diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index 1c791756..24eccf23 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -326,6 +326,12 @@ def main():
     # ssl certificate
     # options.dirsrv_cert_files = ansible_module.params.get(
     #     'dirsrv_cert_files')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # client
     # options.no_ntp = ansible_module.params.get('no_ntp')
     # certificate system
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 4003e14d..1a453e49 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -305,6 +305,12 @@ def main():
     options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
     options._dirsrv_pkcs12_info = ansible_module.params.get(
         '_dirsrv_pkcs12_info')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # certificate system
     options.external_ca = ansible_module.params.get('external_ca')
     options.external_ca_type = ansible_module.params.get('external_ca_type')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index 9f05ef5a..4ea9aa6e 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -74,7 +74,7 @@ RETURN = '''
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     check_imports, AnsibleModuleLog, setup_logging, options,
-    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
+    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
 )
 
 
@@ -106,6 +106,12 @@ def main():
     options.pki_config_override = ansible_module.params.get(
         'pki_config_override')
     options.promote = False  # first master, no promotion
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
 
     # init ##########################################################