manualshive.com logo in svg

Thales ProtectToolkit 5.9.1, Installation And Configuration Manual

Share
Download
Thales ProtectToolkit 5.9.1 Installation And Configuration Manual Download Page 33

Chapter 2:   ProtectServer External 2 Installation and Configuration

IPv6

psesh:>

network interface ipv6 -device

<netdevice>

-ip

<IP> [

-gateway

<IP>]

Either of these commands will prompt you to restart the network service.

3.

[Optional] Configure network interface bonding. This allows the two network devices to function as a single
interface, with a single MAC address, improving bandwidth and providing redundancy.

NOTE

Use network interface bonding with static IP addresses only. If DHCP is used, the

bond will be broken if one interface is assigned a different IP.

psesh:>

network interface bonding config -ip

<IP>

-netmask

<IP>

-gateway

<IP>] [

-mode

<mode>]

psesh:>

network interface bonding enable

psesh:>

sysconf appliance reboot

Multiple bonding modes provide different options for load-balancing between the two physical interfaces:

0

: Balance Round Robin. Packets are transmitted alternately on each device in the bond, providing load

balancing and fault tolerance.

1

: Active-Backup. One bonded device is active and the other serves as a backup. The backup only

becomes active if the active device loses connectivity.

2

: Balance XOR. Transmits based on an XOR formula, where the source MAC address is XOR'd with the

destination MAC address. The same bonded device is selected for each destination MAC address,
providing load balancing and fault tolerance.

3

: Broadcast. All packets are transmitted on both bonded interfaces, providing fault tolerance.

4

: 802.3ad (Dynamic Link Aggregation). Creates aggregated groups that share the same speed and

duplex settings. This mode requires a switch that supports IEEE 802.3ad dynamic links. The dvice used
for an outgoing packet is selected by the transmit hash policy (by default, a simple XOR). This policy can
be changed via the xmit_hash_policy option.

NOTE:

Check the 802.3ad standard to ensure that your

transmit policy is 802.3ad-compliant. In particular, check section 43.2.4 for packet mis-ordering
requirements. Non-compliance tolerance may vary between different peer implementations.

5

: Balance TLB (Transmit Load Balancing). Outgoing traffic is distributed according to the current load

and queue on each bonded device. Incoming traffic is received by the current device.

6

: Balance ALB (Adaptive Load Balancing). Both outgoing and incoming traffic is load-balanced like

outgoing traffic in mode 5. Incoming load balancing is governed by ARP negotiation. The bonding driver
intercepts the ARP replies sent by the appliance and overwrites the source hardware address with the
unique hardware address of one of the bonded devices. Different clients will therefore use different
hardware addresses for the appliance.

4.

[Optional] Set the appliance hostname and domain name.

psesh:>

network hostname

<hostname>

psesh:>

network domain

<netdomain>

You must configure your DNS server to resolve the hostname to the IP address configured on the Ethernet
port of the appliance. Do this for each Ethernet port connected to a network. See your network administrator
for assistance.

Thales ProtectServer HSM 5.9.1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide

2021-11-02 08:51:40-04:00 Copyright 2009-2021 Thales Group

33

Summary of Contents for ProtectToolkit 5.9.1

Page 1: ...ProtectToolkit 5 9 1 ProtectServer HSM and ProtectToolkit INSTALLATION AND CONFIGURATION GUIDE ...

Page 2: ... of information contained herein The document could include technical inaccuracies or typographical errors Changes are periodically added to the information herein Furthermore Thales reserves the right to make any change or improvement in the specifications data information and the like described herein at any time Thales Group hereby disclaims all warranties and conditions with regard to the info...

Page 3: ...otected by copyright All trademarks and product names used or referred to are the copyright of their respective owners No part of this document may be reproduced stored in a retrieval system or transmitted in any form or by any means electronic mechanical chemical photocopy recording or otherwise without the prior written permission of Thales Group Thales ProtectServer HSM 5 9 1 ProtectServer HSM ...

Page 4: ... for External Tamper Detectors 17 The Battery 17 Port Specifications 18 Chapter 2 ProtectServer External 2 Installation and Configuration 19 Product Overview 20 Front panel view 20 Rear panel view 21 Cryptographic Architecture 22 Technical Specifications 22 ProtectServer External 2 Required Items 24 Contents Received 24 Optional Items 25 Installing the ProtectServer External 2 Hardware 25 Smart Ca...

