Oracle-Based Deployment Guide for Cisco IoT FND, Release 5.x.x and Later

Install and set up the SSM

Overview

This topic explains how to install and set up the Software Security Module (SSM) as a utility deployment, including prerequisites, installation, integration, and key security features provided by SSM for IoT FND environments.

The Software Security Module (SSM) is a low-cost alternative to a Hardware Security Module (HSM) that provides cryptographic services for IoT FND environments.

  • SSM uses the CSMP protocol to communicate with meters, DA Gateway (IR500 devices), and range extenders.

  • It provides cryptographic services such as signing and verifying CSMP messages, and CSMP Keystore management.

  • SSM ensures Federal Information Processing Standards (FIPS) compliance while providing secure services.

After installing, configuring, and starting the SSM server, and configuring IoT FND for SSM, you can view the CSMP certificate by navigating to Admin > Certificates > Certificate for CSMP in the IoT FND interface.


Install or Upgrade the SSM Server

Note

If you are upgrading the SSM server, first back up the ssm_web_keystore file located at /opt/cgms-ssm/conf, and restore it after the update is complete.

To install the SSM server:

Procedure

1.

Install the cgms-ssm-<version>-<release>.<architecture>.rpm RPM package:

    [root@VMNMS demossm]# rpm -Uvh cgms-ssm-<version>.x86_64.rpm
    Preparing... ########################################### [100%]
    1:cgms-ssm ########################################### [100%]

2.

Copy the pre-shared key file (fnd_psk.tgz) from the Cisco IoT FND installation in /opt/cgms/server/cgms/conf to /opt/cgms-ssm/conf.

3.

Get the IoT FND configuration details for the SSM. SSM ships with the following default credentials:

  • ssm_csmp_keystore password: ciscossm

  • csmp alias name: ssm_csmp

  • key password: ciscossm

  • ssm_web_keystore password: ssmweb


    [root@VMNMS demossm]# cd /opt/cgms-ssm/bin/
    [root@VMNMS bin]# ./ssm_setup.sh
    Software Security Module Server
    1. Generate a new keyalias with self signed certificate for CSMP
    2. Generate a new keypair & certificate signing request for CSMP
    3. Import a trusted certificate
    4. Change CSMP keystore password
    5. Print CG-NMS configuration for SSM
    6. Change SSM server port
    7. Change SSM-Web keystore password
    Select available options.Press any other key to exit
    Enter your choice :

4.

Enter 5 at the prompt, and complete the following when prompted:


    Enter current ssm_csmp_keystore password : ciscossm
    Enter alias name : ssm_csmp
    Enter key password : ciscossm
    security-module=ssm
    ssm-host=<Replace with IPv4 address of SSM server>
    ssm-port=8445
    ssm-keystore-alias=ssm_csmp
    ssm-keystore-password=NQ1/zokip4gtUeUyQnUuNw==
    ssm-key-password=NQ1/zokip4gtUeUyQnUuNw==

5.

To connect to this SSM server, copy and paste the output from step 4 into the cgms.properties file.

Note

You must include the IPv4 address of the interface for Cisco IoT FND to use to connect to the SSM server.

6.

Configure the certificate for Cisco IoT FND to SSM communication. See document .

7.

(Optional) Run the ssm_setup.sh script to:

  • Generate a new key alias with self-signed certificate for CSMP

  • Change SSM keystore password

  • Change SSM server port

  • Change SSM-Web keystore password

Note

If you perform any of the above operations, you must run the SSM setup script, select “Print CG-NMS configuration for SSM,” and copy and paste all details into the cgms.properties file.

8.

Start the SSM server by running the following command:

    RHEL Version    Command
    8.x             systemctl start ssm
    7.x             service ssm start

Example output:

    [root@VMNMS ~]# service ssm start
    Starting Software Security Module Server: [ OK ]

Monitor SSM log files

You can monitor SSM logs in /opt/cgms-ssm/log/ssm.log. The default metrics report interval is 900 secs (15 min.), which is the minimum valid value. Only servicing metrics are logged. If there are no metrics to report, no messages are in the log.

Before you begin

  • Your SSM server must be up and running before starting the IoT FND server.

Procedure

To change the metrics report interval, set the ssm-metrics-report-interval field (in secs) in the /opt/cgms-ssm/conf/ssm.properties file.


Uninstall SSM servers

This section presents steps to completely uninstall the SSM server, including the steps for a fresh installation.

To uninstall the SSM server:

Procedure

1.

Stop the SSM server by running the following command:

    RHEL Version    Command
    8.x             systemctl stop ssm
    7.x             service ssm stop

2.

Copy and move the /opt/cgms-ssm/conf directory and contents to a directory outside of /opt/cgms-ssm.

3.

Uninstall the cgms-ssm rpm:

    rpm -e cgms-ssm

Fresh installations only.

4.

Install a new SSM server.

5.

Copy and overwrite the /opt/cgms-ssm/conf directory.


Switch to SSM

Note

You must install and start the SSM server before switching to SSM.

To switch from using the Hardware Security Module (HSM) for CSMP-based messaging and use the SSM:

Procedure

1.

Run the following command to stop Cisco IoT FND.

    RHEL Version    Command
    8.x             systemctl stop cgms
    7.x             service cgms stop

2.

Run the ssm_setup.sh script on the SSM server.

3.

Select option 3 to print Cisco IoT FND SSM configuration.

4.

Copy and paste the details into the cgms.properties file to connect to that SSM server.

EXAMPLE

    security-module=ssm
    ssm-host=127.107.155.85
    ssm-port=8445
    ssm-keystore-alias=ssm_csmp
    ssm-keystore-password=NQ1/zokip4gtUeUyQnUuNw==
    ssm-key-password=NQ1/zokip4gtUeUyQnUuNw==

5.

To set up the HSM, specify the following properties in the cgms.properties file.


    security-module=ssm/hsm
        (required; hsm: Hardware Security Module default.)
    hsm-keystore-name=testGroup1
        (optional; hsm partition name; testGroup1 default)
    hsm-keystore-password=TestPart1
        (optional; encrypted hsm partition password; TestPart1 default)

6.

Ensure that the SSM is up and running and that you can connect to it.

7.

Start Cisco IoT FND.
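
The checks below are an added example, not part of Cisco's guide or tooling: a shell audit of the SSM lines pasted into cgms.properties in the install and Switch to SSM procedures, meant to be run before IoT FND is started. The function names are hypothetical, and treating the encoded value printed on this page as the marker of the shipped ciscossm password is an assumption.

```shell
#!/bin/sh
# Added example (not Cisco code): audit the SSM settings pasted into cgms.properties.
# Assumption: DEFAULT_ENC, copied from this page's listings, encodes the shipped "ciscossm".
DEFAULT_ENC='NQ1/zokip4gtUeUyQnUuNw=='

# prop FILE KEY: print the value of the last "KEY=value" line (value may contain '=')
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# is_ipv4 STRING: succeed only for a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# audit_ssm_props FILE: print one finding per line; return 1 if anything was found
audit_ssm_props() {
    a_file=$1; a_bad=0
    a_val=$(prop "$a_file" security-module)
    [ "$a_val" = ssm ] || { echo "MODULE security-module='$a_val', expected ssm"; a_bad=1; }
    a_val=$(prop "$a_file" ssm-host)
    is_ipv4 "$a_val" || { echo "HOST ssm-host is not an IPv4 address: '$a_val'"; a_bad=1; }
    case $(prop "$a_file" ssm-port) in
        ''|*[!0-9]*) echo "PORT ssm-port is missing or not a number"; a_bad=1 ;;
    esac
    [ -n "$(prop "$a_file" ssm-keystore-alias)" ] || { echo "ALIAS ssm-keystore-alias is missing"; a_bad=1; }
    for a_key in ssm-keystore-password ssm-key-password; do
        a_val=$(prop "$a_file" "$a_key")
        if [ -z "$a_val" ]; then echo "SECRET $a_key is missing"; a_bad=1
        elif [ "$a_val" = "$DEFAULT_ENC" ]; then echo "DEFAULT $a_key matches the shipped default"; a_bad=1
        fi
    done
    return "$a_bad"
}

# Constructed sample: the step 4 output pasted into the file without any edits.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security-module=ssm
ssm-host=<Replace with IPv4 address of SSM server>
ssm-port=8445
ssm-keystore-alias=ssm_csmp
ssm-keystore-password=NQ1/zokip4gtUeUyQnUuNw==
ssm-key-password=NQ1/zokip4gtUeUyQnUuNw==
EOF
audit_ssm_props "$sample" || echo "fix cgms.properties before starting IoT FND"
rm -f "$sample"
```

A DEFAULT finding means the keystore or key password was never changed with ssm_setup.sh; after changing it, print the configuration again and paste the new values, as the note in the install procedure requires.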