Enable HSM support for a TDE-enabled database
- Last Updated: August 11, 2025
- OpenEdge
- Version 12.8
- Documentation
If the OpenEdge database is already enabled with TDE, you can add a second authentication layer by adding HSM support. You can enable the HSM option online in versions of OpenEdge that support it.
Before you enable HSM support:
- Complete the steps in Verify HSM token access.
- Complete the steps in Back up the database and keystore file.
- In a replication environment, make note of the last AI extent that was rolled forward to hot standby.
To add HSM support to a TDE-enabled database, specify either a Slot ID or a Label ID, but not both. For example:
- To specify a Slot ID:
  proutil testdb -C epolicy manage keystore EnableHSM kmk -HSMLibrary /lib64/libhsm.so -HSMSlotID 1234566654
- To specify a Label ID:
  proutil testdb -C epolicy manage keystore EnableHSM kmk -HSMLibrary /lib64/libhsm.so -HSMLabel hsedemo < hsmphrases.txt
When HSM is successfully enabled, the ENABLEHSM utility returns output like the following:
OpenEdge Release 12.5 as of Tue Jul 21 18:30:54 EDT 2021
This command requires the HSM PIN to login to the token. (20362)
The 'HSM KMK Support' feature was successfully enabled. (20319)
Created the keystore bootstrap record. (20320)
Successfully updated keystore loads to use the specified HSM configuration. (20321)
Successfully removed the keystore master key from the keystore file. (20322)
Epolicy Manage Keystore EnableHSM KMK completed successfully. (20155)
After HSM is enabled:
- Immediately copy the keystore generated during HSM enablement from the production database to the hot standby database.
- Make note of the current busy AI extent on the production database.
- Validate the HSM integration with the database as described in Validate the HSM configuration for interactions.
Note: Enabling HSM may generate a new version of the keystore, which affects replication and hot standby. See Ensure that replication or hot standby target can access HSM.
For ENABLEHSM syntax details, see PROUTIL EPOLICY MANAGE qualifier.
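The following is an added example, not part of the OpenEdge documentation: a small shell guard for scripted runs of the EnableHSM command shown above. It refuses to build a command that names both a Slot ID and a Label ID, and it checks captured utility output for the success message numbers from the sample output. The function names are hypothetical, and treating the sample's five messages as the required set is an assumption.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenEdge.

# Print the EnableHSM command line for exactly one token selector.
# usage: enablehsm_cmd DB HSM_LIBRARY SLOT_ID LABEL  ("" for the unused one)
# Stdin redirection (the page's label example uses < hsmphrases.txt) is
# left to the caller.
enablehsm_cmd() {
    db=$1; lib=$2; slot=$3; label=$4
    if [ -n "$slot" ] && [ -n "$label" ]; then
        echo "error: give -HSMSlotID or -HSMLabel, not both" >&2
        return 2
    fi
    if [ -z "$slot" ] && [ -z "$label" ]; then
        echo "error: one of -HSMSlotID or -HSMLabel is required" >&2
        return 2
    fi
    base="proutil $db -C epolicy manage keystore EnableHSM kmk -HSMLibrary $lib"
    if [ -n "$slot" ]; then
        echo "$base -HSMSlotID $slot"
    else
        echo "$base -HSMLabel $label"
    fi
}

# Read captured EnableHSM output on stdin; succeed only if every success
# message number from the page's sample output is present.
# Assumption: the sample's five messages are the full required set.
enablehsm_ok() {
    out=$(cat); missing=""
    for n in 20319 20320 20321 20322 20155; do
        printf '%s\n' "$out" | grep -qF "($n)" || missing="$missing $n"
    done
    if [ -n "$missing" ]; then
        echo "EnableHSM incomplete, missing message(s):$missing" >&2
        return 1
    fi
}

# Success lines copied from the page's sample output.
SAMPLE_OK="The 'HSM KMK Support' feature was successfully enabled. (20319)
Created the keystore bootstrap record. (20320)
Successfully updated keystore loads to use the specified HSM configuration. (20321)
Successfully removed the keystore master key from the keystore file. (20322)
Epolicy Manage Keystore EnableHSM KMK completed successfully. (20155)"
```

Pipe the captured utility output into enablehsm_ok and continue to the keystore copy step only when it returns success.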