Gemalto SafeNet ProtectServer Operator's manual

SafeNet ProtectServer
Network HSM
Installation and Configuration Guide

© 2000-2016 Gemalto NV. All rights reserved.
Part Number 007-007474-008
Version 5.2
Trademarks
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without
the prior written permission of Gemalto.
Gemalto Rebranding
In early 2015, Gemalto NV completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the product
portfolios between the two organizations, the HSM product portfolio has been streamlined under the SafeNet brand. As
a result, the ProtectServer/ProtectToolkit product line has been rebranded as follows:
Old product name                             New product name
Protect Server External 2 (PSE2)             SafeNet ProtectServer Network HSM
Protect Server Internal Express 2 (PSI-E2)   SafeNet ProtectServer PCIe HSM
ProtectToolkit                               SafeNet ProtectToolkit
Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property
protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in
all copies.
• This document shall not be posted on any network computer or broadcast in any media and no modification of
any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise
expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the
information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications
data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all
implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall
Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any
damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or
customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and
disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the
date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and
notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party
actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products.
Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that
result from any use of its products. It is further stressed that independent testing and verification by the person using the
product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning
could result in damage to persons or property, denial of service or loss of privacy.
© 2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto
N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether
registered or not in specific countries, are the property of their respective owners.
Technical Support
If you encounter a problem while installing, registering or operating this product, please make sure that you have read
the documentation. If you cannot resolve the issue, please contact your supplier or Gemalto support. Gemalto support
operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan
arrangements made between Gemalto and your organization. Please consult this support plan for further information
about your entitlements, including the hours when telephone support is available to you.
Contact method: Contact
Address: Gemalto NV, 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Phone:
  Global: +1 410-931-7520
  Australia: 1800.020.183
  China: (86) 10 8851 9191
  France: 0825 341000
  Germany: 01803 7246269
  India: 000.800.100.4290
  Netherlands: 0800.022.2996
  New Zealand: 0800.440.359
  Portugal: 800.1302.029
  Singapore: 800.863.499
  Spain: 900.938.717
  Sweden: 020.791.028
  Switzerland: 0800.564.849
  United Kingdom: 0800.056.3158
  United States: (800) 545-6608
Web: www.safenet-inc.com
Support and Downloads: www.safenet-inc.com/support
  Provides access to the Gemalto Knowledge Base and quick downloads for various products.
Technical Support Customer Portal: https://serviceportal.safenet-inc.com
  Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the
  latest software upgrades, and access the Gemalto Knowledge Base.

Revision History
Revision   Date            Reason
A          14 March 2016   Release 5.2

Contents
Contents  v
Chapter 1  Introduction  1
Chapter 2  Product overview  2
  Front panel view  2
    Ports  3
    LEDs  3
    Reset button  4
  Rear panel view  4
    Tamper lock  4
Chapter 3  Implementation overview  5
  Implementation architecture  5
  Implementation steps  6
Chapter 4  Installation  7
  Installation procedure  7
    To install the hardware  7
    Smart Card Reader Installation  7
Chapter 5  Testing and configuration  9
  Equipment requirements  9
  Procedure overview  9
  System testing  11
    The PSE_status command  11
  Network configuration  11
    Using IPv6 addressing  12
    Manually setting the IP address  12
    Manually setting a hostname and default gateway  12
    Setting a name server  13
    Setting access control  13
  SSH network access  14
  Restarting networking  14
  Powering off the SafeNet ProtectServer Network HSM  14
  Upgrading the SafeNet ProtectServer Network HSM  14
  Troubleshooting  15
Chapter 6  PSESH Command Reference  16
  About PSESH  16
    Users  16
    Features  16
  Accessing PSESH  17
  Command Reference  17
    exit  18
    files  18
    help  19
    hsm  20
    network  21
    network dns  21
    network interface  22
    network interface delete  23
    network interface dhcp  23
    network interface static  23
    network iptables  24
    network iptables addrule  24
    network route  25
    package  26
    service  26
    status  28
    sysconf  31
    sysconf appliance  31
    sysconf snmp  31
    sysconf snmp config  32
    sysconf timezone  33
    syslog  34
    syslog tail  34
    user password  35
Appendix A  Technical specifications  37

Chapter 1
Introduction
This Guide is provided as an instructional aid for the installation and configuration of
a SafeNet ProtectServer Network HSM cryptographic services hardware security
module (HSM).
Chapter 2 gives an overview of the product. Both functionality and physical
characteristics are described.
Chapter 3 covers how the product is used to implement a cryptographic service
provider and the setup steps are given. References to further documentation are cited
where needed.
Chapter 4 describes the installation procedure.
Chapter 5 deals with testing and network setting configuration. A troubleshooting
section is included at the end of the chapter.
Chapter 6 provides a command reference for PSESH, the appliance shell interface,
which you use to configure, monitor, and maintain the appliance.
The technical specification for the product is in Appendix A.

Chapter 2
Product overview
The SafeNet ProtectServer Network HSM is a self-contained, security-hardened
server providing hardware based cryptographic functionality through a TCP/IP
network connection. The product is used, together with SafeNet high level application
programming interface (API) software, to implement cryptographic service providers
for a wide range of secure applications.
The SafeNet ProtectServer Network HSM is PC based. The enclosure is a heavy duty
steel case and common PC ports and controls are provided. The unit is delivered with
the necessary software components pre-installed on a Linux operating system, in a
“ready to operate” state. Network setting configuration is required, as described in this
document.
The full range of cryptographic services required by Public Key Infrastructure (PKI)
users is supported by using the SafeNet ProtectServer Network HSM’s dedicated
hardware cryptographic accelerator. These services include encryption, decryption,
signature generation and verification, and key management with a tamper resistant
and battery-backed key storage.
To implement a cryptographic service provider, use the SafeNet ProtectServer
Network HSM with one of SafeNet’s high level cryptographic APIs. The provider
types that can be implemented and the corresponding SafeNet high level
cryptographic API required are shown in the following table.
API                    SafeNet Product Required
PKCS #11               ProtectToolkit C
JCA / JCE              ProtectToolkit J
Microsoft IIS and CA   ProtectToolkit M
To provide the highest level of security, these APIs interface directly with the
product’s FIPS 140-1 Level 3 certified core. High-speed DES and RSA hardware
based cryptographic processing is used. Key storage is tamper resistant and
battery-backed.
A smart card reader RS232 (V.24) serial port (male DB9 connector) is provided on the
processing module for the secure loading and backup of keys. One smart card reader
with smart cards is also supplied with the unit.
Front panel view
Figure 1 illustrates the front panel of the ProtectServer External 2 appliance.

Figure 1: SafeNet ProtectServer Network HSM front panel
Ports
The front panel is equipped with the following ports:
VGA: Used to connect a VGA monitor to the appliance.
Console: Used to provide console access to the appliance. See "Equipment
requirements" on page 9.
USB: Used to connect USB devices such as a keyboard or mouse to the appliance.
eth0, eth1: Used to connect the appliance to the network.
HSM USB: Used to connect a smart card reader to the appliance using the
included USB-to-serial cable.
HSM serial port pin configuration
The serial port on the USB-to-serial cable uses a standard RS232 male DB9 pinout, as
illustrated in Figure 2.
Figure 2: HSM serial port pinout
LEDs
The front panel is equipped with the following LEDs:
Power: Lights green to indicate that the unit is powered on.
HDD: Flashes amber to indicate hard disk activity.
Status: Flashes green on startup. Otherwise not used.

Reset button
The reset button is located between the USB and Ethernet ports. Pressing the reset
button forces an immediate restart of the appliance. Although it does not power off the
appliance, it does restart the software. Pressing the reset button is service affecting
and is not recommended under normal operating conditions.
Rear panel view
Figure 3 illustrates the rear panel of the ProtectServer External 2 appliance.
Figure 3: SafeNet ProtectServer Network HSM rear panel
Tamper lock
The tamper lock allows you to set the tamper state of the HSM inside the appliance.
You can use the tamper lock during commissioning or decommissioning of the
appliance to destroy any keys currently stored on the HSM.
When the key is in the horizontal (Active) position, the HSM is in normal operating
mode. When the key is in the vertical (Tamper) position, the HSM is in the tamper
state, and any keys previously stored on the HSM are destroyed.
CAUTION!
Turning the tamper key from the Active position to the Tamper position causes any
keys currently stored on the HSM to be deleted. Once the keys are deleted they are
not recoverable. Ensure that you always back up your keys. To avoid accidentally
deleting the keys on an operational SafeNet ProtectServer Network HSM, remove the
tamper key after installation/commissioning and store it in a safe place.

Chapter 3
Implementation overview
Implementation architecture
To implement a hardware based cryptographic service provider, essentially three
elements are required.
1. One or more hardware security modules (HSMs) for key processing and storage.
2. High level cryptographic API software. This software uses HSM services when
providing “cryptographic service provider” functionality to applications.
3. Access provider software to implement the connection between the cryptographic
API software and the HSMs.
Where key processing and storage is to be implemented using a standalone SafeNet
ProtectServer Network HSM, the cryptographic service provider will operate in
network mode.
In network mode, Network HSM Access Provider software is installed on the same
machine used to host the cryptographic API software. It is used to implement the
connection between the SafeNet ProtectServer Network HSM and the
cryptographic host using a TCP/IP network connection. The SafeNet ProtectServer
Network HSM can then be located at any distance from the machine hosting the
access provider, cryptographic API and application software.
A network mode implementation of a cryptographic service provider using the
SafeNet ProtectServer Network HSM is shown in the next figure.
[Figure: network mode implementation. A PC (Network Client and Application Host)
runs the Application, the Crypto API and the Network HSM Access Provider, and is
connected over the Network to the SafeNet ProtectServer Network HSM.]

Implementation steps
The installation and configuration of the SafeNet ProtectServer Network HSM is part
of the setup of the overall network operating mode.
The following is a summary (with references to the location of detail) of the steps to
set up a cryptographic service provider, using the network operating mode and a
SafeNet ProtectServer Network HSM:
1. Install the SafeNet ProtectServer Network HSM
See "Installation" on page 7.
2. Test the SafeNet ProtectServer Network HSM
To confirm the correct operation of the unit, see "Testing and configuration" on
page 9.
3. Configure the SafeNet ProtectServer Network HSM network settings
See "Testing and configuration" on page 9 for details.
4. Install and configure the Network HSM Access Provider software
Network HSM Access Provider software must be installed on the network client
and configured to support operation in network mode. Full details are in the
SafeNet ProtectServer HSM Access Provider Installation Guide.
5. Install the high level cryptographic API
Install the high level cryptographic API to be used on the network client. Please
refer to the relevant installation guide supplied with the product for further
details.
6. Configure the high-level cryptographic API
Generally, further operating mode related configuration of the cryptographic API
might be needed to finalize installation. Tasks might include:
• establishing a trusted channel (secure messaging system (SMS)) between the
API and the Protect Server External 2.
• establishing network communication between the network client and the
Protect Server External 2.
For further information refer to the high-level cryptographic API documentation, such
as the ProtectToolkit C Administration Guide.

Chapter 4
Installation
This chapter provides information on how to install the SafeNet ProtectServer
Network HSM.
Since the SafeNet ProtectServer Network HSM is delivered with the necessary
software components pre-installed, no software installation is necessary on the unit
itself.
Once installation is complete, the unit can be tested to confirm correct operation and
to configure the network settings. These steps are covered in "Testing and
configuration" on page 9.
Installation procedure
To install the hardware
1. Choose a suitable location to site the equipment. You can mount the SafeNet ProtectServer
Network HSM in a standard 19-inch rack, as described in the Quickstart Guide.
Note:
The plug in the power supply cord is the disconnect device for this equipment.
The equipment must therefore be installed near to the mains outlet socket to which
it is connected and the mains outlet socket must be easily accessible.
2. Connect the SafeNet ProtectServer Network HSM to the network that hosts the client
machine(s) where the SafeNet cryptographic API software is installed. Connect the SafeNet
ProtectServer Network HSM to the network by inserting standard Ethernet cables into the LAN
connectors located on the front of the SafeNet ProtectServer Network HSM. The LAN connectors
are autosensing 10/100/1000 Mb/s Ethernet RJ45 ports.
Note:
The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and
eth1), each of which can be configured with its own IP address. The NICs
incorporate an IPv4/IPv6 dual stack, allowing you to configure both an IPv4 and
IPv6 address on each interface. If you intend to use both NICs, connect Ethernet
cables to both LAN connectors.
3. Connect the power cable to the unit and a suitable power source. The SafeNet ProtectServer
Network HSM is equipped with an autosensing power supply that can accept 100-240V at 50-
60Hz.
Smart Card Reader Installation
The ProtectServer offers functionality supporting the use of smart cards. To make use
of these features, you must use a SafeNet-supplied smart card reader. Smart card
readers, other than those supplied by SafeNet, are not supported.
The SafeNet ProtectServer Network HSM supports two different card readers, as
follows:
• the new USB card reader (introduced in 5.2)
• the legacy card reader, which provides a serial interface for data (via a USB-
to-serial cable) and a PS/2 interface for power (direct or via a PS/2 to USB
adapter)
Installing the USB smart card reader
To install the USB card reader, simply plug the card reader into the HSM USB port, as
illustrated below.
Installing the legacy card reader
To install the smart card reader, use the included USB-to-serial cable to connect it to
the HSM USB port on the card faceplate.
The card reader qualified with the ProtectServer product also requires connection to a
PS/2 port for its power. Many newer servers have USB ports, but do not provide a
PS/2 connection.
The options are:
• Connect a PS/2-to-USB adapter cable (pink) between the card reader and a
USB port on the SafeNet ProtectServer Network HSM.
• If you prefer to not expose USB ports on your crypto server (for security
reasons), then connect a PS/2-to-USB adapter cable between the card reader
and a standalone powered USB hub.
Again, the USB connection is for power only. No data transfer occurs.

Chapter 5
Testing and configuration
This chapter provides information on how to:
• test the SafeNet ProtectServer Network HSM to confirm correct operation
• configure network settings.
The assumptions are:
• The installation steps covered in the previous chapter are complete.
• You are familiar with Unix/Linux operating systems and are experienced with
their configuration.
Troubleshooting information is at the end of this chapter.
Equipment requirements
To complete the system test and configure the network you must be able to access the
SafeNet ProtectServer Network HSM console. You can access the console directly by
connecting a keyboard and monitor (not included) to the USB (keyboard) and VGA
(monitor) ports located on the front panel of the SafeNet ProtectServer Network
HSM, or you can access the console remotely by connecting the RJ45 console port to
a terminal emulation device, such as a laptop or terminal server.
Note:
If you want to access the SafeNet ProtectServer Network HSM console remotely
using the console port, you will need a cable. If your terminal device is equipped with
a DB9 serial port, you require a cable with an RJ45 connector on one end and a DB9
serial port on the other end, as illustrated in Figure 4. If your terminal device is
equipped with an RJ45 serial port, you can use an RJ45-to-RJ45 cable, such as an
Ethernet cable. Serial cables are not included.
Figure 4: Serial cable: RJ45 to DB9
Procedure overview
Perform the following steps to complete system testing and network configuration.
Refer to the indicated sections for more detail if required.
1. Connect a keyboard/monitor or serial cable to the SafeNet
ProtectServer Network HSM
In order to access the SafeNet ProtectServer Network HSM console, you must do
one of the following:

• connect a keyboard and monitor (not included) to the USB (keyboard) and
VGA (monitor) ports located on the front panel of the SafeNet
ProtectServer Network HSM.
• use a serial cable (not included) to connect the RJ45 console port to a
terminal emulation device, such as a laptop or terminal server.
If you are using a serial connection, configure your local VT100 or terminal
emulator settings as follows:
Speed (bits per second)   115200
Word length (data bits)   8
Parity                    No
Stop bit                  1
2. Power on the SafeNet ProtectServer Network HSM
Power on the SafeNet ProtectServer Network HSM and the monitor (if
applicable). A green LED on the front of the device will come on and the startup
messages will be displayed to the screen. Power-on is complete when the SafeNet
ProtectServer Network HSM login: prompt is displayed.
3. Login to the console
Following boot up, the SafeNet ProtectServer Network HSM will prompt for login
credentials. If you are using a monitor/keyboard, you can log in as pseoperator,
admin or root. If you are using a serial connection, you can log in as pseoperator
or admin.
• If you log in as pseoperator or admin, you are placed in the PSE shell
(PSESH), which provides a CLI for configuring and managing the
appliance. See “PSESH Command Reference” on page 15.
• If you log in as root, you can manually configure the network settings
using standard Linux commands.
The default passwords for the root, admin, and pseoperator users are as follows:
User name     Default password
root          password
admin         password
pseoperator   password
We strongly recommend that you enter a new password for the admin and
root users. Please remember the passwords. There is no recovery option if you
lose the system’s root password, other than to obtain an RMA number, ship the
unit back to us and have it re-imaged, which is not a warranty service.
4. Run the system test to confirm correct operation
Refer to "System testing" on page 11 for details.

5. Configure the network settings
Refer to “Network configuration” on page 11 for details.
6. Verify that you have SSH network access to the SafeNet
ProtectServer Network HSM (if required)
Refer to "SSH network access" on page 14 for details.
7. Detach keyboard and monitor if no longer required (if applicable)
System testing
Before field test and deployment we recommend that you run the diagnostic utility
hsmstate to ensure that the unit is functioning correctly. To do this type hsmstate at a
command line prompt.
If the unit is functioning correctly a message that includes the following is returned:
NORMAL MODE. RESPONDING.
You can also use the PSE_status command, or the PSESH status command (see
“PSESH Command Reference” on page 15) to verify that the PSE2 is functioning
correctly, as described below.
The PSE_status command
Syntax
PSE_status
Description
This utility displays the current status of the SafeNet ProtectServer Network HSM. It
provides the following information:
• the status of the HSM installed in the SafeNet ProtectServer Network HSM. If
the unit is functioning correctly, a message that includes the following is
returned:
  PSE status NORMAL
• the status and process ID (pid) of the etnetserver process.
Example
[admin@PSe ~] PSE_status
1) HSM device 0: HSM in NORMAL MODE.
2) etnetserver (pid 1026) is running...
PSE status NORMAL
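The hsmstate and PSE_status checks described in this section are easy to script. The following is an added example, not code from the Gemalto guide: POSIX shell functions that parse captured hsmstate and PSE_status output and report the first condition that fails, the kind of check a monitoring job would run before and after a unit is put into service. The healthy sample repeats the guide's own PSE_status output; the degraded sample and its wording are constructed for illustration and do not reproduce the appliance's real error text.

```shell
#!/bin/sh
# Added example; not from the Gemalto guide. It turns the hsmstate and
# PSE_status output documented in this chapter into a scripted health check
# that reports the first failing condition on stderr and exits non-zero.
# The parsing works on captured text, so it can be exercised without an
# appliance.

# hsm_ok TEXT : true if hsmstate output contains the documented healthy string
hsm_ok() {
    printf '%s\n' "$1" | grep -q 'NORMAL MODE\. RESPONDING'
}

# etnetserver_pid TEXT : prints the pid from the etnetserver line, if running
etnetserver_pid() {
    printf '%s\n' "$1" | sed -n 's/.*etnetserver (pid \([0-9][0-9]*\)) is running.*/\1/p'
}

# pse_status_ok TEXT : true only if at least one "HSM device" line is present,
# every "HSM device" line reports NORMAL MODE, etnetserver is running with a
# pid, and the summary line starts with "PSE status NORMAL"
pse_status_ok() {
    out=$1
    printf '%s\n' "$out" | grep -q 'HSM device' \
        || { echo "no HSM device line in PSE_status output" >&2; return 1; }
    if printf '%s\n' "$out" | grep 'HSM device' | grep -vq 'NORMAL MODE'; then
        echo "an HSM device is not in NORMAL MODE" >&2; return 1
    fi
    [ -n "$(etnetserver_pid "$out")" ] \
        || { echo "etnetserver is not running" >&2; return 1; }
    printf '%s\n' "$out" | grep -q '^PSE status NORMAL' \
        || { echo "summary line is not 'PSE status NORMAL'" >&2; return 1; }
}

# Constructed sample outputs. SAMPLE_OK repeats the guide's example; the
# failure wording in SAMPLE_BAD is invented for illustration and is not the
# appliance's actual text.
SAMPLE_OK='1) HSM device 0: HSM in NORMAL MODE.
2) etnetserver (pid 1026) is running...
PSE status NORMAL'
SAMPLE_BAD='1) HSM device 0: HSM in ERROR MODE.
2) etnetserver is not running
PSE status ERROR'

# Demonstration on the two samples.
if pse_status_ok "$SAMPLE_OK"; then echo "sample: healthy"; fi
if pse_status_ok "$SAMPLE_BAD"; then :; else echo "sample: degraded (as expected)"; fi
```

On the appliance, run the functions against live output with `pse_status_ok "$(PSE_status)"` and `hsm_ok "$(hsmstate)"`; a non-zero exit with the reason on stderr is what a cron job or monitoring agent should act on. The check insists on a pid in the etnetserver line and on every HSM device line reporting NORMAL MODE, so a partial or unexpected line is treated as a failure rather than as healthy.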
Network configuration
IPv4 or IPv6 addressing is supported:
• If you are using IPv4 addressing, you can configure the network settings
manually (as root) as described below, or using PSESH (as admin or
pseoperator) as described in “PSESH Command Reference” on page 15.
PSESH is recommended.
• If you are using IPv6 addressing, you must configure the network settings
manually (as root). See “Using IPv6 addressing”, below.
Using IPv6 addressing
IPv6 addressing is supported on the appliance, but must be configured manually by
logging in as root and using standard Linux commands.
IPv6 support is implemented as a dual stack, allowing the appliance to support both
IPv4 and IPv6 simultaneously. That is, you can configure both IPv4 and IPv6
addresses on the eth0 and eth1 interfaces.
Manually setting the IP address
You can configure the eth0 and eth1 interfaces with both an IPv4 and an IPv6 address.
Refer to the Linux documentation for the commands required to set the IPv6 address,
if required.
Note: It is recommended that you use psesh:>network config interface to configure
the IPv4 IP address.
The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1),
each of which can be configured with its own IP address(es). The IP address for each
NIC is specified in the following files:
NIC    Configuration file
eth0   /etc/sysconfig/network-scripts/ifcfg-eth0
eth1   /etc/sysconfig/network-scripts/ifcfg-eth1
Note: If you want to use the eth1 interface, you must
create this file. The recommended method is to copy,
rename, and edit the ifcfg-eth0 file.
The entries in the ifcfg-eth[0|1] files are similar to the following:
DEVICE="eth0"
BOOTPROTO="static"
HWADDR="00:0D:48:3B:15:30"
IPADDR="192.168.9.35"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2607:f0d0:1002:0011:0000:0000:0000:0002
IPV6_DEFAULTGW=2607:f0d0:1002:0011:0000:0000:0000:0001
Edit the files, as required, to specify an IP address and network mask for each NIC.
You must configure one of the NICs. You only need to configure the second NIC if
you intend to use it.
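The following is an added example, not part of the Gemalto manual: it scripts the "copy, rename and edit" approach the manual recommends for bringing up the second NIC, writing an ifcfg file in the format shown above and checking it before networking is restarted. The function names and the NET_SCRIPTS variable are ours; NET_SCRIPTS defaults to the path given in the manual and can be pointed at a scratch directory for a dry run. The addresses used in the test are constructed.

```shell
# Added example (not from the Gemalto manual): generate and validate
# ifcfg-eth[0|1] files in the format the manual shows. Names are ours.
NET_SCRIPTS=${NET_SCRIPTS:-/etc/sysconfig/network-scripts}

# ifcfg_get FILE KEY: print KEY's value with quotes and whitespace removed
# (handles both KEY="value" and KEY=value, as in the manual's listing).
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | head -n 1 | tr -d '"[:space:]'
}

# write_ifcfg DEVICE IPADDR NETMASK [IPV6ADDR [IPV6_DEFAULTGW]]: write a
# static configuration for DEVICE; adds the dual-stack IPv6 keys when given.
# HWADDR is deliberately left out: it is NIC-specific and must not be copied
# from eth0 to eth1.
write_ifcfg() {
    dev=$1; ip4=$2; mask=$3; ip6=$4; gw6=$5
    f=$NET_SCRIPTS/ifcfg-$dev
    {
        printf 'DEVICE="%s"\n' "$dev"
        printf 'BOOTPROTO="static"\n'
        printf 'IPADDR="%s"\n' "$ip4"
        printf 'NETMASK="%s"\n' "$mask"
        printf 'NM_CONTROLLED="yes"\n'
        printf 'ONBOOT=yes\n'
        if [ -n "$ip6" ]; then
            printf 'IPV6INIT=yes\n'
            printf 'IPV6ADDR=%s\n' "$ip6"
            if [ -n "$gw6" ]; then
                printf 'IPV6_DEFAULTGW=%s\n' "$gw6"
            fi
        fi
    } > "$f"
    echo "$f"
}

# validate_ifcfg FILE: succeed only if the keys a static interface needs are
# present and IPADDR/NETMASK look like dotted quads; report what is wrong.
validate_ifcfg() {
    rc=0
    for key in DEVICE BOOTPROTO IPADDR NETMASK ONBOOT; do
        if [ -z "$(ifcfg_get "$1" "$key")" ]; then
            echo "$1: missing $key" >&2
            rc=1
        fi
    done
    for key in IPADDR NETMASK; do
        v=$(ifcfg_get "$1" "$key")
        case $v in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "$1: $key='$v' is not a dotted quad" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

Run write_ifcfg as root on the appliance (or with NET_SCRIPTS set to a temporary directory first), then validate_ifcfg on the result before restarting networking, so that a missing netmask or a mistyped address is caught before the interface is brought up with it.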
Manually setting a hostname and default gateway
Note: It is recommended that you use psesh:>network config interface and
psesh:>network config hostname to set the hostname and gateway, instead of using
the manual procedure below.
Set the default gateway (that this SafeNet ProtectServer Network HSM should use) by
editing the file /etc/sysconfig/network.
If you ever want to address the unit by its name using the loopback connection, you
can set the hostname by editing the /etc/hosts file and the
/etc/sysconfig/network file (which governs external connections).
Setting a name server
Note: It is recommended that you use psesh:>network config dns to set the name
server, instead of using the manual procedure below.
The SafeNet ProtectServer Network HSM processing modules do not have the
resources to operate as their own name servers. If name resolution is required, it needs
to be provided by a DNS server on the network. In order for the SafeNet
ProtectServer Network HSM to use the DNS server, you must add an entry for the
DNS server to the file /etc/resolv.conf, in the following format:
nameserver <IP-ADDRESS>
Setting access control
Note: It is recommended that you use psesh:>network config iptables to configure
the iptables, instead of using the manual procedure below.
Access control on the SafeNet ProtectServer Network HSM is performed using
iptables(8). Below is a list of iptables(8) commands:
iptables -[ADC] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -N chain
iptables -X [chain]
iptables -P chain target [options]
iptables -L [chain]
The following iptables configuration prevents access to all but one IP address:
1. iptables -F INPUT (flushes any existing rules from the INPUT chain)
2. iptables -A INPUT -s [ip-address] -j ACCEPT (accepts traffic from the one
permitted IP address)
3. iptables -A INPUT -j DROP (drops everything else)
Once a table configuration has been created that provides suitable network access, it
can be stored as the active network configuration using the following command:
/etc/init.d/iptables save active
Before iptables(8) is completely configured it should have an inactive table
defined. This is less critical as there is very little running in the operating system by
the time the inactive table is loaded. The following is a suitable inactive table:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
/etc/init.d/iptables save inactive
The active iptables configuration must be restored before connections to the SafeNet
ProtectServer Network HSM are allowed. The following commands restore the
previously saved active configuration:
/etc/init.d/iptables stop
/etc/init.d/iptables start
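The following is an added example, not part of the Gemalto manual: it scripts the three-step allow-list above and generalizes it from one permitted address to any number of management hosts or subnets, rejecting anything that does not look like an IPv4 address or CIDR so that a typo cannot end up as a rule. The function names and the APPLY variable are ours; by default the commands are only printed, and they are executed and saved as the active table (with the manual's /etc/init.d/iptables save active) only when APPLY=1. The addresses in the test are constructed.

```shell
# Added example (not from the Gemalto manual): build the "accept listed hosts,
# drop everything else" INPUT chain for several hosts. Names are ours.

# is_ipv4_or_cidr ADDR: crude syntax check (digits, dots, optional /prefix).
is_ipv4_or_cidr() {
    case $1 in
        ""|*[!0-9./]*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_input_rules HOST...: emit the iptables commands in the manual's order:
# flush INPUT, one ACCEPT per host, then the final DROP. Order matters, since
# iptables evaluates rules top to bottom and the DROP must come last.
build_input_rules() {
    [ $# -ge 1 ] || { echo "usage: build_input_rules HOST..." >&2; return 2; }
    for h in "$@"; do
        is_ipv4_or_cidr "$h" || { echo "rejecting '$h': not an IPv4 address or CIDR" >&2; return 2; }
    done
    echo "iptables -F INPUT"
    for h in "$@"; do
        echo "iptables -A INPUT -s $h -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
}

# apply_input_rules HOST...: print the commands (default) or, with APPLY=1 as
# root, run them with sh -e and store the result as the active table.
apply_input_rules() {
    rules=$(build_input_rules "$@") || return $?
    if [ "${APPLY:-0}" != 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | sh -e || return 1
    /etc/init.d/iptables save active
}
```

Put the address you are administering from in the list before applying: the final DROP rule covers every other source, so a session from an unlisted host loses its connection as soon as the rules take effect. Apply the rules from the console the first time, and define the inactive table separately as the manual describes; this example handles only the active table.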
SSH network access
After you have completed the network configuration, you can access the SafeNet
ProtectServer Network HSM over the network using the SSH protocol. To access the
SafeNet ProtectServer Network HSM using SSH, you require an SSH client such as
PuTTY (available for free from www.putty.org).
Note: You cannot log in as root when accessing the SafeNet ProtectServer Network
HSM over an SSH connection.
Restarting networking
After making any change to the networking configuration, reboot the SafeNet
ProtectServer Network HSM or enter the following command to restart networking:
/etc/init.d/networking restart
Powering off the SafeNet ProtectServer Network HSM
Note: It is recommended that you use psesh:> sysconf appliance poweroff to power
off the appliance.
You can also manually power off the appliance. You must be logged in as root to do
so.
To manually power off the SafeNet ProtectServer Network HSM
1. Enter the shutdown or poweroff command to shut down the operating system. The
fan and LEDs will remain operational.
2. Toggle the power switch, located on the rear of the SafeNet ProtectServer
Network HSM, to the off position. The fan and LEDs will turn off.
Upgrading the SafeNet ProtectServer Network HSM
You can upgrade the SafeNet ProtectServer Network HSM to a later revision using
USB media, such as USB memory sticks or a USB-connected CDROM drive.
Process
1. Select and download the desired SafeNet ProtectServer Network HSM image
upgrade file from the SafeNet Web site at http://www.safenet-inc.com.
2. Place the upgrade files onto the root directory of a USB memory stick or onto a
CDROM.