to have “HAOnly=1” at all times. 
  1. Configure Safenet HA: you will see all standard slots plus the virtual slot
  2. Turn on Safenet HA: standard slots will disappear, leaving only the virtual slot visible
  3. Use this slot number for "provider.slot" in keyManagerServer.properties
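
The recommended settings (a profile matching the Luna model, provider.slot=1 and HAOnly=1) can be checked mechanically before DPM is started. The Python check below is an added example, not RSA or Safenet code. It assumes keyManagerServer.properties uses plain key=value lines and that Chrystoki.conf carries the setting as "HAOnly = 1;" inside an HAConfiguration block; the sample file contents are constructed.

```python
import re

# Profiles named in this article: Luna SA4 -> level1Sn, Luna SA5 -> level1Sn5.
KNOWN_PROFILES = {"level1Sn", "level1Sn5"}

def parse_properties(text):
    """Parse key=value lines (assumed properties layout), skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def read_ha_only(chrystoki_text):
    """Return the HAOnly value as a string, or None when the key is absent."""
    match = re.search(r"^\s*HAOnly\s*=\s*(\d+)\s*;?\s*$", chrystoki_text, re.MULTILINE)
    return match.group(1) if match else None

def audit(properties_text, chrystoki_text):
    """Return a list of findings; an empty list means the recommendation is met."""
    findings = []
    props = parse_properties(properties_text)
    profile = props.get("provider.profile")
    if profile not in KNOWN_PROFILES:
        findings.append(f"provider.profile is {profile!r}, expected level1Sn or level1Sn5")
    if props.get("provider.slot") != "1":
        findings.append(f"provider.slot is {props.get('provider.slot')!r}, recommended value is 1")
    ha_only = read_ha_only(chrystoki_text)
    if ha_only is None:
        findings.append("HAOnly is not set in Chrystoki.conf")
    elif ha_only != "1":
        findings.append(f"HAOnly={ha_only}: the API presents all slots, not only the HA slot")
    return findings

# Constructed sample files (not taken from a real deployment).
SAMPLE_PROPERTIES = "# HSM provider\nprovider.profile=level1Sn5\nprovider.slot=2\n"
SAMPLE_CHRYSTOKI = "HAConfiguration = {\n   HAOnly = 0;\n}\n"  # assumed section layout
FIXED_PROPERTIES = "provider.profile=level1Sn5\nprovider.slot=1\n"
FIXED_CHRYSTOKI = "HAConfiguration = {\n   HAOnly = 1;\n}\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_CHRYSTOKI):
        print("FINDING:", finding)
    print("fixed config findings:", audit(FIXED_PROPERTIES, FIXED_CHRYSTOKI))
```

An empty findings list only confirms the two files agree with the recommendation; "vtl verify" and "cmu list" remain the way to confirm which slots the client actually sees.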