SafeNet ProtectServer Network HSM 5.9

INSTALLATION AND CONFIGURATION GUIDE

Summary of Contents for SafeNet ProtectServer Network HSM 5.9

Page 1: ...SafeNet ProtectServer Network HSM 5 9 INSTALLATION AND CONFIGURATION GUIDE ...

Page 2: ...ocument shall not be posted on any publicly accessible network computer or broadcast in any media and no modification of any part of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The information contained in this document is provided AS IS without any warranty of any kind Unless otherwise expressly agreed in wr...

Page 3: ...t incidental or consequential damages that result from any use of its products It is further stressed that independent testing and verification by the person using the product is particularly encouraged especially in any application in which defective incorrect or insecure functioning could result in damage to persons or property denial of service or loss of privacy All intellectual property is pr...

Page 4: ...Messaging System SMS 17 Networking and Firewall Configuration 18 Separation of Roles 18 Chapter 4 Testing and Configuration 20 First Login and System Test 20 Access the Console 20 Power on and Login 21 Run System Test 22 Network Configuration 22 Gathering Appliance Network Information 23 Configuring the Network Parameters 24 SSH Network Access 26 Powering off the ProtectServer Network HSM 27 Troub...

Page 5: ...ent status and revision history see Document Information on page 2 Gemalto Rebranding In early 2015 Gemalto completed its acquisition of SafeNet Inc As part of the process of rationalizing the product portfolios between the two organizations the SafeNet name has been retained As a result the product names for SafeNet HSMs have changed as follows Old product name New product name ProtectServer Exte...

Page 6: ...document are proficient with security concepts Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes Notes are used to alert you to important or helpful information They use the following format NOTE Take note Contains important or helpful information Cautions Cautions are used to alert you to important in...

Page 7: ...command descriptions angle brackets represent variables You must substitute a value for command line arguments that are enclosed in angle brackets optional optional Represent optional keywords or variables in a command line description Optionally enter the keyword or variable that is enclosed in square brackets if it is necessary or desirable to complete the task a b c a b c Represent required alt...

Page 8: ...ailable to you Customer Support Portal The Customer Support Portal at https supportportal thalesgroup com is where you can find solutions for most common problems The Customer Support Portal is a comprehensive fully searchable database of support resources including software and firmware downloads release notes listing known problems and workarounds a knowledge base FAQs product documentation tech...

Page 9: ...eneration and verification and key management with a tamper resistant and battery backed key storage The ProtectServer Network HSM must be used with one of SafeNet s high level cryptographic APIs The following table shows the provider types and their corresponding SafeNet APIs API SafeNet Product Required PKCS 11 SafeNet ProtectToolkit C JCA JCE SafeNet ProtectToolkit J Microsoft IIS and CA SafeNe...

Page 10: ...erial port pinout LEDs The front panel is equipped with the following LEDs Power Illuminates green to indicate that the unit is powered on HDD Flashes amber to indicate hard disk activity Status Flashes green on startup Reset button The reset button is located between the USB and Ethernet ports Pressing the reset button forces an immediate restart of the appliance Although it does not power off th...

Page 11: ...sists of three general components One or more hardware security modules HSMs for key processing and storage High level cryptographic API software This software uses the HSM s cryptographic capabilities to provide security services to applications Access provider software to allow communication between the API software and the HSMs Operating in network mode a standalone ProtectServer Network HSM ca...

Page 12: ... Installation Guide 5 Install the high level cryptographic API software Please refer to the relevant installation guide supplied with the product SafeNet ProtectToolkit C Administration Guide SafeNet ProtectToolkit J Installation Guide SafeNet ProtectToolkit M User Guide 6 Configure the high level cryptographic API to allow preferred operating modes Some of these tasks may include establishing a t...

