Gemalto Safenet protecttoolkitsafenet Operator's manual

SafeNet ProtectToolkitSafeNet

ProtectServer Network HSM

Installation and Configuration Guide

Document Information

Product Version 5.3

Document Part Number 007-013682-001

Release Date 05 December 2016

Revision History

Revision Date Reason

Rev. A 05 December 2016 Initial release

Trademarks, Copyrights, and Third-Party Software

Gemaltoand/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether

registered or not in specific countries, are the property of their respective owners.

Disclaimer

All information herein is either public information or is the property of and owned solely by Gemalto and/or its

subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property

protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any

intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal, and personal use only provided that:

•The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all copies.

•This document shall not be posted on any publicly accessible network computer or broadcast in any media, and no

modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise

expressly agreed in writing, Gemaltomakes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the

information herein. Furthermore, Gemaltoreserves the right to make any change or improvement in the specifications

data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all

implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall

Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any

damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or

customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and

disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the

date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security

and notably under the emergence of new attacks. Under no circumstances, shall Gemaltobe held liable for any third

SafeNet ProtectToolkit Installation and Configuration Guide

party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto

products. Gemaltodisclaims any liability with respect to security for direct, indirect, incidental or consequential

damages that result from any use of its products. It is further stressed that independent testing and verification by the

person using the product is particularly encouraged, especially in any application in which defective, incorrect or

insecure functioning could result in damage to persons or property, denial of service, or loss of privacy.

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the

transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without

the prior written permission of Gemalto.

SafeNet ProtectToolkit Installation and Configuration Guide

CONTENTS

PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration

Guide 6

Customer Release Notes 6

Gemalto Rebranding 6

Audience 7

Document Conventions 7

Notes 7

Cautions 7

Warnings 8

Command Syntax and Typeface Conventions 8

Support Contacts 8

1 Product Overview 10

Front panel view 10

Rear panel view 11

Cryptographic architecture 12

Summary of Cryptographic Service Provider setup 13

2 Hardware Installation 14

Installation procedure 14

3 Testing and Configuration 16

Step 1: Access the Console 16

Step 2: Power on and Log in 17

Step 3: Run System Test 18

hsmstate 18

psesh:> hsm state 18

Step 4: Network Configuration 18

Setting the IP address 19

Setting the hostname and default gateway 19

Setting a name server 20

Setting access control 20

Restarting networking 21

Step 5: SSH Network Access 21

Powering off the SafeNet ProtectServer Network HSM 21

Upgrading the SafeNet ProtectServer Network HSM 21

Troubleshooting 22

4 PSESH Command Reference 23

About PSESH 24

Accessing PSESH 25

exit 26

SafeNet ProtectToolkit Installation and Configuration Guide

files 27

help 28

hsm 29

network 30

network dns 32

network interface 33

network interface delete 34

network interface dhcp 35

network interface static 36

network iptables 37

network iptables addrule 39

network iptables delrule 40

network route 41

network route add 42

network route clear 43

network route delete 44

network route show 45

package 46

service 47

status 49

sysconf 53

sysconf appliance 54

sysconf snmp 55

sysconf snmp config 57

sysconf timezone 58

syslog 59

syslog export 60

syslog period 61

syslog remotehost 62

syslog remotehost add 63

syslog remotehost clear 64

syslog remotehost delete 65

syslog remotehost list 66

syslog rotate 67

syslog rotations 68

syslog show 69

syslog tail 70

syslog tarlogs 71

user password 72

APPENDIX A Technical Specifications 73

APPENDIX B Glossary of terms 74

SafeNet ProtectToolkit Installation and Configuration Guide

PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration Guide

PREFACE

About the SafeNet ProtectServer Network

HSM Installation and Configuration Guide

This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer Network

HSM cryptographic services hardware security module (HSM). It contains the following sections:

