Entrust nShield HSM for SSL Decryption for iSSL

Hardware Security Modules (HSMs) are dedicated appliances that logically and physically protect cryptographic keys and the operations performed with them. Keys are generated, stored and used inside the HSM's tamper-resistant boundary, so an application such as inline SSL decryption can sign and decrypt with a private key without that key ever being exposed on the application host. An HSM is a self-contained solution for cryptographic processing, key generation and key storage; the hardware and firmware required for these functions ship with the appliance.

Enterprises where security is paramount use an HSM such as Entrust nShield to keep sensitive material such as server private keys off the decryption appliance. Entrust nShield HSMs were already supported for inline SSL; starting in software version 6.4, inline SSL additionally supports Thales-Luna HSMs.

The following are configuration examples for the nCipher (Entrust nShield) and Luna HSM types.

For details on the CLI commands used in the following examples, refer to the following commands in the reference section:

■   apps hsm
■   apps hsm-group
■   apps keystore
■   apps ssl
■   gigasmart
■   gsgroup
■   gsop
■   gsparams
■   map

Configure Entrust nShield HSM:

1. Configure the stack port interface IP address.

(config) # gigasmart engine 1/2/e1 interface eth2 10.115.74.60 255.255.248.0 gateway 10.115.71.1 dns 10.10.1.20 mtu 1500

or, to obtain the address by DHCP:

(config) # gigasmart engine 1/2/e1 interface dhcp

Note:  Make sure to configure the stack port first before you enable the HSM group in gsparams.

2. Configure at least one HSM by specifying an alias, a static IP address, the HSM type and the port number. Obtain the ESN and KNETI from your HSM administrator.

(config) # apps hsm alias hsm1 hsm-ip 10.116.166.5 hsm-port 9004 type ncipher-hsm esn FBC5-F777-2A93 kneti 30eab672d888d22eab811755d5938981ca5c8f18

3. Create an HSM group alias and add at least one HSM to it. The group's device-type must match the type of the HSMs added to it (ncipher-hsm here).

(config) # apps hsm-group alias hsm-set device-type ncipher-hsm hsm-alias add hsm1

4. Fetch the HSM group key handler binary files: one World file for the HSM group and one Module file for each HSM in the group (the Module file name carries the HSM's ESN).

(config) # apps hsm-group alias hsm-set fetch key-handler http://10.125.0.101/tftpboot/temp/hsm/world

(config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/module_FBC5-F777-2A93

5. Download the key handler file for the private key residing on the nShield HSM and store it in the keystore under an alias (key1 here). The file is the encrypted application key blob (key_pkcs11_<identifier>) from the nShield security world; it is usable only together with the World and Module files fetched in step 4, so the private key can be used only through the HSM.

(config) # apps keystore rsa key1 private-key download url http://10.115.0.100/tftpboot/myname/hsm/key_pkcs11_ua88af6e573c9c6c39b245a15edfc3ebcbebbdae4f type ncipher-hsm

6. Configure an inline SSL profile. The profile specifies policy configuration, such as certificate handling and the actions to take for the profile. Note that this example profile is permissive: it decrypts sessions whose server certificate is invalid, self-signed or issued by an unknown CA, and it disables CRL and OCSP revocation checking. Tighten these settings for production use.

(config) # apps inline-ssl profile alias sslprofile

(config apps inline-ssl profile alias sslprofile) # certificate expired drop

(config apps inline-ssl profile alias sslprofile) # certificate invalid decrypt

(config apps inline-ssl profile alias sslprofile) # certificate revocation crl disable

(config apps inline-ssl profile alias sslprofile) # certificate revocation ocsp disable

(config apps inline-ssl profile alias sslprofile) # certificate self-signed decrypt

(config apps inline-ssl profile alias sslprofile) # certificate unknown-ca decrypt

(config apps inline-ssl profile alias sslprofile) # decrypt tcp inactive-timeout 5

(config apps inline-ssl profile alias sslprofile) # decrypt tcp portmap default-out-port disable

(config apps inline-ssl profile alias sslprofile) # decrypt tool-bypass disable

(config apps inline-ssl profile alias sslprofile) # default-action decrypt

(config apps inline-ssl profile alias sslprofile) # no-decrypt tool-bypass disable

(config apps inline-ssl profile alias sslprofile) # url-cache miss action decrypt

(config apps inline-ssl profile alias sslprofile) # exit

(config) #

7. Create a key map entry in the inline SSL profile, mapping the server name to the keystore alias configured in step 5. The command is entered in the profile context (re-enter it with apps inline-ssl profile alias sslprofile if you exited in the previous step).

(config apps inline-ssl profile alias sslprofile) # keymap add server server_001.autssl.qa.gigamon.com key key1

8. Configure a GigaSMART group and associate it with a GigaSMART engine port.

(config) # gsgroup alias issl1-gsgroup port-list 1/2/e1

9. Configure the GigaSMART inline SSL operation, specify the profile configured in step 6, and assign the GigaSMART operation to the GigaSMART group.

(config) # gsop alias issl1-gsop inline-ssl sslprofile port-list issl1-gsgroup

10. Configure a virtual port.

(config) # vport alias issl1-vport gsgroup issl1-gsgroup

11. Enable the HSM group in gsparams.

(config) # gsparams gsgroup issl1-gsgroup hsm-group add hsm-set

12. Configure the port types for the inline network and inline tool ports and enable them. The partner ports used in the pairs below (1/1/x2 and 1/1/x10) need the same port type and admin enable configuration.

(config) # port 1/1/x1 type inline-network

(config) # port 1/1/x1 params admin enable

(config) # port 1/1/x9 type inline-tool

(config) # port 1/1/x9 params admin enable

 

13. Configure the inline network.

(config) # inline-network alias issl1-inline-network

(config inline-network alias issl1-inline-network) # pair net-a 1/1/x1 and net-b 1/1/x2

(config inline-network alias issl1-inline-network) # physical-bypass disable

(config inline-network alias issl1-inline-network) # traffic-path to-inline-tool

(config inline-network alias issl1-inline-network) # exit

14. Configure the inline tool and enable it.

(config) # inline-tool alias issl1-inline-tool

(config inline-tool alias issl1-inline-tool) # pair tool-a 1/1/x9 and tool-b 1/1/x10

(config inline-tool alias issl1-inline-tool) # enable

(config inline-tool alias issl1-inline-tool) # failover-action tool-bypass

(config inline-tool alias issl1-inline-tool) # shared true

(config inline-tool alias issl1-inline-tool) # hb-profile default

(config inline-tool alias issl1-inline-tool) # heart-beat

(config inline-tool alias issl1-inline-tool) # hb-ip-addr-a 0.0.0.0

(config inline-tool alias issl1-inline-tool) # hb-ip-addr-b 0.0.0.0

(config inline-tool alias issl1-inline-tool) # exit

15. Configure the maps: a first-level map from the inline network to the virtual port, a second-level map from the virtual port to the inline tool that applies the inline SSL GigaSMART operation, and a shared collector that sends any traffic the maps do not match through the bypass path instead of to the tool. The roles replace commands reassign each map's roles from admin to owner_roles.

(config) # map alias issl1_l1_map

(config map alias issl1_l1_map) # roles replace admin to owner_roles

(config map alias issl1_l1_map) # rule add pass protocol tcp

(config map alias issl1_l1_map) # to issl1-vport

(config map alias issl1_l1_map) # from issl1-inline-network

(config map alias issl1_l1_map) # exit

(config) # map alias issl1_l2_map

(config map alias issl1_l2_map) # roles replace admin to owner_roles

(config map alias issl1_l2_map) # use gsop issl1-gsop

(config map alias issl1_l2_map) # to issl1-inline-tool

(config map alias issl1_l2_map) # from issl1-vport

(config map alias issl1_l2_map) # exit

(config) # map-scollector alias SCOL

(config map-scollector alias SCOL) # roles replace admin to owner_roles

(config map-scollector alias SCOL) # from issl1-inline-network

(config map-scollector alias SCOL) # collector bypass

(config map-scollector alias SCOL) # exit

Configure Thales-Luna HSM:

1. Configure the stack port interface IP address.

(config) # gigasmart engine 1/2/e1 interface eth2 10.117.72.60 255.255.248.0 gateway 10.115.71.1 dns 10.10.1.20 mtu 1500

or, to obtain the address by DHCP:

(config) # gigasmart engine 1/2/e1 interface dhcp

Note:  Make sure to configure the stack port first before you enable the HSM group in gsparams.

2. Configure at least one HSM by specifying an alias, a static IP address, the HSM type and the port number, together with the Luna server username and password and the partition label and password. The server password and partition password are stored encrypted under the keychain password in the keystore. All HSMs in the same HA group must use the same partition password.

(config) # apps hsm alias hsm1 hsm-ip 10.126.62.11 hsm-port 1792 type luna-hsm server-username admin server-password ****** partition-label partition1 partition-password *******

3. Create an HSM group alias and add at least one HSM to it. The group's device-type must match the type of the HSMs added to it.

(config) # apps hsm-group alias hsm-set device-type luna-hsm hsm-alias add hsm1

4. Configure the keystore entry for the private key residing on the Thales-Luna HSM, referencing the key by its label on the HSM; the key itself is never downloaded. Use the rsa or the ecdsa form according to the key type (both forms are shown; use the one that matches your key).

(config) # apps keystore rsa server_key_001 private-key key-label server1_key_label type luna-hsm

(config) # apps keystore ecdsa server_key_001 private-key key-label server1_key_label type luna-hsm

5. Configure an inline SSL profile. The profile specifies policy configuration, such as certificate handling and the actions to take for the profile. Note that this example profile is permissive: it decrypts sessions whose server certificate is invalid, self-signed or issued by an unknown CA, and it disables CRL and OCSP revocation checking. Tighten these settings for production use.

(config) # apps inline-ssl profile alias sslprofile

(config apps inline-ssl profile alias sslprofile) # certificate expired drop

(config apps inline-ssl profile alias sslprofile) # certificate invalid decrypt

(config apps inline-ssl profile alias sslprofile) # certificate revocation crl disable

(config apps inline-ssl profile alias sslprofile) # certificate revocation ocsp disable

(config apps inline-ssl profile alias sslprofile) # certificate self-signed decrypt

(config apps inline-ssl profile alias sslprofile) # certificate unknown-ca decrypt

(config apps inline-ssl profile alias sslprofile) # decrypt tcp inactive-timeout 5

(config apps inline-ssl profile alias sslprofile) # decrypt tcp portmap default-out-port disable

(config apps inline-ssl profile alias sslprofile) # decrypt tool-bypass disable

(config apps inline-ssl profile alias sslprofile) # default-action decrypt

(config apps inline-ssl profile alias sslprofile) # no-decrypt tool-bypass disable

(config apps inline-ssl profile alias sslprofile) # url-cache miss action decrypt

(config apps inline-ssl profile alias sslprofile) # exit

(config) #

6. Create a key map entry in the inline SSL profile, mapping the server name to the keystore alias configured in step 4. The command is entered in the profile context (re-enter it with apps inline-ssl profile alias sslprofile if you exited in the previous step).

(config apps inline-ssl profile alias sslprofile) # keymap add server server_001.autssl.qa.gigamon.com key server_key_001

7. Configure a GigaSMART group and associate it with a GigaSMART engine port.

(config) # gsgroup alias issl1-gsgroup port-list 1/2/e1

8. Configure the GigaSMART inline SSL operation, specify the profile configured in step 5, and assign the GigaSMART operation to the GigaSMART group.

(config) # gsop alias issl1-gsop inline-ssl sslprofile port-list issl1-gsgroup

9. Configure a virtual port.

(config) # vport alias issl1-vport gsgroup issl1-gsgroup

10. Enable the HSM group in gsparams.

(config) # gsparams gsgroup issl1-gsgroup hsm-group add hsm-set

11. Configure the port types for the inline network and inline tool ports and enable them. The partner ports used in the pairs below (1/1/x2 and 1/1/x10) need the same port type and admin enable configuration.

(config) # port 1/1/x1 type inline-network

(config) # port 1/1/x1 params admin enable

(config) # port 1/1/x9 type inline-tool

(config) # port 1/1/x9 params admin enable

 

12. Configure the inline network.

(config) # inline-network alias issl1-inline-network

(config inline-network alias issl1-inline-network) # pair net-a 1/1/x1 and net-b 1/1/x2

(config inline-network alias issl1-inline-network) # physical-bypass disable

(config inline-network alias issl1-inline-network) # traffic-path to-inline-tool

(config inline-network alias issl1-inline-network) # exit

13. Configure the inline tool and enable it.

(config) # inline-tool alias issl1-inline-tool

(config inline-tool alias issl1-inline-tool) # pair tool-a 1/1/x9 and tool-b 1/1/x10

(config inline-tool alias issl1-inline-tool) # enable

(config inline-tool alias issl1-inline-tool) # failover-action tool-bypass

(config inline-tool alias issl1-inline-tool) # shared true

(config inline-tool alias issl1-inline-tool) # hb-profile default

(config inline-tool alias issl1-inline-tool) # heart-beat

(config inline-tool alias issl1-inline-tool) # hb-ip-addr-a 0.0.0.0

(config inline-tool alias issl1-inline-tool) # hb-ip-addr-b 0.0.0.0

(config inline-tool alias issl1-inline-tool) # exit

14. Configure the maps: a first-level map from the inline network to the virtual port, a second-level map from the virtual port to the inline tool that applies the inline SSL GigaSMART operation, and a shared collector that sends any traffic the maps do not match through the bypass path instead of to the tool. The roles replace commands reassign each map's roles from admin to owner_roles.

(config) # map alias issl1_l1_map

(config map alias issl1_l1_map) # roles replace admin to owner_roles

(config map alias issl1_l1_map) # rule add pass protocol tcp

(config map alias issl1_l1_map) # to issl1-vport

(config map alias issl1_l1_map) # from issl1-inline-network

(config map alias issl1_l1_map) # exit

(config) # map alias issl1_l2_map

(config map alias issl1_l2_map) # roles replace admin to owner_roles

(config map alias issl1_l2_map) # use gsop issl1-gsop

(config map alias issl1_l2_map) # to issl1-inline-tool

(config map alias issl1_l2_map) # from issl1-vport

(config map alias issl1_l2_map) # exit

(config) # map-scollector alias SCOL

(config map-scollector alias SCOL) # roles replace admin to owner_roles

(config map-scollector alias SCOL) # from issl1-inline-network

(config map-scollector alias SCOL) # collector bypass

(config map-scollector alias SCOL) # exit

15. Register the GigaSMART client with the Luna server. On the GigaVUE node, use show gigasmart engine details to find the engine's stack port IP address; then, on the Luna server, register that address as a client and assign the client to the partition.

(config) # show gigasmart engine details

lunash:>client register -client 10.115.74.195 -ip 10.115.54.168

lunash:>client assignpartition -client 10.115.74.195 -partition fqa-par1-1

Notes:
Wait at least 60 seconds before registering the client on the Luna server; the maximum total wait is 10 minutes. After a reload, wait at least 90 seconds before proceeding with the registration.
For an HA group configuration, register the GigaSMART client on both Luna servers.
For other administrative commands, refer to Client Register in the Luna Command Reference.
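Both procedures above rely on the same cross-references between commands: the type of each apps hsm entry must match its hsm-group device-type, the keymap key must be a keystore alias, the gsop must name an existing inline SSL profile and gsgroup, and the stack port must be configured before the HSM group is enabled in gsparams. A typo in any of them usually shows up only as a session that is not decrypted. The following Python script is an added example, not Gigamon code and not part of the original page: it lints a pasted CLI transcript for exactly those references, understands only the command forms used on this page, and is driven by a constructed transcript that deliberately contains three mistakes (an hsm-group device-type that does not match its member HSM, a keymap that references a keystore alias that was never created, and a gsop that names an undefined profile) to show what the checks catch. The alias, IP and URL values in the transcript are illustrative.

```python
"""Cross-reference linter for a GigaVUE-OS inline SSL + HSM CLI transcript.

Added example, not Gigamon code: it models only the commands used on this page
and checks the references between them plus the documented ordering rule
(configure the GigaSMART stack port before enabling the HSM group in gsparams).
"""
import re

# "(config apps inline-ssl profile alias X) # keymap ..." -> (context, command)
LINE = re.compile(r"^\(?(config[^)#]*)\)?\s*#\s*(.*)$")


def arg(tokens, key):
    """Token following keyword `key` in a command, or None when absent."""
    if key not in tokens:
        return None
    i = tokens.index(key)
    return tokens[i + 1] if i + 1 < len(tokens) else None


def lint(transcript):
    """Return a list of findings; an empty list means the transcript is consistent."""
    hsms, groups, keys, profiles = {}, {}, {}, set()
    gsgroups, gsops, keymaps, findings = {}, {}, [], []
    stack_ports = set()  # engine ports whose stack interface is configured so far
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ctx, cmd = m.group(1).split(), m.group(2).split()
        if not cmd:
            continue
        if cmd[:2] == ["gigasmart", "engine"] and "interface" in cmd:
            stack_ports.add(cmd[2])
        elif cmd[:2] == ["apps", "hsm"]:
            hsms[arg(cmd, "alias")] = arg(cmd, "type")
        elif cmd[:2] == ["apps", "hsm-group"] and "device-type" in cmd:
            members = cmd[cmd.index("add") + 1:] if "add" in cmd else []
            groups[arg(cmd, "alias")] = (arg(cmd, "device-type"), members)
        elif cmd[:2] == ["apps", "keystore"] and len(cmd) > 3:
            keys[cmd[3]] = arg(cmd, "type")  # apps keystore rsa <alias> ... type <hsm>
        elif cmd[:4] == ["apps", "inline-ssl", "profile", "alias"] and len(cmd) > 4:
            profiles.add(cmd[4])
        elif cmd[0] == "keymap" and len(ctx) > 5 and ctx[1:5] == ["apps", "inline-ssl", "profile", "alias"]:
            keymaps.append((ctx[5], arg(cmd, "server"), arg(cmd, "key")))  # profile from the prompt
        elif cmd[0] == "gsgroup":
            gsgroups[arg(cmd, "alias")] = arg(cmd, "port-list")
        elif cmd[0] == "gsop":
            gsops[arg(cmd, "alias")] = (arg(cmd, "inline-ssl"), arg(cmd, "port-list"))
        elif cmd[0] == "gsparams" and "hsm-group" in cmd:
            gsg, grp = arg(cmd, "gsgroup"), arg(cmd, "add")
            if grp not in groups:
                findings.append(f"gsparams: hsm-group {grp} is not defined")
            if gsg not in gsgroups:
                findings.append(f"gsparams: gsgroup {gsg} is not defined")
            elif gsgroups[gsg] not in stack_ports:  # ordering rule from the note in step 1
                findings.append(f"gsparams: stack port {gsgroups[gsg]} not configured "
                                f"before enabling hsm-group {grp} on {gsg}")
    for name, (dtype, members) in groups.items():
        for member in members:
            if member not in hsms:
                findings.append(f"hsm-group {name}: member {member} is not a configured hsm")
            elif hsms[member] != dtype:
                findings.append(f"hsm-group {name}: device-type {dtype} but {member} is {hsms[member]}")
    group_types = {dtype for dtype, _ in groups.values()}
    for alias, ktype in keys.items():
        if ktype not in group_types:
            findings.append(f"keystore {alias}: type {ktype} matches no hsm-group device-type")
    for alias, (profile, gsg) in gsops.items():
        if profile not in profiles:
            findings.append(f"gsop {alias}: inline-ssl profile {profile} is not defined")
        if gsg not in gsgroups:
            findings.append(f"gsop {alias}: gsgroup {gsg} is not defined")
    for profile, server, key in keymaps:
        if key not in keys:
            findings.append(f"keymap {profile}/{server}: key {key} is not in the keystore")
    return findings


# Constructed transcript with three deliberate mistakes: the group device-type
# does not match hsm1, the keymap uses an alias that was never created, and the
# gsop names a profile that does not exist. Addresses and URL are illustrative.
AS_PRINTED = """\
(config) # gigasmart engine 1/2/e1 interface eth2 10.115.74.60 255.255.248.0 gateway 10.115.71.1
(config) # apps hsm alias hsm1 hsm-ip 10.116.166.5 hsm-port 9004 type ncipher-hsm esn FBC5-F777-2A93
(config) # apps hsm-group alias hsm-set device-type luna-hsm hsm-alias add hsm1
(config) # apps keystore rsa key1 private-key download url http://10.115.0.100/hsm/keyblob type ncipher-hsm
(config) # apps inline-ssl profile alias sslprofile
(config apps inline-ssl profile alias sslprofile) # keymap add server server_001.autssl.qa.gigamon.com key server_key_001
(config apps inline-ssl profile alias sslprofile) # exit
(config) # gsgroup alias issl1-gsgroup port-list 1/2/e1
(config) # gsop alias issl1-gsop inline-ssl issl1_prof port-list issl1-gsgroup
(config) # gsparams gsgroup issl1-gsgroup hsm-group add hsm-set
"""

CORRECTED = (AS_PRINTED.replace("device-type luna-hsm", "device-type ncipher-hsm")
             .replace("key server_key_001", "key key1")
             .replace("inline-ssl issl1_prof", "inline-ssl sslprofile"))

if __name__ == "__main__":
    for finding in lint(AS_PRINTED):
        print(finding)
    print("corrected transcript:", lint(CORRECTED) or "clean")
```

Paste the output of show running-config (or the transcript of the session) into lint before enabling the HSM group; the stack-port check is order-sensitive, so feed the commands in the order they were entered. Moving the gigasmart engine line below the gsparams line in the constructed transcript produces the ordering finding and nothing else.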

Related Commands

Display the HSM group status:

(config) # show apps hsm-group status

Note:  Before the client is registered in the Luna server, the operational status is displayed as Init. Once client registration is complete, the status changes to Yes after about 30 seconds.