Configuration File Reference v3.2.0

Example Configuration File

hsms:
  - primary_slot:
      # Slot index as seen from the reseed client
      index: 0
      password: Password
      login_type: cu
    partitions_to_seed:
      - index: 1
        password_label: pass_obj_0

service:
  seed_amount: 48 # Bytes
  seed_period: 10 # Seconds
  service_id: service1
  p11_lib: /usr/safenet/lunaclient/lib/libCryptoki2_64.so

logging:
  level: info

qo:
  wsr:
    type: rdseed
  cache:
    type: multithreaded-caching
    size: 8192
    prefill: 4096
    refill_at: 1024
  license: >
    <license>

HSM Configuration

hsms is an array containing one entry per HSM, each with the following members:

  • One of the following:
    • primary_slot::index - Index, as seen from the client running the reseed service, of the primary slot.

    • primary_slot::id - ID, as seen from the client running the reseed service, of the primary slot.

    • primary_slot::token_label - Label of the token in the primary slot.

  • primary_slot::password - Password for the primary slot.

  • primary_slot::login_type - (Optional) Login type to use for the primary slot. ‘co’ for Crypto Officer (write-access) or ‘cu’ for Crypto User (read-only). It is recommended that the read-only login be used if possible, to avoid unnecessarily exposing write access to the partition. Default: ‘cu’ (Crypto User, read-only). If not using a Functionality Module then this must be ‘co’.

  • partitions_to_seed - An array of partitions which should be seeded, each containing the following members:
    • One of the following:
      • index - Slot index, as seen from the HSM itself, of the partition to be seeded.

      • id - Slot ID, as seen from the client running the reseed service, of the partition to be seeded.

      • token_label - Label of the token in the slot to be seeded.

    • One of the following specifying the password for the slot, which must be the Crypto User (CU) password if using a Functionality Module, or the Crypto Officer (CO) password if not:
      • password_label - Label of the object, stored under the primary slot, containing the password for the slot to be seeded.

      • password - Plaintext password for the slot to be seeded (not supported if seeding using Functionality Module).

      • encrypted_password - Encrypted password for the slot to be seeded (not supported if seeding using Functionality Module).

Each slot configuration must identify its slot in exactly one way (slot index, slot ID, or token label); specifying more than one of these is not allowed.

Service Configuration

  • service::seed_amount - The amount of entropy with which each slot of the HSM should be periodically reseeded. Must be <=1024 bytes.

  • service::seed_period - How often, in seconds, the HSM should be reseeded. Must be >=10 seconds.

  • service::p11_lib - Path to the PKCS#11 library to be used to access the HSM. Defaults to the standard Luna HSM library at /usr/safenet/lunaclient/lib/libCryptoki2_64.so.
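The constraints listed under HSM Configuration and Service Configuration are easy to get wrong by hand (two slot identifiers on one partition, a plaintext password where a Functionality Module requires a password object, a seed period below the minimum). The following validator is an added example written for this reference; it is not part of the reseed service and does not reproduce its own validation code. It checks a configuration that has already been parsed into a Python dict (in practice the result of yaml.safe_load on the file above) and reports each violation of the documented rules, plus hygiene warnings for write-access logins and plaintext partition passwords. The using_fm flag is an assumption of the example: whether the deployment uses a Functionality Module is not a key in the configuration file, so the caller must state it.

```python
"""Validate a reseed-service configuration dict against the documented rules."""

# Constructed sample mirroring the example configuration file above; in a real
# deployment this dict would come from yaml.safe_load() on the config file.
EXAMPLE_CONFIG = {
    "hsms": [{
        "primary_slot": {"index": 0, "password": "Password", "login_type": "cu"},
        "partitions_to_seed": [{"index": 1, "password_label": "pass_obj_0"}],
    }],
    "service": {
        "seed_amount": 48, "seed_period": 10, "service_id": "service1",
        "p11_lib": "/usr/safenet/lunaclient/lib/libCryptoki2_64.so",
    },
    "logging": {"level": "info"},
}

# Constructed counter-example that breaks several documented rules at once.
BAD_CONFIG = {
    "hsms": [{
        # Two slot identifiers, and an unknown login type.
        "primary_slot": {"index": 0, "token_label": "part0",
                         "password": "Password", "login_type": "admin"},
        # Plaintext partition password (not allowed with a Functionality Module).
        "partitions_to_seed": [{"index": 1, "password": "secret"}],
    }],
    "service": {"seed_amount": 4096, "seed_period": 5},
}

SLOT_IDENTIFIERS = ("index", "id", "token_label")
PARTITION_PASSWORD_KEYS = ("password_label", "password", "encrypted_password")
MAX_SEED_AMOUNT = 1024   # bytes, from service::seed_amount
MIN_SEED_PERIOD = 10     # seconds, from service::seed_period


def _present(mapping, keys):
    """Return the subset of `keys` that appear in `mapping`, in documented order."""
    return [k for k in keys if k in mapping]


def validate_config(config, using_fm=True):
    """Return a list of rule violations; an empty list means the config is valid.

    `using_fm` (an assumption of this example, not a config key) says whether
    seeding goes through a Functionality Module, which changes the password and
    login_type rules described in the reference.
    """
    problems = []
    hsms = config.get("hsms")
    if not isinstance(hsms, list) or not hsms:
        problems.append("hsms: must be a non-empty array")
        hsms = []

    for i, hsm in enumerate(hsms):
        prefix = f"hsms[{i}]"
        primary = hsm.get("primary_slot", {})
        ids = _present(primary, SLOT_IDENTIFIERS)
        if len(ids) != 1:
            problems.append(f"{prefix}.primary_slot: exactly one of {SLOT_IDENTIFIERS} required, got {ids}")
        if "password" not in primary:
            problems.append(f"{prefix}.primary_slot: password is required")
        login_type = primary.get("login_type", "cu")  # documented default
        if login_type not in ("co", "cu"):
            problems.append(f"{prefix}.primary_slot.login_type: must be 'co' or 'cu', got {login_type!r}")
        if not using_fm and login_type != "co":
            problems.append(f"{prefix}.primary_slot.login_type: must be 'co' without a Functionality Module")

        partitions = hsm.get("partitions_to_seed")
        if not isinstance(partitions, list) or not partitions:
            problems.append(f"{prefix}.partitions_to_seed: must be a non-empty array")
            continue
        for j, part in enumerate(partitions):
            pprefix = f"{prefix}.partitions_to_seed[{j}]"
            ids = _present(part, SLOT_IDENTIFIERS)
            if len(ids) != 1:
                problems.append(f"{pprefix}: exactly one of {SLOT_IDENTIFIERS} required, got {ids}")
            pw = _present(part, PARTITION_PASSWORD_KEYS)
            if len(pw) != 1:
                problems.append(f"{pprefix}: exactly one of {PARTITION_PASSWORD_KEYS} required, got {pw}")
            elif using_fm and pw[0] != "password_label":
                problems.append(f"{pprefix}: {pw[0]} is not supported when seeding with a Functionality Module")

    service = config.get("service", {})
    amount = service.get("seed_amount")
    # The reference gives only the upper bound; requiring a positive integer is this example's choice.
    if not isinstance(amount, int) or not 0 < amount <= MAX_SEED_AMOUNT:
        problems.append(f"service.seed_amount: must be a positive integer <= {MAX_SEED_AMOUNT} bytes, got {amount!r}")
    period = service.get("seed_period")
    if not isinstance(period, int) or period < MIN_SEED_PERIOD:
        problems.append(f"service.seed_period: must be an integer >= {MIN_SEED_PERIOD} seconds, got {period!r}")
    return problems


def security_warnings(config):
    """Hygiene findings that do not make the config invalid but widen exposure."""
    warnings = []
    for i, hsm in enumerate(config.get("hsms", [])):
        if hsm.get("primary_slot", {}).get("login_type", "cu") == "co":
            warnings.append(f"hsms[{i}].primary_slot: 'co' grants write access; the reference recommends 'cu' where possible")
        for j, part in enumerate(hsm.get("partitions_to_seed", [])):
            if "password" in part:
                warnings.append(f"hsms[{i}].partitions_to_seed[{j}]: plaintext password in the config file; prefer password_label or encrypted_password")
    return warnings


if __name__ == "__main__":
    for name, cfg in (("example", EXAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "errors:", validate_config(cfg))
        print(name, "warnings:", security_warnings(cfg))
```

Run as a pre-deployment check: a non-empty error list should fail the rollout, while warnings are worth reviewing because they mark exactly the choices the reference advises against (write-access primary login, secrets in plaintext). Because the Functionality Module rules flip depending on deployment mode, the same file can be valid in one mode and invalid in the other, which is why the mode is an explicit argument rather than guessed from the file.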

Logging Configuration

  • logging::level - Logging level.

QO Core Configuration

The qo section contains the configuration for Quantum Origin Core, which is used to produce the quantum randomness for seeding. Please see the Quantum Origin Core documentation for details of the available options.