Page 5: ...r External 2 Plus Hardware 46 Smart Card Reader Installation 48 Deployment Guidelines 49 Secure Messaging System SMS 50 Networking and Firewall Configuration 50 Separation of Roles 51 First Login and System Test 51 Access the Console 51 Power on and Log in 52 Run System Test 53 Network Configuration 53 Appliance configuration 53 Ethernet LAN device configuration 53 Gathering Appliance Network Info...

Page 6: ...r for UEFI Secure Boot 75 Manual Linux Installation for Net Server Mode 77 Installing ProtectToolkit C Manually on Linux 77 Changing the Cryptoki Provider manually 78 Installing ProtectToolkit J Manually on Linux 79 Installing the ProtectToolkit FMSDK Manually on Linux 79 Configuring ProtectToolkit 80 Utilities Command Reference 80 Unix Installation Utility 80 Hardware Maintenance Utilities 81 saf...

Page 7: ...art Card Access under UNIX 93 Specifying the Network Server s 93 UNIX Example 94 Windows Example 94 Using IPv6 addressing 94 Thales ProtectServer HSM 5 9 1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide 2021 11 02 08 51 40 04 00 Copyright 2009 2021 Thales Group 7 ...

Page 8: ... document Document Conventions below Support Contacts on page 10 For information regarding the document status and revision history see Document Information on page 2 Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes Notes are used to alert you to important or helpful information They use the following...

Page 9: ...type the italic attribute is used for emphasis or cross references to other documents in this documentation set variable In command descriptions angle brackets represent variables You must substitute a value for command line arguments that are enclosed in angle brackets optional optional Represent optional keywords or variables in a command line description Optionally enter the keyword or variable...

Page 10: ...r Support Portal The Customer Support Portal at https supportportal thalesgroup com is where you can find solutions for most common problems The Customer Support Portal is a comprehensive fully searchable database of support resources including software and firmware downloads release notes listing known problems and workarounds a knowledge base FAQs product documentation technical notes and more Y...

Page 11: ...the following tasks in the order indicated 1 Ensure that you have all of the required components as listed in ProtectServer PCIe 2 Required Items on the next page 2 Install and connect the hardware as described in ProtectServer PCIe 2 Installation on page 13 The ProtectServer PCIe 2 has been tested with a variety of representative systems servers with compliant PCI express slots When a compatibili...

Page 12: ...dard items you received with your order Qty Item 1 ProtectServer PCIe 2 Adapter Card short form factor performance level 25 220 or 1500 as ordered indicated on label 1 Smart card reader 5 Smart cards in a single media case Each smart card contains a total of 64 kilobytes of storage space Thales ProtectServer HSM 5 9 1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide 2021 1...

Page 13: ...To install and commission a ProtectServer PCIe 2 card 1 Ensure you have all the necessary components on the list provided For more information see Adapter Features on the next page 2 Move the battery jumper from the OFF position to the ON position see The Battery Jumper Header on the next page 3 If you plan to use an external tamper detector ensure that it has a two conductor cable compatible with...

Page 14: ...per headers are located on the rear face of the card The Battery The battery maintains the internal flash memory You can use the ctcheck b batterystatus command to test the battery s condition If the battery status is reported as LOW back up the keys on the HSM and return the HSM to your nearest Thales service centre for battery HSM replacement See Support Contacts on page 10 CAUTION Do not attemp...

Page 15: ...ormats x4 x8 or x16 If necessary please consult the documentation accompanying your host system motherboard to find the PCIe slots If you are using a tamper detection device route the cable to it before closing the computer cover ProtectServer HSM Access Provider Installation After successful installation of the adapter 1 Install the ProtectServer HSM Access Provider package PTKpcihsmK6 2 Confirm ...

Page 16: ...mputer If you prefer not to expose USB ports on your crypto server for security reasons use a PS 2 to USB adapter to connect the card reader to a standalone powered USB hub The USB connection is for power only No data transfer occurs Figure 1 The connected legacy card reader Completing Installation After you have installed the ProtectServer HSM Access Provider install the supplied SafeNet API or n...

Page 17: ...e adapter which is designed to fit with an insertable connector housing Molex part 35507 0200 a Crimp a pair of 2 mm WTB crimp terminals Molex part 50212 8100 to the ends of your tamper detector s two wire connector cable b Insert the crimped terminal sockets into the Molex connector housing 3 Plug the newly fitted connector cable into the PCIe adapter s tamper input header The external tamper det...

Page 18: ...rning the battery may need to be replaced If the adapter has been de powered or removed from its system the data in its memory is suspect If the adapter has been continuously powered then the data in memory can be trusted and you can make a backup before sending the adapter to a Thales service centre for battery HSM replacement Port Specifications The USB to serial cable provides an RS232 port wit...

