Thales SafeNet ProtectServer Network HSM Plus 5.8 Скачать руководство пользователя страница 23 | Manualshive

Страница: 23 / 42

Thales SafeNet ProtectServer Network HSM Plus 5.8 Скачать руководство пользователя страница 23

CHAPTER 3:

Deployment Guidelines

Users must consider the following best practices for security and compliance when deploying SafeNet
ProtectServer Network HSMs for their network/application environment:

>

"Secure Messaging System (SMS)" below

>

"Networking and Firewall Configuration" on the next page

>

"Separation of Roles" on the next page

Secure Messaging System (SMS)

SafeNet ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which
is erased when a tamper is detected. The stored keys are accessed through PKCS#11 calls from the client.
Client calls to a Network HSM traverse the network layer (TCP/IP). In the default security mode, this
communication channel between the HSM and the client is unencrypted. Configure the HSM security policy to
improve this channel's security. Refer to

"Security Flags" on page 1

in the

PTK-C Administration Guide

for

descriptions of the available flags and how they affect your implementation.

The Secure Messaging System (SMS) enhances the security of the client-HSM channel. SMS provides an
encrypted channel between the client and the HSM and authenticates messages on that channel using a
Message Authentication Code (MAC) approved by the FIPS 140-2 standard. Refer to

"Secure Messaging" on

in the

PTK-C Administration Guide

for a detailed description of SMS functionality.

NOTE

SMS encrypts and authenticates messages between the client and HSM, but does

not provide means for the HSM to authenticate client credentials or vice-versa.

The HSM supports the following SMS modes:

>

HIMK

>

ADH

>

ADH2 (PTK 5.4 and above)

For secure deployment, use ADH or ADH2. Refer to

"Secure Messaging" on page 1

in the

PTK-C

Administration Guide

for descriptions of the difference between these modes.

The SMS feature is flexible and can be configured to:

>

Encrypt/decrypt all messages

>

Sign/verify all messages

>

Allow only FIPS-approved mechanisms

>

Rotate signing and encryption keys after a specified number of packets or hours

>

All of the above

SafeNet ProtectToolkit 5.8 Installation and Configuration Guide

007-013682-006 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto

23

«
...
21
22
23
24
25
...
»

Содержание SafeNet ProtectServer Network HSM Plus 5.8

Страница 1: ...SafeNet ProtectServer Network HSM Plus 5 8 INSTALLATION AND CONFIGURATION GUIDE ...

Страница 2: ...that The copyright notice the confidentiality and proprietary legend and this full warning notice appear in all copies This document shall not be posted on any publicly accessible network computer or broadcast in any media and no modification of any part of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The info...

Страница 3: ...stems or equipment incorporating Gemalto products Gemalto disclaims any liability with respect to security for direct indirect incidental or consequential damages that result from any use of its products It is further stressed that independent testing and verification by the person using the product is particularly encouraged especially in any application in which defective incorrect or insecure f...

Страница 4: ...g the SafeNet ProtectServer Network HSM Plus Hardware 19 Chapter 3 Deployment Guidelines 23 Secure Messaging System SMS 23 Networking and Firewall Configuration 24 Separation of Roles 24 Chapter 4 Testing and Configuration 26 First Login and System Test 26 Access the Console 26 Power on and Log in 27 Run System Test 27 Network Configuration 28 Gathering Appliance Network Information 28 Configuring...

Страница 5: ...Appendix A Technical Specifications 35 Glossary 36 SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 5 ...

Страница 6: ...t page Support Contacts on page 9 For information regarding the document status and revision history see Document Information on page 2 Gemalto Rebranding In early 2015 Gemalto completed its acquisition of SafeNet Inc As part of the process of rationalizing the product portfolios between the two organizations the SafeNet name has been retained As a result the product names for SafeNet HSMs have ch...

Страница 7: ...nformation processes and procedures contained in this document are intended for use by trained and qualified personnel only It is assumed that the users of this document are proficient with security concepts Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes Notes are used to alert you to important or h...

Страница 8: ...or to indicate a related document See the Installation Guide for more information variable In command descriptions angle brackets represent variables You must substitute a value for command line arguments that are enclosed in angle brackets optional optional Represent optional keywords or variables in a command line description Optionally enter the keyword or variable that is enclosed in square br...

Страница 9: ...can find solutions for most common problems The Customer Support Portal is a comprehensive fully searchable database of support resources including software and firmware downloads release notes listing known problems and workarounds a knowledge base FAQs product documentation technical notes and more You can also use the portal to create and manage support cases NOTE You require an account to acce...

Страница 10: ...ation and key management with a tamper resistant and battery backed key storage The SafeNet ProtectServer Network HSM Plus must be used with one of SafeNet s high level cryptographic APIs The following table shows the provider types and their corresponding SafeNet APIs API SafeNet Product Required PKCS 11 SafeNet ProtectToolkit C JCA JCE SafeNet ProtectToolkit J Microsoft IIS and CA SafeNet Protec...

