Thales SafeNet ProtectServer Network HSM 5.8 Installation And Configuration Manual
  1. Manuals
  2. Brands
  3. Thales Manuals
  4. Server
  5. SafeNet ProtectServer Network HSM 5.8
  6. Installation and configuration manual
Thales SafeNet ProtectServer Network HSM 5.8 Installation And Configuration Manual

Thales SafeNet ProtectServer Network HSM 5.8 Installation And Configuration Manual

Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
SafeNet ProtectServer Network HSM 5.8
INSTALLATION AND CONFIGURATION GUIDE

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the SafeNet ProtectServer Network HSM 5.8 and is the answer not in the manual?

Questions and answers

Related Manuals for Thales SafeNet ProtectServer Network HSM 5.8

Summary of Contents for Thales SafeNet ProtectServer Network HSM 5.8

  • Page 1 SafeNet ProtectServer Network HSM 5.8 INSTALLATION AND CONFIGURATION GUIDE...
  • Page 2 Document Information Product Version Document Part Number 007-013682-006 Release Date 08 January 2020 Revision History Revision Date Reason Rev. A 08 January 2020 Initial release Trademarks, Copyrights, and Third-Party Software Copyright 2009-2020 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto and/or its subsidiaries and are registered in certain countries.
  • Page 3 Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.

  • Page 4: Table Of Contents

    CONTENTS Preface: About the SafeNet ProtectServer Network HSM Installation and Configuration Guide 5 Gemalto Rebranding Audience Document Conventions Support Contacts Chapter 1: Product Overview Front panel view Rear panel view Cryptographic Architecture Summary of Cryptographic Service Provider setup Chapter 2: SafeNet ProtectServer Network HSM Hardware Installation SafeNet ProtectServer Network HSM Required Items Installing the SafeNet ProtectServer Network HSM Hardware Chapter 3: Deployment Guidelines...

  • Page 5: Preface: About The Safenet Protectserver Network Hsm Installation And Configuration Guide

    About the SafeNet ProtectServer PREFACE: Network HSM Installation and Configuration Guide This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer Network HSM cryptographic services hardware security module (HSM). It contains the following sections: >...

  • Page 6: Audience

    Preface:   About the SafeNet ProtectServer Network HSM Installation and Configuration Guide Old product name New product name ProtectToolkit M (PTK-M) SafeNet ProtectToolkit-M ProtectToolkit FM SDK SafeNet ProtectToolkit FM SDK NOTE These branding changes apply to the documentation only. The SafeNet HSM software and utilities continue to use the old names.
  • Page 7 Preface:   About the SafeNet ProtectServer Network HSM Installation and Configuration Guide **WARNING** Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury. Command Syntax and Typeface Conventions Format Convention bold...

  • Page 8: Support Contacts

    Preface:   About the SafeNet ProtectServer Network HSM Installation and Configuration Guide Support Contacts If you encounter a problem while installing, registering, or operating this product, please refer to the documentation before contacting support. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.

  • Page 9: Chapter 1: Product Overview

    Product Overview CHAPTER 1: The SafeNet ProtectServer Network HSM is a self-contained, security-hardened server providing hardware- based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.

  • Page 10: Rear Panel View

    Chapter 1:   Product Overview Connects a VGA monitor to the appliance. Console Provides console access to the appliance. See "Testing and Configuration" on page 20. Connects USB devices such as a keyboard or mouse to the appliance. eth0 Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network. eth1 HSM USB Connects a smart card reader to the appliance using the included USB-to-serial cable.

  • Page 11: Cryptographic Architecture

    Chapter 1:   Product Overview Figure 3: SafeNet ProtectServer Network HSM rear panel Tamper lock The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently stored on the HSM. With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical (Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.

  • Page 12: Summary Of Cryptographic Service Provider Setup

    Chapter 1:   Product Overview Summary of Cryptographic Service Provider setup These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet ProtectServer Network HSM in network mode. Relevant links to more detailed documentation are provided at each step.

  • Page 13: Chapter 2: Safenet Protectserver Network Hsm Hardware Installation

    SafeNet ProtectServer CHAPTER 2: Network HSM Hardware Installation This chapter describes how to install and connect a SafeNet Protect Server Network HSM. To ensure a successful installation, perform the following tasks in the order indicated: "SafeNet ProtectServer Network HSM Ensure that you have all of the required components, as listed in Required Items" on the next page "Installing the SafeNet ProtectServer Network HSM Install and connect the hardware, as described in...