Page 19: ...oolkit software on your operating system See the following sections Installing ProtectToolkit on Windows on page 63 Installing ProtectToolkit on Unix Linux on page 68 Installing ProtectToolkit on Linux Manually on page 73 5 Configure the high level cryptographic API to allow preferred operating modes Some of these tasks may include establishing a trusted channel or secure messaging system SMS betw...

Page 20: ...nd battery backed key storage The ProtectServer External 2 must be used with one of SafeNet s high level cryptographic APIs The following table shows the provider types and their corresponding SafeNet APIs API SafeNet Product Required PKCS 11 ProtectToolkit C JCA JCE ProtectToolkit J Microsoft IIS and CA ProtectToolkit M These APIs interface directly with the product s FIPS 140 2 Level 3 certified...

Page 21: ...essing the reset button forces an immediate restart of the appliance Although it does not power off the appliance it does restart the software Pressing the reset button is service affecting and is not recommended under normal operating conditions Rear panel view The features on the rear panel of the ProtectServer External 2 are illustrated below Figure 6 ProtectServer External 2 rear panel Tamper ...

Page 22: ...d storage In network mode access provider software is installed on the machine hosting the cryptographic API software The access provider allows communication between the API and the ProtectServer External 2 over a TCP IP connection The HSM can therefore be located remotely improving the security of cryptographic key data The figure below depicts a cryptographic service provider using the ProtectS...

Page 23: ...nput frequency range 50 60 Hz Physical properties 437 mm W x 270 mm D x 44 mm H 1U 19 rack mounting brackets included Weight 5 kg 11 lb Operating Environment Temperature 0 to 40 C 32 to 104 F Relative Humidity 5 to 85 Thales ProtectServer HSM 5 9 1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide 2021 11 02 08 51 40 04 00 Copyright 2009 2021 Thales Group 23 ...

Page 24: ...E The smart cards and smart card reader are only included with your order if you purchased your ProtectServer HSM with a ProtectServer HSM Accessory Kit Power cables are no longer included with the shipment from our factory Please source your power cables locally for the intended deployment destination To configure your ProtectServer External 2 you will need to supply and connect a keyboard mouse ...

Page 25: ...dware 1 Choose a suitable location to site the equipment You can mount the ProtectServer External 2 in a standard 19 inch rack NOTE The power supply cord acts as the unit s disconnect device The main outlet socket to which the unit is connected must be easily accessible 2 Connect the ProtectServer External 2 to the network by inserting standard Ethernet cables into the LAN connectors located on th...

Page 26: ...t to the HSM USB port with the included USB to serial cable The legacy card reader must also be connected to a PS 2 port for its power Many newer servers have USB ports but do not provide a PS 2 connection If there is no available PS 2 connection there are two options Connect a PS 2 to USB adapter pink in the image below between the card reader and a USB port on the ProtectServer External 2 If for...

Page 27: ...channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code MAC approved by the FIPS 140 2 standard Refer to Secure Messaging in the Cryptoki Configuration section of the ProtectToolkit C Administration Guide for a detailed description of SMS functionality NOTE SMS encrypts and authenticates messages between the client and HSM but does not ...

Page 28: ...s The ProtectServer External 2 supports an iptables based firewall The firewall must be configured with appropriate rules to restrict access to identified network resources only See Network Configuration on page 31 for details on setting iptables Separation of Roles The ProtectServer External 2 has two role categories Appliance and HSM users For optimal security maintain these roles and their cred...

Page 29: ...ipped with a DB9 serial port you require a cable with an RJ45 connector on one end and a DB9 serial port on the other end see Serial cable RJ45 to DB9 below If your terminal device is equipped with an RJ45 serial port you can use a standard Ethernet cable Serial cables are not included Figure 8 Serial cable RJ45 to DB9 If you are using a serial connection configure your local VT100 or terminal emu...

Page 30: ...ser password The admin user can reset all account passwords to their factory defaults at any time with the PSESH command sysconf appliance factory This command will also reset the SNMP and network settings to their factory defaults CAUTION Executing sysconf appliance factory over an SSH connection may cause you to lose connection with the appliance when the IP address is reset To avoid this use a ...

Page 31: ...uration The ProtectServer External 2 is equipped with two individually configurable Ethernet LAN network devices You can configure the following network settings for each device IPv4 or IPv6 address You can configure IPv4 addresses using static or DHCP addressing IPv6 addresses must be configured as static addresses Network gateway Devices must use a gateway appropriate for the network IPv4 or IPv...

