Gemalto SafeNet ProtectServer Скачать руководство пользователя | Manualshive

Страница: 11 / 44

background image

5

Chapter 3

Implementation overview

Implementation architecture

To implement a hardware based cryptographic service provider, essentially three
elements are required.

1.

One or more hardware security modules (HSMs) for key processing and storage.

2.

High level cryptographic API software. This software uses HSM services when
providing “cryptographic service provider” functionality to applications.

3.

Access provider software to implement the connection between the cryptographic
API software and the HSMs.

Where key processing and storage is to be implemented using a standalone SafeNet
ProtectServer Network HSM, the cryptographic service provider will operate in
network mode.

In network mode, Network HSM Access Provider software is installed on the same
machine used to host the cryptographic API software. It is used to implement the
connection between and the SafeNet ProtectServer Network HSM and the
cryptographic host using a TCP/IP network connection. The SafeNet ProtectServer
Network HSM can then be located at any distance from the machine hosting the
access provider, cryptographic API and application software.

A network mode implementation of a cryptographic service provider using the
SafeNet ProtectServer Network HSMis shown in the next figure.

PC

– Network Client and Application Host

Crypto

API

Application

Network

Network HSM

Access

Provider

SafeNet ProtectServer
Network HSM

«
...
9
10
11
12
13
...
»

Содержание SafeNet ProtectServer

Страница 1: ...SafeNet ProtectServer Network HSM Installation and Configuration Guide ...

Страница 2: ...rt of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The information contained in this document is provided AS IS without any warranty of any kind Unless otherwise expressly agreed in writing Gemalto makes no warranty as to the value or accuracy of information contained herein The document could include technica...

Страница 3: ...pport plan arrangements made between Gemalto and your organization Please consult this support plan for further information about your entitlements including the hours when telephone support is available to you Contact method Contact Address Gemalto NV 4690 Millennium Drive Belcamp Maryland 21017 USA Phone Global 1 410 931 7520 Australia 1800 020 183 China 86 10 8851 9191 France 0825 341000 German...

Страница 4: ...iv Revision History Revision Date Reason A 14 March 2016 Release 5 2 ...

Страница 5: ...n 7 Chapter 5 Testing and configuration 9 Equipment requirements 9 Procedure overview 9 System testing 11 The PSE_status command 11 Network configuration 11 Using IPv6 addressing 12 Manually setting the IP address 12 Manually setting a hostname and default gateway 12 Setting a name server 13 Setting access control 13 SSH network access 14 Restarting networking 14 Powering off the SafeNet ProtectSe...

Страница 6: ... interface delete 23 network interface dhcp 23 network interface static 23 network iptables 24 network iptables addrule 24 network route 25 package 26 service 26 status 28 sysconf 31 sysconf appliance 31 sysconf snmp 31 sysconf snmp config 32 sysconf timezone 33 syslog 34 syslog tail 34 user password 35 Appendix A Technical specifications 37 ...

Страница 7: ...the product is used to implement a cryptographic service provider and the setup steps are given References to further documentation are cited where needed Chapter 4 describes the installation procedure Chapter 5 deals with testing and network setting configuration A troubleshooting section is included at the end of the chapter Chapter 6 provides a command reference for PSESH the appliance shell in...

Страница 8: ...erator These services include encryption decryption signature generation and verification and key management with a tamper resistant and battery backed key storage To implement a cryptographic service provider use the SafeNet ProtectServer Network HSM with one of SafeNet s high level cryptographic APIs The provider types that can be implemented and the corresponding SafeNet high level cryptographi...

Страница 9: ...0 eth1 Used to connect the appliance to the network HSM USB Used to connect a smart card reader to the appliance using the included USB to serial cable HSM serial port pin configuration The serial port on the USB to serial cable uses a standard RS232 male DB9 pinout as illustrated in Figure 2 Figure 2 HSM serial port pinout LEDs The front panel is equipped with the following LEDs Power Lights gree...

Страница 10: ...liance You can use the tamper lock during commissioning or decommisioning of the appliance to destroy any keys currently stored on the HSM When the key is in the horizontal Active position the HSM is in normal operating mode When the key is in the vertical Tamper position the HSM is in the tamper state and any keys previously stored on the HSM are destroyed CAUTION Turning the tamper key from the ...

