Entrust nShield HSM for SSL Decryption for Out-of-Band Tools
Required License: Included with SSL Decryption for Out-of-Band Tools
Starting in software version 5.3, Entrust nShield Hardware Security Module (HSM) is integrated with SSL decryption for out-of-band tools. Hardware Security Modules offer secure storage, management, and operation of cryptographic material, such as private keys and pass-phrases. The HSM stores and manages the keys in a safe and secure environment. Since the keys reside on the HSM in the network, they are offloaded from an application on a network device.
The application could be a web server or a database server, but, in the case of SSL decryption for out-of-band tools, the application is GigaSMART. The application interfaces with HSM to use the keys that are stored. There must be network connectivity between the HSM and the application.
Keys are added to the HSM by an administrator. When an application’s key is on the HSM, the HSM creates an application key token. The key token is sent to the application. When the application wants to use a key, the application sends the token to HSM, which establishes a session with the HSM to use the key. In this way, the use of keys by the application is secure because only key tokens are exchanged.
Entrust nShield HSM is supported on GigaVUE‑HC1, and GigaVUE‑HC3.
Refer to the following limitations:
GigaSMART uses keys that are already stored on the HSM. There is no key generation. |
The key token that is uploaded to GigaSMART can only be in PKCS11 format. |
Only RSA keys (private keys) are supported. |
Keys are module-protected. With module-protection, the application is a registered client that does not need to log in to the HSM. |
The network connectivity between the HSM and GigaSMART must use a static IP address. Do not use DHCP because the IP address needs to remain the same. |
Only IPv4 addresses are supported. |
Each GigaSMART card that interfaces with the Entrust nShield HSM will use one Entrust nShield license. |
Clustering is not supported. |
When uploading RSA and ECDSA keys, validity check for protocol mismatch cannot be performed since the private keys are available on the HSM server. |
The following is a configuration example of the Hardware Security Module (HSM).
For details on the CLI commands used in the following examples, refer to the following commands in the reference section:
apps hsm |
apps hsm-group |
apps keystore |
apps ssl |
gigasmart |
gsgroup |
gsop |
gsparams |
map |
Step |
Description |
Command |
|||
|
Configure at least one HSM by specifying an alias, a static IP address, type of HSM, and port number. Obtain the ESN and KNETI from your HSM administrator. |
(config) # apps hsm alias hsm1 hsm-ip 10.115.176.5 hsm-port 9004 esn FBC5-F777-2A93 kneti 30eab672d888d22eab811755d5938981ca5c8f18 |
|||
|
Create an HSM group alias and add at least one HSM to it. |
(config) # apps hsm-group alias hsm-set hsm-alias add hsm1 |
|||
|
Fetch HSM group key handler binary files. Fetch one World file for an HSM group and one Module file for each HSM in the group. |
(config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/world (config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/module_FBC5-F777-2A93 |
|||
|
Configure the stack port interface IP address for Internet connectivity. |
(config) # gigasmart engine 1/1/e1 interface 10.115.182.81 /24 gateway 10.1115.182.1 dns 10.1115.182.1 |
|||
|
Configure a GigaSMART group. |
(config) # gsgroup alias gsgrp port-list 1/1/e1 |
|||
|
Configure the GigaSMART operation for Passive SSL decryption. |
(config) # gsop alias gsop_hsm ssl-decrypt in-port any out-port auto port-list gsgrp |
|||
|
Assign the HSM group to the GigaSMART group. |
(config) # gsparams gsgroup gsgrp hsm-group add hsm-set |
|||
|
Configure a service by adding a server IP address and optionally, a server port number. |
(config) # apps ssl service server_3 server-ip 20.1.1.3 server-port 200 |
|||
|
Configure the keys residing on ncipher-HSM. |
(config) # apps keystore rsa key1 private-key download url http://10.115.0.100/tftpboot/myname/hsm/key_pkcs11_ua88af6e573c9c6c39b245a15edfc3ebcbebbdae4f type ncipher-hsm |
|||
|
Map the key to the service. |
(config) # gsparams gsgroup gsgrp ssl-decrypt key-map add service server_3 key key1 |
|||
|
Optionally, configure other GigaSMART parameters. |
(config) # gsparams gsgroup gsgrp ssl-decrypt hsm-timeout 3600 (config) # gsparams gsgroup gsgrp resource hsm-ssl buffer 2 (config) # gsparams gsgroup gsgrp resource hsm-ssl packet-buffer 600 |
|||
|
Configure source and destination ports and enable them. |
(config) # port 1/1/x1 type network (config) # port 1/1/x1 params admin enable (config) # port 1/1/x3 type tool (config) # port 1/1/x3 params admin enable |
|||
|
Configure a map. |
(config) # map alias hsm_map (config map alias hsm_map) # type regular byRule (config map alias hsm_map) # use gsop gsop_hsm (config map alias hsm_map) # rule add pass ipver 4 (config map alias hsm_map) # to 1/1/x3 (config map alias hsm_map) # from 1/1/x1 (config map alias hsm_map) # exit (config) # |
|||
|
Display HSM configuration. |
(config) # show apps hsm all (config) # show gsparams (config) # show apps hsm-group status |
|||
|
Display HSM statistics. |
(config) # show apps hsm-group session-stats (config) # show apps hsm-group buffer-stats |