  • Page 14: Safenet Protectserver Network Hsm Required Items

    Chapter 2:   SafeNet ProtectServer Network HSM Hardware Installation SafeNet ProtectServer Network HSM Required Items This section provides a list of components that you should have received with your SafeNet ProtectServer Network HSM order. Contents Received The following table contains the standard items you received with your order: Item SafeNet ProtectServer Network HSM standalone appliance Smart card reader...

  • Page 15: Installing The Safenet Protectserver Network Hsm Hardware

    Chapter 2:   SafeNet ProtectServer Network HSM Hardware Installation Item SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens) Gemalto recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the Security Officer and Token User).
  • Page 16 Chapter 2:   SafeNet ProtectServer Network HSM Hardware Installation Smart Card Reader Installation The unit supports the use of smart cards with a SafeNet-supplied smart card reader. Other smart card readers are not supported. The SafeNet ProtectServer Network HSM supports two different card readers: >...

  • Page 17: Chapter 3: Deployment Guidelines

    Deployment Guidelines CHAPTER 3: Users must consider the following best practices for security and compliance when deploying SafeNet ProtectServer Network HSMs for their network/application environment: > "Secure Messaging System (SMS)" below > "Networking and Firewall Configuration" on the next page > "Separation of Roles" on the next page Secure Messaging System (SMS) SafeNet ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which is erased when a tamper is detected.

  • Page 18: Networking And Firewall Configuration

    Chapter 3:   Deployment Guidelines For maximum security, enable all of the above features. See "Security Flags" on page 1 in the PTK-C Administration Guide for flag descriptions and setup instructions. NOTE Enabling FIPS mode will block all mechanisms that are not FIPS-approved. If you are using unapproved mechanisms and understand the implications, do not enable FIPS mode.
  • Page 19 Chapter 3:   Deployment Guidelines "User Roles" on page 1 in the PTK-C Administration Guide for the responsibilities of each role. SafeNet ProtectToolkit 5.8 Installation and Configuration Guide 007-013682-006 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto...

  • Page 20: Chapter 4: Testing And Configuration

    Testing and Configuration CHAPTER 4: This chapter provides a step-by-step overview of how to confirm correct operation of the Safenet ProtectServer Network HSM, and configure its network settings. These instructions assume that the installation process "Installing the SafeNet ProtectServer Network HSM Hardware" on page 15 covered in is complete.

  • Page 21: Power On And Login

    Chapter 4:   Testing and Configuration Figure 5: Serial cable: RJ45 to DB9 If you are using a serial connection, configure your local VT100 or terminal emulator settings as follows: Speed (bits per second) 115200 Word length (data bits) Parity Stop bit Power on and Login Power on the SafeNet ProtectServer Network HSM and the (optional) monitor.

  • Page 22: Run System Test

    Chapter 4:   Testing and Configuration After logging in, you will be prompted to change the password for the account. Please remember your password. To change the account password at any time, login to the account and use the command user password .

  • Page 23: Gathering Appliance Network Information

    Chapter 4:   Testing and Configuration Appliance configuration The following network parameters are configured at the appliance level: > Appliance hostname. A hostname is optional, unless you are using DNS. Ethernet LAN device configuration The SafeNet ProtectServer Network HSM is equipped with two individually-configurable Ethernet LAN network devices.

  • Page 24: Configuring The Network Parameters

    Chapter 4:   Testing and Configuration Configuring the Network Parameters You can use the serial connection to configure all of your network parameters, or configure a single port and use it to access the appliance over the network and complete the configuration. NOTE Use a locally-connected serial terminal when changing the appliance IP address, to avoid SSH admin console disconnection.
  • Page 25 Chapter 4:   Testing and Configuration be changed via the xmit_hash_policy option. NOTE: Check the 802.3ad standard to ensure that your transmit policy is 802.3ad-compliant. In particular, check section 43.2.4 for packet mis-ordering requirements. Non-compliance tolerance may vary between different peer implementations. •...