Page 32: ...a single port and use it to access the appliance over the network and complete the configuration NOTE Use a locally connected serial terminal when changing the appliance IP address to avoid SSH admin console disconnection To configure the appliance and port network parameters It is recommended that you configure and test each device You need to know the IP address of at least one network interface...

Page 33: ...ted groups that share the same speed and duplex settings This mode requires a switch that supports IEEE 802 3ad dynamic links The dvice used for an outgoing packet is selected by the transmit hash policy by default a simple XOR This policy can be changed via the xmit_hash_policy option NOTE Check the 802 3ad standard to ensure that your transmit policy is 802 3ad compliant In particular check sect...

Page 34: ...rch domain settings apply to static network configurations only If you are using DHCP the DNS search domains configured on the DHCP server are used When you add a DNS search domain to a specific network device it is added to the DNS table for the appliance and becomes available to both devices provided the device you added it to is connected to the network For example if you add a DNS server to et...

Page 35: ...ent such as puTTY available for free from www putty org Powering off the ProtectServer External 2 Use PSESH to power off the appliance before toggling the power switch To power off the ProtectServer External 2 1 While logged in to PSESH as admin or pseoperator issue the command psesh sysconf appliance poweroff Wait for the appliance to perform shutdown procedures The fan and LEDs will remain opera...

Page 36: ...ernal 2 with appliance software 5 2 0 1 Use scp Linux UNIX or pscp Windows to securely transfer the patch file to the appliance filesystem Enter the root password when prompted pscp filepath SPKG 0 1 1 i386 rpm root appliance_hostname IP tmp scp filepath SPKG 0 1 1 i386 rpm root appliance_hostname IP tmp 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as...

Page 37: ...r pscp Windows to securely transfer the secure package file to the appliance filesystem Enter the admin password when prompted pscp filepath filename admin appliance_hostname IP scp filepath filename admin appliance_hostname IP 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as admin 3 Optional Confirm that the package is available to install psesh packa...

Page 38: ... and ProtectToolkit software on your operating system See the following sections Installing ProtectToolkit on Windows on page 63 Installing ProtectToolkit on Unix Linux on page 68 Installing ProtectToolkit on Linux Manually on page 73 5 Configure the high level cryptographic API to allow preferred operating modes Some of these tasks may include establishing a trusted channel or secure messaging sy...

Page 39: ...e generation and verification and key management with a tamper resistant and battery backed key storage The ProtectServer External 2 Plus must be used with one of SafeNet s high level cryptographic APIs The following table shows the provider types and their corresponding SafeNet APIs API SafeNet Product Required PKCS 11 ProtectToolkit C JCA JCE ProtectToolkit J Microsoft IIS and CA ProtectToolkit ...

Page 40: ...ge the mounting posts at the left and right ends of the appliances front panel f Rack mount tabs removable Use the tabs on the front and the sliding tabs towards the rear of the appliance to support your SafeNet appliance in a compatible equipment rack g Securing screw for fan bay Torx screw secures the fan bay CAUTION Opening the fan bay will trigger a tamper event on the device h i USB ports Unc...

Page 41: ...or decommissioning of the appliance to destroy any keys currently stored on the HSM CAUTION Activating the tamper switch deletes any keys currently stored on the HSM Deleted keys are not recoverable Ensure that you always back up your keys To avoid accidentally deleting the keys on an operational ProtectServer External 2 Plus ensure the users with access to the appliance are familiar with the swit...

Page 42: ...d storage High level cryptographic API software This software uses the HSM s cryptographic capabilities to provide security services to applications Access provider software to allow communication between the API software and the HSMs Operating in network mode a standalone ProtectServer External 2 Plus can provide key processing and storage In network mode access provider software is installed on ...

Page 43: ...et PCI HSM Access Provider software SafeNet HSM Net Server software Power Supply Nominal power consumption 156 W Input AC voltage range 100 240 V Input frequency range 50 60 Hz Physical properties 482 mm W x 533 mm D x 44 mm H 1U 19 rack mounting brackets included Weight 12 7 kg 28 lb Operating Environment Temperature 0 to 40 C 32 to 104 F Relative Humidity 5 to 85 Thales ProtectServer HSM 5 9 1 P...

Page 44: ... you have all of the items required for the installation Qty Item 1 ProtectServer External 2 Plus Appliance 1 Null Modem Serial Cable 1 USB 2 0 to RS232 Serial Adapter 1 Smart card reader Thales ProtectServer HSM 5 9 1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide 2021 11 02 08 51 40 04 00 Copyright 2009 2021 Thales Group 44 ...

