License
Introduction
As of version 6.0.0.0, HSM operates using a licensing mechanism.
Licenses enable certain HSM capabilities, classified into the following types:
- functionality (enabling specialist modules such as Pix, Blockchain etc);
- quantitative (number of keys, number of connections, etc.);
- performance (transactions per second).
The HSM is shipped from the factory without installed licenses. In the process of activating the HSM, the operator must upload the licenses received.
Licenses are usually issued by HSM serial number. They are physically files with a .lpack extension, encrypted and digitally signed, and are sent to the customer in a separate channel (usually by e-mail) to the persons established in the contract or at the delivery stage.
Before the license is installed, the HSM 's operation is fairly restricted; enough for an operator connection and upload. Activation is immediate, there is no need to reboot or stop the service for a valid license to be recognized. The process is done via the remote GUI console (via browser), so the HSM must already have the network settings ready and the service started.
In terms of scope, licenses can be of the following types:
- OEM: only the manufacturer can remove or change (they are prefixed with
@); - Regular: the operator can remove them via the console (they are prefixed with
+).
As for the period of validity, they can be
- perpetual;
- with an expiration date (they are prefixed with
=).
Performance licenses are controlled bysecurity level groups, for example the rsa2k key license controls the number of transactions per second of any RSA key up to 2048 bits.
Licenses available
The following list is currently available:
The
*in the following terms is replaced by the specific value in the license issued.
-
Functionalities: enables specialist modules and specific functions.
module-xml-dsig: enables the XML Sign module.module-spb: enables the SPB module.module-eft: enables the module EFT.module-eft-direct: enables the EFT Direct module.module-tsp: enables the TSP (Time Stamping) module.pix: enables the Pix.module-svault: enables the SVault module.module-blockchain: enables the Blockchain module.module-safekeeping: enables the Safe Keeping module.disclosed-key-gen: enables optimized key generation API (for export without KEK).firmware-update: enables firmware update.cloud-telemetry: enables telemetry for the Dinamo cloud.
-
Quantitative
db-*-objects: defines the maximum number of objects that can be created in the HSM base (keys, certificates, etc.); includes persistent and temporary objects.db-*-partitions: sets the maximum number of partitions that can be created.max-*-connections: sets the maximum number of connections in the HSM (simultaneous sessions).
-
Performance: transactions per second (tps).
sym128-*-tps: maximum tps with 128-bit symmetric keyssym192-*-tps: maximum tps with 192-bit symmetric keyssym256-*-tps: maximum tps with 256-bit symmetric keysrsa2k-*-tps: maximum tps with 2048-bit RSA keysrsa3k-*-tps: maximum tps with 3072-bit RSA keysrsa4k-*-tps: maximum tps with 4096-bit RSA keysrsa8k-*-tps: maximum tps with 8192-bit RSA keysecc256-*-tps: maximum tps with 256-bit EC keysecc384-*-tps: maximum tps with 384-bit EC keysecc512-*-tps: maximum tps with 512-bit EC keysml-dsa44-*-tps: maximum tps with ml-dsa44 PQC keysml-dsa65-*-tps: maximum tps with ml-dsa65 PQC keysml-dsa87-*-tps: maximum tps with ml-dsa87 PQC keysml-kem512-*-tps: maximum tps with ml-kem512 PQC keysml-kem768-*-tps: maximum tps with ml-kem768 PQC keysml-kem1024-*-tps: maximum tps with ml-kem1024 PQC keysslh-dsa1-*-tps: maximum tps with slh-dsa1 PQC keysslh-dsa3-*-tps: maximum tps with slh-dsa3 PQC keysslh-dsa5-*-tps: maximum tps with slh-dsa5 PQC keys
New modalities may be added to this list over time.
In some cases, a special administrative license(full lic) can be used to enable all the equipment's capabilities (it is identified by a specific GUID ).
Installation
The procedure with the steps for installing the licenses is available in the topic Installing Licenses.