background image

Appendix A:   Glossary

IP

Internet Protocol

J

JCA

Java Cryptography Architecture

JCE

Java Cryptography Extension

K

Keyset

A keyset is the definition given to an allocated memory space on the HSM. It contains the key information for a spe-
cific user

KWRAP

Key Wrapping Key

M

MAC

Message authentication code. A mechanism that allows a recipient of a message to determine if a message has been
tampered with. Broadly there are two types of MAC algorithms, one is based on symmetric encryption algorithms and
the second is based on Message Digest algorithms. This second class of MAC algorithms are known as HMAC
algorithms. A DES based MAC is defined in FIPS PUB 113, see http://www.itl.nist.gov/div897/pubs/fip113.htm. For
information on HMAC algorithms see RFC-2104 at http://www.ietf.org/rfc/rfc2104.txt

Message Digest

A condensed representation of a data stream. A message digest will convert an arbitrary data stream into a fixed size
output. This output will always be the same for the same input stream however the input cannot be reconstructed
from the digest

MSCAPI

Microsoft Cryptographic API

MSDN

Microsoft Developer Network

SafeNet ProtectToolkit 5.4 Installation Guide

007-013682-002 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto

24

Summary of Contents for SafeNet ProtectServer PCIe HSM 5.4

Page 1: ...SafeNet ProtectServer PCIe HSM 5 4 INSTALLATION GUIDE ...

Page 2: ...es This document shall not be posted on any publicly accessible network computer or broadcast in any media and no modification of any part of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The information contained in this document is provided AS IS without any warranty of any kind Unless otherwise expressly agr...

Page 3: ...ct indirect incidental or consequential damages that result from any use of its products It is further stressed that independent testing and verification by the person using the product is particularly encouraged especially in any application in which defective incorrect or insecure functioning could result in damage to persons or property denial of service or loss of privacy All intellectual prop...

Page 4: ...lation 12 Adapter Features 13 The Card Faceplate 13 The Rear Face 13 Installing the Adapter 14 PCIe HSM Access Provider Installation 14 Smart Card Reader Installation 15 Installing the USB smart card reader 15 Installing the legacy card reader 15 Completing Installation 16 Chapter 2 Troubleshooting 17 Known Issues 17 Simple Fault Diagnosis 17 Chapter 3 Hardware Reference 19 Adapter Modification fo...

Page 5: ...sections SafeNet ProtectServer PCIe HSM Hardware Installation on page 10 Troubleshooting on page 17 Hardware Reference on page 19 This appendix provides the adapter s serial port specifications and instructions for modifying the circuit board to use external tamper detectors Glossary on page 21 This preface also includes the following information about this document Customer Release Notes below Ge...

Page 6: ... SafeNet ProtectToolkit FM SDK NOTE These branding changes apply to the documentation only The SafeNet HSM software and utilities continue to use the old names Audience This document is intended for personnel responsible for maintaining your organization s security infrastructure This includes SafeNet ProtectToolkit users and security officers key manager administrators and network administrators ...

Page 7: ...ion bold The bold attribute is used to indicate the following Command line commands and options Type dir p Button names Click Save As Check box and radio button names Select the Print Duplex check box Dialog box titles On the Protect Document dialog box click Yes Field names User Name Enter the name of the user Menu names On the File menu click Save Click Menu Go To Folders User input In the Date ...

Page 8: ...and line argument enclosed within the braces Choices are separated by vertical OR bars a b c a b c Represent optional alternate keywords or variables in a command line description Choose one command line argument enclosed within the braces if desired Choices are separated by vertical OR bars SafeNet ProtectToolkit 5 4 Installation Guide 007 013682 002 Rev A 08 January 2020 Copyright 2009 2020 Gema...

Page 9: ... Sweden 020 791 028 Switzerland 0800 564 849 United Kingdom 0800 056 3158 United States 800 545 6608 Web https safenet gemalto com Technical Support Customer Portal https supportportal gemalto com Existing customers with a Technical Support Customer Portal account can log in to manage incidents get the latest software upgrades and access the Knowledge Base To create a new account click the Registe...

Page 10: ...the following tasks in the order indicated 1 Ensure that you have all of the required components as listed in SafeNet ProtectServer PCIe HSM Required Items on the next page 2 Install and connect the hardware as described in SafeNet ProtectServer PCIe HSM Installation on page 12 SafeNet ProtectToolkit 5 4 Installation Guide 007 013682 002 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 10 ...

Page 11: ...CIe HSM order Contents Received The following table contains the standard items you received with your order Qty Item 1 SafeNet ProtectServer PCIe HSM Adapter Card short form factor performance level 25 220 or 1500 as ordered indicated on label 1 Smart card reader 2 Smart cards in a single media case SafeNet ProtectToolkit 5 4 Installation Guide 007 013682 002 Rev A 08 January 2020 Copyright 2009 ...

Page 12: ...FF position to the ON position see The Battery Jumper Header on page 14 3 If you plan to use an external tamper detector ensure that it has a two conductor cable compatible with the tamper detect connector on the SafeNet adapter detailed in Adapter Modification for External Tamper Detectors on page 19 4 Install the SafeNet ProtectServer PCIe HSM card in the host computer system See Installing the ...