Page 45: ... with a ProtectServer HSM Accessory Kit Power cables are no longer included with the shipment from our factory Many customers are buying HSMs from one country but shipping them for final deployment to different countries which has resulted in many wasted power cables that are incorrect format for destination countries Please source your power cables locally for the deployment destination Software ...

Page 46: ... computer as a user with Administrator privileges 2 A computer that is to be used only for administering the ProtectServer External 2 Plus does not need the Client software only an SSH client such as the PuTTY program that we have provided for Windows or the SSH utilities that come standard with most Linux and UNIX platforms 3 Both tasks Client and administration can be performed on a single compu...

Page 47: ...rand of equipment rack CAUTION Support the weight of the appliance until all four brackets are secured 3 Insert the power a and network b cables at the rear panel The ProtectServer External 2 Plus is equipped with two NICs eth0 and eth1 incorporating an IPv4 IPv6 dual stack allowing you to configure both an IPv4 and IPv6 address on each interface If you intend to use both NICs connect Ethernet cab...

Page 48: ...pports the use of smart cards with a SafeNet supplied smart card reader Other smart card readers are not supported The ProtectServer Network HSM Plus supports two different card readers the new USB card reader introduced in 5 2 the legacy card reader which provides a serial interface for data via a USB to serial cable and a PS 2 interface for power direct or via a PS 2 to USB adapter Thales Protec...

Page 49: ...USB port on the ProtectServer Network HSM Plus If for security reasons you prefer to not expose USB ports on your crypto server connect a PS 2 to USB adapter cable between the card reader and a standalone powered USB hub NOTE The USB connection is for power only No data transfer occurs over this connection Next see First Login and System Test on page 51 Deployment Guidelines Users must consider th...

Page 50: ... versa The HSM supports the following SMS modes HIMK ADH ADH2 PTK 5 4 and above For secure deployment use ADH or ADH2 Refer to Secure Messaging in the Cryptoki Configuration section of the ProtectToolkit C Administration Guide for descriptions of the difference between these modes The SMS feature is flexible and can be configured to Encrypt decrypt all messages Sign verify all messages Allow only ...

Page 51: ...n and User terminals Appliance Users The following roles can log in to the PSE shell PSESH to configure and manage the appliance admin pseoperator audit See Using PSESH in the PSESH Command Reference Guide for the responsibilities of each role HSM Users The following roles can log in to manage the HSM token and perform cryptographic operations Administration Security Officer ASO Administrator Secu...

Page 52: ...or configuring and managing the appliance See the PSESH Command Reference Guide for command syntax There is a third account audit which is used to configure audit logging on the appliance This account cannot be used to perform administrative tasks The default passwords for the admin and pseoperator users are User name Default password admin password pseoperator password After logging in you will b...

Page 53: ...y over a network Network access is provided by two Ethernet LAN ports The network device interfaces eth0 and eth1 are located on the back of the appliance as illustrated below Appliance configuration The following network parameters are configured at the appliance level Appliance hostname A hostname is optional unless you are using DNS Ethernet LAN device configuration The ProtectServer External 2...

Page 54: ...ateway IP address per port DNS Name Server IP address es per port Search Domain name s per port Device subnet mask per port DNS Entries Ensure that you have configured your DNS Server s with the correct entries for the appliance and the client If you are using DHCP then all references to the Client and the HSM appliance as in Certificates should use hostnames Configuring the Network Parameters You...

Page 55: ...es as a backup The backup only becomes active if the active device loses connectivity 2 Balance XOR Transmits based on an XOR formula where the source MAC address is XOR d with the destination MAC address The same bonded device is selected for each destination MAC address providing load balancing and fault tolerance 3 Broadcast All packets are transmitted on both bonded interfaces providing fault ...

Page 56: ...rt failure it is recommended that you add it to both network connected devices 6 Optional Add a search domain to the network configuration These are automatically appended to an internet address you specify in PSESH For example if you add the search domain mycompany com entering the command network ping hsm1 would search for the domain hsm1 mycompany com If the domain resolves it pings the device ...

Page 57: ...sh network iptables delrule rulenum number A rule s number is based on its current list position so executing network iptables delrule rulenum 1 multiple times will eventually delete the entire list e Save your iptables changes psesh network iptables save You must execute this command or any changes will be lost on the next appliance reboot 8 After making any change to the network configuration re...

Page 58: ...ly Prerequisites Download the patch SPKG 0 1 1 i386 rpm from the Thales Customer Support Portal see Support Contacts on page 10 If you are installing the patch on a ProtectServer External 2 running software version 5 2 0 ensure that you have root access If you are installing the patch on a ProtectServer External 2 running software version 5 4 0 5 5 0 or 5 6 0 ensure that you have admin access If y...