Страница 11: ...ge the mounting posts at the left and right ends of the appliances front panel f Rack mount tabs removable Use the tabs on the front and the sliding tabs towards the rear of the appliance to support your SafeNet appliance in a compatible equipment rack g Securing screw for fan bay Torx screw secures the fan bay CAUTION Opening the fan bay will trigger a tamper event on the device h i USB ports Unc...

Страница 12: ...r decommissioning of the appliance to destroy any keys currently stored on the HSM CAUTION Activating the tamper switch deletes any keys currently stored on the HSM Deleted keys are not recoverable Ensure that you always back up your keys To avoid accidentally deleting the keys on an operational SafeNet ProtectServer Network HSM Plus ensure the users with access to the appliance are familiar with ...

Страница 13: ... HSMs for key processing and storage High level cryptographic API software This software uses the HSM s cryptographic capabilities to provide security services to applications Access provider software to allow communication between the API software and the HSMs Operating in network mode a standalone SafeNet ProtectServer Network HSM Plus can provide key processing and storage In network mode acces...

Страница 14: ...s Provider Installation Guide 5 Install the high level cryptographic API software Please refer to the relevant installation guide supplied with the product SafeNet ProtectToolkit C Administration Guide SafeNet ProtectToolkit J Installation Guide SafeNet ProtectToolkit M User Guide 6 Configure the high level cryptographic API to allow preferred operating modes Some of these tasks may include establ...

Страница 15: ...tasks in the order indicated 1 Ensure that you have all of the required components as listed in SafeNet ProtectServer Network HSM Plus Required Items on the next page 2 Install and connect the hardware as described in Installing the SafeNet ProtectServer Network HSM Plus Hardware on page 19 SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyrig...

Страница 16: ...st to verify that you have all of the items required for the installation Qty Item 1 SafeNet ProtectServer Network HSM Plus Appliance 1 Null Modem Serial Cable 1 USB 2 0 to RS232 Serial Adapter 1 Smart card reader SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 16 ...

Страница 17: ...for final deployment to different countries which has resulted in many wasted power cables that are incorrect format for destination countries Please source your power cables locally for the deployment destination Software is available by download from Gemalto Physical media for software and documentation are special request items Optional Items The following table describes additional items which...

Страница 18: ...ns Gemalto recommends ordering at least two 2 OTP tokens for each slot on the HSM one each for the Security Officer and Token User PN 955 000237 001 1 ProtectServer compatible Verifone PIN pad enables manual key component entry PN 934 000087 001 SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 18 ...

Страница 19: ...nd UNIX platforms 3 All two tasks Client and administration can be performed on a single computer but in normal practice they are often separate tasks for separate computers Installing the SafeNet ProtectServer Network HSM Plus Hardware You can optionally install the brackets if they suit your equipment rack The front brackets can be installed with their tabs forward for flush mount of the applian...

Страница 20: ...rear panel The SafeNet ProtectServer Network HSM Plus is equipped with two NICs eth0 and eth1 incorporating an IPv4 IPv6 dual stack allowing you to configure both an IPv4 and IPv6 address on each interface If you intend to use both NICs connect Ethernet cables to both LAN connectors For proper redundancy and best reliability the power cables should connect to two independent power sources 4 Press ...

Страница 21: ...reader into the HSM USB port on the back of the device as illustrated below Installing the legacy card reader To install the smart card reader connect it to the HSM USB port with the included USB to serial cable The legacy card reader must also be connected to a PS 2 port for its power Many newer servers have USB ports but do not provide a PS 2 connection If there is no available PS 2 connection t...

Страница 22: ...ctServer Network HSM Plus Hardware Installation Next see Testing and Configuration on page 26 SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 22 ...

Страница 23: ...he Secure Messaging System SMS enhances the security of the client HSM channel SMS provides an encrypted channel between the client and the HSM and authenticates messages on that channel using a Message Authentication Code MAC approved by the FIPS 140 2 standard Refer to Secure Messaging on page 1 in the PTK C Administration Guide for a detailed description of SMS functionality NOTE SMS encrypts a...

Страница 24: ... restrictions on communication between network segments can be enforced by means of static routes See Network Configuration on page 28 for instructions on setting up static routes The SafeNet ProtectServer Network HSM supports an iptables based firewall The firewall must be configured with appropriate rules to restrict access to identified network resources only See Network Configuration on page 2...

Страница 25: ...es See User Roles on page 1 in the PTK C Administration Guide for the responsibilities of each role SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 25 ...

Страница 26: ...Console below Power on and Log in on the next page Run System Test on the next page Access the Console To test the system and configure the network you must first access the SafeNet ProtectServer Network HSM Plus console You must connect a terminal directly to the serial port on the front end of the appliance with a null modem serial cable Use the console port to configure at least one of the netw...

Страница 27: ...any time login to the account and use the command user password The admin user can reset all account passwords to their factory defaults at any time with the PSESH command sysconf appliance factory This command will also reset the SNMP and network settings to their factory defaults CAUTION Executing sysconf appliance factory over an SSH connection may cause you to lose connection with the applianc...

Страница 28: ... format for example 255 255 255 0 IPv6 devices can use full or shorthand syntax Static network route DNS configuration Although you configure DNS at the device level the settings you configure for a device are available to all devices on the appliance if the configured device is connected to the network To ensure DNS access it is recommended that you configure each device You can configure the fol...

