SafeNet ProtectToolkit
SafeNet ProtectServer Network HSM
Installation and Configuration Guide

Document Information
Product Version 5.3
Document Part Number 007-013682-001
Release Date 05 December 2016
Revision History
Revision Date Reason
Rev. A 05 December 2016 Initial release
Trademarks, Copyrights, and Third-Party Software
Copyright 2009-2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether
registered or not in specific countries, are the property of their respective owners.
Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property
protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal, and personal use only provided that:
• The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all copies.
• This document shall not be posted on any publicly accessible network computer or broadcast in any media, and no
modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise
expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the
information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications
data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all
implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall
Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any
damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or
customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and
disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the
date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security
and notably under the emergence of new attacks.
SafeNet ProtectToolkit Installation and Configuration Guide
Release 5.3 007-013682-001 Rev. A December 2016 Copyright 2009-2016 Gemalto. All rights reserved. 2

Under no circumstances shall Gemalto be held liable for any third party actions and in particular in case of any
successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with
respect to security for direct, indirect, incidental or consequential
damages that result from any use of its products. It is further stressed that independent testing and verification by the
person using the product is particularly encouraged, especially in any application in which defective, incorrect or
insecure functioning could result in damage to persons or property, denial of service, or loss of privacy.
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without
the prior written permission of Gemalto.
CONTENTS
PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration
Guide 6
Customer Release Notes 6
Gemalto Rebranding 6
Audience 7
Document Conventions 7
Notes 7
Cautions 7
Warnings 8
Command Syntax and Typeface Conventions 8
Support Contacts 8
1 Product Overview 10
Front panel view 10
Rear panel view 11
Cryptographic architecture 12
Summary of Cryptographic Service Provider setup 13
2 Hardware Installation 14
Installation procedure 14
3 Testing and Configuration 16
Step 1: Access the Console 16
Step 2: Power on and Log in 17
Step 3: Run System Test 18
hsmstate 18
psesh:> hsm state 18
Step 4: Network Configuration 18
Setting the IP address 19
Setting the hostname and default gateway 19
Setting a name server 20
Setting access control 20
Restarting networking 21
Step 5: SSH Network Access 21
Powering off the SafeNet ProtectServer Network HSM 21
Upgrading the SafeNet ProtectServer Network HSM 21
Troubleshooting 22
4 PSESH Command Reference 23
About PSESH 24
Accessing PSESH 25
exit 26
files 27
help 28
hsm 29
network 30
network dns 32
network interface 33
network interface delete 34
network interface dhcp 35
network interface static 36
network iptables 37
network iptables addrule 39
network iptables delrule 40
network route 41
network route add 42
network route clear 43
network route delete 44
network route show 45
package 46
service 47
status 49
sysconf 53
sysconf appliance 54
sysconf snmp 55
sysconf snmp config 57
sysconf timezone 58
syslog 59
syslog export 60
syslog period 61
syslog remotehost 62
syslog remotehost add 63
syslog remotehost clear 64
syslog remotehost delete 65
syslog remotehost list 66
syslog rotate 67
syslog rotations 68
syslog show 69
syslog tail 70
syslog tarlogs 71
user password 72
APPENDIX A Technical Specifications 73
APPENDIX B Glossary of terms 74
PREFACE About the SafeNet ProtectServer Network HSM Installation and Configuration Guide
PREFACE
About the SafeNet ProtectServer Network
HSM Installation and Configuration Guide
This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer Network
HSM cryptographic services hardware security module (HSM). It contains the following sections:
• "Product Overview" on page 10
• "Hardware Installation" on page 14
• "Testing and Configuration" on page 16
• "PSESH Command Reference" on page 23
• "Technical Specifications" on page 73
• "Glossary of terms" on page 74
This preface also includes the following information about this document:
• "Customer Release Notes" below
• "Gemalto Rebranding" below
• "Audience" on the next page
• "Document Conventions" on the next page
• "Support Contacts" on page 8
For information regarding the document status and revision history, see "Document Information" on page 2.
Customer Release Notes
The customer release notes (CRN) provide important information about this release that is not included in the customer
documentation. It is strongly recommended that you read the CRN to fully understand the capabilities, limitations, and
known issues for this release. You can view or download the latest version of the CRN for this release at the following
location:
http://www.securedbysafenet.com/releasenotes/ptk/crn_ptk_5-3.pdf
Gemalto Rebranding
In early 2015, Gemalto completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the product
portfolios between the two organizations, the Luna name has been removed from the SafeNet HSM product line, with
the SafeNet name being retained. As a result, the product names for SafeNet HSMs have changed as follows:
Old product name                            New product name
ProtectServer External 2 (PSE2)             SafeNet ProtectServer Network HSM
ProtectServer Internal Express 2 (PSI-E2)   SafeNet ProtectServer PCIe HSM
ProtectServer HSM Access Provider           SafeNet ProtectServer HSM Access Provider
ProtectToolkit C (PTK-C)                    SafeNet ProtectToolkit-C
ProtectToolkit J (PTK-J)                    SafeNet ProtectToolkit-J
ProtectToolkit M (PTK-M)                    SafeNet ProtectToolkit-M
ProtectToolkit FM SDK                       SafeNet ProtectToolkit FM SDK
Note: These branding changes apply to the documentation only. The SafeNet HSM software
and utilities continue to use the old names.
Audience
This document is intended for personnel responsible for maintaining your organization's security infrastructure. This
includes SafeNet ProtectToolkit users and security officers, key manager administrators, and network administrators.
All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained by
personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.
The information, processes, and procedures contained in this document are intended for use by trained and qualified
personnel only.
It is assumed that the users of this document are proficient with security concepts.
Document Conventions
This document uses standard conventions for describing the user interface and for alerting you to important information.
Notes
Notes are used to alert you to important or helpful information. They use the following format:
Note: Take note. Contains important or helpful information.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use
the following format:
CAUTION: Exercise caution. Contains important information that may help prevent
unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following
format:
WARNING! Be extremely careful and obey all safety and security measures. In this
situation you might do something that could result in catastrophic data loss or
personal injury.
Command Syntax and Typeface Conventions
Format Convention
bold The bold attribute is used to indicate the following:
• Command-line commands and options (Type dir /p.)
• Button names (Click Save As.)
• Check box and radio button names (Select the Print Duplex check box.)
• Dialog box titles (On the Protect Document dialog box, click Yes.)
• Field names (User Name: Enter the name of the user.)
• Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
• User input (In the Date box, type April 1.)
italics In type, the italic attribute is used for emphasis or to indicate a related document. (See the
Installation Guide for more information.)
<variable> In command descriptions, angle brackets represent variables. You must substitute a value for
command line arguments that are enclosed in angle brackets.
[optional]
[<optional>]
Represent optional keywords or <variables> in a command line description. Optionally enter the
keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to
complete the task.
{a|b|c}
{<a>|<b>|<c>}
Represent required alternate keywords or <variables> in a command line description. You must
choose one command line argument enclosed within the braces. Choices are separated by vertical
(OR) bars.
[a|b|c]
[<a>|<b>|<c>]
Represent optional alternate keywords or variables in a command line description. Choose one
command line argument enclosed within the braces, if desired. Choices are separated by vertical
(OR) bars.
Support Contacts
If you encounter a problem while installing, registering or operating this product, please make sure that you have read
the documentation. If you cannot resolve the issue, please contact your supplier or Gemalto support. Gemalto support
operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan
arrangements made between Gemalto and your organization. Please consult this support plan for further information
about your entitlements, including the hours when telephone support is available to you.
Contact method Contact
Address Gemalto
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Phone Global +1 410-931-7520
Australia 1800.020.183
China (86) 10 8851 9191
France 0825 341000
Germany 01803 7246269
India 000.800.100.4290
Netherlands 0800.022.2996
New Zealand 0800.440.359
Portugal 800.1302.029
Singapore 800.863.499
Spain 900.938.717
Sweden 020.791.028
Switzerland 0800.564.849
United Kingdom 0800.056.3158
United States (800) 545-6608
Web https://safenet.gemalto.com
Support and Downloads https://safenet.gemalto.com/technical-support
Provides access to the Gemalto Knowledge Base and quick downloads for
various products.
Technical Support Customer Portal https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in
to manage incidents, get the latest software upgrades, and access the Gemalto
Knowledge Base.
1
Product Overview
The SafeNet ProtectServer Network HSM is a self-contained, security-hardened server providing hardware-based
cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application
programming interface (API) software, it provides cryptographic services for a wide range of secure applications.
The SafeNet ProtectServer Network HSM is PC-based. The enclosure is a heavy-duty steel case with common PC
ports and controls. Necessary software components come pre-installed on a Linux operating system. Network setting
configuration is required, as described in this document.
The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the SafeNet
ProtectServer Network HSM’s dedicated hardware cryptographic accelerator. These services include encryption,
decryption, signature generation and verification, and key management with a tamper resistant and battery-backed key
storage.
The SafeNet ProtectServer Network HSM must be used with one of SafeNet’s high-level cryptographic APIs. The
following table shows the provider types and their corresponding SafeNet APIs:
API                   SafeNet Product Required
PKCS #11              SafeNet ProtectToolkit-C
JCA / JCE             SafeNet ProtectToolkit-J
Microsoft IIS and CA  SafeNet ProtectToolkit-M
These APIs interface directly with the product’s FIPS 140-2 Level 3 certified core using high-speed DES and RSA
hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.
A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.
Front panel view
The features on the front panel of the SafeNet ProtectServer Network HSM are illustrated below:
Figure 1: SafeNet ProtectServer Network HSM front panel
Ports
The front panel is equipped with the following ports:
VGA Connects a VGA monitor to the appliance.
Console Provides console access to the appliance. See "Testing and Configuration" on page 16.
USB Connects USB devices such as a keyboard or mouse to the appliance.
eth0, eth1 Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network.
HSM USB Connects a smart card reader to the appliance using the included USB-to-serial cable.
HSM serial port pin configuration
The serial port on the USB-to-serial cable, illustrated below, uses a standard RS232 male DB9 pinout:
Figure 2: HSM serial port pinout
LEDs
The front panel is equipped with the following LEDs:
Power Illuminates green to indicate that the unit is powered on.
HDD Flashes amber to indicate hard disk activity.
Status Flashes green on startup.
Reset button
The reset button is located between the USB and Ethernet ports. Pressing the reset button forces an immediate restart
of the appliance. Although it does not power off the appliance, it does restart the software. Pressing the reset button is
service-affecting and is not recommended under normal operating conditions.
Rear panel view
The features on the rear panel of the SafeNet ProtectServer Network HSM are illustrated below:
Figure 3: SafeNet ProtectServer Network HSM rear panel
Tamper lock
The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently
stored on the HSM.
With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical
(Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.
CAUTION: Turning the tamper key from the Active position to the Tamper position deletes any
keys currently stored on the HSM. Deleted keys are not recoverable. Ensure that you always
back up your keys. To avoid accidentally deleting the keys on an operational SafeNet
ProtectServer Network HSM, remove the tamper key after commission and store it in a safe
place.
Cryptographic architecture
A hardware-based cryptographic system consists of three general components:
• One or more hardware security modules (HSMs) for key processing and storage.
• High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide security
services to applications.
• Access provider software to allow communication between the API software and the HSMs.
Operating in network mode, a standalone SafeNet ProtectServer Network HSM can provide key processing and
storage.
In network mode, access provider software is installed on the machine hosting the cryptographic API software. The
access provider allows communication between the API and the SafeNet ProtectServer Network HSM over a TCP/IP
connection. The HSM can therefore be located remotely, improving the security of cryptographic key data.
The figure below depicts a cryptographic service provider using the SafeNet ProtectServer Network HSM in network
mode.
Figure 1: SafeNet ProtectServer Network HSM implementation
Summary of Cryptographic Service Provider setup
These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet
ProtectServer Network HSM in network mode. Relevant links to more detailed documentation are provided at each
step.
1. Install the SafeNet ProtectServer Network HSM (see "Hardware Installation" on page 14).
2. Check that the SafeNet ProtectServer Network HSM is operating correctly (see "Testing and
Configuration" on page 16).
3. Configure the SafeNet ProtectServer Network HSM network settings (see "Testing and Configuration" on
page 16).
4. Install and configure the Network HSM Access Provider software (see the SafeNet HSM Access Provider
Installation Guide).
5. Install the high-level cryptographic API software.
Please refer to the relevant installation guide supplied with the product:
– SafeNet ProtectToolkit-C Administration Guide
– SafeNet ProtectToolkit-J Installation Guide
– SafeNet ProtectToolkit-M User Guide
6. Configure the high-level cryptographic API to allow preferred operating modes. Some of these tasks may
include:
– establishing a trusted channel or secure messaging system (SMS) between the API and the SafeNet
ProtectServer Network HSM.
– establishing communication between the network client and the SafeNet ProtectServer Network HSM.
Please refer to the relevant high-level cryptographic API documentation:
– SafeNet ProtectToolkit-C Administration Guide
– SafeNet ProtectToolkit-J Administration Guide
– SafeNet ProtectToolkit-M User Guide
2
Hardware Installation
This chapter describes how to install the SafeNet ProtectServer Network HSM.
Since the SafeNet ProtectServer Network HSM is delivered with the necessary software pre-installed, no software
installation is necessary on the unit itself.
After installation, confirm that the unit is operating correctly and configure the network settings. These steps are
covered in "Testing and Configuration" on page 16.
Installation procedure
To install the hardware:
1. Choose a suitable location to site the equipment. You can mount the SafeNet ProtectServer Network HSM in a
standard 19-inch rack.
Note: The power supply cord acts as the unit's disconnect device. The main outlet socket to
which the unit is connected must be easily accessible.
2. Connect the SafeNet ProtectServer Network HSM to the network by inserting standard Ethernet cables into the
LAN connectors located on the unit's front face (labelled eth0 and eth1). The client machine(s) with SafeNet
cryptographic API software installed should be hosted on the same network.
Note: The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1)
incorporating an IPv4/IPv6 dual stack, allowing you to configure both an IPv4 and IPv6 address
on each interface. If you intend to use both NICs, connect Ethernet cables to both LAN
connectors.
3. Connect the power cable to the unit and a suitable power source. The SafeNet ProtectServer Network HSM is
equipped with an autosensing power supply that can accept 100-240V at 50-60Hz.
Smart Card Reader Installation
The unit supports the use of smart cards with a SafeNet-supplied smart card reader. Other smart card readers are not
supported.
The SafeNet ProtectServer Network HSM supports two different card readers:
• the new USB card reader (introduced in 5.2)
• the legacy card reader, which provides a serial interface for data (via a USB-to-serial cable) and a PS/2 interface for
power (direct or via a PS/2 to USB adapter)
Installing the USB smart card reader
To install the USB card reader, simply plug the card reader into the HSM USB port, as illustrated below.
Installing the legacy card reader
To install the smart card reader, connect it to the HSM USB port with the included USB-to-serial cable.
The legacy card reader must also be connected to a PS/2 port for its power. Many newer servers have USB ports, but
do not provide a PS/2 connection.
If there is no available PS/2 connection, there are two options:
• Connect a PS/2-to-USB adapter (pink in the image below) between the card reader and a USB port on the SafeNet
ProtectServer Network HSM.
• If, for security reasons, you prefer to not expose USB ports on your crypto server, connect a PS/2-to-USB adapter
cable between the card reader and a standalone powered USB hub. It should be noted that the USB connection is
for power only. No data transfer occurs.
Next, see "Testing and Configuration" on page 16.
3
Testing and Configuration
This chapter provides a step-by-step overview of how to confirm correct operation of the SafeNet ProtectServer
Network HSM, and configure its network settings. These instructions assume that the installation process covered in
"Hardware Installation" on page 14 is complete, and that the user is experienced in configuring Unix/Linux operating
systems.
This chapter contains the following sections:
• "Step 1: Access the Console" below
• "Step 2: Power on and Log in" on the next page
• "Step 3: Run System Test" on page 18
• "Step 4: Network Configuration" on page 18
• "Step 5: SSH Network Access" on page 21
• "Powering off the SafeNet ProtectServer Network HSM" on page 21
• "Upgrading the SafeNet ProtectServer Network HSM" on page 21
• "Troubleshooting" on page 22
Step 1: Access the Console
To test the system and configure the network, you must first access the SafeNet ProtectServer Network HSM
console. There are two options:
• Direct access. Connect a keyboard and monitor (not included) to the USB (keyboard) and VGA (monitor) ports
located on the unit's front panel.
• Remote access. Connect the RJ45 console port to a terminal emulation device, such as a laptop or terminal server.
Note: To access the console remotely through the console port, you will need the appropriate
cable. If your terminal device is equipped with a DB9 serial port, you require a cable with an
RJ45 connector on one end and a DB9 serial port on the other end (see "Serial cable: RJ45 to
DB9" on the next page). If your terminal device is equipped with an RJ45 serial port, you can
use a standard Ethernet cable. Serial cables are not included.
Figure 1: Serial cable: RJ45 to DB9
If you are using a serial connection, configure your local VT100 or terminal emulator settings as follows:
Speed (bits per second) 115200
Word length (data bits) 8
Parity No
Stop bit 1
Step 2: Power on and Log in
Power on the SafeNet ProtectServer Network HSM and the monitor (if applicable). A green LED on the front of the
device will illuminate and the startup messages will be displayed on the monitor.
Power-up is complete when the SafeNet ProtectServer Network HSM login prompt appears:
Protect Server External 5.3.0
PSe-II login:
If you are using a monitor/keyboard, you can log in as pseoperator, admin, or root. If you are using a serial connection,
you can log in as pseoperator or admin.
• If you log in as pseoperator or admin, you are placed in the PSE shell (PSESH), which provides a CLI for
configuring and managing the appliance. See "PSESH Command Reference" on page 23.
• If you log in as root, you can manually configure the network settings using standard Linux commands.
The default passwords for the root, admin, and pseoperator users are as follows:
User name     Default password
root          password
admin         password
pseoperator   password
CAUTION: We strongly recommend that you enter a new password for the admin and root
users. Please remember the passwords. There is no recovery option if you lose the system’s
root password other than to obtain an RMA number, ship the unit back to Gemalto and have it
re-imaged, which is not a warranty service.
Step 3: Run System Test
Before field testing and deployment, run the diagnostic utility.
hsmstate
As root, type hsmstate at a command line prompt. If the unit is functioning correctly, a message is returned that
includes the following:
HSM in NORMAL MODE. RESPONDING.
PSE_status
As root, you can also use the PSE_status command to verify that the HSM is functioning correctly.
This command displays the current status of the SafeNet ProtectServer Network HSM and the status and process ID
(pid) of the etnetserver process. If the unit is functioning correctly, a message is returned that includes the following:
[admin@PSe ~] PSE_status
1) HSM device 0: HSM in NORMAL MODE.
2) etnetserver (pid 1026) is running...
PSE status NORMAL
psesh:> hsm state
If you logged in as admin or pseoperator, use the command hsm state to display the current status.
psesh:>hsm state
HSM device 0: HSM in NORMAL MODE. RESPONDING to requests. Usage Level=0%
State = (0x8000, 0xffffffff)
Host Interface = PSIe2
Command Result : 0 (Success)
You can also use the PSESH command status to check all the HSM's processes. For more information, see "PSESH
Command Reference" on page 23 and "status" on page 49.
Step 4: Network Configuration
IPv4 and IPv6 network addressing are supported. IPv4 addressing can be configured manually (as root) as described
below, or by using PSESH (as admin or pseoperator) as described in "PSESH Command Reference" on page 23.
IPv6 addressing must be configured manually by logging in as root and using standard Linux commands.
Setting the IP address
With PSESH (recommended)
It is recommended that you use psesh:> network interface to configure the IPv4 address, instead of the manual
procedure below. See "network interface" on page 33 for command syntax.
Manually
The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1). Dual-stack support allows you to
configure the interfaces with both an IPv4 and IPv6 address. Refer to the Linux documentation for the commands
required to set the IPv6 address.
The IP address for each NIC is specified in these files:
NIC    Configuration file
eth0   /etc/sysconfig/network-scripts/ifcfg-eth0
eth1   /etc/sysconfig/network-scripts/ifcfg-eth1
Note: If you want to use the eth1 interface, you must create this file. The
recommended method is to copy, rename, and edit the ifcfg-eth0 file.
The entries in the ifcfg-eth[0|1] files are similar to the following:
DEVICE="eth0"
BOOTPROTO="static"
HWADDR="00:0D:48:3B:15:30"
IPADDR="192.168.9.35"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2607:f0d0:1002:0011:0000:0000:0000:0002
IPV6_DEFAULTGW=2607:f0d0:1002:0011:0000:0000:0000:0001
Edit the files as required to specify the IP address and network mask for each NIC. You must configure at least one of
the NICs. The second needs to be configured only if you want to use it.
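The note above recommends creating ifcfg-eth1 by copying, renaming and editing ifcfg-eth0. The POSIX shell script below is an added example, not from the Gemalto manual, that performs that edit by script so that nothing is missed: it rewrites DEVICE, IPADDR and NETMASK after validating them, removes the copied HWADDR line (the MAC address in the copy belongs to eth0, and a mismatched HWADDR stops the new interface from being brought up), and removes the copied IPv6 address lines so the same address is not assigned to both NICs. The function names is_ipv4, derive_ifcfg and sample_ifcfg_eth0 are this example's own; the sample input is the manual's ifcfg-eth0 listing embedded as constructed data, and 192.168.10.35 is a constructed address for eth1.

```shell
#!/bin/sh
# Added example, not from the Gemalto manual: derive the ifcfg file for a
# second NIC from an existing ifcfg-eth0, the "copy, rename, and edit"
# method the manual recommends, with the edits done by script. Assumes the
# KEY="value" layout of the manual's ifcfg-eth0 listing. is_ipv4,
# derive_ifcfg and sample_ifcfg_eth0 are this example's own names.

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0-255.
# (A dotted-quad check only; it does not verify that a netmask is contiguous.)
is_ipv4() {
    _rest=$1.
    _n=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}          # text before the next dot
        _rest=${_rest#*.}            # text after it
        case $_octet in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] 2>/dev/null || return 1
        _n=$((_n + 1))
    done
    [ $_n -eq 4 ]
}

# derive_ifcfg DEVICE IPADDR NETMASK: read ifcfg-eth0 on stdin, write the
# file for DEVICE on stdout. HWADDR is removed because the copied MAC
# address belongs to eth0 and a mismatched HWADDR stops the new interface
# from being brought up; the copied IPv6 address lines are removed so the
# same address is not assigned to both NICs.
derive_ifcfg() {
    _dev=$1; _ip=$2; _mask=$3
    case $_dev in
        eth[0-9] | eth[0-9][0-9]) ;;
        *) echo "derive_ifcfg: bad device name '$_dev'" >&2; return 1 ;;
    esac
    is_ipv4 "$_ip"   || { echo "derive_ifcfg: bad IPADDR '$_ip'" >&2; return 1; }
    is_ipv4 "$_mask" || { echo "derive_ifcfg: bad NETMASK '$_mask'" >&2; return 1; }
    sed -e "s/^DEVICE=.*/DEVICE=\"$_dev\"/" \
        -e "s/^IPADDR=.*/IPADDR=\"$_ip\"/" \
        -e "s/^NETMASK=.*/NETMASK=\"$_mask\"/" \
        -e '/^HWADDR=/d' \
        -e '/^IPV6ADDR=/d' \
        -e '/^IPV6_DEFAULTGW=/d'
}

# Constructed sample input: the ifcfg-eth0 listing from the manual.
sample_ifcfg_eth0() {
    cat <<'EOF'
DEVICE="eth0"
BOOTPROTO="static"
HWADDR="00:0D:48:3B:15:30"
IPADDR="192.168.9.35"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2607:f0d0:1002:0011:0000:0000:0000:0002
IPV6_DEFAULTGW=2607:f0d0:1002:0011:0000:0000:0000:0001
EOF
}

# Demo: run this file with --demo to print a derived ifcfg-eth1 for the
# sample (192.168.10.35 is a constructed address). On the appliance, as
# root, the real input is /etc/sysconfig/network-scripts/ifcfg-eth0 and the
# output is written to ifcfg-eth1 in the same directory after review.
if [ "${1:-}" = "--demo" ]; then
    sample_ifcfg_eth0 | derive_ifcfg eth1 192.168.10.35 255.255.255.0
fi
```

Review the generated file before restarting networking; the IPv6 settings for eth1, if any, still have to be added by hand, as the manual says for IPv6 in general.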
Setting the hostname and default gateway
With PSESH (recommended)
It is recommended that you use psesh:> network interface dhcp or psesh:> network interface static to set the
hostname and gateway, instead of using the manual procedure below. See "network interface dhcp" on page 35 and
"network interface static" on page 36 for command syntax.
Manually
Set the default gateway (that this SafeNet ProtectServer Network HSM should use) by editing the file
/etc/sysconfig/network.
If you ever want to address the unit by its name using the loopback connection, you can set the hostname by editing the
/etc/hosts file and the /etc/sysconfig/network file (which governs external connections).
Setting a name server
With PSESH (recommended)
It is recommended that you use psesh:> network dns to set the name server, instead of using the manual procedure
below. See "network dns" on page 32 for command syntax.
Manually
The SafeNet ProtectServer Network HSM processing modules do not have the resources to operate as their own name
servers. If name resolution is required, it needs to be provided by a DNS server on the network. In order for the SafeNet
ProtectServer Network HSM to use the DNS server, you must add an entry for the DNS server to the file
/etc/resolv.conf, in the following format:
nameserver <IP-ADDRESS>
Setting access control
With PSESH (recommended)
It is recommended that you use psesh:> network iptables to configure the iptables instead of using the manual
procedure below. See "network iptables" on page 37 for command syntax.
Manually
Access control on the SafeNet ProtectServer Network HSM is performed using iptables(8). Below is a list of iptables(8)
commands:
iptables -[ADC] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -N chain
iptables -X [chain]
iptables -P chain target [options]
iptables -L [chain]
The following iptables configuration prevents access to all but one IP address:
1. iptables -F INPUT (deletes any previous chains in the INPUT table)
2. iptables -A INPUT -s [ip-address] -j ACCEPT (sets an IP address which can be accepted)
3. iptables -A INPUT -j DROP (drops everything else)
Once a table configuration has been created that provides suitable network access, it can be stored as the active
network configuration using the following command:
/etc/init.d/iptables save active
Before iptables(8) is completely configured, it should have an inactive table defined. This is less critical, as there is
very little running in the operating system by the time the inactive table is loaded. The following is a suitable inactive
table:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
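The three-step active table above only restricts access if the rules are loaded in that order: the ACCEPT for the client address must come before the catch-all DROP, and nothing may accept traffic without a source. As an added check, not part of the manual, the POSIX shell function below audits an INPUT chain listing in "iptables -S INPUT" format and reports whether the chain ends in a catch-all DROP (or has a DROP policy), whether every ACCEPT names a source with -s (an accept on the loopback interface, -i lo, is tolerated), and whether any ACCEPT was appended after the DROP, where it could never match. audit_input_chain, good_rules and bad_rules are this example's own names; both rule listings are constructed samples, the first being the manual's table as iptables reports it, with 192.168.9.10 as a constructed client address.

```shell
#!/bin/sh
# Added example, not from the Gemalto manual: audit an INPUT chain listing
# in "iptables -S INPUT" format and confirm it matches the manual's intent
# (accept only named client addresses, drop everything else).
# Checks: the chain ends in a catch-all DROP or has a DROP policy; every
# ACCEPT names a source with -s (an accept on -i lo is tolerated); and no
# ACCEPT follows the catch-all DROP, where it could never match.
# audit_input_chain, good_rules and bad_rules are this example's own names.

# audit_input_chain < rules: prints findings and the accepted sources;
# succeeds only when no problem was found.
audit_input_chain() {
    policy=""; last_rule=""; seen_drop=0; problems=0; allowed=""
    while IFS= read -r line; do
        case $line in
            "-P INPUT "*)
                policy=${line#-P INPUT } ;;
            "-A INPUT -j DROP")
                last_rule=$line; seen_drop=1 ;;
            "-A INPUT "*)
                last_rule=$line
                case $line in
                    *" -j ACCEPT"*)
                        if [ $seen_drop -eq 1 ]; then
                            echo "FAIL: unreachable accept after catch-all drop: $line"
                            problems=$((problems + 1))
                        fi
                        case $line in
                            *" -i lo "*)
                                allowed="$allowed lo" ;;
                            *" -s "*)
                                src=${line#* -s }; src=${src%% *}
                                allowed="$allowed $src" ;;
                            *)
                                echo "FAIL: accept without source: $line"
                                problems=$((problems + 1)) ;;
                        esac ;;
                esac ;;
        esac
    done
    if [ "$policy" != DROP ] && [ "$last_rule" != "-A INPUT -j DROP" ]; then
        echo "FAIL: INPUT chain is open (policy='$policy', last rule='$last_rule')"
        problems=$((problems + 1))
    fi
    echo "allowed sources:${allowed:- none}"
    [ $problems -eq 0 ]
}

# Constructed sample: the manual's three-step active table as iptables
# reports it (the client address is shown as /32).
good_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.168.9.10/32 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Constructed sample: the DROP was appended first, so the client rule never
# matches, and a later blanket ACCEPT leaves the chain open.
bad_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -j DROP
-A INPUT -s 192.168.9.10/32 -j ACCEPT
-A INPUT -j ACCEPT
EOF
}

# Demo: run with --demo to audit both samples. On the appliance (as root,
# with an iptables release that supports -S) the live chain is audited with
#   iptables -S INPUT | audit_input_chain
if [ "${1:-}" = "--demo" ]; then
    echo "== constructed good table"; good_rules | audit_input_chain
    echo "== constructed bad table";  bad_rules  | audit_input_chain
fi
```

Run the audit after loading a table and again after "/etc/init.d/iptables save active", so that the saved table is the one that was checked. The function only inspects INPUT; the inactive table shown above also closes OUTPUT and FORWARD, which this check does not cover.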