•"Product Overview"on page 10

•"Hardware Installation"on page 14

•"Testing and Configuration"on page 16

•"PSESH Command Reference"on page 23

•"Technical Specifications"on page 73

•"Glossary of terms"on page 74

This preface also includes the following information about this document:

•"Customer Release Notes"below

•"Gemalto Rebranding"below

•"Audience"on the next page

•"Document Conventions"on the next page

•"Support Contacts"on page 8

For information regarding the document status and revision history, see "Document Information"on page 2

Customer Release Notes

The customer release notes (CRN) provide important information about this release that is not included in the customer

documentation. It is strongly recommended that you read the CRN to fully understand the capabilities, limitations, and

known issues for this release. You can view or download the latest version of the CRN for this release at the following

location:

http://www.securedbysafenet.com/releasenotes/ptk/crn_ptk_5-3.pdf

Gemalto Rebranding

In early 2015, Gemalto completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the product

portfolios between the two organizations, the Luna name has been removed from the SafeNet HSM product line, with

the SafeNet name being retained. As a result, the product names for SafeNet HSMs have changed as follows:

SafeNet ProtectToolkit Installation and Configuration Guide

PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration Guide

Old product name New product name

ProtectServer External 2 (PSE2) SafeNet ProtectServer Network HSM

ProtectServer Internal Express 2 (PSI-E2) SafeNet ProtectServer PCIe HSM

ProtectServer HSM Access Provider SafeNet ProtectServer HSM Access Provider

ProtectToolkit C (PTK-C) SafeNet ProtectToolkit-C

ProtectToolkit J (PTK-J) SafeNet ProtectToolkit-J

ProtectToolkit M (PTK-M) SafeNet ProtectToolkit-M

ProtectToolkit FM SDK SafeNet ProtectToolkit FM SDK

Note: These branding changes apply to the documentation only. The SafeNet HSM software

and utilities continue to use the old names.

Audience

This document is intended for personnel responsible for maintaining your organization's security infrastructure. This

includes SafeNet ProtectToolkit users and security officers, key manager administrators, and network administrators.

All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained by

personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.

The information, processes, and procedures contained in this document are intended for use by trained and qualified

personnel only.

It is assumed that the users of this document are proficient with security concepts.

Document Conventions

This document uses standard conventions for describing the user interface and for alerting you to important information.

Notes

Notes are used to alert you to important or helpful information. They use the following format:

Note: Take note. Contains important or helpful information.

Cautions

Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use

the following format:

CAUTION: Exercise caution. Contains important information that may help prevent

unexpected results or data loss.

SafeNet ProtectToolkit Installation and Configuration Guide

PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration Guide

Warnings

Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following

format:

WARNING! Be extremely careful and obey all safety and security measures. In this

situation you might do something that could result in catastrophic data loss or

personal injury.

Command Syntax and Typeface Conventions

Format Convention

bold The bold attribute is used to indicate the following:

•Command-line commands and options (Type dir /p.)

•Button names (Click Save As.)

•Check box and radio button names (Select the Print Duplex check box.)

•Dialog box titles (On the Protect Document dialog box, click Yes.)

•Field names (User Name: Enter the name of the user.)

•Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)

•User input (In the Date box, type April 1.)

italics In type, the italic attribute is used for emphasis or to indicate a related document. (See the

Installation Guide for more information.)

<variable> In command descriptions, angle brackets represent variables. You must substitute a value for

command line arguments that are enclosed in angle brackets.

[optional]

[<optional>]

Represent optional keywords or <variables> in a command line description. Optionally enter the

keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to

complete the task.

{a|b|c}

{<a>|<b>|<c>}

Represent required alternate keywords or <variables> in a command line description. You must

choose one command line argument enclosed within the braces. Choices are separated by vertical

(OR) bars.

[a|b|c]

[<a>|<b>|<c>]

Represent optional alternate keywords or variables in a command line description. Choose one

command line argument enclosed within the braces, if desired. Choices are separated by vertical

(OR) bars.

Support Contacts

If you encounter a problem while installing, registering or operating this product, please make sure that you have read

the documentation. If you cannot resolve the issue, please contact your supplier or Gemalto support. Gemalto support

operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan

arrangements made between Gemalto and your organization. Please consult this support plan for further information

about your entitlements, including the hours when telephone support is available to you.

SafeNet ProtectToolkit Installation and Configuration Guide

PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration Guide

Contact method Contact

Address Gemalto

4690 Millennium Drive

Belcamp, Maryland 21017

USA

Phone Global +1 410-931-7520

Australia 1800.020.183

China (86) 10 8851 9191

France 0825 341000

Germany 01803 7246269

India 000.800.100.4290

Netherlands 0800.022.2996

New Zealand 0800.440.359

Portugal 800.1302.029

Singapore 800.863.499

Spain 900.938.717

Sweden 020.791.028

Switzerland 0800.564.849

United Kingdom 0800.056.3158

United States (800) 545-6608

Web https://safenet.gemalto.com

Support and Downloads https://safenet.gemalto.com/technical-support

Provides access to the Gemalto Knowledge Base and quick downloads for

various products.

Technical Support Customer

Portal

https://serviceportal.safenet-inc.com

Existing customers with a Technical Support Customer Portal account can log in

to manage incidents, get the latest software upgrades, and access the Gemalto

Knowledge Base.

SafeNet ProtectToolkit Installation and Configuration Guide

Product Overview

The SafeNet ProtectServer Network HSM is a self-contained, security-hardened server providing hardware-based

cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application

programming interface (API) software, it provides cryptographic services for a wide range of secure applications.

The SafeNet ProtectServer Network HSM is PC-based. The enclosure is a heavy-duty steel case with common PC

ports and controls. Necessary software components come pre-installed on a Linux operating system. Network setting

configuration is required, as described in this document.

The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the SafeNet

ProtectServer Network HSM’s dedicated hardware cryptographic accelerator. These services include encryption,

decryption, signature generation and verification, and key management with a tamper resistant and battery-backed key

storage.

The SafeNet ProtectServer Network HSM must be used with one of SafeNet’s high-level cryptographic APIs. The

following table shows the provider types and their corresponding SafeNet APIs:

API SafeNet Product Required

PKCS #11 SafeNet ProtectToolkit-C

JCA / JCE SafeNet ProtectToolkit-J

Microsoft IIS and CA SafeNet ProtectToolkit-M

These APIs interface directly with the product’s FIPS 140-2 Level 3 certified core using high-speed DES and RSA

hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.

A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.

Front panel view

The features on the front panel of the SafeNet ProtectServer Network HSM are illustrated below:

Figure 1: SafeNet ProtectServer Network HSM front panel

Ports

The front panel is equipped with the following ports:

VGA Connects a VGA monitor to the appliance.

SafeNet ProtectToolkit Installation and Configuration Guide

1 Product Overview

Console Provides console access to the appliance. See "Testing and Configuration"on page 16.

USB Connects USB devices such as a keyboard or mouse to the appliance.

eth0

eth1

Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network.

HSM USB Connects a smart card reader to the appliance using the included USB-to-serial cable.

HSM serial port pin configuration

The serial port on the USB-to-serial cable, illustrated below, uses a standard RS232 male DB9 pinout:

Figure 2: HSM serial port pinout

LEDs

The front panel is equipped with the following LEDs:

Power Illuminates green to indicate that the unit is powered on.

HDD Flashes amber to indicate hard disk activity.

Status Flashes green on startup.

Reset button

The reset button is located between the USB and Ethernet ports. Pressing the reset button forces an immediate restart

of the appliance. Although it does not power off the appliance, it does restart the software. Pressing the reset button is

service-affecting and is not recommended under normal operating conditions.

