Document Information
Product Version
Document Part Number 007-013682-003
Release Date 08 January 2020
Revision History
Revision | Date | Reason
Rev. A | 08 January 2020 | Initial release
Trademarks, Copyrights, and Third-Party Software
Copyright 2009-2020 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto and/or its subsidiaries and are registered in certain countries.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
PREFACE: About the SafeNet ProtectServer Network HSM Installation and Configuration Guide
This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer Network HSM cryptographic services hardware security module (HSM). It contains the following sections: >...
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use the following format:
CAUTION! Exercise caution. Contains important information that may help prevent unexpected results or data loss.
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
CHAPTER 1: Product Overview
The SafeNet ProtectServer Network HSM is a self-contained, security-hardened server providing hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.
Connects a VGA monitor to the appliance.
Console Provides console access to the appliance. See "Testing and Configuration" on page 22.
Connects USB devices such as a keyboard or mouse to the appliance.
eth0, eth1 Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network.
HSM USB Connects a smart card reader to the appliance using the included USB-to-serial cable.
Tamper lock
The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently stored on the HSM. With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical (Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.
Summary of Cryptographic Service Provider setup
These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet ProtectServer Network HSM in network mode. Relevant links to more detailed documentation are provided at each step.
CHAPTER 2: SafeNet ProtectServer Network HSM Hardware Installation
This chapter describes how to install and connect a SafeNet ProtectServer Network HSM. To ensure a successful installation, perform the following tasks in the order indicated:
> Ensure that you have all of the required components, as listed in "SafeNet ProtectServer Network HSM Required Items" on the next page
> Install and connect the hardware, as described in "Installing the SafeNet ProtectServer Network HSM...
SafeNet ProtectServer Network HSM Required Items
This section provides a list of components that you should have received with your SafeNet ProtectServer Network HSM order.
Contents Received
The following table contains the standard items you received with your order:
Item
SafeNet ProtectServer Network HSM standalone appliance.
Item
SafeNet ProtectToolkit Software DVD (in DVD case)
Documentation DVD (in DVD case)
(*) Power cables are no longer included with the shipment from our factory. Please source your power cables locally for the intended deployment destination.
NOTE To configure your SafeNet ProtectServer Network HSM you will need to supply and connect a keyboard, mouse, and display monitor.
NOTE The power supply cord acts as the unit's disconnect device. The main outlet socket to which the unit is connected must be easily accessible.
Connect the SafeNet ProtectServer Network HSM to the network by inserting standard Ethernet cables into the LAN connectors located on the unit's front face (labelled eth0 and eth1).
Next, see "Testing and Configuration" on page 22
SafeNet ProtectToolkit 5.5 Installation and Configuration Guide 007-013682-003 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto...
CHAPTER 3: Deployment Guidelines
Users must consider the following best practices for security and compliance when deploying SafeNet ProtectServer Network HSMs for their network/application environment:
> "Secure Messaging System (SMS)" below
> "Networking and Firewall Configuration" on the next page
> "Separation of Roles" on the next page
Secure Messaging System (SMS)
SafeNet ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which is erased when a tamper is detected.
For maximum security, enable all of the above features. See "Security Flags" on page 1 in the PTK-C Administration Guide for flag descriptions and setup instructions.
NOTE Enabling FIPS mode will block all mechanisms that are not FIPS-approved. If you are using unapproved mechanisms and understand the implications, do not enable FIPS mode.
"User Roles" on page 1 in the PTK-C Administration Guide for the responsibilities of each role.
CHAPTER 4: Testing and Configuration
This chapter provides a step-by-step overview of how to confirm correct operation of the SafeNet ProtectServer Network HSM, and configure its network settings. These instructions assume that the installation process covered in "Installing the SafeNet ProtectServer Network HSM Hardware" on page 16 is complete.
Figure 5: Serial cable: RJ45 to DB9
If you are using a serial connection, configure your local VT100 or terminal emulator settings as follows:
Speed (bits per second) 115200
Word length (data bits)
Parity
Stop bit
Power on and Login
Power on the SafeNet ProtectServer Network HSM and the (optional) monitor.
CAUTION! Executing sysconf appliance factory over an SSH connection may cause you to lose connection with the appliance when the IP address is reset. To avoid this, use a serial connection instead when using this command.
Run System Test
Before field testing and deployment, run the diagnostic utility.
> Network gateway. Devices must use a gateway appropriate for the network (IPv4 or IPv6).
> Network mask. IPv4 devices must use dotted-quad format (for example, 255.255.255.0). IPv6 devices can use full or shorthand syntax.
>...
To configure the appliance and port network parameters:
It is recommended that you configure and test each device. You need to know the IP address of at least one network interface to establish an SSH connection to the appliance.
Log in to the appliance as admin or pseoperator.
NOTE The search domain settings apply to static network configurations only. If you are using DHCP, the DNS search domains configured on the DHCP server are used. When you add a DNS search domain to a specific network device, it is added to the DNS table for the appliance and becomes available to both devices, provided the device you added it to is connected to the network.
SSH Network Access
After you have completed the network configuration, you can access the SafeNet ProtectServer Network HSM over the network using the SSH protocol. You need an SSH client such as PuTTY (available for free from www.putty.org).
APPENDIX A: Technical Specifications
The SafeNet ProtectServer Network HSM specifications are as follows:
Hardware
> One smart card reader secure USB port (requires the included USB-to-serial cable)
> Protective, heavy duty steel, industrial PC case
> ATOM D425 CPU
> 1 Gb RAM
>...
APPENDIX B: Glossary
Adapter The printed circuit board responsible for cryptographic processing in a HSM
Advanced Encryption Standard
Application Programming Interface
Administration Security Officer
Asymmetric Cipher An encryption algorithm that uses different keys for encryption and decryption. These ciphers are usually also known as public-key ciphers as one of the keys is generally public and the other is private.
CAST Encryption algorithm developed by Carlisle Adams and Stafford Tavares
Certificate A binding of an identity (individual, group, etc.) to a public key which is generally signed by another identity. A certificate chain is a list of certificates that indicates a chain of trust, i.e. the second certificate has signed the first, the third has signed the second and so on
CMOS Complementary Metal-Oxide Semiconductor.
Encryption The process of converting the plaintext data into the ciphertext so that the content of the data is no longer obvious. Some algorithms perform this function in such a way that there is no known mechanism, other than decryption with the appropriate key, to recover the plaintext.
Internet Protocol
Java Cryptography Architecture
Java Cryptography Extension
Keyset A keyset is the definition given to an allocated memory space on the HSM. It contains the key information for a specific user
KWRAP Key Wrapping Key
Message authentication code.
Padding A mechanism for extending the input data so that it is of the required size for a block cipher. The PKCS documents contain details on the most common padding mechanisms of PKCS#1 and PKCS#5
Peripheral Component Interconnect
Privacy Enhanced Mail
Personal Identification Number
PKCS...
Request for Comments, proposed specifications for various protocols and algorithms archived by the Internet Engineering Task Force (IETF), see http://www.ietf.org
Random Number Generator
Cryptographic algorithm by Ron Rivest, Adi Shamir and Leonard Adleman
Real Time Clock
Software Development Kits Other documentation may refer to the SafeNet Cprov and Protect Toolkit J SDKs.
Token PKCS#11 token that provides cryptographic services and access controlled secure key storage
Universal Resource Identifier
Validation Authority
X.509 Digital Certificate Standard
X.509 Certificate Section 3.3.3 of X.509v3 defines a certificate as: "user certificate; public key certificate; certificate: The public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it"...