manualshive.com logo in svg

Thales ProtectServer 3 HSM, Installation And Configuration Manual

The Thales ProtectServer 3 HSM is a high-security hardware module designed to safeguard sensitive data and cryptographic keys. Ensure a seamless installation and configuration process using our comprehensive and user-friendly Installation And Configuration Manual. Download the manual for free from manualshive.com to effortlessly set up and begin securing your critical assets.

Share
Download
background image

Chapter 5:   Configuration Items

Software Emulator Mode Configuration

After installing the ProtectToolkit-C Software Development Kit (SDK) on your computer system further
changes, as detailed in this section, may be made to customize the installation and optimize its performance.

Storage Location Assignment

The software only variant of ProtectToolkit-C uses the local file system for storing keys and configuration
information. By default, the directory

C:\cryptoki

is used under Windows and

$HOME/.cryptoki/cryptoki

under Linux. It is possible to use a storage location other than the default location for your system by setting the
value of the ET_PTKC_SW_DATAPATH configuration item to that of the path required.

For example, on a UNIX machine, to temporarily set the location to

/usr/local/cryptoki

the following

/bin/sh

shell commands would be used:

# ET_PTKC_SW_DATAPATH=/usr/local/cryptoki

# export ET_PTKC_SW_DATAPATH

This change can be made at the temporary, user or system levels on both Linux and Windows platforms. Refer
to

"Configuration Items" on page 87

for further details on how to go about this if required.

Fixing Command Line Utility Low Performance

In software only mode the time taken to detect peripherals, such as attached smart card terminals, can
significantly slow the execution of command line utility commands. If this proves to be an annoyance then
peripheral detection can be disabled by creating the configuration item below and setting its value equal to

FALSE

.

ET_PTKC_SW_DETECTPERIPHERALS

This change can be made at the temporary, user or system levels on both Linux and Windows platforms. Refer
to

"Configuration Items" on page 87

for further details on how to go about this if required.

Enabling Smart Card Access under Linux

When attempting to access a smart card reader while operating in software only mode on Linux, ensure that
the serial port permissions have been set to allow access to the required port. If this is not done, the logged on
user will be unable to see the attached reader.

Specifying the Network Server(s)

By default, the net client will attempt to use the local machine as its server. Default values are:

>

Server Name =

127.0.0.1

>

Server Port =

12396

It is necessary to configure the client to use a different host by using the ET_HSM_NETCLIENT_SERVERLIST
configuration item. Several servers may also be specified using this configuration item in which case the
services from each server will be available seamlessly to the client.

You can use hostnames, IPv4 addresses, or IPv6 addresses to specify your network servers.

The full syntax for the ET_HSM_NETCLIENT_SERVERLIST configuration item is:

ET_HSM_NETCLIENT_SERVERLIST=server1[:port1] [server2[:port2]]

Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide

2021-06-30 10:29:48-04:00 Copyright 2009-2021 Thales Group

95

Summary of Contents for ProtectServer 3 HSM

Page 1: ...ProtectServer 3 HSM and ProtectToolkit 7 INSTALLATION AND CONFIGURATION GUIDE ...

Page 2: ...r accuracy of information contained herein The document could include technical inaccuracies or typographical errors Changes are periodically added to the information herein Furthermore Thales reserves the right to make any change or improvement in the specifications data information and the like described herein at any time Thales Group hereby disclaims all warranties and conditions with regard t...

Page 3: ...erty is protected by copyright All trademarks and product names used or referred to are the copyright of their respective owners No part of this document may be reproduced stored in a retrieval system or transmitted in any form or by any means electronic mechanical chemical photocopy recording or otherwise without the prior written permission of Thales Group Thales ProtectServer 3 HSM and ProtectT...

Page 4: ... Cryptographic Architecture 18 Technical Specifications 19 ProtectServer 3 External Required Items 21 Contents Received 21 Optional Items 22 Installing the ProtectServer 3 External Hardware 23 Smart Card Reader Installation 23 Deployment Guidelines 24 Secure Messaging System SMS 24 Networking and Firewall Configuration 24 Separation of Roles 25 First Login and System Test 25 Access the Console Pow...

Page 5: ... System Test 60 Access the Console Power On and Log In 61 Run System Test 62 Network Configuration 62 Appliance configuration 63 Ethernet LAN device configuration 63 Gathering Appliance Network Information 63 Configuring the Network Parameters 64 SSH Network Access 67 Powering off the ProtectServer 3 External 67 Chapter 4 ProtectToolkit 7 Software Installation 68 System Requirements 68 Operating M...