Page 13: ...tasks in the order indicated 1 Ensure that you have all of the required components as listed in ProtectServer Network HSM Required Items on the next page 2 Install and connect the hardware as described in Installing the ProtectServer Network HSM Hardware on page 15 SafeNet ProtectToolkit 5 9 Installation and Configuration Guide 007 013682 007 Rev A 08 January 2020 Copyright 2009 2020 Thales 13 ...

Page 14: ...r included with the shipment from our factory Please source your power cables locally for the intended deployment destination To configure your ProtectServer Network HSM you will need to supply and connect a keyboard mouse and display monitor After the appliance is placed into service the keyboard mouse and monitor can be disconnected from the appliance Optional Items The following table describes...

Page 15: ...t the ProtectServer Network HSM in a standard 19 inch rack NOTE The power supply cord acts as the unit s disconnect device The main outlet socket to which the unit is connected must be easily accessible 2 Connect the ProtectServer Network HSM to the network by inserting standard Ethernet cables into the LAN connectors located on the unit s front face labelled eth0 and eth1 The client machine s wit...

Page 16: ...reader connect it to the HSM USB port with the included USB to serial cable The legacy card reader must also be connected to a PS 2 port for its power Many newer servers have USB ports but do not provide a PS 2 connection If there is no available PS 2 connection there are two options Connect a PS 2 to USB adapter pink in the image below between the card reader and a USB port on the ProtectServer N...

Page 17: ...Secure Messaging System SMS enhances the security of the client HSM channel SMS provides an encrypted channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code MAC approved by the FIPS 140 2 standard Refer to Secure Messaging on page 1 in the SafeNet ProtectToolkit C Administration Guide for a detailed description of SMS functionality NOT...

Page 18: ... times Further restrictions on communication between network segments can be enforced by means of static routes See Network Configuration on page 22 for instructions on setting up static routes The ProtectServer Network HSM supports an iptables based firewall The firewall must be configured with appropriate rules to restrict access to identified network resources only See Network Configuration on ...

Page 19: ...er Roles on page 1 in the SafeNet ProtectToolkit C Administration Guide for the responsibilities of each role ...

Page 20: ...e Console To test the system and configure the network you must first access the ProtectServer Network HSM console There are two options Direct access Connect a keyboard and monitor not included to the USB keyboard and VGA monitor ports located on the unit s front panel Console access Connect the RJ45 console port to a terminal emulation device such as a laptop or terminal server NOTE To access th...

Page 21: ...System is booting this may take few minutes SafeNet Protect Server System boot Successful If you are using a serial connection no startup messages are displayed Power up is complete when the login prompt appears Protect Server External 5 9 0 PSE II login You can login as admin or pseoperator to access the PSE shell PSESH which provides a CLI for configuring and managing the appliance See the PSESH...

Page 22: ...You can also use the PSESH command status to check each of the HSM s processes See the PSESH Command Reference Guide for command syntax Network Configuration The ProtectServer Network HSM is intended to be installed in a data center and accessed remotely over a network Network access is provided by two Ethernet LAN ports The ProtectServer Network HSM is also equipped with an RJ 45 console port use...

Page 23: ...nfigure the following settings DNS nameservers DNS search domains These settings apply to static network configurations only If you are using DHCP the DNS search domains and DNS nameservers configured on the DHCP server are used Network device bonding Gathering Appliance Network Information Before you begin obtain the following information see your network administrator for most of these items HSM...

Page 24: ...s improving bandwidth and providing redundancy NOTE Use network interface bonding with static IP addresses only If DHCP is used the bond will be broken if one interface is assigned a different IP psesh network interface bonding config ip IP netmask IP gateway IP mode mode psesh network interface bonding enable psesh sysconf appliance reboot Multiple bonding modes provide different options for load...

Page 25: ...omain name settings apply to static network configurations only If you are using DHCP the DNS name servers configured on the DHCP server are used When you add a DNS server to a specific network device it is added to the DNS table for the appliance and becomes available to both devices provided the device you added it to is connected to the network For example if you add a DNS server to eth0 eth1 w...

