Preparing the HSM to use the Authentication Suite Server SDK SEE machine


Before you can use the Authentication Suite Server SDK SEE machine signed by OneSpan, you need to complete the following steps to be able to upload the SEE machine to the HSMs.

Loading the OneSpan certificate

To load the OneSpan certificate into the security world

  1. Connect to your security world.

  2. Type the following command to add the OneSpan certificate to your security world:

    csadmin ids add certificate_file

    Replace the following:

    • certificate_file: the full path of the PEM file containing the OneSpan certificate.

Creating the user data file

To create the user data file (userdata.sar)

  1. If you don't have one already, create a signing key with the following command:

    generatekey --generate seeinteg type=rsa size=2048 pubexp= recovery=yes nvram=no plainname=seesigningkey

  2. In your RFS directory /opt/nfast/kmdata/local (%NFAST_KMDATA%\local on Windows), use the following command to create a userdata.dat file:

    echo 'Dummy data' > userdata.dat

  3. Use the following command to generate the .sar file from userdata.dat. The machine key should match the certificate:

    tct2 --sign-and-pack --infile=userdata.dat --key=seesigningkey --machine-key=machine_key --outfile=userdata.sar

    This file will be used by the OneSpan Key Management Tool (manager-5) to bind your storage and transport keys with your current security world.

Previous versions of the Key Management Tool (4 or earlier) used to store the generated keys in the kmdata directory. They are now stored in the kmdata/local directory, where your userdata.sar file should also reside.

Signing and loading CSEE modules

To sign and load the CSEE module

  1. Add a signature to the provided aal2sdk-signed.cs5 image file using the same signing key that was used to create the userdata.sar file:

    csadmin image signextra --appname seeinteg --key seesigningkey --out ~/aal2sdk-signedex.cs5 ~/aal2sdk-signed.cs5

  2. Open the configuration file located in the /opt/nfast/kmdata/config folder (%NFAST_KMDATA%\config on Windows) in a text editor.

  3. Locate the [codesafe] section and add the module settings:

    esn=[YOUR_HSM_ESN]
    enabled=yes
    image_file=[PATH_TO_CS5_IMAGE]
    worldid_pubname=onespan

    If the [codesafe] section does not exist, you can add it before the [load_seemachine] section. The cs5 image referenced in the path should be the aal2sdk-signedex.cs5 file signed with your signing key in the previous step.

    We recommend putting the cs5 image in your kmdata/local directory. If required, the electronic serial number (ESN) of your HSM can be retrieved with the enquiry command.

  4. Use the following commands to make the HSM read the new configuration and load it:

    cfg-reread

    nopclearfail -c -m module_id

    Note that it can take a few minutes to load the SEE machine.

  5. Use the following command to make sure the SEE machine is running:

    csadmin list

    You should see an output looking like this:

    [YOUR_HSM_ESN]
    UUID                                   State    Name     IP Address
    -----------------------------------------------------------------------------
    [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]   RUNNING  aal2sdk  [IP_ADDRESS]
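As an added example (not part of the OneSpan documentation or of the nShield tooling), the following POSIX shell helper reads the `csadmin list` output from step 5, reports the State column for the named SEE machine, and polls until it is RUNNING, since loading can take a few minutes. The sample listing is constructed, and the `fake_csadmin` hook in the demo is an assumption so that it runs without an HSM.

```shell
#!/bin/sh
# Added example, not from the OneSpan documentation or Entrust's tools.
# Parses `csadmin list` output and checks whether a named SEE machine is RUNNING.

# Constructed sample of `csadmin list` output (ESN, UUID and IP are placeholders).
SAMPLE_LISTING='1234-5678-ABCD
UUID State Name IP Address
-----------------------------------------------------------------------------
12345678-1234-1234-1234-123456789abc RUNNING aal2sdk 192.0.2.10'

# see_machine_state LISTING NAME
# Prints the State column of the row whose Name column equals NAME
# (or NOT_FOUND), and returns 0 only when that state is RUNNING.
see_machine_state() {
    state=$(printf '%s\n' "$1" | awk -v n="$2" 'NF >= 3 && $3 == n { print $2; exit }')
    [ -n "$state" ] || state=NOT_FOUND
    printf '%s\n' "$state"
    [ "$state" = RUNNING ]
}

# wait_for_see_machine NAME ATTEMPTS DELAY [COMMAND]
# Runs COMMAND (default: csadmin list) up to ATTEMPTS times, sleeping DELAY
# seconds between tries, until NAME reports RUNNING. Returns 1 on timeout.
wait_for_see_machine() {
    name=$1; attempts=$2; delay=$3; cmd=${4:-"csadmin list"}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if see_machine_state "$($cmd)" "$name" >/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Offline demo: a hypothetical stand-in for `csadmin list` (assumption, not a real tool).
fake_csadmin() { printf '%s\n' "$SAMPLE_LISTING"; }

see_machine_state "$SAMPLE_LISTING" aal2sdk        # prints RUNNING
wait_for_see_machine aal2sdk 3 0 fake_csadmin      # returns 0
```

On a real HSM, call `wait_for_see_machine aal2sdk 30 10` after `nopclearfail` to block until the module reports RUNNING.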