Page 6: ...erence 83 safeNet install sh 84 hsmstate 85 hsmreset 86 Chapter 5 Configuration Items 87 Overview 87 Client PCIe HSM Server Configuration 88 ProtectServer 3 External Server Configuration 89 PCI Mode Client Configuration Items 91 Network Mode Client Configuration Items 91 Network Mode Server Configuration Items 93 Software Emulator Mode Configuration 95 Storage Location Assignment 95 Fixing Command...

Page 7: ...n about this document Document Conventions below Support Contacts on page 9 For information regarding the document status and revision history see Document Information on page 2 Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes Notes are used to alert you to important or helpful information They use th...

Page 8: ... italics In type the italic attribute is used for emphasis or cross references to other documents in this documentation set variable In command descriptions angle brackets represent variables You must substitute a value for command line arguments that are enclosed in angle brackets optional optional Represent optional keywords or variables in a command line description Optionally enter the keyword...

Page 9: ... you Customer Support Portal The Customer Support Portal at https supportportal thalesgroup com is where you can find solutions for most common problems The Customer Support Portal is a comprehensive fully searchable database of support resources including software and firmware downloads release notes listing known problems and workarounds a knowledge base FAQs product documentation technical note...

Page 10: ... in ProtectServer 3 PCIe Installation on page 12 CAUTION This product uses semiconductors that can be damaged by electro static discharge ESD When handling the device avoid contact with exposed components and always use an anti static wrist strap connected to an earth ground In rare cases ESD can trigger a tamper or decommission event on the HSM If this happens all cryptographic materials configur...

Page 11: ...nts Received The following table contains the standard items you received with your order Qty Item 1 ProtectServer 3 PCIe Adapter Card 1 Smart card reader 5 Smart cards in a single media case Each smart card contains a total of 64 kilobytes of storage space Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Grou...

Page 12: ...s associated software More detailed instructions are provided in the following sections Install the ProtectServer 3 PCIe card into the host computer See Installing the ProtectServer 3 PCIe Card Into the Host Computer below Connect a chassis intrusion connector to the tamper header on the card if necessary See Connecting a Chassis Intrusion Connector to the Tamper Header on page 14 Connect a card r...

Page 13: ...eight mounting bracket is included for this purpose To install the half height bracket remove the two screws connecting the full height bracket to the card and use them to mount the half height bracket in its place 4 Align the ProtectServer 3 PCIe card with the vacant slot You might need to introduce the tip of the card hold down bracket first the silver metal part along the back edge of the card ...

Page 14: ...connector to the tamper header 1 Install the card as described in Installing the ProtectServer 3 PCIe Card Into the Host Computer on page 12 2 Connect the chassis intrusion connector to the tamper input header on the card shown below NOTE If used this pin pair would usually be wired to a chassis switch that is held open when the lid or panel is in place Opening the lid or panel would close the swi...

Page 15: ...eader simply plug the card reader into the HSM s USB port ProtectServer 3 PCIe Storage Capacity The ProtectServer 3 PCIe has the following storage capacity Functionality Module FM storage 8 MB Secure Memory File System SMFS storage for keys and cryptographic materials 4 MB shared between the firmware and FMs Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 ...

Page 16: ...urity of the product 5 Log in to the appliance for the first time and check that the system is operating correctly see First Login and System Test on page 25 6 Configure the ProtectServer 3 External network settings see Network Configuration on page 27 7 Install and configure the ProtectToolkit software see ProtectToolkit 7 Software Installation on page 68 8 Configure the high level cryptographic ...

Page 17: ...h a tamper resistant and battery backed key storage The ProtectServer 3 External must be used with one of SafeNet s high level cryptographic APIs The following table shows the provider types and their corresponding SafeNet APIs API SafeNet Product Required PKCS 11 ProtectToolkit C JCA JCE ProtectToolkit J Microsoft IIS and CA ProtectToolkit M These APIs interface directly with the product s FIPS 1...

Page 18: ...l are illustrated below Figure 2 ProtectServer 3 External rear panel Tamper lock The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently stored on the HSM With the key in the horizontal Active position the HSM is in normal operating mode Turning the key to the vertical Tamper position places the HSM in a tamper state and any keys stored on the...

Page 19: ...ta The figure below depicts a cryptographic service provider using the ProtectServer 3 External in network mode Figure 3 ProtectServer 3 External implementation Technical Specifications The ProtectServer 3 External specifications are as follows Hardware One smart card reader secure USB port requires the included USB to serial cable Protective heavy duty steel industrial PC case Intel Atom CPU E382...

Page 20: ...ing brackets included Weight 5 kg 11 lb Operating Environment Temperature 0 to 40 C 32 to 104 F Relative Humidity 5 to 85 Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 20 ...

