diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index 1c7917565ecee56bf5cc50d8519315eebec226d1..24eccf2389a6c95ea245cb12aefa23fc5ced0109 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -326,6 +326,12 @@ def main():
     # ssl certificate
     # options.dirsrv_cert_files = ansible_module.params.get(
     #     'dirsrv_cert_files')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # client
     # options.no_ntp = ansible_module.params.get('no_ntp')
     # certificate system
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 4003e14d41557645c788aeda6673c530a9f28f0f..1a453e49ad792110c89f56d1d32e32b649b1d449 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -305,6 +305,12 @@ def main():
     options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
     options._dirsrv_pkcs12_info = ansible_module.params.get(
         '_dirsrv_pkcs12_info')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # certificate system
     options.external_ca = ansible_module.params.get('external_ca')
     options.external_ca_type = ansible_module.params.get('external_ca_type')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index 9f05ef5a1da40f3a99c154cc60c8e36e09bdcf3a..4ea9aa6e242a29f8e7b7dc91e967832fdd95359f 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -74,7 +74,7 @@ RETURN = '''
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     check_imports, AnsibleModuleLog, setup_logging, options,
-    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
+    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
 )
 
 
@@ -106,6 +106,12 @@ def main():
     options.pki_config_override = ansible_module.params.get(
         'pki_config_override')
     options.promote = False  # first master, no promotion
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
 
     # init ##########################################################