How to use DocuSign HSM Appliance (formerly PrivateServer HSM) FAQs

Notice: The PrivateServer product is being renamed to HSM Appliance. You will see our documentation and marketing materials take on the new name. Rest assured that they are one and the same product and that support continues as before.
 

HSM Appliance is the leading high-security (FIPS 140-2 Level 3), high-capacity, network-attached multi-user HSM.

How do I convert PrivateServer version 3 smartcards to PrivateServer version 4 smartcards?

There are three ways to convert old PrivateServer version 3 smartcards to a PrivateServer version 4 compatible pair. The conversion is performed on INIT and STARTUP cards only, using PSVGENCARDS.exe v4.6.2 and up.
  • Conversion of the same pair. In this case, the application reads the INIT + STARTUP data, converts it in memory, and then writes it back to the same INIT + STARTUP smartcards.
    • Pros: This is the quickest way and requires no added materials except the original INIT + STARTUP cards and their passwords. This is recommended in test or temporary environments.
    • Cons: This is an intrusive operation. If these are the only existing production cards, it is recommended not to use them, as there is always a concern that an occasional power failure or smartcard disconnection while writing to the cards can damage them.
  • Conversion from an existing pair to a newly generated pair. In this case, the application only reads the data from the original cards, converts it, and writes it to a new pre-created pair. The new pre-created pair must have the same PrivateServer ID and PrivateServer name, and must be certified by the original root.
    • Pros: This is a less intrusive operation, as nothing is written to the original cards.
    • Cons: There is still some concern regarding the existing set, as you still have to insert the cards into the reader. This is also the longer operation, requiring the original root smartcard, its password, and two pre-defined smartcards that have the original PrivateServer ID and PrivateServer name and are certified by the original root.
  • Creation of new cards based on the original SVMK pairs. In this case, you simply re-create the original smartcards on the new PrivateServer version 4 media type using all the original data. You must have both parts of the SVMK in the correct order, the PrivateServer ID + PrivateServer name, the original root and its password.
    Note: If the stored SVMK parts do not match the SVMK on the PrivateServer, the environment will not run.
    • Pros: This is a completely safe and non-intrusive method which does not involve the original smartcards.
    • Cons: This method is time-consuming and requires two additional smartcards, the SVMK parts and additional data. Furthermore, if the SVMK parts do not match the PrivateServer SVMK, the cards will not work.

What smartcards and passwords are needed for administrative PrivateServer operations?

  • To start the PrivateServer or to change the IP address: STARTUP card and STARTUP password.
  • Initializing a new environment: INIT card and INIT password, STARTUP card and STARTUP password. If restoring an existing backup after the initialization: First card and First password.
  • Reset tampering: INIT card and INIT password, STARTUP card and STARTUP password.
  • Restoring a backup on an existing environment: First card and First password, or any other administrative media and password.
  • Creating a new user media: Empty media, Root card and root password (to certify the new media), First card + password (to create user reference inside the PrivateServer), or only First card and password (to create user reference and certify the media).
  • Recreating another pair of INIT/STARTUP cards: Pair of empty smartcards, Root card and root password (to certify the new media), PrivateServer name and ID, both parts of the original SVMK or a working pair of existing INIT/STARTUP + passwords.

What do I need to know about PrivateServer smartcards management?

If your organization has a security protocol for handling smartcards, use it. If you don’t have a protocol, or want to review it, please read the following guidelines.

For an implementation of the PrivateServer environment, you need the following four smartcards: Root, INIT, STARTUP and First. It is always recommended to create at least one backup copy of the INIT and STARTUP pair (two backup pairs are preferred). Make sure that during the creation of the smartcards you write down the PrivateServer ID and PrivateServer name, and both of the SVMK parts.

After the environment is set, make sure you create another strong administrative user (i.e. a user with full access rights/authorizations) such as “second”, “admin” etc., which is certified by Root or First. Then, back up the database with the added user. The Root card is unique and cannot be replicated or replaced by any other card.

If you store the smartcards and their passwords in separate places (for example: Root and INIT in safety deposit box A; First and passwords in safety deposit box B; STARTUP cards inside the PrivateServer for unattended startup sequence; and the backup pair of INIT/STARTUP with their passwords in safety deposit box C), then make sure that you create a list of all the smartcards with their whereabouts, replicate this list as needed, and keep a copy at each site where the smartcards are stored, so that when you need a specific smartcard or password, you will know where to look.
 

How do I upgrade PrivateServer internal version?

  1. Open the PrivateServer management application.
  2. Connect to the required server.
  3. Select Server -> Backup to back up the database of the server.
  4. Select Server -> Upgrade. A dialog appears.
  5. Enter the path and name of the DESCR.VER file or files you wish to load, or use the Browse button to browse to their location.
  6. Click Upgrade. When the operation ends successfully, a success message appears.
  7. Shut down the PrivateServer and turn the power off and on for the changes to take effect.

Can the log format be changed?

No. Since the PrivateServer's internal software underwent FIPS 140-1 level 3 certification, it is not possible to change the log format.
 

In PrivateServer Admin I see users with red characters. What does this mean?

  1. When a user appears in red on the Admin screen, this means that either their certificate has expired, or there are 14 or fewer days until the certificate expires. In this case the user’s certificate should be reloaded.
  2. To reload a user certificate, in the PrivateServer management application, select Load public key from media from the User menu.

How do I maintain a backup user?

If you add or grant rights to original keys, you must also do so for backup keys to ensure that they have the same rights. Keep in mind that the backup user’s certificate will need to be renewed before it expires so that access to PrivateServer is not denied.
 

What do I need to know about User Backup?

Backing up a user is important, as it will enable users to connect to the server should any loss/damage occur to the original media. When creating a backup user, be sure to use the same authorization mask, the same access level, the same certifier, etc. The certificate lifetime of the backup user should be longer than the certificate lifetime of the original user. This backup user must have the same access rights to keys (owner/user) as the original user. It is highly recommended to back up important users. Backup cards are used if/when the original cards are lost or damaged, or if the original user can no longer connect because his/her certificate has expired. If the certificate lifetime of the original user expires, the backup user can connect and renew the certificate so that the original user is able to connect. In this case, the backup user will be able to connect to the server and perform all operations that the original user was able to perform.
 

The PrivateServer time is incorrect. How can I change the PrivateServer HSM time?

There is no need to change the PrivateServer HSM time. The PrivateServer time is automatically set according to GMT during manufacturing, but this does not affect cryptographic operations or any other operation throughout the product's use. The time element is only used for logging purposes.
 

Can I change the time of the PrivateServer?

No, the time of the PrivateServer cannot be changed.
 
