ProtectToolkit 5.9.1
ProtectServer HSM and ProtectToolkit
INSTALLATION AND CONFIGURATION GUIDE

Summary of Contents for Thales ProtectToolkit 5.9.1

  • Page 1 ProtectToolkit 5.9.1 ProtectServer HSM and ProtectToolkit INSTALLATION AND CONFIGURATION GUIDE...
  • Page 2 Thales Group does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
  • Page 3 Thales Group. Thales ProtectServer HSM 5.9.1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide 2021-11-02 08:51:40-04:00 Copyright 2009-2021 Thales Group...
  • Page 4: Table Of Contents

    Secure Messaging System (SMS) Networking and Firewall Configuration Separation of Roles First Login and System Test Access the Console Power on and Login
  • Page 5 Installing the Secure Update Package Patch Updating the Appliance Software Chapter 4: ProtectToolkit Software Installation System Requirements Operating Modes Installing ProtectToolkit on Windows
  • Page 6 ProtectServer External 2 Server Configuration PCI Mode Client Configuration Items Network Mode Client Configuration Items Network Mode Server Configuration Items Software-Only Mode Configuration
  • Page 7 Fixing Command Line Utility Low Performance Enabling Smart Card Access under UNIX Specifying the Network Server(s) UNIX/ Example Windows Example Using IPv6 addressing
  • Page 8: Preface: About The Protectserver Hsm And Protecttoolkit Installation Guide

    Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use the following format: CAUTION! Exercise caution. Contains important information that may help prevent unexpected results or data loss.
  • Page 9 Represent optional alternate keywords or variables in a command line description. Choose one [<a>|<b>|<c>] command line argument enclosed within the braces, if desired. Choices are separated by vertical (OR) bars.
  • Page 10: Support Contacts

    Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
  • Page 11: Chapter 1: Protectserver Pcie 2 Hardware Installation

    The ProtectServer PCIe 2 has been tested with a variety of representative systems/servers with compliant PCI express slots. When a compatibility problem with a current brand and model computer arises, that information is made available via the Thales Support Portal. To troubleshoot a ProtectServer PCIe 2 installation issue that you are experiencing, refer to ProtectServer PCIe 2 Installation Issues
  • Page 12: Protectserver Pcie 2 Required Items

    Smart card reader Smart cards (in a single media case) Each smart card contains a total of 64 kilobytes of storage space.
  • Page 13: Optional Items

    > SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens) Thales recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the Security Officer and Token User). PN: 955-000237-001 >...
  • Page 14: Adapter Features

    You can use the ctcheck -b batterystatus command to test the battery's condition. If the battery status is reported as LOW , back up the keys on the HSM and return the HSM to your nearest Thales service centre for "Support Contacts" on page 10...
  • Page 15: Installing The Adapter

    Installing the USB smart card reader To install the USB card reader, simply plug the card reader into the HSM USB port.
  • Page 16: Completing Installation

    For more information about installing ProtectToolkit, see page 60 ProtectServer PCIe 2 Storage Capacity The ProtectServer PCIe 2 has the following storage capacity:
  • Page 17: Hardware Reference

    The battery has an expected lifetime of ten years. It should not require replacement within the normal lifetime of the adapter.
  • Page 18: Port Specifications

    The USB-to-serial cable provides an RS232 port with pin outs as shown in This port can be used for connecting a smart card reader or another serial device. Figure 3: Adapter serial connector
  • Page 19: Chapter 2: Protectserver External 2 Installation And Configuration

    ProtectServer External 2. Please refer to the relevant high-level cryptographic API documentation: • ProtectToolkit-C Administration Guide • ProtectToolkit-J Reference Guide • ProtectToolkit-M User Guide
  • Page 20: Product Overview

    Provides console access to the appliance. See "Access the Console" on page 29. Connects USB devices such as a keyboard or mouse to the appliance.
  • Page 21: Rear Panel View

    With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical (Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.
  • Page 22: Cryptographic Architecture