Page 21: ...ing table contains the standard items you received with your order Qty Item 1 ProtectServer 3 External standalone appliance 1 Adapter Cable RJ45 to USB with a standard eight pin eight connector 8P8C modular connector 1 Smart card reader Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 21 ...

Page 22: ...an be disconnected from the appliance Optional Items The following items can be used with your ProtectServer 3 HSM Contact your Thales sales representative to order these items SafeNet 110 Time Based OTP Token enables multifactor authentication on ProtectServer 3 HSM tokens Thales recommends ordering at least two 2 OTP tokens for each slot on the HSM one each for the Security Officer and Token Use...

Page 23: ...h0 and eth1 The client machine s with SafeNet cryptographic API software installed should be hosted on the same network NOTE The ProtectServer 3 External is equipped with two NICs eth0 and eth1 incorporating an IPv4 IPv6 dual stack allowing you to configure both an IPv4 and IPv6 address on each interface If you intend to use both NICs connect Ethernet cables to both LAN connectors 3 Connect the po...

Page 24: ... to Secure Messaging in the ProtectToolkit C Administration Guide for a detailed description of SMS functionality NOTE SMS encrypts and authenticates messages between the client and HSM and allows the client to authenticate the HSM credentials This flag requires a valid ProtectServer Identity Key Certificate on the HSM See ProtectServer Owner and Identity Certificates in the ProtectToolkit C Admin...

Page 25: ...ng iptables Separation of Roles The ProtectServer 3 External has two role categories Appliance and HSM users For optimal security maintain these roles and their credentials separately do not share between users Do not share the appliance management HSM Administration and User terminals Appliance Users The following roles can log in to the PSE shell PSESH to configure and manage the appliance admin...

Page 26: ...t download and install automatically go to http www prolific com tw to download and install the PL2303 USB to Serial Windows driver 3 Open Device Manager Control Panel Hardware Device Manager and expand the Ports COM and LPT folder If the driver installed successfully an entry is displayed for the Prolific USB to Serial Comm Port followed by the port associated with the adapter For example Prolifi...

Page 27: ...xecuting sysconf appliance factory over an SSH connection may cause you to lose connection with the appliance when the IP address is reset To avoid this use a serial connection instead when using this command Run System Test Before field testing and deployment run the diagnostic utility While logged in as the admin or pseoperator enter the command hsm state to display the current status psesh hsm ...

Page 28: ...ices must use dotted quad format for example 255 255 255 0 IPv6 devices can use full or shorthand syntax Static network route DNS configuration Although you configure DNS at the device level the settings you configure for a device are available to all devices on the appliance if the configured device is connected to the network To ensure DNS access it is recommended that you configure each device ...

Page 29: ...know the IP address of at least one network interface to establish an SSH connection to the appliance 1 Login to the appliance as admin 2 Configure the IP address network mask and gateway optional on at least one of the Ethernet LAN ports eth0 or eth1 You can specify a static address or retrieve one from a DHCP server You can configure each port to use an IPv4 or IPv6 address NOTE IPv6 addresses m...

Page 30: ...d to ensure that your transmit policy is 802 3ad compliant In particular check section 43 2 4 for packet mis ordering requirements Non compliance tolerance may vary between different peer implementations 5 Balance TLB Transmit Load Balancing Outgoing traffic is distributed according to the current load and queue on each bonded device Incoming traffic is received by the current device 6 Balance ALB...

Page 31: ...and becomes available to both devices provided the device you added it to is connected to the network For example if you add a DNS server to eth0 eth1 will be able to access the DNS server if eth0 is connected to the network If eth0 is disconnected from the network eth1 also loses DNS server access To ensure that any DNS server you add is available in the event of a network or port failure it is r...

Page 32: ...he network configuration you can access the ProtectServer 3 External over the network using the SSH protocol You need an SSH client such as puTTY available for free from www putty org Powering off the ProtectServer 3 External Use PSESH to power off the appliance before toggling the power switch To power off the ProtectServer 3 External 1 While logged in to PSESH as admin or pseoperator issue the c...

Page 33: ...nsumption on page 58 4 Review the recommended Deployment Guidelines on page 59 for the security of the product 5 Log in to the appliance for the first time and check that the system is operating correctly see First Login and System Test on page 60 6 Configure the ProtectServer 3 External network settings see Network Configuration on page 62 7 Install and configure the ProtectToolkit software see P...

Page 34: ...ft IIS and CA ProtectToolkit M These APIs interface directly with the product s FIPS 140 2 Level 3 certified core using high speed hardware based cryptographic processing Key storage is tamper resistant and battery backed A smart card reader supplied with the HSM allows for the secure loading and backup of keys Cryptographic architecture A hardware based cryptographic system consists of three gene...

