Gemalto SafeNet ProtectServer Installation And Configuration Manual

SafeNet ProtectServer
Network HSM
Installation and Configuration Guide

Summary of Contents for Gemalto SafeNet ProtectServer

  • Page 1 SafeNet ProtectServer Network HSM Installation and Configuration Guide...
  • Page 2 Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect.
  • Page 3 © 2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.
  • Page 4 Revision History Revision Date Reason 14 March 2016 Release 5.2...
  • Page 5: Table Of Contents

    Setting a name server (13); Setting access control (13); SSH network access (14); Restarting networking (14); Powering off the SafeNet ProtectServer Network HSM (14); Upgrading the SafeNet ProtectServer Network HSM (14); Troubleshooting (15); Chapter 6 PSESH Command Reference ...
  • Page 6 Features (16); Accessing PSESH (17); Command Reference (17); exit (18); files (18); help (19); hsm (20); network (21); network dns (21); network interface (22); network interface delete (23); network interface dhcp (23); network interface static ...
  • Page 7: Chapter 1 Introduction

    Chapter 1 Introduction This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer Network HSM cryptographic services hardware security module (HSM). Chapter 2 gives an overview of the product. Both functionality and physical characteristics are described.
  • Page 8: Chapter 2 Product Overview

    (API) software, to implement cryptographic service providers for a wide range of secure applications. The SafeNet ProtectServer Network HSM is PC based. The enclosure is a heavy duty steel case and common PC ports and controls are provided. The unit is delivered with the necessary software components pre-installed on a Linux operating system, in a “ready to operate”...
  • Page 9: Ports

    Figure 1: SafeNet ProtectServer Network HSM front panel. Ports: the front panel is equipped with the following ports: one used to connect a VGA monitor to the appliance; Console, used to provide console access to the appliance. See "Equipment requirements" on page 9.
  • Page 10: Reset Button

    HSM to be deleted. Once the keys are deleted they are not recoverable. Ensure that you always back up your keys. To avoid accidentally deleting the keys on an operational SafeNet ProtectServer Network HSM, remove the tamper key after installation/commissioning and store it in a safe place.
  • Page 11: Chapter 3 Implementation Overview

    In network mode, Network HSM Access Provider software is installed on the same machine used to host the cryptographic API software. It implements the connection between the SafeNet ProtectServer Network HSM and the cryptographic host over a TCP/IP network connection. The SafeNet ProtectServer Network HSM can then be located at any distance from the machine hosting the access provider, cryptographic API and application software.
  • Page 12: Implementation Steps

    Implementation steps The installation and configuration of the SafeNet ProtectServer Network HSM is part of the setup of the overall network operating mode. The following is a summary (with references to where the details are given) of the steps to set up a cryptographic service provider using the network operating mode and a SafeNet ProtectServer Network HSM: 1.
  • Page 13: Chapter 4 Installation

    IPv6 address on each interface. If you intend to use both NICs, connect Ethernet cables to both LAN connectors. 3. Connect the power cable to the unit and a suitable power source. The SafeNet ProtectServer Network HSM is equipped with an autosensing power supply that can accept 100-240 V at 50-60 Hz.
  • Page 14 The options are:
      • Connect a PS/2-to-USB adapter cable (pink) between the card reader and a USB port on the SafeNet ProtectServer Network HSM.
      • If you prefer not to expose USB ports on your crypto server (for security reasons), connect a PS/2-to-USB adapter cable between the card reader and a standalone powered USB hub.
  • Page 15: Testing And Configuration

    Refer to the indicated sections for more detail if required. 1. Connect a keyboard/monitor or serial cable to the SafeNet ProtectServer Network HSM In order to access the SafeNet ProtectServer Network HSM console, you must do one of the following:...
  • Page 16 ProtectServer Network HSM login: prompt is displayed. 3. Log in to the console Following boot up, the SafeNet ProtectServer Network HSM will prompt for login credentials. If you are using a monitor/keyboard, you can log in as pseoperator, admin or root. If you are using a serial connection, you can log in as pseoperator or admin.
  • Page 17: System Testing

    This utility displays the current status of the SafeNet ProtectServer Network HSM. It provides the following information: the status of the HSM installed in the SafeNet ProtectServer Network HSM. If the unit is functioning correctly, a message that includes the following is...
  • Page 18: Using Ipv6 Addressing