    4 GB solid state flash memory hard disk (DOM) > 10/100/1000 Mbps autosensing Network Interface with RJ45 LAN connector Pre-installed Software > Linux operating system > ProtectServer HSM Access Provider software
  • Page 23 Weight 5 kg (11 lb) Operating Environment > Temperature: 0 to 40 °C (32 to 104 °F) > Relative Humidity: 5 to 85%
  • Page 24: Protectserver External 2 Required Items

    After the appliance is placed into service, the keyboard, mouse and monitor can be disconnected from the appliance.
  • Page 25: Optional Items

    > SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens) Thales recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the Security Officer and Token User). PN: 955-000237-001 >...
  • Page 26: Smart Card Reader Installation

    The unit supports the use of smart cards with a Thales-supplied smart card reader. Other smart card readers are not supported. The ProtectServer External 2 supports two different card readers: >...
  • Page 27: Deployment Guidelines

    For maximum security, enable all of the above features. See in the "Security Policies and User Roles" section of the ProtectToolkit-C Administration Guide for flag descriptions and setup instructions.
  • Page 28: Networking And Firewall Configuration

    ProtectToolkit-C Administration Guide for the responsibilities of each role. First Login and System Test When starting up your ProtectServer External 2 for the first time, follow these steps:
  • Page 29: Access The Console

    Power on the ProtectServer External 2 and the (optional) monitor. A green LED on the front of the device will illuminate and the startup messages will be displayed on the monitor:
  • Page 30: Run System Test

    You can also use the PSESH command status to check each of the HSM's processes. See the PSESH Command Reference Guide for command syntax. Continue to "Network Configuration" on the next page.
  • Page 31: Network Configuration

    These settings apply to static network configurations only. If you are using DHCP, the DNS search domains and DNS nameservers configured on the DHCP server are used. > Network device bonding
  • Page 32: Gathering Appliance Network Information

    IPv6 addresses must be configured as static addresses. Static psesh:> network interface static -device <netdevice> -ip <IP_address> -netmask <netmask> [-gateway <IP_address>] DHCP psesh:> network interface dhcp -device <netdevice>
  • Page 33 You must configure your DNS server to resolve the hostname to the IP address configured on the Ethernet port of the appliance. Do this for each Ethernet port connected to a network. See your network administrator for assistance.
  • Page 34 -ip <IP_address> psesh:> network iptables addrule accept network -net <IP_address> -mask <netmask> To add a DROP rule, specify a host or network:
  • Page 35: Ssh Network Access

    LEDs will turn off. Updating the Appliance Software Image Thales provides secure update packages on the Customer Support Portal that allow the appliance administrator to update the appliance software image on your ProtectServer External 2 and take advantage of new PSESH functionality. If you are updating the appliance software from version 5.6.0 or earlier, you must first install the secure package update patch, also available from the Support Portal.
  • Page 36: Installing The Secure Update Package Patch

    Appliance Software" on the next page only. Prerequisites > Download the patch ( SPKG-0.1-1.i386.rpm ) from the Thales Customer Support Portal (see "Support Contacts" on page 10) > If you are installing the patch on a ProtectServer External 2 running software version 5.2.0, ensure that you have root access.
  • Page 37: Updating The Appliance Software

    The following procedure allows you to update the software image on your ProtectServer External 2 appliance using a secure package. Prerequisites > Download the secure package file from the Thales Customer Support Portal (see "Support Contacts" on page 10) > You must have admin access to the appliance. >...
  • Page 38: Chapter 3: Protectserver External 2 Plus Installation And Configuration

    ProtectServer External 2. Please refer to the relevant high-level cryptographic API documentation: • ProtectToolkit-C Administration Guide • ProtectToolkit-J Reference Guide • ProtectToolkit-M User Guide
  • Page 39: Product Overview

    Here are some of the physical features of the ProtectServer External 2 Plus: Front panel view The features on the front panel of the ProtectServer External 2 Plus are illustrated below:
  • Page 40 HSM serial port pin configuration The serial port on the USB-to-serial cable, illustrated below, uses a standard RS232 male DB9 pinout:
  • Page 41 Press tab to release the catch, and remove the power supply from the appliance. Removable power supply One of two redundant power supplies.
  • Page 42: Cryptographic Architecture

    The figure below depicts a cryptographic service provider using the ProtectServer External 2 Plus in network mode. Figure 12: ProtectServer External 2 Plus implementation Technical Specifications The ProtectServer External 2 Plus specifications are as follows:
  • Page 43 Weight 12.7 kg (28 lb) Operating Environment > Temperature: 0 to 40 °C (32 to 104 °F) > Relative Humidity: 5 to 85%
  • Page 44: Protectserver External 2 Plus Required Items

    Follow this checklist to verify that you have all of the items required for the installation. Item ProtectServer External 2 Plus Appliance Null-Modem Serial Cable USB 2.0 to RS232 Serial Adapter Smart card reader
  • Page 45 Please source your power cables locally for the deployment destination. > Software is available by download from Thales. Physical media for software and documentation are special-request items.
  • Page 46: Optional Items

    > SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens) Thales recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the Security Officer and Token User). PN: 955-000237-001 >...
  • Page 47 NICs, connect Ethernet cables to both LAN connectors. For proper redundancy and best reliability, the power cables should connect to two independent power sources.
  • Page 48: Smart Card Reader Installation

    (via a USB-to-serial cable) and a PS/2 interface for power (direct or via a PS/2 to USB adapter)
  • Page 49: Deployment Guidelines

    ProtectServer External 2 Plus for their network/application environment: > "Secure Messaging System (SMS)" on the next page > "Networking and Firewall Configuration" on the next page > "Separation of Roles" on page 51
  • Page 50: Secure Messaging System (Sms)

    This configuration prevents Man-in-the-Middle and other malicious attacks. If possible, connect the HSM directly to the client using a cross-cable.
  • Page 51: Separation Of Roles

    You must connect a terminal directly to the serial port on the front end of the appliance with a null modem serial cable. Use the console port to configure at least one of the network interfaces.
  • Page 52: Power On And Log In

    The admin user can reset all account passwords to their factory defaults at any time with the PSESH command sysconf appliance factory . This command will also reset the SNMP and network settings to their factory defaults.
  • Page 53: Run System Test

    Network mask. IPv4 devices must use dotted-quad format (for example, 255.255.255.0). IPv6 devices can use full or shorthand syntax. > Static network route.
  • Page 54: Gathering Appliance Network Information

    It is recommended that you configure and test each device. You need to know the IP address of at least one network interface to establish an SSH connection to the appliance. Login to the appliance as admin or pseoperator .
  • Page 55 5. Incoming load balancing is governed by ARP negotiation. The bonding driver intercepts the ARP replies sent by the appliance and overwrites the source hardware address with the...
  • Page 56 IP address from the default setting. [Optional] Add iptables ACCEPT and DROP rules to manage network access to the appliance.
  • Page 57: Ssh Network Access

    To power off the ProtectServer External 2 Plus While logged in to PSESH as admin or pseoperator , issue the command: psesh:> sysconf appliance poweroff
  • Page 58: Updating The Appliance Software Image

    Updating the Appliance Software Image Thales provides secure update packages on the Customer Support Portal that allow the appliance administrator to update the appliance software image on your ProtectServer External 2 Plus and take advantage of new PSESH functionality. If you are updating the appliance software from version 5.6.0 or earlier, you must first install the secure package update patch, also available from the Support Portal.
  • Page 59: Updating The Appliance Software

    The following procedure allows you to update the software image on your ProtectServer External 2 Plus appliance using a secure package. Prerequisites > Download the secure package file from the Thales Customer Support Portal (see "Support Contacts" on page 10) > You must have admin access to the appliance. >...
  • Page 60: Chapter 4: Protecttoolkit Software Installation

    NOTE > The older (minor) versions of Java 7 or Java 8 could cause issues with the SAFENET java library ( jprov_sfnt.jar ). Thales Group recommends updating Java 7/8 to the latest version. > Warnings appear when compiling some of the provided Java samples with Java runtime 9, 10, or 11 installed.
  • Page 61 M=ProtectToolkit-M, MS CSP 2.0 with CNG J=ProtectToolkit-J, Java runtime 6.x/7.x/8.x/9.x/10.x/11.x. NOTE Do not upgrade to ProtectToolkit 5.9.1 if you are using the legacy PSG HSM. Operating System 64-bit 64-bit PTK 32-bit PTK 32-bit PTK type...
  • Page 62: Operating Modes