Page 35: ...Figure 4 ProtectServer 3 External implementation Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 35 ...

Page 36: ...e installation Qty Item 1 ProtectServer 3 External Appliance 1 Adapter Cable RJ45 to USB with a standard eight pin eight connector 8P8C modular connector 1 Smart card reader Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 36 ...

Page 37: ...ains a total of 64 kilobytes of storage space 1 Front Ear Bracket Set Set includes 2 front ear brackets 4 bracket screws Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 37 ...

Page 38: ... of varying depth it must not be used to extend the appliance out of the rack Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance while attached to the rack is required for maintenance See ProtectServer 3 External Required Items on page 36 1 Friction Rail Rack Mounting Screws Cage Nuts Set includes 8 M5 cage nuts 8 M5x14 rack screws If...

Page 39: ... items Optional Items The following items can be used with your ProtectServer 3 HSM Contact your Thales sales representative to order these items SafeNet 110 Time Based OTP Token enables multifactor authentication on ProtectServer 3 HSM tokens Thales recommends ordering at least two 2 OTP tokens for each slot on the HSM one each for the Security Officer and Token User PN 955 000237 001 ProtectServ...

Page 40: ... server rack The optional sliding rail mounts allow for easy removal and access to the rear face of the HSM See Using the Optional Sliding Rail System on page 44 for installation instructions The set includes 2 sliding rail mounts with removable side rails 2 transformer brackets 6 rail screws Sliding Rail Rack Mounting Screws Set includes 8 M5x8 flat headed screws Thales ProtectServer 3 HSM and Pr...

Page 41: ...racks with a maximum depth of 27 inches 686 mm For racks larger than 27 inches a mounting tray or shelf is recommended CAUTION The included mounting hardware is meant for static positioning of the appliance The long tab that slides into the bracket applied to each side of the appliance is adjustable for fitting the appliance into racks of varying depth it must not be used to extend the appliance o...

Page 42: ...e sliding rear brackets fit into the side rails 4 Install the two sliding rear brackets in your equipment rack using four rack mounting screws NOTE While any standard equipment rack screws should fit the brackets certain large headed screws may interfere with the operation of the secure locking bezel Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10...

Page 43: ...e back towards you until the sliding rear brackets fit into the side rails Pull the appliance back onto the rear brackets until the front ear brackets meet the equipment rack CAUTION Support the weight of the appliance with the hydraulic lift until all four brackets are secured 7 Secure the front ear brackets using rack mounting screws Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation a...

Page 44: ...ical security The sliding rail mounts fit into any standard 19 equipment rack Ensure you have all the necessary components before proceeding In addition to the supplied components you will need a 2 Philips screwdriver To mount the ProtectServer 3 External hardware 1 Install the two front ear mounting brackets on the HSM chassis using the included screws and a 2 Phillips screwdriver 2 Fit the front...

Page 45: ...wide flat headed screws 4 Fasten the transformer bracket to each sliding mount with two wide flat headed screws Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 45 ...

Page 46: ...ack mounts until they lock into place 7 The HSM now moves smoothly and securely on the rails Push the HSM all the way back and secure it to the transformer bracket with four rack screws NOTE Screws with heads that are too large can prevent the locking bezel from fitting to the faceplate Use the screws included with the ProtectServer 3 External or other screws with suitable heads Thales ProtectServ...

Page 47: ... A Front ear brackets Connect to the front of the appliance chassis with the provided screws allowing it to be mounted in a standard 19 inch equipment rack The extending tabs act as posts for the locking bezel B Mounts for optional locking bezel The secure locking bezel connects to the appliance faceplate here Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 202...

Page 48: ...lso Powering off the ProtectServer 3 External on page 67 F Fan status LEDs The appliance has three 3 cooling fans If these lights are illuminated the fans are working correctly G Ventilation fan filter cover Removable cover allows cleaning of air filter See also Power Supply and Fan Maintenance on page 51 H Fan bay securing screw Torx screw secures the fan bay CAUTION Opening to swap fan modules t...

Page 49: ...pliance Pressing the tamper button flags the HSM to be placed in a tamper state After the next appliance reboot all cryptographic objects on the HSM are erased and the HSM must be re initialized CAUTION Deleted keys are not recoverable Ensure that you always back up your important keys This button should only be pressed as part of decommissioning and zeroizing the appliance Pressing this button wh...

Page 50: ...re separate locations To lock the bezel 1 The locks fit over the posts highlighted below Fit the bezel over the posts with both keys in the horizontal position 2 Turn the keys to the vertical position to lock the bezel Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 50 ...

