Configure the YubiHSM 2 Software on Windows

Before using the YubiHSM 2 on Windows, there are two YubiHSM 2 software components to be configured:

  • The YubiHSM 2 KSP.
  • The YubiHSM 2 Connector service.

The configuration steps are described in the sections below.

Important

Make a backup of your Windows Registry before you make any changes.

Configure the KSP Settings in the Windows Registry

To enable Microsoft Cryptographic API Next Generation (CNG) to access the YubiHSM 2 KSP, the following registry entries must be changed from their default values. The YubiHSM 64-bit KSP subkey and the YubiHSM 32-bit KSP subkey were created during the YubiHSM SDK installation:

HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM

The edits to be made produce a result like the one illustrated below:

_images/registry-settings-yubihsm2-ksp.png

Figure - Registry settings for the YubiHSM 2 KSP

Step 1:

Click Start > Run, type regedit in the Run dialog box, and click OK.
Step 2:

Select the registry subkey for the YubiHSM 64-bit KSP.

HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM.
Step 3:

Change the URI to the IP address and port on which the YubiHSM 2 Connector is listening by editing the following registry entry appropriately, for example:

“ConnectorURL”=http://127.0.0.1:12345

If the Connector is listening on IP address and port 192.168.100.252:12345, for example, the ConnectorURL value should be changed to:

“ConnectorURL”=http://192.168.100.252:12345
Step 4:

Enter the ID of the application authentication key (object ID 3 was used as an example in this guide; if you used another object ID be sure to enter that). For our example, because the hexadecimal value of 0x00000003 resolves to 3 in the Windows Registry, change the entry to:

“AuthKeysetID”=3
Step 5:

The application authentication key password is stored in the registry for the KSP to use when authenticating to the device. Enter the new password that you created:

“AuthKeysetPassword”={password}
Step 6:

Select the registry subkey for the YubiHSM 32-bit KSP.

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeYubicoYubiHSM
Steo 7:

Repeat steps 3-5 above.
Step 8:

To save your changes, exit the Windows Registry.

Configure the YubiHSM 2 Connector Service

The YubiHSM Connector service reads the configuration file yubihsm-connector-config.yaml. Depending on your local setup, for instance if you are running multiple instances of the software on the same host, you may need to edit this configuration file to ensure it is consistent with the Windows Registry, i.e., that the parameters and their values are the same in the configuration file and in the Windows Registry.

On Windows, the yubihsmconnector.config.yaml file is located at C:\programdata\yubiHSM\yubihsmconnector.yaml - you will need administrator rights to modify the file.