nCipher HSM for SSL Decryption for Out-of-Band Tools

Required License: Included with SSL Decryption for Out-of-Band Tools

Starting in software version 5.3, nCipher Hardware Security Module (HSM) is integrated with out-of-band SSL decryption. Hardware Security Modules offer secure storage, management, and operation of cryptographic material, such as private keys and passphrases. The HSM stores and manages the keys in a safe and secure environment. Since the keys reside on HSM in the network, they are offloaded from an application on a network device.

The application could be a web server or a database server, but, in the case of SSL decryption for out-of-band tools, the application is GigaSMART. The application interfaces with HSM to use the keys that are stored. There must be network connectivity between HSM and the application.

Keys are added to the HSM by an administrator. When an application’s key is on HSM, the HSM creates an application key token. The key token is sent to the application. When the application wants to use a key, the application sends the token to HSM, which establishes a session with HSM to use the key. In this way, the use of keys by the application is secure because only key tokens are exchanged.

nCipher HSM is supported on GigaVUE‑HC1, GigaVUE-HC2, and GigaVUE-HC3.

Keep in mind the following rules and notes before you configure and use HSM to store and manage keys:

GigaSMART uses keys that are already stored on the HSM. There is no key generation.
The key token that is uploaded to GigaSMART can only be in PKCS11 format.
Only RSA keys (private keys) are supported.
Keys are module-protected. With module-protection, the application is a registered client that does not need to log in to the HSM.
The network connectivity between the HSM and GigaSMART must use a static IP address. Do not use DHCP because the IP address needs to remain the same.
Only IPv4 addresses are supported.
Each GigaSMART card that interfaces with the nCipher HSM will use one nCipher license.
Clustering is not supported.

This section provides topics on how to configure and use HSM for SSL decryption for out-of-band tools:

Add at least one HSM appliance by specifying an alias, a static IP address, and port number. Obtain the ESN and KNETI from your HSM administrator.

To access GigaSMART within GigaVUE-FM, access a device that has been added to GigaVUE-FM from the GigaVUE-FM interface. GigaSMART appears in the navigation pane of the device view on supported devices. Refer to the Access GigaSMART from GigaVUE-FM for details.

To add an HSM appliance, do the following:

  1. From the device view, go to GigaSMART> Passive SSL > HSM.
  2. Click Add.

Figure 117 Adding a New HSM Appliance
  1. In the Alias field, enter a name for the HSM appliance.
  2. Enter a valid IP address and Port Number.
  3. Enter the ESN and KNETI that you obtained from the HSM administrator.
  4. Choose one of the following methods to select the required key handler file:
    • Install from URL—Enter a valid directory path including the file name and enter the password to access the server.

      • Note:  SCP, SFTP, HTTP, FTP, and TFTP are the supported protocols from where you can select the key handler file.

    • Install from Local Directory—Browse and select the key handler file from your local directory.
  5. Click OK.
1.   From the device view, go to GigaSMART > Passive SSL > HSM.
2. Select the HSM appliance you just created.
3. Click Configure.
4. Choose one of the following methods to install the key handler file:
Install from URL—Enter a valid directory path including the file name and enter the password to access the server.

    Note:  SCP, SFTP, HTTP, FTP, and TFTP are the supported protocols from where you can select the key handler file.

Install from Local Directory—Browse and select the key handler file from your local directory.

Note:  Ensure that the file name is "world"

Figure 118 HSM-Configure Key Handler
5. Click OK.

Each GigaSMART card requires IP address configuration for network access. To configure IP address details:

1.   From the device view, go to GigaSMART > Passive SSL > Network Access.
2. Select the GigaSMART appliance.
3. Click Edit.
4. Enter IP Address, Netmask, Gateway, DNS, MTU and VLAN parameters.
5. Select the required management interface.

Figure 119 Passive SSL Network Access - IP Configuration
6. Click OK.

To configure a GigaSMART group for passive SSL:

1.   From the device view, go to GigaSMART > GigaSMART Groups.
2. Click New.
3. In the Alias field, enter a name for the GigaSMART group that you are creating for Passive SSL.
4. From the Port List drop-down list, select the required port you want to associate with this group.
5. Scroll down to the GigaSMART Parameters > Passive SSL section of the page, and then select the Enable HSM check box.

Figure 120 GigaSMART Group Setup Page
6. Click OK.

To create a GigaSMART operation with an SSL Decryption component:

1.   From the device view, go to GigaSMART > GigaSMART Operations (GSOP) > GigaSMART Operation.
2. Click New.
3. In the Alias field, enter a name for the GigaSMART operation.
4. From the GigaSMART Group drop-down list, select the GigaSMART group that you have created for passive SSL.
5. From the GigaSMART Operations (GSOP) drop-down list, select SSL Decryption.

Figure 121 GigaSMART Operations - Setup Page
6. Click OK.

Before uploading keys or configuring SSL, you must create an SSL keychain password. The password is used to encrypt the private keys that you upload to the node.

Note:  When uploading SSL keys, make sure that you are not creating a duplicate key. Adding a duplicate key can cause errors.

To create an SSL keychain password:

1.   From the device view, go to GigaSMART > Passive SSL > Key Store.
2. Click Keychain Password.

Figure 122 SSL Keychain Password Setup Page
3. In the Password and Confirm Password fields, enter a valid password. Ensure that the password meets the following specifications:
Password must be at least ten (10) characters in length.
Password must contain at least one:
uppercase letters
lowercase letters
numbers
special characters
4. Click Submit.

To upload an SSL private key:

1.   From the device view, go to GigaSMART >Passive SSL > Key Store to open the Key Store page.
2. Click Install. The SSL Key page appears.

Figure 123 SSL Key Page
3. In the Alias field, enter a name for the SSL key.
4. Select the Key Upload Type as Private Key. Ensure that the key token is in PKCS11 format.
5. Choose the file. The URL can be downloaded using HTTP, HTTPS, FTP, TFTP, SCP, and SFTP. It is recommended to use a secure protocol, such as HTTPS.
6. Click Save.

After you have uploaded a private key, you can add a service. A service maps to a physical server, such as an HTTP server. One server can run multiple services. A service is a combination of an IP address and a server port number. Also, the key and the service must be tied together.

To create an SSL service:

1.   From the device view, go to GigaSMART > Passive SSL > SSL Services.
2. Click New. The SSL Service page appears.

Figure 124 SSL Service
3. In the Alias field, enter a name for the SSL service.
4. Map the SSL service to a server IP address and a server port using one of the following methods:
Select the Enabled check box next to the Default Service field to dynamically map the server IP address and server port.

Note:  If you select the Enabled check box, the Server IP Address and Server Port fields are disabled.

In the Server IP Address and Server Port fields, enter an IP address and port to which you want to map the SSL service.
5. From the SSL Key Alias drop-down list, select the name of the SSL Key previously uploaded.
6. From the GS Group drop-down list, select the GigaSMART group with SSL decryption enabled to associate with this SSL service.
7. Click OK.
1.   From the device view, go to Maps > Maps.
2. Click New.
3. Configure the map.

Figure 125 Create New Map
Type map11 in the Alias field.
Select Regular for Type.
Select ByRule for Subtype.
Select the network port for the Source.
Select Tool port/Hybrid port for Destination.

Figure 126 Configure Map Details
4. Add a Rule.

Figure 127 Figure 20-123: Map Details - Create Rule
a. Click Add a Rule.
b. Select Pass.
c. Select IPv4 Version and set Version to v4.
5. Click Save.