Page 51: ...wer the appliance while the other is removed and replaced with no service interruption The indicator light LED on each power supply shows different behavior depending upon conditions Power Supply Condition Power Supply LED DC present only standby output on Flashing green 1Hz Power supply DC output ON and OK Steady green Power supply failure Steady RED Power supply warning Flashing Blue Red 1Hz alt...

Page 52: ... power supply we recommend that you remove the second supply to silence the audible alarm Replacing a Power Supply You may need to replace a power supply in the event of a failure To remove a power supply 1 To remove a power supply face the back of the appliance 2 Disconnect unplug the selected power supply 3 Press the lever sideways to release the power supply retaining catch and simultaneously p...

Page 53: ...h on the appliance rear panel Cleaning the Filter The ventilation grille located to the right on the appliance front panel is secured in two parts by two screws a knurled captive thumb screw and a Torx T8 screw The knurled screw can be fastened or released without tools It secures the lattice screen that in turn retains the mesh air filter While we recommend controlled atmosphere environments for ...

Page 54: ...fingers and tug it free The mesh is flexible and is held in its cavity only by friction If it is dusty handle carefully so as not to dislodge any dirt that could then be sucked in by the fans 3 To clean the filter either blow it out with compressed air away from the vicinity of the appliance or rinse with water If using water ensure that the mesh is dry before reinstalling 4 To reinstall the mesh ...

Page 55: ... the retainer out like a door and remove it There is no need to separate the filter mesh and its retainer from the larger fan retainer the assembly can come out as one piece The illustration below happens to show them separated 3 The fan modules are now exposed and are held in place only by the friction of their electrical connectors 4 Grasp the handle of the selected fan module and pull straight ...

Page 56: ... bezel reconnect any cables and return the appliance to service If the power was left on during the operation you will nevertheless need to restart sysconf appliance reboot in order to clear the tamper event caused by opening the fan bay Summary Removing cleaning and replacing the fan filter the black mesh behind the grille does not cause a tamper and can be done at any time without disrupting you...

Page 57: ...Clients If only one fan module is showing a defect you can probably leave replacing it until scheduled down time during which there would be no unexpected disruption to your Clients Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Group 57 ...

Page 58: ...red on 26W typical Power on Input Surge 15A typical 40A at 90 132VAC max 60A at 180 265VAC max Active under load from clients 84W typical 100W max The appliance has two power supplies each rated at 350W either of which is capable of running the system alone Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2021 06 30 10 29 48 04 00 Copyright 2009 2021 Thales Grou...

Page 59: ...e Messaging in the PTK C Administration Guide for a detailed description of SMS functionality NOTE SMS encrypts and authenticates messages between the client and HSM and allows the client to authenticate the HSM credentials This flag requires a valid ProtectServer Identity Key Certificate on the HSM See ProtectServer Owner and Identity Certificates in the ProtectToolkit C Administration Guide for ...

Page 60: ...ng iptables Separation of Roles The ProtectServer 3 External has two role categories Appliance and HSM users For optimal security maintain these roles and their credentials separately do not share between users Do not share the appliance management HSM Administration and User terminals Appliance Users The following roles can log in to the PSE shell PSESH to configure and manage the appliance admin...

Page 61: ... download and install automatically go to http www prolific com tw to download and install the PL2303 USB to Serial Windows driver 3 Open Device Manager Control Panel Hardware Device Manager and expand the Ports COM and LPT folder If the driver installed successfully an entry is displayed for the Prolific USB to Serial Comm Port followed by the port associated with the adapter For example Prolific...

Page 62: ...d will also reset the SNMP and network settings to their factory defaults CAUTION Executing sysconf appliance factory over an SSH connection may cause you to lose connection with the appliance when the IP address is reset To avoid this use a serial connection instead when using this command Run System Test Before field testing and deployment run the diagnostic utility While logged in as the admin ...

Page 63: ... it is recommended that you configure each device You can configure the following settings DNS nameservers DNS search domains These settings apply to static network configurations only If you are using DHCP the DNS search domains and DNS nameservers configured on the DHCP server are used Gathering Appliance Network Information Before you begin obtain the following information see your network admi...

Page 64: ...esh network interface ipv6 device netdevice ip IP gateway IP Either of these commands will prompt you to restart the network service 3 Optional Configure network interface bonding This allows multiple network devices to function as a single interface with a single MAC address improving bandwidth and providing redundancy NOTE Use network interface bonding with static IP addresses only If DHCP is us...

Page 65: ...in You must configure your DNS server to resolve the hostname to the IP address configured on the Ethernet port of the appliance Do this for each Ethernet port connected to a network See your network administrator for assistance 5 Optional Add a domain name server to the network configuration for the appliance The name server is added to the appliance DNS table There is one DNS table that applies ...

Page 66: ...for the FORWARD chain is set to DROP since the ProtectServer 3 External is not used to forward packets as in a router or proxy CAUTION If you are configuring iptables via SSH a malformed rule can cause a lockout a To add an ACCEPT rule specify a host or network psesh network iptables addrule accept host ip IP_address psesh network iptables addrule accept network net IP_address mask netmask b To ad...

Page 67: ...r 3 External Use PSESH to power off the appliance To power off the ProtectServer 3 External While logged in to PSESH as admin or pseoperator issue the command psesh sysconf appliance poweroff Wait for the appliance to perform shutdown procedures The fan and LEDs will remain operational until shutdown is complete Thales ProtectServer 3 HSM and ProtectToolkit 7 Installation and Configuration Guide 2...

Page 68: ...e product has been tested using Java runtime version 7 x 8 x 9 x 10 x and 11 x NOTE Warnings appear when compiling some of the provided Java samples with Java runtime 9 10 or 11 installed These warnings can be safely ignored NET versions 3 5 and 4 5 Windows only All required NET versions are available for download from Microsoft Microsoft Visual C 2005 2008 2010 2015 2019 Windows only All required...

Page 69: ...roduct such as the ProtectServer 3 External A machine with a ProtectServer 3 PCIe installed may also be used as a server in network mode Software Emulator mode on a local machine without access to a hardware security module Within the client server runtime environment the server performs cryptographic processing at the request of the client The server itself will only operate in one of the hardwar...

Page 70: ...nstaller exe downloaded from the Thales Customer Portal ProtectToolkit Installation Procedure Complete the following procedure to install ProtectToolkit on a Windows client To install ProtectToolkit on Windows 1 Run the Windows Installer PTKinstaller exe on your client and follow the wizard instructions to accept the licensing agreement and select your desired install location 2 Choose the Protect...

Page 71: ...tion API CNG PTK M Provider Installs components for using PTK M with the older Microsoft Cryptographic API MSCAPI 3 If you installed the Network HSM Communication Interface you are prompted to specify a space separated list of IP addresses for ProtectServer 3 HSMs you will access from this client If you set custom ports specify them as well in the format IP_address port 4 If you installed any of t...

Page 72: ...twork HSM Communication Interface is installed you can update the list of IP addresses for ProtectServer 3 HSMs this client will access 4 If any of the HSM Communication Interface components are installed you can switch between HSM and Software Emulation mode CAUTION Applications that were running before the modification including cmd windows must be restarted before changes are reflected Be espec...

Page 73: ... Issues in the ProtectServer 3 HSM and ProtectToolkit 7 Troubleshooting Guide Syntax safeNet install sh h p s size v Option Description h Show help p Plain mode In this mode the tput is not used for video enhancements s size Override the screen size default tput lines cols or 24x80 v Print the version of this script If you wish to enter platform specific commands manually use the commands given in...

Page 74: ...an additional script driver install sh to install the PCIe driver SafeNet HSM Net Server installs the components required to make an installed ProtectServer 3 PCIe HSM available on the network to other ProtectToolkit clients Requires an installed ProtectServer 3 PCIe and the SafeNet PCIe HSM Access Provider package as prerequisites SafeNet ProtectToolkit C Runtime installs all the necessary tools ...

Page 75: ...he checking of dependencies These options should be selected with appropriate care 4 You may now need to respond to any platform specific messages for example to confirm you wish to proceed with the installation 5 After installation the utility will return Success or Failure scan the system again and display the current installation status Press the Enter key to continue NOTE If you install the PC...

Page 76: ... to change modes To change the Cryptoki provider 1 From the Main menu select Set the default cryptoki and or HSM link The Cryptoki Selection screen is displayed Gemalto Unix Installation Utility Hostname 66 Linux 2 6 32 504 16 2 el6 i686 Main Menu Check Set Default Cryptoki HSM Menu Cryptoki Selection 1 SafeNet ProtectToolkit C SDK Software emulator 2 SafeNet ProtectToolkit C SDK Runtime hardware ...

Page 77: ...e information If you wish to install ProtectToolkit components manually use the commands described in this section after extracting the installation files you downloaded from the Thales Support Portal Manual Linux Installation for Network Mode below Manual Linux Installation for PCIe Mode on the next page Signing the ProtectServer 3 PCIe Driver for UEFI Secure Boot on the next page Manual Linux In...