    The software-only version is available for a variety of platforms, including Windows NT and Solaris, and is typically used as a development and testing environment for applications that will eventually use the hardware variant of ProtectToolkit-C.
  • Page 63: Installing Protecttoolkit On Windows

    If you are setting up ProtectToolkit to run in Software-only mode, HSM setup and ProtectServer HSM Access Provider installation are unnecessary. > Download the latest ProtectToolkit product installation packages from the Thales Customer Portal. > Ensure that you have administrator privileges on the system.
  • Page 64 To change server details temporarily, use an environment variable to override the registry setting. For more information about configuration items, see "Configuration Items" on page 85.
  • Page 65: Installing Protecttoolkit-C On Windows

    C SDK component as a prerequisite. NOTE Thales recommends that you develop and test FMs in Software Emulation mode before installing them on your production HSMs. This installation package is located in the folder for your architecture in the installation directory.
  • Page 66: Installing Protecttoolkit-J On Windows

    Full support for ProtectToolkit-M is provided on 64-bit versions of Windows only. 32-bit versions support KSP only. To install ProtectToolkit-M on Windows Run the installation package for the ProtectToolkit-M component that you would like to install:
  • Page 67: Configuring Protecttoolkit

    Unauthorized Access error will be returned. If you receive this error, open the command prompt or SetMode.cmd file by right-clicking and selecting Run as Administrator .
  • Page 68: Uninstalling Protecttoolkit

    The Installation Utility is more likely to result in a problem-free installation or uninstallation. The latest versions of the client software and HSM firmware can be found on the Thales Technical Support Customer Portal. See "Support Contacts" on page 10...
  • Page 69: Utility Startup

    You must become the superuser of the host system before adding or removing any packages. NOTE If you are installing ProtectToolkit 5.9.1 on an AIX system, you must first download ProtectToolkit 5.9 from the Thales Support Portal and install it by following the procedures described in this section.
  • Page 70: Available Packages

    To start up the utility The Thales Unix Installation Utility is located in the installation image's root directory. Unzip the image by following standard procedure for your platform and installation. Change to the unzipped directory and start the utility. The utility scans the system and the directory and displays the Main Menu.
  • Page 71: Installing A Package

    If you add it to your startup file, your environment will be set each time you log in. To set up your environment Go to the ProtectToolkit software installation directory:
  • Page 72: Changing The Cryptoki Provider

    > ProtectToolkit-C Administration Guide > ProtectToolkit-J Reference Guide > ProtectToolkit-M User Guide > ProtectToolkit FM SDK Programming Guide
  • Page 73: Uninstalling A Package

    See for more information. You must become the superuser of the host system before adding or removing any packages.
  • Page 74: Manual Linux Installation For Network Mode

    NOTE If you are installing ProtectToolkit 5.9.1 on an AIX system, you must first download ProtectToolkit 5.9 from the Thales Support Portal and install it by following the procedures described in this section. If you wish to install ProtectToolkit components manually, use the commands described in this section after extracting the installation files you downloaded from the Thales Support Portal: >...
  • Page 75: Signing The Protectserver Pcie 2 Driver For Uefi Secure Boot

    Driver signing requires that the following tools be available on the system: Tool: openssl; Provided by Package: openssl; Used on: Build system; Purpose: Generates public and private X.509 key pair
  • Page 76 Request that your public key be added to the MOK list. # mokutil --import <public_keyname>.der You are prompted to enter and confirm a password for the request. Reboot the machine.
  • Page 77: Manual Linux Installation For Net Server Mode

    ProtectToolkit C Runtime: installs all the necessary tools and interfaces for a ProtectToolkit-C based Cryptoki service provider. Requires the correct Access Provider package for your deployment as a prerequisite.
  • Page 78: Changing The Cryptoki Provider Manually

    # rm libcryptoki.so # ln -s libcthsm.so libcryptoki.so The following shell commands may be used to enable the software emulation (executed as the super-user):
  • Page 79: Installing Protecttoolkit-J Manually On Linux

