Configure Hardware Security Model (HSM)
Refer to the following sections that provide details about HSM Group, its limitations, and instructions on how to configure HSM Group in Flexible Inline Canvas:
About HSM
Hardware Security Modules (HSMs) are specialized systems that logically and physically safeguard cryptographic operations and cryptographic keys. HSMs protect sensitive data from being stolen by providing a highly secure operation structure. HSMs are comprehensive, self-contained solutions for cryptographic processing, key generation, and key storage. The hardware and firmware (i.e., software) required for these functions are automatically included in these appliances.
Some enterprises where security is paramount use Entrust nShield HSM to keep sensitive information such as private keys safe.
Starting in software version 6.4, the current Inline TLS/SSL is enhanced to include Thales-Luna Network HSM support in addition to the already supported Entrust nShield HSM solution.
.
|
1
|
ISSL with Thales Luna - Inbound support |
Thales -Luna Network HSM allows a single physical HSM to be divided into logical HSM partitions, each with independent data, access controls, and administrative policies. HSM partitions allow separate data storage and administration policies that would be maintained by multiple applications sharing one HSM without compromising other partitions residing on it. Each HSM partition has its own access control.
HSM Group - Limitations
Keep in mind the following limitations when configuring an HSM Group:
|
■
|
Entrust nShield HSM and Thales-Luna Network HSM cannot be configured together in a HSM Group configuration. |
|
■
|
Thales-Luna Network HSM features like cluster, standby, and non HA are not supported. |
|
■
|
IPv6 support for Thales-Luna Network HSM server configuration will not be done along with IPv6 stack port support. |
|
■
|
When uploading RSA and ECDSA keys, validity check for protocol mismatch cannot be performed since the private keys are available on the HSM server. |
|
■
|
The network connectivity between the HSM and GigaSMART must use a static IP address. Do not use DHCP because the IP address needs to remain the same. |
Note: If the GigaSMART® engine is configured using DHCP, the following issues may arise:
1. Whenever a new DHCP IP is assigned to the GigaSMART® engine, the user must delete and re-create the ISSL App and deploy the solution.
2. Additionally, the user needs to register the new DHCP IP with the HSM server for client use.
Supported Platforms
HSM Group is supported in the following platforms:
|
■
|
GigaVUE-HCT ( Out-Band tools /Passive SSL decryption) |
Configure HSM Group
To configure HSM Group:
|
1.
|
On the left navigation pane, go to Physical > Orchestrated Flows > Inline Flow, and then click Configuration Canvas to create a new Flexible Inline Canvas. |
|
2.
|
In the Flexible Inline Canvas that appears, select the required device for which you want to configure the HSM Group. |
|
3.
|
Click the ‘+’ icon next to the HSM Group option to create a new HSM. |
|
4.
|
In the HSM Group properties pane that appears on the right, enter the name and description of the HSM Group alias in the Alias and Description fields. |
|
5.
|
Select the required vendor type from the options (Entrust-nShield or Thales-Luna) to create the respective HSM Group. |
Note: You can create a maximum of 16 HSM units per device for Thales-Luna Network HSM.
|
6.
|
Click Apply to save the configurations. All the individual HSM units that you create will be listed under the configured HSM Group. Refer below for detailed information on the configuration details for Entrust nShield and Thales-Luna.
|
Note: If the operational status of the HSM Group is 'Registration pending'. Please execute the below steps to register the HSM client (GigaSMART engine) in the HSM Server.
1) Register the GigaSMART engine IP address in the HSM Server
2) Assign the HSM partition to the GigaSMART engine IP address.
Configure Entrust nShield HSM:
|
1.
|
Click the ‘+’ icon next to the configured nShield HSM. |
|
2.
|
In the HSM pop-up pane, choose one of the following methods to install the key handler file: |
|
o
|
Install from URL—Enter a valid directory path including the file name and enter the password to access the server. |
Note: SCP, SFTP, HTTP, and FTP are the supported protocols from where you can select the key handler file.
|
o
|
Install from Local Directory—Browse and select the key handler file from your local directory. |
Note: Ensure that the file name is "world".
|
3.
|
In the Alias field, enter a name for the HSM appliance. |
|
4.
|
Enter a valid IP address and Port Number details. |
Note: If the IP address of the GigaSMART engine is changed, the GigaSMART engine needs a reboot to complete the HSM registration with the new IP address.
|
5.
|
By default, Entrust nShield is selected and Thales-Luna is disabled in the Vendor type when configuring Entrust nShield. |
|
6.
|
Enter the ESN and KNETI that you obtained from the HSM administrator. |
|
7.
|
Choose one of the following methods to select the required key handler file: |
|
o
|
Install from URL—Enter a valid directory path including the file name and enter the password to access the server. |
|
o
|
Install from Local Directory—Browse and select the key handler file from your local directory. |
|
8.
|
Click OK to save the configuration. |
To configure through GigaVUE-OS CLI refer to Entrust nShield HSM for SSL Decryption for Out-of-Band Tools
Configure Thales-Luna HSM:
|
1.
|
Click the ‘+’ icon next to the configured Thales-Luna Network HSM. |
|
2.
|
In the HSM pop-up that appears, enter a name for the HSM appliance in the Alias field. |
|
3.
|
Enter a valid IP address and Port Number details. |
Note: For the Thales Luna HSM group, it is preferable to use a static IP address to prevent the Thales Luna registration from expiring.
Note: If the IP address of the GigaSMART engine is changed, the GigaSMART engine needs a reboot to complete the HSM registration with the new IP address.
|
4.
|
By default, Thales-Luna is selected and Entrust nShield is disabled in the Vendor type when configuring Thales-Luna. |
|
5.
|
Enter the valid username and password in the Server Username and Server Password fields. |
|
6.
|
Enter the valid details in the Partition Label and Partition Password fields. |
Note: When adding multiple HSM appliances, make sure to keep the Partition Password same for all the partitions.
|
7.
|
Click OK to save the configuration. |
|
8.
|
Drag the Inline Network object to the canvas and click Deploy. |
Note: Monitor the HSM Group status by utilizing the tooltip provided on the HSM Group in GigaVUE‑FM or the show apps hsm-groups status command. Once the status turns to 'RegisterPending', register your client in the Luna server within 10 minutes. In case of a reload, wait up to 90 seconds before you proceed with the registration.
To configure through GigaVUE-OS CLI refer to Entrust nShield HSM for SSL Decryption for iSSL.
Modifying a HSM Decryption Deployment
If an HSM Decryption deployment is modified follow the below steps:
|
1.
|
Move the Inline Network traffic path to bypass mode. |
|
2.
|
Make the desired deployment change such as: |
|
a.
|
A non-HSM based decryption to HSM Luna based decryption. |
|
b.
|
A non-HSM based decryption to HSM Entrust nShield based decryption. |
|
c.
|
An HSM Entrust nShield based decryption to HSM Thales-Luna Network based decryption |
|
3.
|
. Reboot the GigaSMART card. |
|
4.
|
Move the Inline Network out of bypass mode to ‘To Inline Tool’ mode. |