To set up an HSM for your TDE encrypted database, you need information about the module and certain file locations on your system.

HSMs are generally installed and maintained outside of the application for which they store data. You need the following information from the enterprise HSM administrator:
  • The location of the client's API library on the OS host or hosts. This library, which is supplied by the HSM product vendor, must implement the PKCS#11 standard API. The TDE keystore uses the standard API to enable support for more than one HSM product vendor. The DBA needs the absolute path to the library for auditing and troubleshooting.
  • Access to the client's API library on the OS host.
  • A blank, initialized HSM token.
  • The initialized HSM token's identifier (label, slot ID, or both). The HSM vendor specifies which type of token identifier is needed.
  • The initialized HSM token's PIN.

Before you can access TDE encrypted data, you need the database's files, the keystore file, the HSM product, and access to the HSM product's token data.

Keystore access requires the passphrase of the TDE keystore and the HSM token's PIN.
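The items in the list above (absolute PKCS#11 library path, token label or slot ID, and the token's PIN) are easy to get wrong before the first enablement attempt, so a DBA can sanity-check them up front. The script below is an added example, not OpenEdge code or a vendor tool. It assumes the vendor's PKCS#11 library exports `C_Initialize`, `C_GetSlotList`, `C_GetTokenInfo` and `C_Finalize` as plain symbols (most do; the standard only guarantees `C_GetFunctionList`), uses the default structure packing of the Unix `pkcs11.h`, and reads the PIN from an environment variable named `HSM_TOKEN_PIN` (an assumed name) so it never appears on the command line. It checks the PIN only against the token's announced length limits and does not log in.

```python
"""Pre-flight check of the HSM details a DBA collects before enabling TDE
keystore HSM support.  Added example, not OpenEdge's own code."""
import ctypes
import os
import sys

# PKCS#11 v2.x constants (values as defined in the standard pkcs11t.h header)
CKR_OK = 0
CKF_LOGIN_REQUIRED = 0x00000004
CKF_USER_PIN_INITIALIZED = 0x00000008
CKF_TOKEN_INITIALIZED = 0x00000400


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_TOKEN_INFO(ctypes.Structure):
    # Field order and sizes follow the PKCS#11 v2.x specification.
    _fields_ = [("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                ("flags", ctypes.c_ulong), ("ulMaxSessionCount", ctypes.c_ulong),
                ("ulSessionCount", ctypes.c_ulong), ("ulMaxRwSessionCount", ctypes.c_ulong),
                ("ulRwSessionCount", ctypes.c_ulong), ("ulMaxPinLen", ctypes.c_ulong),
                ("ulMinPinLen", ctypes.c_ulong), ("ulTotalPublicMemory", ctypes.c_ulong),
                ("ulFreePublicMemory", ctypes.c_ulong), ("ulTotalPrivateMemory", ctypes.c_ulong),
                ("ulFreePrivateMemory", ctypes.c_ulong), ("hardwareVersion", CK_VERSION),
                ("firmwareVersion", CK_VERSION), ("utcTime", ctypes.c_ubyte * 16)]


def validate_admin_inputs(library_path, token_label=None, slot_id=None):
    """Offline checks on what the HSM administrator handed over.
    Returns a list of problems; an empty list means the inputs look usable."""
    problems = []
    if not os.path.isabs(library_path):
        problems.append("library path must be absolute (record it for auditing)")
    elif not os.path.isfile(library_path):
        problems.append("library file does not exist: %s" % library_path)
    elif not os.access(library_path, os.R_OK):
        problems.append("library file is not readable by this OS user")
    if token_label is None and slot_id is None:
        problems.append("need a token label, a slot ID, or both")
    if token_label is not None and len(token_label.encode("utf-8")) > 32:
        problems.append("token label exceeds the 32-byte PKCS#11 limit")
    return problems


def decode_label(raw):
    """Token labels are space-padded 32-byte UTF-8 fields, not NUL-terminated."""
    return bytes(raw).decode("utf-8", "replace").rstrip(" \x00")


def describe_token_flags(flags):
    """Interpret the CK_TOKEN_INFO.flags bits that matter before enabling HSM support."""
    return {"initialized": bool(flags & CKF_TOKEN_INITIALIZED),
            "user_pin_set": bool(flags & CKF_USER_PIN_INITIALIZED),
            "login_required": bool(flags & CKF_LOGIN_REQUIRED)}


def pin_length_ok(pin, info):
    """Compare the PIN with the token's announced limits; no login is attempted."""
    return info.ulMinPinLen <= len(pin) <= info.ulMaxPinLen


def load_library(path):
    """Load the vendor library and declare the few entry points used here."""
    lib = ctypes.CDLL(path)
    for name in ("C_Initialize", "C_GetSlotList", "C_GetTokenInfo", "C_Finalize"):
        getattr(lib, name).restype = ctypes.c_ulong  # CK_RV
    lib.C_Initialize.argtypes = lib.C_Finalize.argtypes = [ctypes.c_void_p]
    lib.C_GetSlotList.argtypes = [ctypes.c_ubyte, ctypes.POINTER(ctypes.c_ulong),
                                  ctypes.POINTER(ctypes.c_ulong)]
    lib.C_GetTokenInfo.argtypes = [ctypes.c_ulong, ctypes.POINTER(CK_TOKEN_INFO)]
    return lib


def find_token(lib, token_label=None, slot_id=None):
    """Return (slot_id, CK_TOKEN_INFO) for the first present token matching the
    identifier the HSM administrator gave, or None if no such token is present."""
    count = ctypes.c_ulong(0)
    if lib.C_GetSlotList(1, None, ctypes.byref(count)) != CKR_OK:
        raise RuntimeError("C_GetSlotList failed")
    slots = (ctypes.c_ulong * count.value)()
    if lib.C_GetSlotList(1, slots, ctypes.byref(count)) != CKR_OK:
        raise RuntimeError("C_GetSlotList failed")
    for slot in slots[:count.value]:
        info = CK_TOKEN_INFO()
        if lib.C_GetTokenInfo(slot, ctypes.byref(info)) != CKR_OK:
            continue
        if slot_id is not None and slot != slot_id:
            continue
        if token_label is not None and decode_label(info.label) != token_label:
            continue
        return slot, info
    return None


def main(argv):
    if len(argv) < 3:
        print("usage: hsm_preflight.py /abs/path/to/vendor_pkcs11.so LABEL [SLOT_ID]")
        return 2
    lib_path, label = argv[1], argv[2]
    slot_id = int(argv[3]) if len(argv) > 3 else None
    problems = validate_admin_inputs(lib_path, label, slot_id)
    if problems:
        print("\n".join(problems))
        return 1
    lib = load_library(lib_path)
    if lib.C_Initialize(None) != CKR_OK:
        print("C_Initialize failed")
        return 1
    try:
        found = find_token(lib, label, slot_id)
        if found is None:
            print("no present token matches the given label/slot ID")
            return 1
        slot, info = found
        state = describe_token_flags(info.flags)
        print("slot %d label %r: %s" % (slot, decode_label(info.label), state))
        pin = os.environ.get("HSM_TOKEN_PIN", "")  # assumed variable name
        if pin and not pin_length_ok(pin, info):
            print("PIN length outside token limits %d..%d" % (info.ulMinPinLen, info.ulMaxPinLen))
            return 1
        return 0 if state["initialized"] else 1
    finally:
        lib.C_Finalize(None)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the OS user that will own the database, since that user (not the HSM administrator) must be able to read the library; a non-zero exit means one of the prerequisites listed above is missing. A token that reports `initialized: False` is a blank token that the HSM administrator has not yet initialized, which is the state the note on re-enablement refers to.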

The TDE keystore's .ks file must exist in the same filesystem directory as the database .db file, either directly or as a link. You may use a soft link to make backups easier.

Note: If a DBA disables HSM support in the database, it cannot be enabled again until the HSM administrator resets the HSM token to its original initialized state. (OpenEdge will validate that no other database is using the HSM token before allowing HSM enablement.)