Thales SafeNet ProtectServer Network HSM 5.9 Скачать руководство пользователя страница 26 | Manualshive

Страница: 26 / 37

Thales SafeNet ProtectServer Network HSM 5.9 Скачать руководство пользователя страница 26

Chapter 4: Testing and Configuration

connected to the network. If eth0 is disconnected from the network, eth1 also loses DNS server access. To
ensure that any DNS server you add is available in the event of a network or port failure, it is recommended
that you add it to both network-connected devices.

If you have chosen to perform setup via SSH, you will likely lose your network connection as you confirm the
change of IP address from the default setting.

7.

[Optional] Add iptables ACCEPT and DROP rules to manage network access to the appliance.

By default, the ProtectServer Network HSM allows access to all networks and hosts. The default policy for
the INPUT and OUTPUT chain is set to ACCEPT. The default policy for the FORWARD chain is set to
DROP, since the ProtectServer Network HSM is not used to forward packets, as in a router or proxy.

CAUTION!

If you are configuring iptables via SSH, a malformed rule can cause a lockout.

a.

To add an ACCEPT rule, specify a host or network:

psesh:>

network iptables addrule accept host -ip

<IP_address>

psesh:>

network iptables addrule accept network -net

<IP_address>

-mask

<netmask>

b.

To add a DROP rule, specify a host or network:

psesh:>

network iptables addrule drop host -ip

<IP_address>

psesh:>

network iptables addrule drop network -net

<IP_address>

-mask

<netmask>

c.

To see the current list of rules:

psesh:>

network iptables show

d.

To delete a rule, specify the rule's position on the list:

psesh:>

network iptables delrule -rulenum

<number>

A rule's number is based on its current list position, so executing

network iptables delrule -rulenum 1

multiple times will eventually delete the entire list.

e.

Save your iptables changes:

psesh:>

network iptables save

You must execute this command, or any changes will be lost on the next appliance reboot.

8.

After making any change to the network configuration, reboot the appliance:

psesh:>

sysconf appliance reboot

9.

View the new network settings:

psesh:>

network show

SSH Network Access

After you have completed the network configuration, you can access the ProtectServer Network HSM over the
network using the SSH protocol. You need an SSH client such as puTTY (available for free from

).

SafeNet ProtectToolkit 5.9 Installation and Configuration Guide

007-013682-007 Rev. A 08 January 2020 Copyright 2009-2020 Thales

26

«
...
24
25
26
27
28
...
»

Содержание SafeNet ProtectServer Network HSM 5.9

Страница 1: ...SafeNet ProtectServer Network HSM 5 9 INSTALLATION AND CONFIGURATION GUIDE ...

Страница 2: ...ocument shall not be posted on any publicly accessible network computer or broadcast in any media and no modification of any part of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The information contained in this document is provided AS IS without any warranty of any kind Unless otherwise expressly agreed in wr...

Страница 3: ...t incidental or consequential damages that result from any use of its products It is further stressed that independent testing and verification by the person using the product is particularly encouraged especially in any application in which defective incorrect or insecure functioning could result in damage to persons or property denial of service or loss of privacy All intellectual property is pr...

Страница 4: ...Messaging System SMS 17 Networking and Firewall Configuration 18 Separation of Roles 18 Chapter 4 Testing and Configuration 20 First Login and System Test 20 Access the Console 20 Power on and Login 21 Run System Test 22 Network Configuration 22 Gathering Appliance Network Information 23 Configuring the Network Parameters 24 SSH Network Access 26 Powering off the ProtectServer Network HSM 27 Troub...

Страница 5: ...ent status and revision history see Document Information on page 2 Gemalto Rebranding In early 2015 Gemalto completed its acquisition of SafeNet Inc As part of the process of rationalizing the product portfolios between the two organizations the SafeNet name has been retained As a result the product names for SafeNet HSMs have changed as follows Old product name New product name ProtectServer Exte...

Страница 6: ...document are proficient with security concepts Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes Notes are used to alert you to important or helpful information They use the following format NOTE Take note Contains important or helpful information Cautions Cautions are used to alert you to important in...

Страница 7: ...command descriptions angle brackets represent variables You must substitute a value for command line arguments that are enclosed in angle brackets optional optional Represent optional keywords or variables in a command line description Optionally enter the keyword or variable that is enclosed in square brackets if it is necessary or desirable to complete the task a b c a b c Represent required alt...

Страница 8: ...ailable to you Customer Support Portal The Customer Support Portal at https supportportal thalesgroup com is where you can find solutions for most common problems The Customer Support Portal is a comprehensive fully searchable database of support resources including software and firmware downloads release notes listing known problems and workarounds a knowledge base FAQs product documentation tech...

Страница 9: ...eneration and verification and key management with a tamper resistant and battery backed key storage The ProtectServer Network HSM must be used with one of SafeNet s high level cryptographic APIs The following table shows the provider types and their corresponding SafeNet APIs API SafeNet Product Required PKCS 11 SafeNet ProtectToolkit C JCA JCE SafeNet ProtectToolkit J Microsoft IIS and CA SafeNe...