Rear panel view

The features on the rear panel of the SafeNet ProtectServer Network HSM are illustrated below:

Figure 3: SafeNet ProtectServer Network HSM rear panel

SafeNet ProtectToolkit Installation and Configuration Guide

1 Product Overview

Tamper lock

The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently

stored on the HSM.

With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical

(Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.

CAUTION: Turning the tamper key from the Active position to the Tamper position deletes any

keys currently stored on the HSM. Deleted keys are not recoverable. Ensure that you always

back up your keys. To avoid accidentally deleting the keys on an operational SafeNet

ProtectServer Network HSM, remove the tamper key after commission and store it in a safe

place.

Cryptographic architecture

A hardware-based cryptographic system consists of three general components:

•One or more hardware security modules (HSMs) for key processing and storage.

•High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide security

services to applications.

•Access provider software to allow communication between the API software and the HSMs.

Operating in network mode, a standalone SafeNet ProtectServer Network HSM can provide key processing and

storage.

In network mode, access provider software is installed on the machine hosting the cryptographic API software. The

access provider allows communication between the API and the SafeNet ProtectServer Network HSM over a TCP/IP

connection. The HSM can therefore be located remotely, improving the security of cryptographic key data

The figure below depicts a cryptographic service provider using the SafeNet ProtectServer Network HSM in network

mode.

Figure 1: SafeNet ProtectServer Network HSM implementation

SafeNet ProtectToolkit Installation and Configuration Guide

1 Product Overview

Summary of Cryptographic Service Provider setup

These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet

ProtectServer Network HSM in network mode. Relevant links to more detailed documentation are provided at each

step.

1. Install the SafeNet ProtectServer Network HSM (See "Hardware Installation"on page 14).

2. Check that the SafeNet ProtectServer Network HSM is operating correctly (see "Testing and

Configuration"on page 16).

3. Configure the SafeNet ProtectServer Network HSM network settings (see "Testing and Configuration"on

page 16).

4. Install and configure the Network HSM Access Provider software (see the SafeNet HSM Access Provider

Installation Guide).

5. Install the high-level cryptographic API software.

Please refer to the relevant installation guide supplied with the product:

–SafeNet ProtectToolkit-C Administration Guide

–SafeNet ProtectToolkit-J Installation Guide

–SafeNet ProtectToolkit-M User Guide

6. Configure the high-level cryptographic API to allow preferred operating modes. Some of these tasks may

include:

–establishing a trusted channel or secure messaging system (SMS) between the API and the Safenet

ProtectServer Network HSM.

–establishing communication between the network client and the Safenet ProtectServer Network HSM.

Please refer to the relevant high-level cryptographic API documentation:

–SafeNet ProtectToolkit-C Administration Guide

–SafeNet ProtectToolkit-J Administration Guide

–SafeNet ProtectToolkit-M User Guide

SafeNet ProtectToolkit Installation and Configuration Guide

Hardware Installation

This chapter describes how to install the SafeNet ProtectServer Network HSM.

Since the SafeNet ProtectServer Network HSM is delivered with the necessary software pre-installed, no software

installation is necessary on the unit itself.

After installation, confirm that the unit is operating correctly and configure the network settings. These steps are

covered in "Testing and Configuration"on page 16.

Installation procedure

To install the hardware:

1. Choose a suitable location to site the equipment. You can mount the SafeNet ProtectServer Network HSM in a

standard 19-inch rack.

Note: The power supply cord acts as the unit's disconnect device. The main outlet socket to

which the unit is connected must be easily accessible.

2. Connect the SafeNet ProtectServer Network HSM to the network by inserting standard Ethernet cables into the

LAN connectors located on the unit's front face (labelled eth0 and eth1). The client machine(s) with SafeNet

cryptographic API software installed should be hosted on the same network.

Note: The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1)

incorporating an IPv4/IPv6 dual stack, allowing you to configure both an IPv4 and IPv6 address

on each interface. If you intend to use both NICs, connect Ethernet cables to both LAN

connectors.

3. Connect the power cable to the unit and a suitable power source. The SafeNet ProtectServer Network HSM is

equipped with an autosensing power supply that can accept 100-240V at 50-60Hz.

Smart Card Reader Installation

The unit supports the use of smart cards with a SafeNet-supplied smart card reader. Other smart card readers are not

supported.

The SafeNet ProtectServer Network HSM supports two different card readers:

•the new USB card reader (introduced in 5.2)

•the legacy card reader, which provides a serial interface for data (via a USB-to-serial cable) and a PS/2 interface for

power (direct or via a PS/2 to USB adapter)

SafeNet ProtectToolkit Installation and Configuration Guide

2 Hardware Installation

Installing the USB smart card reader

To install the USB card reader, simply plug the card reader into the HSM USB port, as illustrated below.

Installing the legacy card reader

To install the smart card reader, connect it to the HSM USB port with the included USB-to-serial cable.

The legacy card reader must also be connected to a PS/2 port for its power. Many newer servers have USB ports, but

do not provide a PS/2 connection.

If there is no available PS/2 connection, there are two options:

•Connect a PS/2-to-USB adapter (pink in the image below) between the card reader and a USB port on the SafeNet

ProtectServer Network HSM.

•If, for security reasons, you prefer to not expose USB ports on your crypto server, connect a PS/2-to-USB adapter

cable between the card reader and a standalone powered USB hub. It should be noted that the USB connection is

for power only. No data transfer occurs.

Next, see "Testing and Configuration"on page 16.

SafeNet ProtectToolkit Installation and Configuration Guide

Testing and Configuration

This chapter provides a step-by-step overview of how to confirm correct operation of the Safenet ProtectServer

Network HSM, and configure its network settings. These instructions assume that the installation process covered in

"Hardware Installation"on page 14 is complete, and that the user is experienced in configuring Unix/Linux operating

systems.

This chapter contains the following sections:

•"Step 1: Access the Console"below

•"Step 2: Power on and Log in"on the next page

•"Step 3: Run System Test"on page 18

•"Step 4: Network Configuration"on page 18

•"Step 5: SSH Network Access"on page 21

•"Powering off the SafeNet ProtectServer Network HSM"on page 21

•"Upgrading the SafeNet ProtectServer Network HSM"on page 21

•"Troubleshooting"on page 22

Step 1: Access the Console

To test the system and configure the network, you must first access the SafeNet ProtectServer Network HSM

console. There are two options:

•Direct access. Connect a keyboard and monitor (not included) to the USB (keyboard) and VGA (monitor) ports

located on the unit's front panel.

•Remote access. Connect the RJ45 console port to a terminal emulation device, such as a laptop or terminal server.

Note: To access the console remotely through the console port, you will need the appropriate

cable. If your terminal device is equipped with a DB9 serial port, you require a cable with an

RJ45 connector on one end and a DB9 serial port on the other end (see "Serial cable: RJ45 to

DB9"on the next page). If your terminal device is equipped with an RJ45 serial port, you can

use a standard Ethernet cable. Serial cables are not included.

SafeNet ProtectToolkit Installation and Configuration Guide

3 Testing and Configuration

Figure 1: Serial cable: RJ45 to DB9

If you are using a serial connection, configure your local VT100 or terminal emulator settings as follows:

Speed (bits per second) 115200

Word length (data bits) 8

Parity No

Stop bit 1

Step 2: Power on and Log in

Power on the SafeNet ProtectServer Network HSM and the monitor (if applicable). A green LED on the front of the

device will illuminate and the startup messages will be displayed on the monitor.

Power-up is complete when the SafeNet ProtectServer Network HSM login prompt appears:

Protect Server External 5.3.0

PSe-II login:

If you are using a monitor/keyboard, you can log in as pseoperator,admin or root. If you are using a serial connection,

you can log in as pseoperator or admin.

•If you log in as pseoperator or admin, you are placed in the PSE shell (PSESH), which provides a CLI for

configuring and managing the appliance. See "PSESH Command Reference"on page 23.

•If you log in as root, you can manually configure the network settings using standard Linux commands.

The default passwords for the root,admin, and pseoperator users are as follows:

User name Default password

root password

admin password

pseoperator password

SafeNet ProtectToolkit Installation and Configuration Guide

3 Testing and Configuration

CAUTION: We strongly recommend that you enter a new password for the admin and root

users. Please remember the passwords. There is no recovery option if you lose the system’s

root password other than to obtain an RMA number, ship the unit back to Gemalto and have it

re-imaged, which is not a warranty service.

Step 3: Run System Test

Before field testing and deployment, run the diagnostic utility.

hsmstate

As root, type hsmstate at a command line prompt. If the unit is functioning correctly, a message is returned that

includes the following:

HSM in NORMAL MODE. RESPONDING.

PSE_status

As root, you can also use the PSE_status command to verify that the HSM is functioning correctly.

This command displays the current status of the SafeNet ProtectServer Network HSM and the status and process ID

(pid) of the etnetserver process. If the unit is functioning correctly, a message is retuned that includes the following:

[admin@PSe ~] PSE_status

1) HSM device 0: HSM in NORMAL MODE.

2) etnetserver (pid 1026) is running...

PSE status NORMAL

psesh:> hsm state

If you logged in as admin or pseoperator, use the command hsm state to display the current status.

psesh:>hsm state

HSM device 0: HSM in NORMAL MODE. RESPONDING to requests. Usage Level=0%

State = (0x8000, 0xffffffff)

Host Interface = PSIe2

Command Result : 0 (Success)

You can also use the PSESH command status to check all the HSM's processes. For more information, see "PSESH

Command Reference"on page 23 and "status"on page 49.

Step 4: Network Configuration

IPv4 and IPv6 network addressing are supported. IPv4 addressing can be configured manually (as root) as described

below, or by using PSESH (as admin or pseoperator) as described in "PSESH Command Reference"on page 23.

IPv6 addressing must be configured manually by logging in as root and using standard Linux commands.

SafeNet ProtectToolkit Installation and Configuration Guide

3 Testing and Configuration

Setting the IP address

With PSESH (recommended)

It is recommended that you use psesh:> network interface to configure the IPv4 address, instead of the manual

procedure below. See "network interface"on page 33 for command syntax.

Manually

The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1). Dual-stack support allows you to

configure the interfaces with both an IPv4 and IPv6 address. Refer to the Linux documentation for the commands

required to set the IPv6 address.

The IP address for each NIC is specified in these files:

NIC Configuration file

eth0 /etc/sysconfig/network-scripts/ifcfg-eth0

eth1 /etc/sysconfig/network-scripts/ifcfg-eth1

Note: If you want to use the eth1 interface, you must create this file. The

recommended method is to copy, rename, and edit the ifcfg-eth0 file.

The entries in the ifcfg-eth[0|1] files are similar to the following:

DEVICE= "eth0"

BOOTPROTO="static"

HWADDR="00:0D:48:3B:15:30"

IPADDR="192.168.9.35"

NETMASK="255.255.255.0"

NM_CONTROLLED="yes"

ONBOOT=yes

IPV6INIT=yes

IPV6ADDR=2607:f0d0:1002:0011:0000:0000:0000:0002

IPV6_DEFAULTGW=2607:f0d0:1002:0011:0000:0000:0000:0001

Edit the files as required to specify the IP address and network mask for each NIC. You must configure at least one of

the NICs. The second needs to be configured only if you want to use it.

Setting the hostname and default gateway

With PSESH (recommended)

It is recommended that you use psesh:> network interface dhcp or psesh:> network interface static to set the

hostname and gateway, instead of using the manual procedure below. See "network interface dhcp"on page 35 and

"network interface static"on page 36 for command syntax.

Manually

Set the default gateway (that this SafeNet ProtectServer Network HSM should use) by editing the file

/etc/sysconfig/network.