  • Page 26: Ssh Network Access

    Chapter 4:   Testing and Configuration connected to the network. If eth0 is disconnected from the network, eth1 also loses DNS server access. To ensure that any DNS server you add is available in the event of a network or port failure, it is recommended that you add it to both network-connected devices.

  • Page 27: Powering Off The Safenet Protectserver Network Hsm

    Chapter 4:   Testing and Configuration Powering off the SafeNet ProtectServer Network HSM Use PSESH to power off the appliance before toggling the power switch. To power off the SafeNet ProtectServer Network HSM While logged in to PSESH as admin or pseoperator , issue the command: psesh:>...

  • Page 28: Installing The Secure Update Package Patch

    Chapter 4:   Testing and Configuration Installing the Secure Update Package Patch The following procedure allows you to install the secure package update patch on your SafeNet ProtectServer Network HSM appliance running appliance software 5.2.0 to 5.6.0. The procedure is different depending on your appliance's current software version.

  • Page 29: Updating The Appliance Software

    Chapter 4:   Testing and Configuration psesh:> exit Updating the Appliance Software The following procedure allows you to update the software image on your SafeNet ProtectServer Network HSM appliance using a secure package. Prerequisites > Download the secure package file from the Gemalto Customer Support Portal (see "Support Contacts" on page 8 >...

  • Page 30: Appendix A: Technical Specifications

    Technical Specifications APPENDIX A: The SafeNet ProtectServer Network HSM specifications are as follows: Hardware > One smart card reader secure USB port (requires the included USB-to-serial cable) > Protective, heavy duty steel, industrial PC case > Intel® Atom™ CPU E3827 1.74GHz 2 GB RAM >...

  • Page 31: Glossary

    Glossary Glossary Adapter The printed circuit board responsible for cryptographic processing in a HSM Advanced Encryption Standard Application Programming Interface Administration Security Officer Asymmetric Cipher An encryption algorithm that uses different keys for encryption and decryption. These ciphers are usually also known as public-key ciphers as one of the keys is generally public and the other is private.
  • Page 32 Glossary third has signed the second and so on CMOS Complementary Metal-Oxide Semiconductor. A common data storage component Cprov ProtectToolkit C - SafeNet’s PKCS #11 Cryptoki Provider Cryptoki Cryptographic Token Interface Standard. (aka PKCS#11) Cryptographic Services Adapter CSPs Microsoft Cryptographic Service Providers Decryption The process of recovering the plaintext from the ciphertext Cryptographic algorithm named as the Data Encryption Standard...
  • Page 33 Glossary FIPS Federal Information Protection Standards Functionality Module. A segment of custom program code operating inside the CSA800 HSM to provide additional or changed functionality of the hardware FMSW Functionality Module Dispatch Switcher High Availability HIFACE Host Interface. It is used to communicate with the host system Hardware Security Module IDEA International Data Encryption Algorithm...
  • Page 34 Glossary Java Cryptography Extension Keyset A keyset is the definition given to an allocated memory space on the HSM. It contains the key information for a spe- cific user KWRAP Key Wrapping Key Message authentication code. A mechanism that allows a recipient of a message to determine if a message has been tampered with.
  • Page 35 Glossary Privacy Enhanced Mail Personal Identification Number PKCS Public Key Cryptographic Standard. A set of standards developed by RSA Laboratories for Public Key Cryptographic processing PKCS #11 Cryptographic Token Interface Standard developed by RSA Laboratories Public Key Infrastructure ProtectServer SafeNet HSM ProtectToolkit C SafeNet's implementation of PKCS#11.
  • Page 36 Glossary Real Time Clock Software Development Kits Other documentation may refer to the SafeNet Cprov and Protect Toolkit J SDKs. These SDKs have been renamed ProtectToolkit C and ProtectToolkit J respectively. ·The names Cprov and Pro- tectToolkit C refer to the same device in the context of this or previous manuals. ·The names Protect Toolkit J and ProtectToolkit J refer to the same device in the context of this or previous manuals.
  • Page 37 Glossary Universal Resource Identifier Validation Authority X.509 Digital Certificate Standard X.509 Certificate Section 3.3.3 of X.509v3 defines a certificate as: "user certificate; public key certificate; certificate: The public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the cer- tification authority which issued it"...

Table of Contents