Страница 11: ...er Network HSM the cryptographic service provider will operate in network mode In network mode Network HSM Access Provider software is installed on the same machine used to host the cryptographic API software It is used to implement the connection between and the SafeNet ProtectServer Network HSM and the cryptographic host using a TCP IP network connection The SafeNet ProtectServer Network HSM can...

Страница 12: ...Network HSM Access Provider software must be installed on the network client and configured to support operation in network mode Full details are in the SafeNet ProtectServer HSM Access Provider Installation Guide 5 Install the high level cryptographic API Install the high level cryptographic API to be used on the network client Please refer to the relevant installation guide supplied with the pro...

Страница 13: ...e the SafeNet cryptographic API software is installed Connect the SafeNet ProtectServer Network HSM to the network by inserting standard Ethernet cables into the LAN connectors located on the front of the SafeNet ProtectServer Network HSM The LAN connectors are autosensing 10 100 1000 Mb s Ethernet RJ45 ports Note The SafeNet ProtectServer Network HSM is equipped with two NICs eth0 and eth1 each o...

Страница 14: ...ct it to the HSM USB port on the card faceplate The card reader qualified with the ProtectServer product also requires connection to a PS 2 port for its power Many newer servers have USB ports but do not provide a PS 2 connection The options are Connect a PS 2 to USB adapter cable pink between the card reader and a USB port on the SafeNet ProtectServer Network HSM If you prefer to not expose USB p...

Страница 15: ...you can access the console remotely by connecting the RJ45 console port to a terminal emulation device such as a laptop or terminal server Note If you want to access the SafeNet ProtectServer Network HSM console remotely using the console port you will need a cable If your terminal device is equipped with a DB9 serial port you require a cable with an RJ45 connector on one end and a DB9 serial port...

Страница 16: ...t ProtectServer Network HSM will prompt for login credentials If you are using a monitor keyboard you can log in as pseoperator admin or root If you are using a serial connection you can log in as pseoperator or admin If you log in as pseoperator or admin you are placed in the PSE shell PSESH which provides a CLI for configuring and managing the appliance See PSESH Command Reference on page 15 If ...

Страница 17: ...Command Reference on page 15 to verify that the PSE2 is functioning correctly as described below The PSE_status command Syntax PSE_status Description This utility displays the current status of the SafeNet ProtectServer Network HSM It provides the following information the status of the HSM installed in the SafeNet ProtectServer Network HSM If the unit is functioning correctly a message that inclu...

Страница 18: ...ch can be configured with its own IP address es The IP address for each NIC is specified in the following files NIC Configuration file eth0 etc sysconfig network scripts ifcfg eth0 eth1 etc sysconfig network scripts ifcfg eth1 Note If you want to use the eth1 interface you must create this file The recommended method is to copy rename and edit the ifcfg eth0 file The entries in the ifcfg eth 0 1 f...

Страница 19: ...cess control on the SafeNet ProtectServer Network HSM is performed using iptables 8 Below is a list of iptables 8 commands iptables ADC chain rule specification options iptables I chain rulenum rule specification options iptables R chain rulenum rule specification options iptables D chain rulenum options iptables LFZ chain options iptables N chain iptables X chain iptables P chain target options i...

Страница 20: ...he following command to restart networking etc init d networking restart Powering off the SafeNet ProtectServer Network HSM Note It is recommended that you use psesh sysconf appliance poweroff to power off the appliance You can also manually power off the appliance You must be logged in as root to do so To manually power off the SafeNet ProtectServer Network HSM 1 Enter the shutdown or poweroff co...

Страница 21: ...lity and how it is detected Troubleshooting Each SafeNet ProtectServer Network HSM is tested during manufacture to ensure a high level of quality In the unlikely event the unit is not functioning correctly please re check the installation procedure paying particular attention to the power source and network cable connection Running the diagnostic utility program hsmstate as discussed in the System...

Страница 22: ...P addresses iptables and routes etc as well as appliance settings such as the date time SNMP configuration etc admin The admin user is responsible for managing the appliance The admin user is able to execute all of the PSESH commands available to the pseoperator as well as commands used to perform package upgrades installations troubleshooting viewing log files and extracting log files The admin u...

Страница 23: ...HSM for client access by configuring network parameters such as the IP addresses iptables routes etc as well as device s date time snmp settings etc admin In addition to the pseoperator commands admin user will be responsible for package upgrades installs admin will also be able to reset pseoperator password and run commands for troubleshooting and viewing and extracting log files 2 You are prompt...

Страница 24: ...nage the software packages installed the appliance service Manage the services on the appliance status Display the current status of the appliance sysconf Configure the appliance time date or SNMP settings or reboot or power off the appliance syslog Display or archive the syslog user Set or change the password of the current user exit Exit the PSESH shell This ends the PSESH session User access ad...

Страница 25: ...sult 0 Success psesh files delete PTKnetsrv 5 2 0 4 i386 rpm This will delete file PTKnetsrv 5 2 0 4 i386 rpm in the scp folder Continue y n y Proceeding File PTKnetsrv 5 2 0 4 i386 rpm deleted Command Result 0 Success psesh files clear This will delete all the files in the scp folder Continue y n y Proceeding All files deleted Command Result 0 Success help Display syntax help for the specified co...

Страница 26: ... the command to proceed silently without prompting you for input this is useful for scripting Command Result 0 Success psesh hsm Syntax hsm The following subcommands are available Name short Description state s Shows HSM State reset r Reset HSM Command Result 0 Success hsm Display the current state of the HSM or reset the HSM if it becomes unresponsive User access admin pseoperator Syntax hsm stat...

Страница 27: ...ce Enter this keyword followed by the domain name hostname h Set the hostname for the appliance interface in Configure the appliance network interfaces See network interface below iptables ip Configure the iptables firewall for the appliance You can use this command to configure the iptables ACCEPT and DROP rules See network iptables below ping p Test connectivity from the appliance to the specifi...

Страница 28: ... Example psesh net dns add nameserver 192 16 0 2 Success Nameserver 192 16 0 2 added psesh net dns add searchdomain 192 16 0 0 Success Searchdomain entry 192 16 0 0 added psesh net dns delete nameserver 192 16 0 2 Success Nameserver 192 16 0 2 deleted psesh net dns delete searchdomain 192 16 0 0 Success Searchdomain entry 192 16 0 0 deleted network interface Configure the appliance network interfa...

Страница 29: ...mic IP address Note DHCP is not recommended Syntax network interface dhcp device netdevice force Parameter Shortcut Description device netdevice d Specifies the interface you want to configure to use DHCP Valid values eth0 eth1 network interface static Configure a static IP address on the specified network interface Syntax network interface static device netdevice ip ipaddress netmask ipaddress ga...

Страница 30: ...to forward packets as in a router or proxy Syntax network iptables show addrule delrule save clear Parameter Shortcut Description addrule a Add an ACCEPT or DROP rule to the iptables firewall for the appliance See network iptables addrule below clear c Add a host or network DROP rule to the iptable for the appliance delrule ip_address d Specifies the IP address of the host you are adding the rule ...

Страница 31: ...e for the appliance CAUTION Use this command only under the advice and supervision of your network administrator Syntax network route add route_type ipaddress device interface metric metric netmask ipaddress gateway ipaddress force Parameter Shortcut Description route_type Specifies the type of route you want to add Valid values host network ip_address Specifies the IP address of the route you wan...

Страница 32: ...e appliance s SCP directory Example psesh package list ptk PTKpcihsmK6 5 2 0 4 i386 PTKnetsrv 5 2 0 4 i386 Command Result 0 Success psesh package update file PTKpcihsmK6 5 2 0 4 i386 service Manage the following services on the appliance network Network service needed for etnetserver ssh and scp etnetserver HSM service required for client connections iptables Firewall service snmp SNMP agent servi...

Страница 33: ...id values network etnetserver iptables snmp ssh syslog start service star Stop the specified service Valid values network etnetserver iptables snmp ssh syslog status service stat Display the status stopped not stopped of the specified service Valid values network etnetserver iptables snmp ssh syslog stop service sto Stop the specified service Valid values network etnetserver iptables snmp ssh sysl...

Страница 34: ... of five entries as follows 1 The average CPU load for the previous minute This value is 0 14 in the example below 2 The average CPU load for the previous five minutes This value is 0 10 in the example below 3 The average CPU load for the previous ten minutes This value is 0 08 in the example below 4 The number of currently running processes and the total number of processes The example below show...

Страница 35: ...sesh status interface eth0 Link encap Ethernet HWaddr 00 0D 48 3B 5E E4 inet addr 172 20 11 150 Bcast 172 20 11 255 Mask 255 255 255 0 inet6 addr fe80 20d 48ff fe3b 5ee4 64 Scope Link UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 1431830 errors 0 dropped 0 overruns 0 frame 0 TX packets 557730 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 RX bytes 681075738 649 ...