Page 78: ...pt driver install sh to install the PCIe driver If you plan to configure the client for Secure Boot see Signing the ProtectServer 3 PCIe Driver for UEFI Secure Boot below before running the script opt safenet protecttoolkit7 pcihsm driver driver install sh To uninstall the PCie access provider manually Use the rpm 8 command with the appropriate package name as a parameter rpm e PTKpcihsmK7 Signing...

Page 79: ...to sign kernel modules perl perl Build system Perl interpreter used to run the signing script mokutil mokutil Target system Optional tool used to manually enroll the public key keyctl keyutils Target system Optional tool used to display public keys in the system key ring To sign and load the ProtectServer 3 PCIe driver 1 Create a configuration file with parameters for generating a key pair that sa...

Page 80: ... then Yes to confirm that you want to enroll the key f Enter the password you created for the enrollment request g Select Reboot to reboot the machine 4 If you specified a custom location for the signing keypair set the following variables to point to the key locations If you specified the default locations in step 2 skip this step export MOK_PRIV dir MOK priv export MOK_PUB dir MOK der 5 Run the ...

Page 81: ...no longer required and then install the new one 2 Execute the following as root for your selected package where x x x yy is the PTK version number Specify the location you chose for the installation files ProtectToolkit C Runtime cd output unix Linux64 PTKC_Runtime rpm i PTKcprt x x x yy x86_64 rpm ProtectToolkit C SDK cd output unix Linux64 hsm_net_server rpm i PTKcpsdk x x x yy x86_64 rpm 3 Add ...

Page 82: ... Linux Use the following commands to install or uninstall ProtectToolkit J NOTE PTK J requires the PTK C Runtime component as a prerequisite To install ProtectToolkit J manually 1 First install the ProtectToolkit J Runtime package which includes all the necessary tools and interfaces for a PTK J Cryptoki service provider using the Java Cryptographic Architecture JCA Java Cryptographic Extension JC...

Page 83: ...on number Specify the location you chose for the installation files cd output unix Linux64 fm_toolchain rpm i eldk x x x i686 rpm To uninstall the ProtectToolkit FMSDK packages manually Use the rpm 8 command with the appropriate package name as a parameter rpm e eldk rpm e PTKfmsdk Utilities Command Reference This chapter provides command reference details for the Linux Installation Utility and th...

Page 84: ...t install sh This copy can be used to uninstall or configure the software For more information see Installing ProtectToolkit 7 on Linux on page 72 Syntax safeNet install sh h p s size v Option Description h Show help p Plain mode In this mode the tput is not used for video enhancements s size Override the screen size default tput lines cols or 24x80 v Print the version of this script Thales Protec...

Page 85: ...ests Examples The command hsmstate will show all devices found in the system For example HSM device 0 HSM in NORMAL MODE RESPONDING HSM device 1 HSM in NORMAL MODE RESPONDING HSM device 2 HSM in NORMAL MODE RESPONDING The command hsmstate d1 v will show a report with full details about device 1 For example HSM device 1 HSM in NORMAL MODE RESPONDING to requests State 0x8000 0x41403 I2O_INBOARD_MF_O...

Page 86: ...n hsmstate without any options included f Force an HSM reset without prompting for confirmation h Display helpful usage information v Verbose flag This will display a more detailed report about the HSM Example The command hsmreset will reset the first HSM Upon execution the following message displays HSM is in normal mode Resetting it might disturb other applications Continue N Y Type Y to complet...

Page 87: ...at four configuration levels When a configuration item is queried item locations are searched in order of level precedence 1 Temporary Any changes made at the temporary configuration level override any corresponding entries at the user system and default levels 2 User Changes made at the user level override any corresponding entries at the system and default levels 3 System System changes override...

Page 88: ...t section below Windows Temporary Temporary configuration changes are made using environment variables Since environment variables are not hierarchical the hierarchy is implicitly defined by the name of the variable In Network mode to temporarily change the length of time the HSM will wait before timing out a connection attempt In a command prompt enter set ET_HSM_NETCLIENT_CONNECT_TIMEOUT_SECS ti...

Page 89: ...oolkit C file where the logger library writes log information ctlog log is stored in the etc default et_ptkc file as the entry ET_PTKC_LOGGER_FILE ctlog log ProtectServer 3 External Server Configuration Server configuration settings on the ProtectServer 3 External are edited by transferring a new configuration file to the appliance and applying it using PSESH This procedure must be completed by th...

Page 90: ...nce psesh files show psesh files show SCP Folder Content total 0 4K 0 4K et_hsm txt Command Result 0 Success 5 Set the etnetserver configuration file See sysconf etnetcfg in the PSESH Command Reference Guide for syntax psesh sysconf etnetcfg set filename psesh sysconf etnetcfg set et_hsm txt WARNING This command will modify the settings of the appliance It could affect client connections and resul...

