The Database Administrator must work with the enterprise HSM Administrator or Security Administrator to set up, manage, and maintain the system. The HSM administrator controls all aspects of the HSM product, including token storage. Depending on your organization's processes, the HSM Administrator may or may not permit the DBA to use local client-side utilities and delegate some tasks. Table 1 shows a typical division of tasks between administrators.

Table 1. HSM Administration Tasks
Task Owner
Install network enabled centralized HSM product and client library HSM administrator
Allocate and initialize one HSM token per OpenEdge database instance HSM administrator
Manage HSM account PIN HSM administrator
Back up, restore, and clone HSM token HSM administrator
Manage HSM autostart enable, disable, and refresh DBA
Coordinate HSM PIN changes HSM administrator notifies DBA when changing a PIN
Incorporate HSM recovery in disaster recovery process If HSM token is unavailable, DBA depends on HSM administrator to restore it. HSM administrator or DBA must ensure that the roll-forward recovery operations use the correct backup information.
Create new instance of a TDE database DBA coordinates with HSM administrator. When HSM is present, a rebind operation requires allocating another token, which is the responsibility of the HSM administrator.
Note: Do not distribute a template TDE database with HSM enabled. Create a copy of the database in the new location, and then re-enable TDE on the copy.