Activating an HSM Cluster

Learn what operations are needed to activate an HSM cluster in Dedicated Key Management after initialization.

After the HSM cluster is initialized, the state changes to "Activation Required." To activate the cluster, you need to complete the following tasks:

  1. Gather the following information about the HSM cluster from the cluster details page:

    • DNS name for the HSM partition
    • User Management utility and Key Management utility port details for the HSM partition
    • PRECO credentials for the HSM cluster in the "Activation Required" state

    See the following topics for instructions: Get DNS name, Get HSM partition port details, and View PRECO Credentials.

  2. Create a Compute instance in the OCI Compute service to use with the Dedicated KMS command line tools. See Creating an Instance for instructions.
  3. Configure a service gateway, as needed. A service gateway lets cloud resources without public IP addresses privately access Oracle services. If you access Oracle services through a service gateway, you must use client utilities to access your HSM partitions. For more information on how to set up and manage a service gateway, see Access to Oracle Services: Service Gateway.
  4. Install and configure Dedicated KMS command line tools:

  5. Change the default PRECO user password using a command line tool. After you change the default password, the HSM cluster state changes from "Activation Required" to "Activating," and then to "Active." After the cluster is in the "Active" state, it is ready for use. See "To change the default PRECO user password" in this topic for instructions.

Changing the Default PRECO User Password

After completing the preceding steps in this topic, you must sign in to the Linux or Windows User Management utility using the PRECO user credentials and change the default PRECO user password. When you change the password, the PRECO user account is converted to a Crypto Officer account.

To change the default PRECO user password
  1. From the command line, open the User_Mgmt_util utility.

    Linux:

    $ /opt/oci/hsm/bin/user_mgmt_util /opt/oci/hsm/data/user_mgmt_util.cfg

    Windows:

    "c:\Program Files\Oracle\DedicatedKMS\user_mgmt_util.exe" "c:\Program Files\Oracle\DedicatedKMS\data\user_mgmt_util.cfg"
  2. Sign in as PRECO User.
    loginHSM PRECO <Username>
    Enter password: ****
    
  3. List the users.
    cloudmgmt>listUsers 
    Number of users found:2    
    User Id     User Type       User Name              LoginFailureCnt              
    1            PRECO          <preco_username>         0                         
    2            CU             app_user                 0              
    
  4. Change the default PRECO password using the changePswd command.
    changePswd PRECO <Username>
  5. List the users to verify that the user account has changed from PRECO to Crypto Officer (CO).
  6. After a few minutes, the HSM cluster state changes from "Activation Required" to "Activating" and then to "Active," at which point the cluster is ready for use.
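
The verification in step 5 can be scripted against saved listUsers output. The following is an added example, not part of the Oracle documentation or tools: check_users is a hypothetical helper, the sample text is constructed from the layout shown in step 3, and it assumes a converted account appears with "CO" in the User Type column.

```bash
#!/usr/bin/env bash
# Added example: audit captured listUsers output for a leftover PRECO account.

# Constructed sample: output saved before the password change.
before='Number of users found:2
User Id     User Type       User Name              LoginFailureCnt
1            PRECO          preco_user               0
2            CU             app_user                 0'

# Constructed sample: output saved after the change (assumes type shows as CO).
after='Number of users found:2
User Id     User Type       User Name              LoginFailureCnt
1            CO             preco_user               0
2            CU             app_user                 1'

# check_users TEXT
# Prints findings. Returns 0 when at least one CO exists and no PRECO remains,
# 1 when the default account was not converted, 2 when the table is incomplete.
check_users() {
  printf '%s\n' "$1" | awk '
    /^Number of users found:/ { split($0, a, ":"); declared = a[2] + 0; next }
    $1 ~ /^[0-9]+$/ && NF >= 4 {          # data rows start with a numeric user id
      rows++
      if ($2 == "PRECO") { preco++; print "PRECO user still present: id=" $1 " name=" $3 }
      if ($2 == "CO") co++
      if ($4 + 0 > 0) print "login failures: id=" $1 " name=" $3 " count=" $4
    }
    END {
      if (rows != declared) { print "parsed " rows " rows, header declared " declared; exit 2 }
      if (preco > 0 || co == 0) exit 1
      print "OK: " co " CO account(s), no PRECO account"
    }'
}

# Stand-alone run against both constructed samples.
check_users "$before" || echo "before: default PRECO account not yet converted"
check_users "$after"
```

A nonzero LoginFailureCnt is reported but does not fail the check, because it indicates failed sign-in attempts rather than an unconverted account.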