    Note: It is recommended that you use psesh:>network config interface to configure the IPv4 IP address. The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1), each of which can be configured with its own IP address(es). The IP address for each...
  • Page 19: Setting A Name Server

    Set the default gateway (that this SafeNet ProtectServer Network HSM should use) by editing the file /etc/sysconfig/network. If you ever want to address the unit by its name using the loopback connection, you can set the hostname by editing the...
  • Page 20: Ssh Network Access

    After you have completed the network configuration, you can access the SafeNet ProtectServer Network HSM over the network using the SSH protocol. To access the SafeNet ProtectServer Network HSM using SSH, you require an SSH client such as PuTTY (available for free from www.putty.org).
  • Page 21: Troubleshooting

    Troubleshooting Each SafeNet ProtectServer Network HSM is tested during manufacture to ensure a high level of quality. In the unlikely event the unit is not functioning correctly please re-check the installation procedure, paying particular attention to the power source and network cable connection.
  • Page 22: Psesh Command Reference

    About PSESH The PSESH shell command line tool provides access to the SafeNet ProtectServer Network HSM shell for performing basic appliance configuration tasks such as network configuration and appliance software package updates and management.
  • Page 23: Accessing Psesh

    You can now issue any PSESH command. For a summary, type "?" or "help" and press Enter. Command Reference This section describes the commands available in the SafeNet ProtectServer Network HSM command shell (psesh). The commands are described in alphabetical order and provide: ...
  • Page 24: Exit

    Display the current state of the HSM, or reset the HSM if it becomes unresponsive. network View or configure the network settings for the SafeNet ProtectServer Network HSM appliance. package Manage the software packages installed on the appliance. service Manage the services on the appliance.
  • Page 25: Help

    clear Delete all of the files in the appliance’s SCP directory. delfile <filename> (shortcut: d <filename>) Delete the specified file from the appliance’s SCP directory. show List all of the files that currently reside in the appliance’s SCP directory. Example psesh:> files show SCP Folder Content ------------------ total 861K...
  • Page 26: Hsm

    Type "help" or "?" (without the double quotation marks) to see help and syntax information for any Luna Shell command. "help" or "?" with no arguments lists the top level commands with brief descriptions. "help" or "?" followed by one or more arguments (command names, sub- commands, options) yields increasingly detailed information.
  • Page 27: Network

    [y/n]? > n Exiting..Command Result : 0 (Success) network View or configure the network settings for the SafeNet ProtectServer Network HSM appliance. User access admin, pseoperator Syntax network [dns | domain <domain> | hostname <hostname> | interface | iptables | ping <hostname_or_IP>...
  • Page 28: Network Interface

    Syntax network dns [add | delete] [nameserver <dns_name_server> | searchdomain <dns_search_domain>] Parameter Shortcut Description add nameserver <dns_name_server> Add a DNS name server to the list of servers used to provide DNS services to the appliance. add searchdomain <dns_search_domain> Add a DNS search domain to the list of search...
  • Page 29: Network Interface Delete

    network interface delete Delete the network configuration for a network interface (eth0 or eth1). Syntax network interface delete -device <netdevice> Parameter Shortcut Description -device <netdevice> Specifies the interface whose configuration you want to delete. Valid values: eth0, eth1 Example psesh:> network interface delete -device eth1 Interface eth1 removed successfully.
  • Page 30: Network Iptables

    Configure the iptables firewall for the appliance. You can use this command to configure the iptables ACCEPT and DROP rules. By default, the SafeNet ProtectServer Network HSM allows access to all networks and hosts. The default policy for the INPUT and OUTPUT chain is set to ACCEPT.
  • Page 31: Network Route

    Syntax network iptables addrule {accept | drop} {host –ip <ip_address> | network –net <ip_address> -mask <network_mask>} Parameter Shortcut Description accept Add a host or network ACCEPT rule to the iptables firewall for the appliance. drop Add a host or network DROP rule to the iptables firewall for the appliance.
  • Page 32: Package

    package Manage the software packages installed on the appliance. User access admin Syntax package {list [all | ptk] | update} Parameter Shortcut Description list [all | ptk] List the packages currently installed on the appliance. Use the all flag to list all packages. Use the ptk flag to list the PTK packages only.
  • Page 33 restart <service> Restart the specified service. Services require restarting if their configurations have changed. For example, after changing any network settings using the network commands, you should restart the network service to ensure the new settings take effect. Restarting a service isn't always the same as stopping and then starting a service.
  • Page 34: Status

    Command Result : 0 (Success) psesh:>service restart network Shutting down interface eth0: Shutting down interface eth1: Shutting down loopback interface: Bringing up loopback interface: Bringing up interface eth0: Bringing up interface eth1: Command Result : 0 (Success) psesh:>service status network eth0 is up Command Result : 0 (Success) status...
  • Page 35 netstat Display the current network connections. Display the status of all active processes. time Display the time currently configured on the appliance, using the 24 hour clock. zone Display the currently configured time zone. Example psesh:>status cpu CPU Load Averages: 0.14 0.10 0.08 1/68 11162 System uptime: At Tue Jan 26 06:35:23 EST 2016, I am up 4 days and 23:38 hours.
  • Page 36 psesh:>status mac eth0 00:0D:48:3B:5E:E4 Command Result : 0 (Success) psesh:>status mem total used free shared buffers cached Mem: 1019668 167744 851924 35332 67256 -/+ buffers/cache: 65156 954512 Swap: Command Result : 0 (Success) psesh:>status netstat Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State...
  • Page 37: Sysconf

    sysconf Configure the appliance time, date, or SNMP settings, or reboot or power-off the appliance. User access admin, pseoperator Syntax sysconf {appliance | snmp | time | timezone} Parameter Shortcut Description appliance Reboot or power-off the appliance. See “sysconf appliance”, below. snmp Configure the SNMP settings on the appliance.
  • Page 38: Sysconf Snmp Config

    SNMP is stopped Command Result : 0 (Success) psesh:>sysconf snmp show SNMP is not running SNMP is disabled Current SNMP configuration ##################################################################### SafeNet ProtectServer SNMP v2c snmpd.conf ##################################################################### agentuser root syslocation TESTLAB syscontact TESTCONTACT com2sec secName 192.168.11.17 COMMUNITY group secNameGroup v2c secName view systemview included .1.3.6.1.2.1.1...
  • Page 39: Sysconf Timezone

    -community -com Specifies the community string for the SNMP server on the appliance. SNMP community strings function as passwords that are embedded in every SNMP packet to authenticate access to the Management Information Base (MIB) on the appliance. Enter this keyword followed by the community string.
  • Page 40: Syslog

    Timezone set to America/Toronto psesh:> sysconf timezone show syslog Display or archive the syslog. User access admin, pseoperator Syntax syslog {tail | tarlogs} Parameter Shortcut Description tail Display the last entries of the specified syslog. See “syslog tail”, below. tarlogs Create an archive of the syslog Example psesh:>syslog tar...
  • Page 41: User Password

    Example psesh:>syslog tail -logname messages -entries 10 Feb 12 12:00:17 PSe-II snmpd[3963]: Connection from UDP: [172.16.21.19]:62386->[172.20.11.150] Feb 12 12:00:18 PSe-II snmpd[3963]: Connection from UDP: [172.16.21.19]:62386->[172.20.11.150] Feb 12 12:04:16 PSe-II psesh [4341]: info : 0 : pssh user login : admin : 172.16.181.182/51177 Feb 12 12:04:28 PSe-II psesh [4341]: info : 0 : Command: help syslog : admin : 172.16.181.182/51177 Feb 12 12:06:36 PSe-II psesh [4341]: info : 0 : Command: help syslog...
  • Page 42 Retype new password: passwd: all authentication tokens updated successfully. Command Result : 0 (Success) [PSe-II] psesh:>user password Changing password for user admin. New password: BAD PASSWORD: it is based on a dictionary word Retype new password: passwd: all authentication tokens updated successfully. Command Result : 0 (Success) psesh:>user password –user pseoperator Changing password for user pseoperator.
  • Page 43: Appendix A Technical Specifications

    Appendix A Technical specifications The SafeNet ProtectServer Network HSM specifications are as follows: Hardware
      • One smart card reader secure USB port (requires the included USB-to-serial cable)
      • Protective, heavy duty steel, industrial PC case
      • ATOM D425 CPU
      • 1 Gb RAM ...
  • Page 44 END OF DOCUMENT...