Summary of Contents for Thales SafeNet ProtectServer Network HSM Plus 5.8
SafeNet ProtectServer Network HSM Plus INSTALLATION AND CONFIGURATION GUIDE...
Document Information
> Product Version: 5.8
> Document Part Number: 007-013682-006
> Release Date: 08 January 2020

Revision History
> Rev. A, 08 January 2020: Initial release

Trademarks, Copyrights, and Third-Party Software
Copyright 2009-2020 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto and/or its subsidiaries and are registered in certain countries.
consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect.
CONTENTS
Preface: About the SafeNet ProtectServer Network HSM Plus Installation and Configuration Guide
> Gemalto Rebranding
> Audience
> Document Conventions
> Support Contacts
Chapter 1: Product Overview
> Physical Features
> Front panel view
> Rear panel view
> Cryptographic architecture
> Summary of Cryptographic Service Provider setup
Chapter 2: SafeNet ProtectServer Network HSM Plus Hardware Installation
> SafeNet ProtectServer Network HSM Plus Required Items
> Installing the SafeNet ProtectServer Network HSM Plus Hardware...
Appendix A: Technical Specifications
Glossary
SafeNet ProtectToolkit 5.8 Installation and Configuration Guide 007-013682-006 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto...
PREFACE: About the SafeNet ProtectServer Network HSM Plus Installation and Configuration Guide
This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer Network HSM Plus cryptographic services hardware security module (HSM). It contains the following sections: >...
Old product name | New product name
ProtectToolkit M (PTK-M) | SafeNet ProtectToolkit-M
ProtectToolkit FM SDK | SafeNet ProtectToolkit FM SDK
NOTE These branding changes apply to the documentation only. The SafeNet HSM software and utilities continue to use the old names.
**WARNING** Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.
Command Syntax and Typeface Conventions
Format | Convention...
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
CHAPTER 1: Product Overview
The SafeNet ProtectServer Network HSM Plus is a self-contained, security-hardened server providing hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.
Figure 1: SafeNet ProtectServer Network HSM Plus front panel
Name | Description
> LCD system status screen: Displays "ProtectServer +" when system is operational.
> Serial (console) port: Local connection for initial setup, and for admin account reset (local-only action for security purposes).
> Ventilation fan-filter cover: Removable bracket allows cleaning of air filter.
Figure 2: HSM serial port pinout
Rear panel view
The features on the rear panel of the SafeNet ProtectServer Network HSM Plus are illustrated below:
Figure 3: SafeNet ProtectServer Network HSM Plus rear panel
Name | Description
> Kensington security slot: Attach an industry-standard locking cable for additional physical...
> Second removable power supply: The other of two redundant power supplies.
> Start/stop switch: Use to stop the system if the command-line shutdown is not available; use to restart the system if it has been switched off.
> USB ports: Unconfigured USB ports.
Summary of Cryptographic Service Provider setup
These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet ProtectServer Network HSM Plus in network mode. Relevant links to more detailed documentation are provided at each step.
CHAPTER 2: SafeNet ProtectServer Network HSM Plus Hardware Installation
This chapter describes how to install and connect a SafeNet ProtectServer Network HSM Plus. To ensure a successful installation, perform the following tasks in the order indicated:
> Ensure that you have all of the required components, as listed in "SafeNet ProtectServer Network HSM Plus Required Items" on the next page
> "Installing the SafeNet ProtectServer Network HSM Plus...
SafeNet ProtectServer Network HSM Plus Required Items
Follow this checklist to verify that you have all of the items required for the installation.
Item
> SafeNet ProtectServer Network HSM Plus Appliance
> Null-Modem Serial Cable
> USB 2.0 to RS232 Serial Adapter
> Smart card reader
> Smart cards (in a single media case)
> Set of:
  > 2 front Mounting Brackets with Screws
  > 2 Side Bracket Guides
  > 2 Sliding Rear Brackets (fit into the guides for rear support adjustable positioning).
> Client / SDK Software
NOTE Power cables are no longer included with the shipment from our factory.
> SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens). Gemalto recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the Security Officer and Token User).
Installing the SafeNet ProtectServer Network HSM Plus Hardware
This section provides basic SafeNet Network HSM hardware installation instructions (mounting in a rack, connecting cables, etc.). The SafeNet Network HSM appliance comes with front brackets and side-rails and sliders for the rear brackets, packed separately in the carton.
Mount the appliance in your equipment rack. Alternatively, ignore the rails and mounting tabs, and rest the SafeNet ProtectServer Network HSM Plus appliance on a mounting tray or shelf suitable for your specific style and brand of equipment rack.
If you have already installed SafeNet ProtectToolkit client software, refer to the SafeNet ProtectToolkit-C Administration Guide.
Smart Card Reader Installation
The unit supports the use of smart cards with a SafeNet-supplied smart card reader. Other smart card readers are not supported.
Next, see "Testing and Configuration" on page 26.
CHAPTER 3: Deployment Guidelines
Users must consider the following best practices for security and compliance when deploying SafeNet ProtectServer Network HSMs for their network/application environment:
> "Secure Messaging System (SMS)" below
> "Networking and Firewall Configuration" on the next page
> "Separation of Roles" on the next page
Secure Messaging System (SMS)
SafeNet ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which is erased when a tamper is detected.
For maximum security, enable all of the above features. See "Security Flags" on page 1 in the PTK-C Administration Guide for flag descriptions and setup instructions.
NOTE Enabling FIPS mode will block all mechanisms that are not FIPS-approved. If you are using unapproved mechanisms and understand the implications, do not enable FIPS mode.
"User Roles" on page 1 in the PTK-C Administration Guide for the responsibilities of each role.
CHAPTER 4: Testing and Configuration
This chapter provides a step-by-step overview of how to confirm correct operation of the SafeNet ProtectServer Network HSM Plus, and configure its network settings. These instructions assume that the installation process covered in "SafeNet ProtectServer Network HSM Plus Hardware Installation" on page 15 is complete.
• N,8,1 (no parity, 8 data-bits, one stop-bit)
• VT-100 terminal emulation
• hardware flow control selected
Power on and Log in
Power on the SafeNet ProtectServer Network HSM Plus. Power-up is complete when the login prompt appears:
Protect Server External 5.8.0 PSE+ login:...
Network Configuration
The SafeNet ProtectServer Network HSM Plus is intended to be installed in a data center and accessed remotely over a network. Network access is provided by two Ethernet LAN ports. The network device interfaces (eth0 and eth1) are located on the back of the appliance, as illustrated below:
Appliance configuration
The following network parameters are configured at the appliance level: >...
> DNS Name Server IP address(es) (per port)
> Search Domain name(s) (per port)
> Device subnet mask (per port)
DNS Entries
> Ensure that you have configured your DNS Server(s) with the correct entries for the appliance and the client.
• 0 : Balance Round Robin. Packets are transmitted alternately on each device in the bond, providing load balancing and fault tolerance.
• 1 : Active-Backup. One bonded device is active and the other serves as a backup. The backup only becomes active if the active device loses connectivity.
[Optional] Add a search domain to the network configuration. These are automatically appended to an internet address you specify in PSESH. For example, if you add the search domain mycompany.com, entering the command network ping hsm1 would search for the domain hsm1.mycompany.com. If the domain resolves, it pings the device with that hostname.
After making any change to the network configuration, reboot the appliance:
psesh:> sysconf appliance reboot
View the new network settings:
psesh:> network show
SSH Network Access
After you have completed the network configuration, you can access the SafeNet ProtectServer Network HSM Plus over the network using the SSH protocol.
Updating the Appliance Software Image
Gemalto provides secure update packages on the Customer Support Portal that allow the appliance administrator to update the appliance software image on your SafeNet ProtectServer Network HSM Plus and take advantage of new PSESH functionality. If you are updating the appliance software from version 5.6.0 or earlier, you must first install the secure package update patch, also available from the Support Portal.
Prerequisites
> Download the secure package file from the Gemalto Customer Support Portal (see "Support Contacts" on page 9).
> You must have admin access to the appliance.
> If the Admin Token is initialized, you require the Admin Token PIN.
To update the appliance software
Use scp (Linux/UNIX) or pscp (Windows) to securely transfer the secure package file to the appliance filesystem.
APPENDIX A: Technical Specifications
The SafeNet ProtectServer Network HSM Plus specifications are as follows:
Hardware
> Protective, heavy duty steel, industrial PC case
> Intel® Pentium® CPU G6950 2.80GHz
> 2 GB RAM
> 250 GB hard disk drive
> 10/100/1000 Mbps autosensing Network Interface with RJ45 LAN connector
>...
Glossary
> Adapter: The printed circuit board responsible for cryptographic processing in an HSM
> Advanced Encryption Standard
> Application Programming Interface
> Administration Security Officer
> Asymmetric Cipher: An encryption algorithm that uses different keys for encryption and decryption. These ciphers are usually also known as public-key ciphers as one of the keys is generally public and the other is private.
> ...third has signed the second and so on
> CMOS: Complementary Metal-Oxide Semiconductor. A common data storage component
> Cprov: ProtectToolkit C - SafeNet's PKCS #11 Cryptoki Provider
> Cryptoki: Cryptographic Token Interface Standard (aka PKCS#11)
> Cryptographic Services Adapter
> CSPs: Microsoft Cryptographic Service Providers
> Decryption: The process of recovering the plaintext from the ciphertext
> Cryptographic algorithm named as the Data Encryption Standard...
> FIPS: Federal Information Protection Standards
> Functionality Module: A segment of custom program code operating inside the CSA800 HSM to provide additional or changed functionality of the hardware
> FMSW: Functionality Module Dispatch Switcher
> High Availability
> HIFACE: Host Interface. It is used to communicate with the host system
> Hardware Security Module
> IDEA: International Data Encryption Algorithm...
> Java Cryptography Extension
> Keyset: A keyset is the definition given to an allocated memory space on the HSM. It contains the key information for a specific user
> KWRAP: Key Wrapping Key
> Message authentication code: A mechanism that allows a recipient of a message to determine if a message has been tampered with.
> Privacy Enhanced Mail
> Personal Identification Number
> PKCS: Public Key Cryptographic Standard. A set of standards developed by RSA Laboratories for Public Key Cryptographic processing
> PKCS #11: Cryptographic Token Interface Standard developed by RSA Laboratories
> Public Key Infrastructure
> ProtectServer: SafeNet HSM
> ProtectToolkit C: SafeNet's implementation of PKCS#11.
> Real Time Clock
> Software Development Kits: Other documentation may refer to the SafeNet Cprov and Protect Toolkit J SDKs. These SDKs have been renamed ProtectToolkit C and ProtectToolkit J respectively.
  > The names Cprov and ProtectToolkit C refer to the same device in the context of this or previous manuals.
  > The names Protect Toolkit J and ProtectToolkit J refer to the same device in the context of this or previous manuals.
> Universal Resource Identifier
> Validation Authority
> X.509: Digital Certificate Standard
> X.509 Certificate: Section 3.3.3 of X.509v3 defines a certificate as: "user certificate; public key certificate; certificate: The public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it"...