Page 26: ...sh network iptables addrule accept network net IP_address mask netmask b To add a DROP rule specify a host or network psesh network iptables addrule drop host ip IP_address psesh network iptables addrule drop network net IP_address mask netmask c To see the current list of rules psesh network iptables show d To delete a rule specify the rule s position on the list psesh network iptables delrule ru...

Page 27: ...ase do not disassemble the unit to resolve problems unless directed by a Thales support engineer If it ever becomes necessary to get into the BIOS press Delete as the ProtectServer Network HSM boots For further assistance contact your supplier or Thales support with the following details at hand The product serial number at the back of the unit A detailed description of the current system configur...

Page 28: ...software 5 2 0 or 5 3 0 1 Use scp Linux UNIX or pscp Windows to securely transfer the patch file to the appliance filesystem Enter the root password when prompted pscp filepath SPKG 0 1 1 i386 rpm root appliance_hostname IP scp filepath SPKG 0 1 1 i386 rpm root appliance_hostname IP 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as root 3 Update the RPM...

Page 29: ...ppliance filesystem Enter the admin password when prompted pscp filepath filename admin appliance_hostname IP scp filepath filename admin appliance_hostname IP 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as admin 3 Optional Confirm that the package is available to install psesh package listfile 4 Install the secure package specifying the package file...

Page 30: ...45 LAN connector Pre installed Software Linux operating system ProtectServer HSM Access Provider software ProtectServer HSM Net Server software Power Supply Nominal power consumption 43 W Input AC voltage range 100 240 V Input frequency range 50 60 Hz Physical properties 437 mm W x 270 mm D x 44 mm H 1U 19 rack mounting brackets included Weight 5 kg 11 lb Operating Environment Temperature 0 to 40 ...

Page 31: ... B Block Cipher A cipher that processes input in a fixed block size greater than 8 bits A common block size is 64 bits Bus One of the sets of conductors wires PCB tracks or connections in an IC C CA Certification Authority CAST Encryption algorithm developed by Carlisle Adams and Stafford Tavares Certificate A binding of an identity individual group etc to a public key which is generally signed by...

Page 32: ...nt and to ensure that the document has not been altered in transit DLL Dynamically Linked Library A library which is linked to application programs when they are loaded or run rather than as the final phase of compilation DSA Digital Signature Algorithm E Encryption The process of converting the plaintext data into the ciphertext so that the content of the data is no longer obvious Some algorithms ...

Page 33: ...y Module Dispatch Switcher H HA High Availability HIFACE Host Interface It is used to communicate with the host system HSM Hardware Security Module I IDEA International Data Encryption Algorithm IIS Microsoft Internet Information Services IP Internet Protocol J JCA Java Cryptography Architecture ...

Page 34: ...t gov div897 pubs fip113 htm For information on HMAC algorithms see RFC 2104 at http www ietf org rfc rfc2104 txt Message Digest A condensed representation of a data stream A message digest will convert an arbitrary data stream into a fixed size output This output will always be the same for the same input stream however the input cannot be reconstructed from the digest MSCAPI Microsoft Cryptograp...

Page 35: ...untimes including software only hardware adapter and host security module based variants A Remote client and server are also available ProtectToolkit J SafeNet s implementation of JCE Runs on top of ProtectToolkit C R RC2 RC4 Ciphers designed by RSA Data Security Inc RFC Request for Comments proposed specifications for various protocols and algorithms archived by the Internet Engineering Task For...

Page 36: ...slot which is capable of holding a token SlotPKCS 11 Slot which is capable of holding a token SO Security Officer Symmetric Cipher An encryption algorithm that uses the same key for encryption and decryption DES RC4 and IDEA are all symmetric algorithms T TC Trusted Channel TCP IP Transmission Control Protocol Internet Protocol Token PKCS 11 token that provides cryptographic services and access c...

Page 37: ...rtificate as user certificate public key certificate certificate The public keys of a user together with some other information rendered unforgeable by encipherment with the private key of the certification authority which issued it ...