If you ever want to address the unit by its name using the loopback connection, you can set the hostname by editing the

/etc/hosts file and the /etc/sysconfig/network file (which governs external connections).

SafeNet ProtectToolkit Installation and Configuration Guide

3 Testing and Configuration

Setting a name server

With PSESH (recommended)

It is recommended that you use psesh:> network dns to set the name server, instead of using the manual procedure

below. See "network dns"on page 32 for command syntax.

Manually

The SafeNet ProtectServer Network HSM processing modules do not have the resources to operate as their own name

servers. If name resolution is required, it needs to be provided by a DNS server on the network. In order for the SafeNet

ProtectServer Network HSM to use the DNS server, you must add an entry for the DNS server to the file

/etc/resolv.conf, in the following format:

nameserver <IP-ADDRESS>

Setting access control

With PSESH (recommended)

It is recommended that you use psesh:>network iptables to configure the iptables instead of using the manual

procedure below. See "network iptables"on page 37 for command syntax.

Manually

Access control on the SafeNet ProtectServer Network HSM is performed using iptables(8). Below is a list of iptables

(8) commands:

iptables -[ADC] chain rule-specification [options]

iptables -I chain [rulenum] rule-specification [options]

iptables -R chain rulenum rule-specification [options]

iptables -D chain rulenum [options]

iptables -[LFZ] [chain] [options]

iptables -N chain

iptables -X [chain]

iptables -P chain target [options]

iptables –L [chain]

The following iptables configuration prevents access to all but one IP address:

1. iptables -F INPUT (deletes any previous chains in the INPUT table)

2. iptables -A INPUT -s [ip-address] -j ACCEPT (sets an IP address which can be accepted)

3. iptables -A INPUT -j DROP (drops everything else)

Once a table configuration has been created that provides suitable network access, it can be stored as the active

network configuration using the following command:

/etc/init.d/iptables save active

Before iptables(8) is completely configured, it should have an inactive table defined. This is less critical, as there is

very little running in the operating system by the time the inactive table is loaded. The following is a suitable inactive

table:

iptables -F INPUT

iptables -F OUTPUT

iptables -F FORWARD

iptables -A INPUT -j DROP

iptables -A OUTPUT -j DROP

SafeNet ProtectToolkit Installation and Configuration Guide

This manual suits for next models

Table of contents

Other Gemalto Server manuals

Gemalto

Gemalto SafeNet ProtectServer PCIe HSM User manual

Popular Server manuals by other brands

Supero

Supero SUPERSERVER 6027B-URF user manual

Dell

Dell PE R720XD Getting started guide

Digital Equipment

Digital Equipment Prioris XL 6000 Series installation guide

HPE

HPE 3PAR StoreServ Software user's guide

Obvius, LLC

Obvius, LLC AcquiLite A7810-0 Installation and operation manual

ICP DAS USA

ICP DAS USA PDS-700 Series user manual

Supermicro

Supermicro A+ AS-1125HS-TNR user manual

Comtech EF Data

Comtech EF Data CMR-8500 quick start guide

Avid Technology

Avid Technology AirSpeed 5000 Upgrade guide

QUANTA

QUANTA STRATOS S210 Series S210-X12RS user guide

IBM

IBM xSeries 380 Hardware Maintenance Manual

disguise

disguise 2x2plus Hardware guide

Intel

Intel P4308CP4MHEN Quick installation user's guide

Fujitsu

Fujitsu PRIMEQUEST 2000 Series manual

Nortel

Nortel CallPilot 1005r Hardware installation

Dell

Dell PowerEdge 4600 manual

Sun Microsystems

Sun Microsystems Sun SPARC Enterprise M4000 installation guide

Nortel

Nortel Enterprise Edge 2.0 Messaging user guide

Gemalto SafeNet ProtectToolkitSafeNet Operator's manual

Popular Server manuals by other brands