Page 59: ...stomer Support Portal see Support Contacts on page 10 You must have admin access to the appliance The Admin token must be initialized See CTCONF in the Command Line Utilities Reference section of the ProtectToolkit C Administration Guide for more information about initializing the Admin token To update the appliance software 1 Use scp Linux UNIX or pscp Windows to securely transfer the secure pack...

Page 60: ...on 6 x 7 x 8 x 9 x 10 x and 11 x NOTE The older minor versions of Java 7 or Java 8 could cause issues with the SAFENET java library jprov_sfnt jar Thales Group recommends updating Java 7 8 to the latest version Warnings appear when compiling some of the provided Java samples with Java runtime 9 10 or 11 installed These warnings can be safely ignored NET versions 3 5 and 4 5 Windows only All requir...

Page 61: ...E2 PSE2 Server 2012 R2 64 bit C M J PCIe2 PSE2 PSE2 C J PSE2 PSE2 Server 2008 R1 and R2 64 bit C M J PCIe2 PSE2 PSE2 C J PSE2 PSE2 7 32 bit C J KSP support PCIe2 PSE2 PSE2 7 64 bit C M J PCIe2 PSE2 PSE2 C J PSE2 PSE2 Linux RHEL 7 64 bit C J PCIe2 PSE2 PSE2 C J PSE2 PSE2 RHEL 6 32 bit C J PCIe2 PSE2 PSE2 RHEL 6 64 bit C J PCIe2 PSE2 PSE2 C J PSE2 PSE2 SUSE12 64 bit C J PCIe2 PSE2 PSE2 C J PSE2 PSE2...

Page 62: ...tectServer PCIe 2 installed may also be used as a server in network mode Software only mode on a local machine without access to a hardware security module Within the client server runtime environment the server performs cryptographic processing at the request of the client The server itself will only operate in one of the hardware runtime modes The software only version is available for a variety...

Page 63: ...otectServer PCIe 2 Installation on page 13 Installing the ProtectServer External 2 Hardware on page 25 Installing the ProtectServer External 2 Plus Hardware on page 46 If you are planning to operate ProtectToolkit in PCIe or network mode you must install the ProtectServer HSM Access Provider software before installing ProtectToolkit components See Installing the ProtectServer HSM Access Provider o...

Page 64: ...plete the installation NOTE The following information applies to the installation of PTKpcihsmK6 msi and PTKnethsm msi If you are installing PTKpcihsmK6 msi a reboot may be required to successfully load the driver If you are installing PTKnethsm msi the following command window appears during installation Specify the hostname or IP address of one or more HSMs on the network separated by single spa...

Page 65: ...K C SDK component as a prerequisite NOTE Thales recommends that you develop and test FMs in Software Emulation mode before installing them on your production HSMs This installation package is located in the folder for your architecture in the installation directory 2 Work through the installation wizard to complete the installation If you selected the ProtectToolkit C SDK package a command window ...

Page 66: ...fenet crypto provider slot n SAFENETProvider To install ProtectToolkit J on Windows 1 Run the installation package for the ProtectToolkit J component that you would like to install PTKjprt msi installs all the necessary tools and interfaces for a PTK J Cryptoki service provider using the Java Cryptographic Architecture JCA Java Cryptographic Extension JCE interface NOTE PTK J requires the PTK C Ru...

Page 67: ...by configuring the client to use one or more servers that are available on the same network Refer to Specifying the Network Server s on page 93 If you have installed ProtectToolkit C and intend to use software only mode Customize the installation to optimize performance Refer to Software Only Mode Configuration on page 93 Changing the Cryptoki Provider The setmode executable binary file allows the...

Page 68: ...ctToolkit M software Failure to do so may prevent the ProtectToolkit M software from uninstalling correctly 3 Select Uninstall Installing ProtectToolkit on Unix Linux Installation and uninstallation commands are different for each of the supported Unix platforms To account for these differences the package should be installed using the Unix Installation Utility Manual commands specific to your ope...

Page 69: ...t on page 71 Changing the Cryptoki provider on page 72 Configuring ProtectToolkit on page 72 Uninstalling a package on page 73 Boot Service Operation on Unix Linux Platforms on page 73 Utility Startup Options can be specified when executing the safeNet install sh command These options are not normally required and are mainly useful for troubleshooting To troubleshoot an issue you are experiencing ...

Page 70: ...afeNet Network HSM Access Provider installs the components required to access a ProtectServer HSM over the network whether a ProtectServer External 2 ProtectServer External 2 Plus or ProtectServer PCIe 2 configured for network access SafeNet PCIe HSM Access Provider Device Driver installs the device driver components for a ProtectServer PCIe 2 HSM installed in the host system SafeNet HSM Net Serve...

