HSM architectural overview
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
The HSM architecture comprises the components that provide HSM security for your TDE keystore:
- HSM product—May be a network-enabled service, so that the HSM-enabled token is available to all locations where TDE database hot standbys or replicas are located.
- HSM client API library—Implements the standard PKCS#11 API, which lets OpenEdge databases support HSM products of varying capabilities from multiple commercial vendors. The library needs to be installed and registered with a networked HSM product.
- HSM storage controller—Communicates with the client library and manages the token.
- Token—Secure, encrypted, and isolated data partitions where the TDE keystore stores secure information.
- Token identifiers—A user account PIN provides access to a token.