Disclaimer

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.
United States: (800) 545-6608

www.safenet-inc.com

Support and Downloads: www.safenet-inc.com/support
Provides access to the SafeNet Knowledge Base and quick downloads for various products.

Technical Support Customer Portal: https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.
NOTE: This release applies to the second-generation ProtectServer External appliance, named ProtectServer External 2 (PSE2). This new hardware variant is RoHS-compliant and uses all the software that accompanied the original PSE, namely Ptk-C, Ptk-J, Ptk-M, and all of their documents, libraries, utilities, etc.
These services include encryption, decryption, signature generation and verification, and key management with tamper-resistant, battery-backed key storage. To implement a cryptographic service provider, use the PSE2 with one of SafeNet’s high-level cryptographic APIs. The provider types that can be implemented and the corresponding SafeNet high-level cryptographic API required are shown in the following table.
Figure 1: PSE2 front panel

Ports

The front panel is equipped with the following ports:

Used to connect a VGA monitor to the appliance.

Console: Used to provide console access to the appliance. See "Equipment requirements" on page 9.

Used to connect USB devices such as a keyboard or mouse to the appliance.

Pressing the reset button is service affecting and is not recommended under normal operating conditions.

Rear panel view

Figure 3 illustrates the rear panel of the ProtectServer External 2 appliance.

Figure 3: PSE2 rear panel

Tamper lock

The tamper lock allows you to set the tamper state of the HSM inside the appliance.
3. Access provider software to implement the connection between the cryptographic API software and the HSMs.

Where key processing and storage is to be implemented using a standalone SafeNet ProtectServer External 2 (PSE2) HSM, the cryptographic service provider will operate in network mode.

Implementation steps

The installation and configuration of the PSE2 is part of the setup of the overall network operating mode. The following is a summary (with references to the location of detail) of the steps to set up a cryptographic service provider, using the network operating mode and a PSE2:

1.

Smart Card Reader Installation

The ProtectServer offers functionality supporting the use of smart cards. To make use of these features, a SafeNet-supplied smart card reader must be used. Smart card readers, other than those supplied by SafeNet, are not supported.
USB hub. Again, the USB connection is for power only. No data transfer occurs. Note: You must use the supplied SafeNet smart card reader. Smart card readers, other than those supplied by SafeNet, are not supported.
Chapter 5
Testing and configuration

This chapter provides information on how to:
- test the ProtectServer External 2 (PSE2) to confirm correct operation
- configure network settings.

The assumptions are:
- The installation steps covered in the previous chapter are complete.
...
use a serial cable (not included) to connect the RJ45 console port to a terminal emulation device, such as a laptop or terminal server. If you are using a serial connection, configure your local VT100 or terminal emulator settings as follows:

Speed (bits per second): 115200
Word length (data bits)

9. Verify that you have SSH network access to the PSe (if required). Refer to "SSH network access" on page 13 for details.
10. Detach keyboard and monitor if no longer required (if applicable).

System testing

Before field test and deployment we recommend that you run the diagnostic utility hsmstate to ensure that the unit is functioning correctly.

Setting a hostname and default gateway

Set the default gateway (that this SafeNet PSE2 should use) by editing the file /etc/sysconfig/network. If you ever want to address the unit by its name using the loopback connection, you...

Once a table configuration has been created that provides suitable network access, it can be stored as the active network configuration using the following command:

    /etc/init.d/iptables save active

Before iptables(8) is completely configured it should have an inactive table defined. This is less critical as there is very little running in the operating system by the time the inactive table is loaded.

Process

1. Select and download the desired PSE2 image upgrade file from the SafeNet Web site at http://www.safenet-inc.com.
2. Place the upgrade files onto the root directory of a USB memory stick or onto a CDROM.
3. Connect the CDROM drive or memory stick to any USB port on the back of the PSe.

2 Gb solid state flash memory hard disk (DOM)
10/100/1000 Mbps autosensing Network Interface with RJ45 LAN connector

Pre-installed Software
Linux operating system
SafeNet PCI HSM Access Provider software
SafeNet HSM Net Server software

Power Supply
Nominal power consumption: 43 W
...