Page 71: ...stall a package from this CD from the utility s Main Menu A list of installable SafeNet packages is displayed 2 Select the package required by typing the appropriate menu number followed by Enter The utility verifies the action and executes the appropriate command for your platform 3 On some platforms you may be prompted for additional installation options On Linux for example you can add a nodeps...

Page 72: ... modes To change the Cryptoki provider 1 From the Main menu select Set the default cryptoki and or HSM link The Cryptoki Selection screen is displayed Gemalto Unix Installation Utility Hostname 66 Linux 2 6 32 504 16 2 el6 i686 Main Menu Check Set Default Cryptoki HSM Menu Cryptoki Selection 1 SafeNet ProtectToolkit C SDK Software emulator 2 SafeNet ProtectToolkit C SDK Runtime hardware 3 SafeNet ...

Page 73: ...latforms you may be prompted for additional uninstallation options On Linux for example you can add a nodeps option to suppress the checking of dependencies These options should be selected with appropriate care 4 After completing uninstallation the utility will return Success or Failure scan the system again and display the current installation status 5 You may now need to respond to any platform...

Page 74: ...package It includes the components required to access a ProtectServer HSM over the network whether a ProtectServer External 2 ProtectServer External 2 Plus or ProtectServer PCIe 2 configured for network access To install the Network Access Provider manually Execute the following as root where x x x yy is the PTK version number Specify the location you chose for the installation files cd output uni...

Page 75: ...erating RSA signing keys and certificates Signing the ProtectServer PCIe driver Enrolling the signing public key into the system keyring Loading the signed driver NOTE This procedure applies only to a CentOS 7 environment with UEFI Secure Boot enabled The steps have been tested on RHEL release 7 6 1810 The mokutil utility on earlier versions of Red Hat might show inconsistent behavior If you encou...

Page 76: ...eyUsage digitalSignature subjectKeyIdentifier hash authorityKeyIdentifier keyid 2 Use the openssl tool to generate a signing key pair Specify the configuration file you created and public and private keys named MOK der and MOK priv You can use the default locations specified in the command below or specify your own filepaths openssl req x509 new nodes utf8 sha256 days 36500 batch config configurat...

Page 77: ...ckage It includes the components required to make an installed ProtectServer PCIe 2 HSM available on the network to other ProtectToolkit clients Requires an installed ProtectServer PCIe 2 and the PCIe HSM Access Provider package as prerequisites To install the Net Server Access Provider manually Execute the following as root where x x x yy is the PTK version number Specify the location you chose f...

Page 78: ... to use under opt safenet protecttoolkit5 To uninstall the ProtectToolkit C packages manually Use the rpm 8 command with the appropriate package name as a parameter rpm e PTKcprt rpm e PTKcpsdk Changing the Cryptoki Provider manually This section applies to the SDK package only Different ProtectToolkit C Cryptoki provider files are required if an HSM is present PCI or network mode or not software ...

Page 79: ... PTK version number Specify the location you chose for the installation files cd output unix Linux64 PTKJ_SDK rpm i PTKjpsdk x x x yy x86_64 rpm To uninstall the ProtectToolkit J packages manually Use the rpm 8 command with the appropriate package name as a parameter rpm e PTKjpsdk rpm e PTKjprov Installing the ProtectToolkit FMSDK Manually on Linux Use the following commands to install or uninsta...

Page 80: ...nfigure the secure messaging system SMS Refer to Secure Messaging in the Cryptoki Configuration section of the ProtectToolkit C Administration Guide Establish network communication network operating mode only by configuring the client to use one or more servers that are available on the same network Refer to Specifying the Network Server s on page 93 If you have installed ProtectToolkit C and inte...

Page 81: ...ver PCIe 2 and ProtectServer External 2 Access Provider installations The utilities are named hsmstate and hsmreset The utilities are described in hsmstate on page 83 and hsmreset on page 84 Thales ProtectServer HSM 5 9 1 ProtectServer HSM and ProtectToolkit Installation and Configuration Guide 2021 11 02 08 51 40 04 00 Copyright 2009 2021 Thales Group 81 ...

Page 82: ...This copy can be used to uninstall or configure the software For more information see Installing ProtectToolkit on Unix Linux on page 68 Syntax safeNet install sh h p s size v Option Description h Show help p Plain mode In this mode the tput is not used for video enhancements s size Override the screen size default tput lines cols or 24x80 v Print the version of this script Thales ProtectServer HS...