Страница 10: ...erial port pinout LEDs The front panel is equipped with the following LEDs Power Illuminates green to indicate that the unit is powered on HDD Flashes amber to indicate hard disk activity Status Flashes green on startup Reset button The reset button is located between the USB and Ethernet ports Pressing the reset button forces an immediate restart of the appliance Although it does not power off th...

Страница 11: ...sists of three general components One or more hardware security modules HSMs for key processing and storage High level cryptographic API software This software uses the HSM s cryptographic capabilities to provide security services to applications Access provider software to allow communication between the API software and the HSMs Operating in network mode a standalone ProtectServer Network HSM ca...

Страница 12: ... Installation Guide 5 Install the high level cryptographic API software Please refer to the relevant installation guide supplied with the product SafeNet ProtectToolkit C Administration Guide SafeNet ProtectToolkit J Installation Guide SafeNet ProtectToolkit M User Guide 6 Configure the high level cryptographic API to allow preferred operating modes Some of these tasks may include establishing a t...

Страница 13: ...tasks in the order indicated 1 Ensure that you have all of the required components as listed in ProtectServer Network HSM Required Items on the next page 2 Install and connect the hardware as described in Installing the ProtectServer Network HSM Hardware on page 15 SafeNet ProtectToolkit 5 9 Installation and Configuration Guide 007 013682 007 Rev A 08 January 2020 Copyright 2009 2020 Thales 13 ...

Страница 14: ...r included with the shipment from our factory Please source your power cables locally for the intended deployment destination To configure your ProtectServer Network HSM you will need to supply and connect a keyboard mouse and display monitor After the appliance is placed into service the keyboard mouse and monitor can be disconnected from the appliance Optional Items The following table describes...

Страница 15: ...t the ProtectServer Network HSM in a standard 19 inch rack NOTE The power supply cord acts as the unit s disconnect device The main outlet socket to which the unit is connected must be easily accessible 2 Connect the ProtectServer Network HSM to the network by inserting standard Ethernet cables into the LAN connectors located on the unit s front face labelled eth0 and eth1 The client machine s wit...

Страница 16: ...reader connect it to the HSM USB port with the included USB to serial cable The legacy card reader must also be connected to a PS 2 port for its power Many newer servers have USB ports but do not provide a PS 2 connection If there is no available PS 2 connection there are two options Connect a PS 2 to USB adapter pink in the image below between the card reader and a USB port on the ProtectServer N...

Страница 17: ...Secure Messaging System SMS enhances the security of the client HSM channel SMS provides an encrypted channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code MAC approved by the FIPS 140 2 standard Refer to Secure Messaging on page 1 in the SafeNet ProtectToolkit C Administration Guide for a detailed description of SMS functionality NOT...

Страница 18: ... times Further restrictions on communication between network segments can be enforced by means of static routes See Network Configuration on page 22 for instructions on setting up static routes The ProtectServer Network HSM supports an iptables based firewall The firewall must be configured with appropriate rules to restrict access to identified network resources only See Network Configuration on ...

Страница 19: ...er Roles on page 1 in the SafeNet ProtectToolkit C Administration Guide for the responsibilities of each role SafeNet ProtectToolkit 5 9 Installation and Configuration Guide 007 013682 007 Rev A 08 January 2020 Copyright 2009 2020 Thales 19 ...

Страница 20: ...e Console To test the system and configure the network you must first access the ProtectServer Network HSM console There are two options Direct access Connect a keyboard and monitor not included to the USB keyboard and VGA monitor ports located on the unit s front panel Console access Connect the RJ45 console port to a terminal emulation device such as a laptop or terminal server NOTE To access th...

Страница 21: ...System is booting this may take few minutes SafeNet Protect Server System boot Successful If you are using a serial connection no startup messages are displayed Power up is complete when the login prompt appears Protect Server External 5 9 0 PSE II login You can login as admin or pseoperator to access the PSE shell PSESH which provides a CLI for configuring and managing the appliance See the PSESH...

Страница 22: ...You can also use the PSESH command status to check each of the HSM s processes See the PSESH Command Reference Guide for command syntax Network Configuration The ProtectServer Network HSM is intended to be installed in a data center and accessed remotely over a network Network access is provided by two Ethernet LAN ports The ProtectServer Network HSM is also equipped with an RJ 45 console port use...

Страница 23: ...nfigure the following settings DNS nameservers DNS search domains These settings apply to static network configurations only If you are using DHCP the DNS search domains and DNS nameservers configured on the DHCP server are used Network device bonding Gathering Appliance Network Information Before you begin obtain the following information see your network administrator for most of these items HSM...