Страница 29: ...r pseoperator 2 Configure the IP address network mask and gateway optional on at least one of the Ethernet LAN ports eth0 or eth1 You can specify a static address or retrieve one from a DHCP server You can configure each port to use an IPv4 or IPv6 address Static psesh network interface static device netdevice ip IP netmask IP gateway IP DHCP psesh network interface dhcp device netdevice Either of...

Страница 30: ...d by ARP negotiation The bonding driver intercepts the ARP replies sent by the appliance and overwrites the source hardware address with the unique hardware address of one of the bonded devices Different clients will therefore use different hardware addresses for the appliance 4 Optional Set the appliance hostname and domain name psesh network hostname hostname psesh network domain netdomain You m...

Страница 31: ...ion as you confirm the change of IP address from the default setting 7 Optional Add iptables ACCEPT and DROP rules to manage network access to the appliance By default the SafeNet ProtectServer Network HSM allows access to all networks and hosts The default policy for the INPUT and OUTPUT chain is set to ACCEPT The default policy for the FORWARD chain is set to DROP since the SafeNet ProtectServer...

Страница 32: ...ectServer Network HSM Plus is tested during manufacture to ensure a high level of quality In the unlikely event the unit is not functioning correctly please re check the installation procedure paying particular attention to the power source and network cable connection Running the diagnostic command hsm state as described in First Login and System Test on page 1 is the only method available to tes...

Страница 33: ... not need to apply this patch Prerequisites Download the patch SPKG 0 1 1 i386 rpm from the Gemalto Customer Support Portal see Support Contacts on page 9 Ensure that you have admin access to the appliance To install the secure package update patch 1 Use scp Linux UNIX or pscp Windows to securely transfer the patch file to the appliance filesystem Enter the admin password when prompted pscp filepa...

Страница 34: ... appliance_hostname IP scp filepath filename admin appliance_hostname IP 2 Connect to the appliance using a monitor and keyboard serial connection or SSH and log in as admin 3 Optional Confirm that the package is available to install psesh package listfile 4 Install the secure package specifying the package filename and the authorization code If the HSM is initialized enter the Admin Token PIN whe...

Страница 35: ...Software Linux operating system SafeNet PCI HSM Access Provider software SafeNet HSM Net Server software Power Supply Nominal power consumption 156 W Input AC voltage range 100 240 V Input frequency range 50 60 Hz Physical properties 482 mm W x 533 mm D x 44 mm H 1U 19 rack mounting brackets included Weight 12 7 kg 28 lb Operating Environment Temperature 0 to 40 C 32 to 104 F Relative Humidity 5 t...

Страница 36: ...B Block Cipher A cipher that processes input in a fixed block size greater than 8 bits A common block size is 64 bits Bus One of the sets of conductors wires PCB tracks or connections in an IC C CA Certification Authority CAST Encryption algorithm developed by Carlisle Adams and Stafford Tavares Certificate A binding of an identity individual group etc to a public key which is generally signed by ...

Страница 37: ...t and to ensure that the doc ument has not be altered in transit DLL Dynamically Linked Library A library which is linked to application programs when they are loaded or run rather than as the final phase of compilation DSA Digital Signature Algorithm E Encryption The process of converting the plaintext data into the ciphertext so that the content of the data is no longer obvious Some algorithms p...

Страница 38: ...y Module Dispatch Switcher H HA High Availability HIFACE Host Interface It is used to communicate with the host system HSM Hardware Security Module I IDEA International Data Encryption Algorithm IIS Microsoft Internet Information Services IP Internet Protocol J JCA Java Cryptography Architecture SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Co...

Страница 39: ... gov div897 pubs fip113 htm For information on HMAC algorithms see RFC 2104 at http www ietf org rfc rfc2104 txt Message Digest A condensed representation of a data stream A message digest will convert an arbitrary data stream into a fixed size output This output will always be the same for the same input stream however the input cannot be reconstructed from the digest MSCAPI Microsoft Cryptograph...

Страница 40: ...ntimes including software only hardware adapter and host security module based variants A Remote client and server are also available ProtectToolkit J SafeNet s implementation of JCE Runs on top of ProtectToolkit C R RC2 RC4 Ciphers designed by RSA Data Security Inc RFC Request for Comments proposed specifications for various protocols and algorithms archived by the Internet Engin eering Task Forc...

Страница 41: ...slot which is capable of holding a token SlotPKCS 11 Slot which is capable of holding a token SO Security Officer Symmetric Cipher An encryption algorithm that uses the same key for encryption and decryption DES RC4 and IDEA are all sym metric algorithms T TC Trusted Channel TCP IP Transmission Control Protocol Internet Protocol Token PKCS 11 token that provides cryptographic services and access c...

Страница 42: ...rtificate as user certificate public key certificate certificate The public keys of a user together with some other information rendered unforgeable by encipherment with the private key of the cer tification authority which issued it SafeNet ProtectToolkit 5 8 Installation and Configuration Guide 007 013682 006 Rev A 08 January 2020 Copyright 2009 2020 Gemalto 42 ...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды