Local configuration
The name of the CSP provider at Dinamo is "Dinamo HSM Cryptographic Provider".
CSP (Cryptographic Service Provider) configuration can be done via the Dinamocon console.
The CSP parameters are kept in a file (.ini). The settings are placed in the scope of the user profile and are therefore valid and recognized only for applications running under the current user profile.
There is no need for an administrative profile or elevation of privilege for the user to set or edit the CSP parameters. The CSP settings are the same for 32-bit and 64-bit applications.
To edit the configuration, open the Dinamocon console and click on Environment configuration.
Info
For more information on settings in the Session and Log tabs, see the topic Environment configuration.
The CSP configuration options are detailed below.
Select the MS CAPI tab.
IP
This field is used to enter the address of a specific HSM.
Info
If load balancing is enabled (see Environment configuration) the field is locked and the message Load balancer enabled is displayed.
User
Identification of the HSM user that will be used to establish a session with the HSM.
Password
Password of the HSM user credential that will be used to establish a session with the HSM.
The password is stored encrypted with a key shared with the CSP.
Timeout
The time (in seconds) that the CSP will wait to establish a connection with the HSM before returning an error to the application.
Enable CNG
By checking this option, the library will use CNG whenever possible or necessary. To enable it, you need to start DINAMOcon with administrator permission.
CNG compatibility mode
Forces CNG to use the legacy AT_SIGNATURE mode. In this case the key names will be understood as container names with a slot type of AT_SIGNATURE. This option is a workaround for specific cases and should only be used when really necessary.
SPB mode
SPB Mode: The CSP is compatible with the operating rules of the Brazilian Payment System (SPB). When SPB Mode is activated, the following parameters are changed:
- Initialization vector (IV): when a 3DES key is created or imported, the initialization vector is always loaded with the first eight bytes of the key.
- Padding: no padding operation is performed, in which case the blocks to be encrypted/decrypted must be multiples of the 3DES algorithm block size (8 bytes).
These rules are related to the second version of the SPB Security Protocol, which has now been discontinued. From the third version onwards, the AES symmetric encryption algorithm is used.
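The two SPB-mode rules above, modelled as an added example in Go (not Dinamo's CSP code) so that an integrator can produce interoperability test vectors: the IV is copied from the first eight bytes of the 3DES key, and unaligned input is rejected instead of padded. CBC chaining and the expansion of a 16-byte two-key 3DES key to K1|K2|K1 are assumptions, since the page names neither; note that a key-derived IV makes the ciphertext deterministic for a given key and message.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// spbTDES reproduces the two SPB-mode rules stated for the CSP: IV = first 8 bytes of
// the 3DES key, and no padding (data must be whole 8-byte blocks). CBC is an assumption.
type spbTDES struct {
	block cipher.Block
	iv    []byte
}

// newSPBTDES accepts a 16-byte (two-key, expanded to K1|K2|K1) or 24-byte key.
func newSPBTDES(key []byte) (*spbTDES, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	iv := append([]byte{}, key[:des.BlockSize]...) // rule 1: IV = first 8 key bytes
	return &spbTDES{block: blk, iv: iv}, nil
}

// crypt runs 3DES-CBC with the SPB IV; decrypt selects the direction.
func (s *spbTDES) crypt(in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%des.BlockSize != 0 { // rule 2: no padding
		return nil, fmt.Errorf("SPB mode: data must be a non-zero multiple of 8 bytes, got %d", len(in))
	}
	mode := cipher.NewCBCEncrypter(s.block, s.iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(s.block, s.iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}

func main() {
	key, _ := hex.DecodeString("0123456789abcdeffedcba9876543210") // constructed sample key
	s, _ := newSPBTDES(key)
	ct, _ := s.crypt([]byte("SPB mode 3DES test vector: 32 B."), false) // 4 blocks
	fmt.Printf("iv=%x ct=%x\n", s.iv, ct)
	_, err := s.crypt([]byte("short"), false) // 5 bytes: rejected under rule 2
	fmt.Println("unaligned:", err)
}
```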
Short sessions
By checking this option, the library will open and close sessions at each call. It is necessary to use this option for some third-party applications such as PJe-Office.
Serialization
When enabled, the CSP executes some operations in serialized form (one at a time, rather than concurrently).
The MS CAPI functions affected by this option are:
- CryptCreateHash()
- CryptSignHash()
- CryptVerifySignature()
Overall performance can be greatly reduced.
Test connection
Before running a test with new settings, click the Apply button to save the changes.
The Test button can be used to check the connection to the HSM, including authentication of the credential entered. The test is carried out with the settings saved in a file, and not with the parameters displayed on the screen.
Containers / Certificate Store
See the specific topic Containers / Certificate Store.