Страница 24: ...s improving bandwidth and providing redundancy NOTE Use network interface bonding with static IP addresses only If DHCP is used the bond will be broken if one interface is assigned a different IP psesh network interface bonding config ip IP netmask IP gateway IP mode mode psesh network interface bonding enable psesh sysconf appliance reboot Multiple bonding modes provide different options for load...

Страница 25: ...omain name settings apply to static network configurations only If you are using DHCP the DNS name servers configured on the DHCP server are used When you add a DNS server to a specific network device it is added to the DNS table for the appliance and becomes available to both devices provided the device you added it to is connected to the network For example if you add a DNS server to eth0 eth1 w...

Страница 26: ...sh network iptables addrule accept network net IP_address mask netmask b To add a DROP rule specify a host or network psesh network iptables addrule drop host ip IP_address psesh network iptables addrule drop network net IP_address mask netmask c To see the current list of rules psesh network iptables show d To delete a rule specify the rule s position on the list psesh network iptables delrule ru...

Страница 27: ...ase do not disassemble the unit to resolve problems unless directed by a Thales support engineer If it ever becomes necessary to get into the BIOS press Delete as the ProtectServer Network HSM boots For further assistance contact your supplier or Thales support with the following details at hand The product serial number at the back of the unit A detailed description of the current system configur...

Страница 28: ...software 5 2 0 or 5 3 0 1 Use scp Linux UNIX or pscp Windows to securely transfer the patch file to the appliance filesystem Enter the root password when prompted pscp filepath SPKG 0 1 1 i386 rpm root appliance_hostname IP scp filepath SPKG 0 1 1 i386 rpm root appliance_hostname IP 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as root 3 Update the RPM...

Страница 29: ...ppliance filesystem Enter the admin password when prompted pscp filepath filename admin appliance_hostname IP scp filepath filename admin appliance_hostname IP 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as admin 3 Optional Confirm that the package is available to install psesh package listfile 4 Install the secure package specifying the package file...

Страница 30: ...45 LAN connector Pre installed Software Linux operating system ProtectServer HSM Access Provider software ProtectServer HSM Net Server software Power Supply Nominal power consumption 43 W Input AC voltage range 100 240 V Input frequency range 50 60 Hz Physical properties 437 mm W x 270 mm D x 44 mm H 1U 19 rack mounting brackets included Weight 5 kg 11 lb Operating Environment Temperature 0 to 40 ...

Страница 31: ... B Block Cipher A cipher that processes input in a fixed block size greater than 8 bits A common block size is 64 bits Bus One of the sets of conductors wires PCB tracks or connections in an IC C CA Certification Authority CAST Encryption algorithm developed by Carlisle Adams and Stafford Tavares Certificate A binding of an identity individual group etc to a public key which is generally signed by...

Страница 32: ...nt and to ensure that the doc ument has not be altered in transit DLL Dynamically Linked Library A library which is linked to application programs when they are loaded or run rather than as the final phase of compilation DSA Digital Signature Algorithm E Encryption The process of converting the plaintext data into the ciphertext so that the content of the data is no longer obvious Some algorithms ...

Страница 33: ...y Module Dispatch Switcher H HA High Availability HIFACE Host Interface It is used to communicate with the host system HSM Hardware Security Module I IDEA International Data Encryption Algorithm IIS Microsoft Internet Information Services IP Internet Protocol J JCA Java Cryptography Architecture SafeNet ProtectToolkit 5 9 Installation and Configuration Guide 007 013682 007 Rev A 08 January 2020 Co...

Страница 34: ...t gov div897 pubs fip113 htm For information on HMAC algorithms see RFC 2104 at http www ietf org rfc rfc2104 txt Message Digest A condensed representation of a data stream A message digest will convert an arbitrary data stream into a fixed size output This output will always be the same for the same input stream however the input cannot be reconstructed from the digest MSCAPI Microsoft Cryptograp...

Страница 35: ...untimes including software only hardware adapter and host security module based variants A Remote client and server are also available ProtectToolkit J SafeNet s implementation of JCE Runs on top of ProtectToolkit C R RC2 RC4 Ciphers designed by RSA Data Security Inc RFC Request for Comments proposed specifications for various protocols and algorithms archived by the Internet Engin eering Task For...

Страница 36: ...slot which is capable of holding a token SlotPKCS 11 Slot which is capable of holding a token SO Security Officer Symmetric Cipher An encryption algorithm that uses the same key for encryption and decryption DES RC4 and IDEA are all sym metric algorithms T TC Trusted Channel TCP IP Transmission Control Protocol Internet Protocol Token PKCS 11 token that provides cryptographic services and access c...

Страница 37: ...rtificate as user certificate public key certificate certificate The public keys of a user together with some other information rendered unforgeable by encipherment with the private key of the cer tification authority which issued it SafeNet ProtectToolkit 5 9 Installation and Configuration Guide 007 013682 007 Rev A 08 January 2020 Copyright 2009 2020 Thales 37 ...

Отзывы:

Нет отзывов