Page 83: ...es The command hsmstate will show all devices found in the system For example HSM device 0 HSM in NORMAL MODE RESPONDING HSM device 1 HSM in NORMAL MODE RESPONDING HSM device 2 HSM in NORMAL MODE RESPONDING The command hsmstate d1 v will show a report with full details about device 1 For example HSM device 1 HSM in NORMAL MODE RESPONDING to requests State 0x8000 0x41403 I2O_INBOARD_MF_OFFSET 0kb R...

Page 84: ...without any options included f Force an HSM reset without prompting for confirmation h Display helpful usage information v Verbose flag This will display a more detailed report about the HSM Example The command hsmreset will reset the first HSM Upon execution the following message displays HSM is in normal mode Resetting it might disturb other applications Continue N Y Type Y to complete the opera...

Page 85: ...figuration levels When a configuration item is queried item locations are searched in order of level precedence 1 Temporary Any changes made at the temporary configuration level override any corresponding entries at the user system and default levels 2 User Changes made at the user level override any corresponding entries at the system and default levels 3 System System changes override default le...

Page 86: ...below Windows Temporary Temporary configuration changes are made using environment variables Since environment variables are not hierarchical the hierarchy is implicitly defined by the name of the variable In Network mode to temporarily change the length of time the HSM will wait before timing out a connection attempt In a command prompt enter set ET_HSM_NETCLIENT_CONNECT_TIMEOUT_SECS time_in_ sec...

Page 87: ... of the ProtectToolkit C file where the logger library writes log information ctlog log is stored in the etc default et_ptkc file as the entry ET_PTKC_LOGGER_FILE ctlog log ProtectServer External 2 Server Configuration Server configuration settings on the ProtectServer External 2 are edited by transferring a new configuration file to the appliance and applying it using PSESH To change the ProtectS...

Page 88: ...files show SCP Folder Content total 0 4K 0 4K et_hsm txt Command Result 0 Success 5 Set the etnetserver configuration file See sysconf etnetcfg in the PSESH Commands section of the PSESH Command Reference Guide for syntax psesh sysconf etnetcfg set filename psesh sysconf etnetcfg set et_hsm txt WARNING This command will modify the settings of the appliance It could affect client connections and re...

Page 89: ...ration item must be changed and no valid values are given contact Thales Customer Support for assistance For more information about using configuration items see Configuration Items on page 85 Configuration Item Meaning ET_HSM_PCICLIENT_READ_TIMEOUT_SECS Determines the time in seconds the PCI driver will wait before timing out on a read operation It should be set long enough to avoid an unintentio...

Page 90: ... alive Default 60 ET_HSM_NETCLIENT_LOG_CHANNEL Channel destination to write log entries to Values are platform dependent For Windows valid values are 0 Windows Event Log 1 Standard out 2 Standard error Default 0 For Unix valid values are from 0 to 7 inclusive and map to syslog LOG_LOCAL values Default 0 ET_HSM_NETCLIENT_LOG_NAME Name of application context to associate with log entries Default etn...

Page 91: ...he value of a configuration item must be changed and no valid values are given contact Thales Customer Support for assistance For more information about using configuration items see Configuration Items on page 85 Configuration Item Meaning ET_HSM_NETSERVER_OLD_WORKER_COUNT Number of threads to reserve for processing old ProtectToolkit C remote client connections Default 3 ET_HSM_NETSERVER_V2_WORK...

Page 92: ...ith the following valid values Always Always allow reset Never Never allow reset OnHalt default Allow reset only when the HSM is not in normal mode ET_HSM_NETSERVER_PORT TCP port number to use Default 12396 ET_HSM_NETSERVER_LOG_CHANNEL Channel destination to write log entries to Values are platform dependent For Windows valid values are 0 default Windows Event Log 1 Standard out 2 Standard error F...

Page 93: ...this proves to be an annoyance then peripheral detection can be disabled by creating the configuration item below and setting its value equal to FALSE ET_PTKC_SW_DETECTPERIPHERALS This change can be made at the temporary user or system levels on both UNIX and Windows platforms Refer to Configuration Items on page 85 for further details on how to go about this if required Enabling Smart Card Access...

Page 94: ...ng For example the following command is valid for a server with an IPv6 address of 2001 db8 221 5eff fe46 f17e export ET_HSM_NETCLIENT_SERVERLIST 2001 db8 221 5eff fe46 f17e Symbolic server names are also supported and they must be declared in the etc hosts and etc networks files For example if the etc hosts file contains the following entry 2001 db8 221 5eff fe46 f17e ServerV6 then you can run th...

Reviews:

No comments

Brands by name

Popular brands

Load more brands