Page 91: ... a configuration item must be changed and no valid values are given contact Thales Customer Support for assistance For more information about using configuration items see Configuration Items on page 87 Configuration Item Meaning ET_HSM_PCICLIENT_READ_TIMEOUT_SECS Determines the time in seconds the PCI driver will wait before timing out on a read operation It should be set long enough to avoid an ...

Page 92: ...connection alive Default 60 ET_HSM_NETCLIENT_LOG_CHANNEL Channel destination to write log entries to Values are platform dependent For Windows valid values are 0 Windows Event Log 1 Standard out 2 Standard error Default 0 For Unix valid values are from 0 to 7 inclusive and map to syslog LOG_LOCAL values Default 0 ET_HSM_NETCLIENT_LOG_NAME Name of application context to associate with log entries D...

Page 93: ...table If the value of a configuration item must be changed and no valid values are given contact Thales Customer Support for assistance For more information about using configuration items see Configuration Items on page 87 Configuration Item Meaning ET_HSM_NETSERVER_OLD_WORKER_COUNT Number of threads to reserve for processing old ProtectToolkit C remote client connections Default 3 ET_HSM_NETSERV...

Page 94: ...ion item with the following valid values Always Always allow reset Never Never allow reset OnHalt default Allow reset only when the HSM is not in normal mode ET_HSM_NETSERVER_PORT TCP port number to use Default 12396 ET_HSM_NETSERVER_LOG_CHANNEL Channel destination to write log entries to Values are platform dependent For Windows valid values are 0 default Windows Event Log 1 Standard out 2 Standa...

Page 95: ...commands If this proves to be an annoyance then peripheral detection can be disabled by creating the configuration item below and setting its value equal to FALSE ET_PTKC_SW_DETECTPERIPHERALS This change can be made at the temporary user or system levels on both Linux and Windows platforms Refer to Configuration Items on page 87 for further details on how to go about this if required Enabling Smar...

Page 96: ...6 addressing For example the following command is valid for a server with an IPv6 address of 2001 db8 221 5eff fe46 f17e export ET_HSM_NETCLIENT_SERVERLIST 2001 db8 221 5eff fe46 f17e Symbolic server names are also supported and they must be declared in the etc hosts and etc networks files For example if the etc hosts file contains the following entry 2001 db8 221 5eff fe46 f17e ServerV6 then you ...

Reviews:

No comments

Related manuals for ProtectServer 3 HSM

IBM BladeCenter HS23 Product Manual preview
BladeCenter HS23
Brand: IBM Pages: 28
TANDBERG S3 Administrator'S Manual preview
S3
Brand: TANDBERG Pages: 127
IBM 84885BU Maintenance And Troubleshooting Manual preview
84885BU
Brand: IBM Pages: 200
d3 Technologies d3 4x4pro Quick Start Manual preview
d3 4x4pro
Brand: d3 Technologies Pages: 10
DNP WPS Pro EU User Manual preview
WPS Pro EU
Brand: DNP Pages: 93
Altos R360 F5 LFF User Manual preview
R360 F5 LFF
Brand: Altos Pages: 104
Boca Systems BocaVision WT120 User Handbook Manual preview
BocaVision WT120
Brand: Boca Systems Pages: 28
Digi Connectware PortServer TS 8/16 Configuration And Administration Manual preview
Connectware PortServer TS 8/16
Brand: Digi Pages: 106
Digi PortServer CM User Manual preview
PortServer CM
Brand: Digi Pages: 126
Fujitsu PRIMERGY RX200 S6 Options Manual preview
PRIMERGY RX200 S6
Brand: Fujitsu Pages: 84
7th Sense Delta User Manual preview
Delta
Brand: 7th Sense Pages: 156
Promise Technology VTrak J5960 Quick Start Manual preview
VTrak J5960
Brand: Promise Technology Pages: 25
GRASS VALLEY HDMA-4000SYNC Datasheet preview
HDMA-4000SYNC
Brand: GRASS VALLEY Pages: 2
Certon integrita Manual preview
integrita
Brand: Certon Pages: 29
Obvius A8812 Installation And Operation Manual preview
A8812
Brand: Obvius Pages: 39
ZLAN ZLAN9153 User Manual preview
ZLAN9153
Brand: ZLAN Pages: 16
ZLAN ZLAN8303 User Manual preview
ZLAN8303
Brand: ZLAN Pages: 17
QNAP GM-1002 Quick Installation Manual preview
GM-1002
Brand: QNAP Pages: 16

Brands by name

Popular brands

Load more brands