Страница 36: ... Proto RefCnt Flags Type State I Node Path unix 5 DGRAM 10269 dev log unix 2 ACC STREAM LISTENING 8394 com ubuntu upstart unix 2 DGRAM 8828 org kernel udev udevd unix 2 DGRAM 24040 unix 2 DGRAM 24010 unix 2 DGRAM 10425 unix 3 DGRAM 8845 unix 3 DGRAM 8844 Command Result 0 Success psesh status ps USER PID CPU MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0 0 0 1 2900 1404 Ss Jan21 0 02 sbin init ro...

Страница 37: ...iance timezone See sysconf timezone below sysconf appliance Reboot or power off the appliance Syntax sysconf appliance poweroff reboot Parameter Shortcut Description poweroff p Power off the appliance reboot r Reboot the appliance sysconf snmp Enable or disable the SNMP service or display or configure the SNMP settings for the appliance Syntax sysconf snmp config disable enable show Parameter Shor...

Страница 38: ...slocation TESTLAB syscontact TESTCONTACT com2sec secName 192 168 11 17 COMMUNITY group secNameGroup v2c secName view systemview included 1 3 6 1 2 1 1 view systemview included 1 3 6 1 2 1 2 view systemview included 1 3 6 1 2 1 25 1 view systemview included 1 3 6 1 2 1 25 2 view systemview included 1 3 6 1 2 1 25 3 view systemview included 1 3 6 1 2 1 25 4 access secNameGroup any noauth exact syste...

Страница 39: ...t originate on the appliance location l Specifies the location of the SNMP server on the appliance Enter this keyword followed by the location string Enclose the string in quotes if it contains spaces sysconf timezone Display or set the timezone on the appliance Syntax sysconf timezone set show Parameter Shortcut Description set se Set the time zone on the appliance The appliance uses the Linux st...

Страница 40: ...slog tail Display the last entries of the syslog If no number is included the command displays the entire syslog Syntax syslog tail logname logname entries logentries search string Parameter Shortcut Description entries integer e Specifies the number of entries to display If this parameter is not specified the entire log is displayed Enter this keyword followed by the number of log entries you wan...

Страница 41: ...ion 5 8 10 x pid 927 x info http www rsyslog com rsyslogd was HUPed Feb 12 12 14 59 PSe II psesh 4341 info 0 Command syslog tail logname messages entries 10 admin 172 16 181 182 51177 Feb 12 12 15 16 PSe II psesh 4341 info 0 Command syslog tail logname messages entries 10 admin 172 16 181 182 51177 Command Result 0 Success user password Set or change the password for the current user The admin use...

Страница 42: ...word for user admin New password BAD PASSWORD it is based on a dictionary word Retype new password passwd all authentication tokens updated successfully Command Result 0 Success psesh user password user pseoperator Changing password for user pseoperator New password Retype new password passwd all authentication tokens updated successfully ...

Страница 43: ...ard disk DOM 10 100 1000 Mbps autosensing Network Interface with RJ45 LAN connector Pre installed Software Linux operating system SafeNet PCI HSM Access Provider software SafeNet HSM Net Server software Power Supply Nominal power consumption 43 W Input AC voltage range 100 240 V Input frequency range 50 60 Hz Physical properties 437 mm W x 270 mm D x 44 mm H 1U 19 rack mounting brackets included W...

Страница 44: ...END OF DOCUMENT ...

Отзывы:

Нет отзывов

Похожие инструкции для SafeNet ProtectServer

Leroy-Somer R180

Бренд: Nidec Страницы: 20

Бренд: Waterway Страницы: 16

Бренд: Panasonic Страницы: 72

Бренд: Panasonic Страницы: 45

Бренд: Panasonic Страницы: 24

Бренд: Rachio Страницы: 2

Бренд: Paradox Страницы: 2

Бренд: Eaton Страницы: 8

Бренд: ABB Страницы: 44

Бренд: Omega Страницы: 2

Бренд: Zmotion Страницы: 34

Бренд: GBD Страницы: 60

Бренд: HEIDENHAIN Страницы: 257

TempMaster M2 Plus Series

Бренд: Mold-Masters Страницы: 2

Бренд: Spirax Sarco Страницы: 24

Бренд: Trinamic Страницы: 30

Бренд: FUTABA Страницы: 16

Бренд: elsner elektronik Страницы: 148

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды