Thales SafeNet ProtectServer Network HSM 5.9 Installation And Configuration Manual

SafeNet ProtectServer Network HSM 5.9
INSTALLATION AND CONFIGURATION GUIDE

Summary of Contents for Thales SafeNet ProtectServer Network HSM 5.9

  • Page 1 SafeNet ProtectServer Network HSM 5.9 INSTALLATION AND CONFIGURATION GUIDE...
  • Page 2 Disclaimer All information herein is either public information or is the property of and owned solely by Thales and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
  • Page 3 Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
  • Page 4: Table Of Contents

    Powering off the ProtectServer Network HSM Troubleshooting Updating the Appliance Software Image Installing the Secure Update Package Patch Updating the Appliance Software Appendix A: Technical Specifications Glossary SafeNet ProtectToolkit 5.9 Installation and Configuration Guide 007-013682-007 Rev. A 08 January 2020 Copyright 2009-2020 Thales...
  • Page 5: Preface: About The ProtectServer Network HSM Installation And Configuration Guide

    SafeNet ProtectServer HSM Access Provider ProtectToolkit C (PTK-C) SafeNet ProtectToolkit-C ProtectToolkit J (PTK-J) SafeNet ProtectToolkit-J ProtectToolkit M (PTK-M) SafeNet ProtectToolkit-M ProtectToolkit FM SDK SafeNet ProtectToolkit FM SDK...
  • Page 6: Audience

    This includes SafeNet ProtectToolkit users and security officers, key manager administrators, and network administrators. All products manufactured and distributed by Thales are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.
  • Page 7 [<a>|<b>|<c>]: Represent optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the braces, if desired. Choices are separated by vertical (OR) bars...
  • Page 8: Support Contacts

    Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
  • Page 9: Chapter 1: Product Overview

    The features on the front panel of the ProtectServer Network HSM are illustrated below: Figure 1: ProtectServer Network HSM front panel Ports The front panel is equipped with the following ports:...
  • Page 10: Rear Panel View

    Pressing the reset button is service-affecting and is not recommended under normal operating conditions. Rear panel view The features on the rear panel of the ProtectServer Network HSM are illustrated below:...
  • Page 11: Cryptographic Architecture

    TCP/IP connection. The HSM can therefore be located remotely, improving the security of cryptographic key data. The figure below depicts a cryptographic service provider using the ProtectServer Network HSM in network mode. Figure 4: ProtectServer Network HSM implementation...
  • Page 12: Summary Of Cryptographic Service Provider Setup

    Please refer to the relevant high-level cryptographic API documentation: • SafeNet ProtectToolkit-C Administration Guide • SafeNet ProtectToolkit-J Administration Guide • SafeNet ProtectToolkit-M User Guide...
  • Page 13: Chapter 2: ProtectServer Network HSM Hardware Installation

    Ensure that you have all of the required components, as listed in "ProtectServer Network HSM Required Items" on the next page. Install and connect the hardware, as described in "Installing the ProtectServer Network HSM Hardware" on page 15...
  • Page 14: ProtectServer Network HSM Required Items

    Optional Items The following table describes additional items which you can use with your ProtectServer HSM. Contact your Thales sales representative to order these items...
  • Page 15: Installing The ProtectServer Network HSM Hardware

    Chapter 2:   ProtectServer Network HSM Hardware Installation Item SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens) Thales recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the Security Officer and Token User). PN: 955-000237-001...
  • Page 16 USB hub. It should be noted that the USB connection is for power only. No data transfer occurs. Next, see "Testing and Configuration" on page 20...
  • Page 17: Chapter 3: Deployment Guidelines

    > Allow only FIPS-approved mechanisms > Rotate signing and encryption keys after a specified number of packets or hours > All of the above...
  • Page 18: Networking And Firewall Configuration

    The following roles can log in to manage the HSM token and perform cryptographic operations: > Administration Security Officer (ASO) > Administrator > Security Officer (SO) > Token Owner (User)...
  • Page 19 Chapter 3:   Deployment Guidelines "User Roles" on page 1 in the SafeNet ProtectToolkit-C Administration Guide for the responsibilities of each role...
  • Page 20: Chapter 4: Testing And Configuration

    ). If your terminal device is equipped with an RJ45 serial port, you can use a standard Ethernet cable. Serial cables are not included...
  • Page 21: Power On And Login

    See the PSESH Command Reference Guide for command syntax. The default passwords for the admin and pseoperator users are (user name: default password): admin: password; pseoperator: password...
  • Page 22: Run System Test

    PSESH to complete the network configuration. Appliance configuration The following network parameters are configured at the appliance level:...
  • Page 23: Gathering Appliance Network Information

    Ensure that you have configured your DNS Server(s) with the correct entries for the appliance and the client. > If you are using DHCP, then all references to the Client and the HSM appliance (as in Certificates) should use hostnames...
  • Page 24: Configuring The Network Parameters

    This mode requires a switch that supports IEEE 802.3ad dynamic links. The device used for an outgoing packet is selected by the transmit hash policy (by default, a simple XOR). This policy can...
  • Page 25 For example, if you add a DNS server to eth0, eth1 will be able to access the DNS server if eth0 is...
  • Page 26: SSH Network Access

    After you have completed the network configuration, you can access the ProtectServer Network HSM over the network using the SSH protocol. You need an SSH client such as PuTTY (available for free from www.putty.org)...
  • Page 27: Powering Off The ProtectServer Network HSM

    If it ever becomes necessary to get into the BIOS, press <Delete> as the ProtectServer Network HSM boots. For further assistance contact your supplier or Thales support with the following details at hand: > The product serial number (at the back of the unit) >...
  • Page 28: Installing The Secure Update Package Patch

    Appliance Software" on the next page only. Prerequisites > Download the patch (SPKG-0.1-1.i386.rpm) from the Thales Customer Support Portal (see "Support Contacts" on page 8). > If you are installing the patch on a ProtectServer Network HSM running software version 5.2.0 or 5.3.0, ensure that you have root access.
  • Page 29: Updating The Appliance Software

    The following procedure allows you to update the software image on your ProtectServer Network HSM appliance using a secure package. Prerequisites > Download the secure package file from the Thales Customer Support Portal (see "Support Contacts" on page 8). > You must have admin access to the appliance.
  • Page 30: Appendix A: Technical Specifications

    Weight: 5 kg (11 lb). Operating Environment: > Temperature: 0 to 40 °C (32 to 104 °F) > Relative Humidity: 5 to 85%...
  • Page 31: Glossary

    A binding of an identity (individual, group, etc.) to a public key which is generally signed by another identity. A certificate chain is a list of certificates that indicates a chain of trust, i.e. the second certificate has signed the first, the...
  • Page 32 Some algorithms perform this function in such a way that there is no known mechanism, other than decryption with the appropriate key, to recover the plaintext. With other algorithms there are known flaws which reduce the difficulty in recovering the plaintext...
  • Page 33 Host Interface. It is used to communicate with the host system Hardware Security Module IDEA International Data Encryption Algorithm Microsoft Internet Information Services Internet Protocol Java Cryptography Architecture...
  • Page 34 A mechanism for extending the input data so that it is of the required size for a block cipher. The PKCS documents contain details on the most common padding mechanisms of PKCS#1 and PKCS#5 Peripheral Component Interconnect...
  • Page 35 Request for Comments, proposed specifications for various protocols and algorithms archived by the Internet Engineering Task Force (IETF), see http://www.ietf.org Random Number Generator Cryptographic algorithm by Ron Rivest, Adi Shamir and Leonard Adleman...
  • Page 36 PKCS#11 token that provides cryptographic services and access controlled secure key storage TokenPKCS#11 Token that provides cryptographic services and access controlled secure key storage...