Page 13: ...15 Figure 1 The card faceplate The MSDM Connector The micro D subminiature MDSM connector is not used The USB Port The USB port connects a serial device such as a smart card reader to the card with the included USB to serial adapter The Rear Face The battery and a series of jumper headers are located on the rear face of the card as illustrated in Rear face of the card below Figure 2 Rear face of t...

Page 14: ...ng unless instructed by SafeNet support The Decommission Jumper Header Place a jumper on the decommission jumper header to decommission the HSM Decommissioning deletes all of the key material on the HSM The Tamper Input Header The tamper input header connects an external tamper device to the card By default it has a jumper in place across both pins To use an external tamper device run a two wire c...

Page 15: ...rd reader into the HSM USB port as illustrated in The card faceplate below Figure 3 The card faceplate Installing the legacy card reader To install the smart card reader use the included USB to serial cable to connect it to the HSM USB port on the card faceplate as shown in The connected legacy card reader on the next page The illustration shows the card reader connected to a SafeNet ProtectServer...

Page 16: ...Provider install the supplied SafeNet API or net server software Please refer to the installation instructions in the appropriate manual SafeNet ProtectToolkit C Administration Guide SafeNet ProtectToolkit J Installation Guide SafeNet ProtectToolkit M User Guide SafeNet ProtectToolkit 5 4 Installation Guide 007 013682 002 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 16 ...

Page 17: ...ess Provider device driver package is installed This may happen if a prior version of the device driver exists on the system 1 Power down and remove the adapter 2 Power up 3 Uninstall all versions old and new of the HSM Access Provider device driver package 4 Power down and re install the adapter 5 Power up and reinstall the HSM Access Provider package Following re installation of a previously rem...

Page 18: ...tate The output from the utility should include NORMAL mode Responding If the utility reports HALTED due to a failure 1 Execute hsmreset 2 Following the reset check to see if the hsmstate is now reporting NORMAL operation If the utility reports waiting for tamper cause to be removed 1 Check to see that any connected external tamper detectors are correctly configured 2 Make sure the adapter is sitt...

Page 19: ...the shunt s place The cable end from your tamper detection device must match the Molex socket on the adapter which is designed to fit with an insertable connector housing Molex part 35507 0200 a Crimp a pair of 2mm WTB crimp terminals Molex part 50212 8100 to the ends of your tamper detector s two wire connector cable b Insert the crimped terminal sockets into the Molex connector housing 3 Plug th...

Page 20: ...software for more information The RealTime Clock and memory retain their data as long as the adapter is in a powered system The RTC performs a daily battery check If it detects a low battery warning the battery may need to be replaced If the adapter has been de powered or removed from its system the data in its memory is suspect If the adapter has been continuously powered then the data in memory ...

Page 21: ...d decryption These ciphers are usually also known as public key ciphers as one of the keys is generally public and the other is private RSA and ElGamal are two asym metric algorithms B Block Cipher A cipher that processes input in a fixed block size greater than 8 bits A common block size is 64 bits Bus One of the sets of conductors wires PCB tracks or connections in an IC C CA Certification Autho...

Page 22: ...graphic Token Interface Standard aka PKCS 11 CSA Cryptographic Services Adapter CSPs Microsoft Cryptographic Service Providers D Decryption The process of recovering the plaintext from the ciphertext DES Cryptographic algorithm named as the Data Encryption Standard Digital Signature A mechanism that allows a recipient or third party to verify the originator of a document and to ensure that the doc...

Page 23: ...ering the plaintext F FIPS Federal Information Protection Standards FM Functionality Module A segment of custom program code operating inside the CSA800 HSM to provide additional or changed functionality of the hardware FMSW Functionality Module Dispatch Switcher H HA High Availability HIFACE Host Interface It is used to communicate with the host system HSM Hardware Security Module I IDEA Internat...

Page 24: ...sed on Message Digest algorithms This second class of MAC algorithms are known as HMAC algorithms A DES based MAC is defined in FIPS PUB 113 see http www itl nist gov div897 pubs fip113 htm For information on HMAC algorithms see RFC 2104 at http www ietf org rfc rfc2104 txt Message Digest A condensed representation of a data stream A message digest will convert an arbitrary data stream into a fixe...

Page 25: ...ng PKCS 11 Cryptographic Token Interface Standard developed by RSA Laboratories PKI Public Key Infrastructure ProtectServer SafeNet HSM ProtectToolkit C SafeNet s implementation of PKCS 11 Protecttoolkit C represents a suite of products including various PKCS 11 runtimes including software only hardware adapter and host security module based variants A Remote client and server are also available P...

Page 26: ...tively The names Cprov and Pro tectToolkit C refer to the same device in the context of this or previous manuals The names Protect Toolkit J and ProtectToolkit J refer to the same device in the context of this or previous manuals Slot PKCS 11 slot which is capable of holding a token SlotPKCS 11 Slot which is capable of holding a token SO Security Officer Symmetric Cipher An encryption algorithm th...

Page 27: ...alidation Authority X X 509 Digital Certificate Standard X 509 Certificate Section 3 3 3 of X 509v3 defines a certificate as user certificate public key certificate certificate The public keys of a user together with some other information rendered unforgeable by encipherment with the private key of the cer tification authority which issued it SafeNet ProtectToolkit 5 4 Installation Guide 007 0136...

Reviews: