
Local configuration

The name of Dinamo's CSP provider is "Dinamo HSM Cryptographic Provider".

CSP (Cryptographic Service Provider) configuration is done through the Dinamocon console.

The CSP parameters are kept in a configuration file (.ini). The settings are stored in the scope of the user profile and are therefore valid and recognized only for applications running under the current user profile.

There is no need for an administrative profile or elevation of privilege for the user to set or edit the CSP parameters. The CSP settings are the same for 32-bit and 64-bit applications.

To edit the configuration, open the Dinamocon console and click on Environment configuration.

Figure: Dinamocon console

Info

For more information on settings in the Session and Log tabs, see the topic Environment configuration.

The CSP configuration options are detailed below.

Select the MS CAPI tab.

Figure: HSM Client Configuration - CSP Parameters

IP

This field is used to enter the address of a specific HSM.

Info

If load balancing is enabled (see Environment configuration) the field is locked and the message Load balancer enabled is displayed.

User

Identifier of the HSM user that will be used to establish a session with the HSM.

Password

Password of the HSM user credential that will be used to establish a session with the HSM.

The password is stored encrypted under a key shared with the CSP.

Timeout

The time (in seconds) that the CSP will wait to establish a connection with the HSM before returning an error to the application.

Enable CNG

By checking this option, the library will use CNG whenever possible or necessary. To enable it, you need to start DINAMOcon with administrator permission.

CNG compatibility mode

Forces CNG to use the legacy AT_SIGNATURE mode: key names are interpreted as container names with key slot type AT_SIGNATURE. This option is a workaround for specific cases and should only be used when really necessary.

SPB mode

In SPB mode the CSP follows the operating rules of the Brazilian Payment System (SPB). When SPB mode is enabled, the following parameters change:

  1. Initialization vector (IV): when a 3DES key is created or imported, the initialization vector is always loaded with the first eight bytes of the key.
  2. Padding: no padding is applied, so the data to be encrypted/decrypted must be a multiple of the 3DES block size (8 bytes).

These rules are related to the second version of the SPB Security Protocol, which has now been discontinued. From the third version onwards, the AES symmetric encryption algorithm is used.
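The two SPB-mode rules above, as an added example that is not part of the Dinamo documentation or the CSP's own code: a small 3DES-CBC wrapper that derives the IV from the first eight bytes of the key and refuses input that is not a whole number of 8-byte blocks instead of padding it. It assumes a 24-byte (three-key) 3DES key, which is what Go's standard library accepts; the key and message values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// blockSize is the 3DES block size (8 bytes), the unit the SPB padding rule refers to.
const blockSize = des.BlockSize

// ErrNotBlockMultiple is returned when data is not a multiple of 8 bytes:
// in SPB mode no padding is applied, so such input cannot be processed.
var ErrNotBlockMultiple = errors.New("spb mode: data length must be a multiple of 8 bytes (no padding is applied)")

// SPBIV returns the IV that SPB mode loads for a 3DES key: its first eight bytes.
// Assumption: a 24-byte three-key 3DES key, as required by crypto/des.
func SPBIV(key []byte) ([]byte, error) {
	if len(key) != 24 {
		return nil, errors.New("3DES key must be 24 bytes")
	}
	iv := make([]byte, blockSize)
	copy(iv, key[:blockSize])
	return iv, nil
}

// spbCBC builds the 3DES cipher and checks the no-padding rule shared by both directions.
func spbCBC(key, data []byte) (cipher.Block, []byte, error) {
	if len(data)%blockSize != 0 {
		return nil, nil, ErrNotBlockMultiple
	}
	iv, err := SPBIV(key)
	if err != nil {
		return nil, nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, nil, err
	}
	return block, iv, nil
}

// SPBEncrypt encrypts data with 3DES-CBC using the SPB IV and no padding,
// so the ciphertext is exactly as long as the plaintext.
func SPBEncrypt(key, data []byte) ([]byte, error) {
	block, iv, err := spbCBC(key, data)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return out, nil
}

// SPBDecrypt reverses SPBEncrypt under the same SPB-mode rules.
func SPBDecrypt(key, data []byte) ([]byte, error) {
	block, iv, err := spbCBC(key, data)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	return out, nil
}

func main() {
	key := []byte("0123456789abcdefghijklmn") // constructed 24-byte key
	msg := []byte("sixteen byte msg")         // constructed 16-byte message (2 blocks)

	iv, _ := SPBIV(key)
	fmt.Printf("IV taken from key: %q\n", iv)

	ct, err := SPBEncrypt(key, msg)
	fmt.Printf("ciphertext length %d (plaintext %d), err=%v\n", len(ct), len(msg), err)

	pt, _ := SPBDecrypt(key, ct)
	fmt.Printf("round trip ok: %v\n", bytes.Equal(pt, msg))

	// A 7-byte input is rejected rather than padded.
	_, err = SPBEncrypt(key, []byte("odd len"))
	fmt.Println("7-byte input:", err)
}
```

Because the IV is fixed by the key and no padding is added, the caller (not the CSP) is responsible for aligning messages to 8-byte blocks, which is why applications written for later SPB protocol versions, which use AES, should not enable this setting.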

Short sessions

By checking this option, the library will open and close sessions at each call. It is necessary to use this option for some third-party applications such as PJe-Office.

Serialization

Executes certain operations serially, one at a time.

The MS CAPI functions affected by this option are:

  1. CryptCreateHash()
  2. CryptSignHash()
  3. CryptVerifySignature()

Overall performance can be significantly reduced.

Test connection

Before running a test with new settings, click the Apply button to save the changes.

The Test button can be used to check the connection to the HSM, including authentication of the credential entered. The test is carried out with the settings saved in the configuration file, not with the parameters currently displayed on the screen.

Containers / Certificate Store

See the specific topic Containers / Certificate Store.