    First, install the FMSDK package. Execute the following as root (where x.x.x-yy is the PTK version number). Specify the location you chose for the installation files: # cd /output-unix/Linux64/fm_sdk rpm -i PTKfmsdk-x.x.x-yy.x86_64.rpm
  • Page 80: Configuring Protecttoolkit

    This utility is for use on Unix systems only. The platforms supported are AIX, Linux, and Solaris. The utility handles installation, uninstallation, and configuration tasks using a simple menu-driven interface. The utility is described in "safeNet-install.sh" on page 82.
  • Page 81: Hardware Maintenance Utilities

    External 2 Access Provider installations. The utilities are named hsmstate and hsmreset . The utilities are described in "hsmstate" on page 83 and "hsmreset" on page 84.
  • Page 82: Safenet-Install.sh

    Plain mode. In this mode the ‘tput’ is not used for video enhancements. -s<size> Override the screen size (default = ‘tput lines/cols’ or 24x80). Print the version of this script.
  • Page 83: Hsmstate

    Number of message frames in one direction Host Interface version = V0.3 NOTE The information presented with the -v option may only be required when contacting technical support.
  • Page 84: Hsmreset

    The command hsmreset will reset the first HSM. Upon execution, the following message displays: HSM is in normal mode. Resetting it might disturb other applications. Continue [N/Y]: Type Y to complete the operation.
  • Page 85: Chapter 5: Configuration Items

    Regardless of the platform, a common naming convention for configuration items has been followed. Understanding this naming convention will help you locate and change the appropriate configuration items when required.
  • Page 86: Client/PCIe HSM Server Configuration

    Add a new key entitled NETCLIENT and open it. Add a new string named ET_HSM_NETCLIENT_CONNECT_TIMEOUT_SECS. Set the value data to the desired time in seconds.
  • Page 87: ProtectServer External 2 Server Configuration

    "Network Mode Server Configuration Items" on page 91 For example: ET_HSM_NETSERVER_OLD_WORKER_COUNT=5 ET_HSM_NETSERVER_V2_WORKER_COUNT=12 ET_HSM_NETSERVER_READ_TIMEOUT_SECS=40 ET_HSM_NETSERVER_WRITE_TIMEOUT_SECS=40 ET_HSM_NETSERVER_CONN_TIMEOUT_COUNT=5 ET_HSM_NETSERVER_FRAG_SIZE=5000 ET_HSM_NETSERVER_ALLOW_RESET=OnHalt ET_HSM_NETSERVER_PORT=12396
  • Page 88 Command Result : 0 (Success) Restart the etnetserver service. psesh:> service restart etnetserver View the new configuration to confirm the changes. psesh:> sysconf etnetcfg show
  • Page 89: PCI Mode Client Configuration Items

    Currently, there is only one modifiable configuration item for PCI mode. NOTE Thales recommends leaving configuration items at their default value or setting them to a valid value specified in the following table. If the value of a configuration item must...
  • Page 90 Chapter 5: Configuration Items NOTE Thales recommends leaving configuration items at their default value or setting them to a valid value specified in the following table. If the value of a configuration item must be changed and no valid values are given, contact Thales Customer Support for assistance.
  • Page 91: Network Mode Server Configuration Items

    NOTE Thales recommends leaving configuration items at their default value or setting them to a valid value specified in the following table. If the value of a configuration item must be changed and no valid values are given, contact Thales Customer Support for assistance.
  • Page 92 ET_HSM_NETSERVER_LOG_LEVEL Amount of tracing to generate. Valid values are: > 0 (default): Startup and Errors > 1: Startup + errors + client connections
  • Page 93: Software-Only Mode Configuration

    You can use hostnames, IPv4 addresses, or IPv6 addresses to specify your network servers. The full syntax for the ET_HSM_NETCLIENT_SERVERLIST configuration item is: ET_HSM_NETCLIENT_SERVERLIST=server1[:port1] [server2[:port2]]
  • Page 94 Since the interface ports listen for both IPv6 and IPv4, you can specify both IPv4 and IPv6 addresses in the ET_HSM_NETCLIENT_SERVERLIST configuration item, as follows: export ET_HSM_NETCLIENT_SERVERLIST=[<IPv6_address>] <IPv4_address>…
