SafeNet ProtectServer Internal Express 2 User manual
ProtectServer Internal Express 2 (PSI-E2)
Installation Guide
© 2000-2015 SafeNet, Inc. All rights reserved.
Part Number 007-002924-006
Version 5.1
Trademarks
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without
the prior written permission of SafeNet.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of
the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications.
However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause
harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the
user is encouraged to try and correct the interference by one or more of the following measures.
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
To ensure FCC compliance only devices also known to comply should be connected to the adapter’s serial ports. If
such devices do not feature their own cables shielded cables must be used.
Disclaimer
SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims
any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right
to revise this publication and to make changes from time to time in the content hereof without the obligation upon
SafeNet to notify any person or organization of any such revisions or changes.
We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be
perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in
succeeding releases of the product.
SafeNet invites constructive comments on the contents of this document. Send your comments, together with your
personal and/or company details to the address below:
SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland USA 21017
Technical Support
If you encounter a problem while installing, registering or operating this product, please make sure that you have read
the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support. SafeNet support
operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan
arrangements made between SafeNet and your organization. Please consult this support plan for further information
about your entitlements, including the hours when telephone support is available to you.
Contact method
Contact
Address
SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Phone
Global
+1 410-931-7520
Australia
1800.020.183
China
(86) 10 8851 9191
France
0825 341000
Germany
01803 7246269
India
000.800.100.4290
Netherlands
0800.022.2996
New Zealand
0800.440.359
Portugal
800.1302.029
Singapore
800.863.499
Spain
900.938.717
Sweden
020.791.028
Switzerland
0800.564.849
United Kingdom
0800.056.3158
United States
(800) 545-6608
Web
www.safenet-inc.com
Support and Down-
loads
www.safenet-inc.com/support
Provides access to the SafeNet Knowledge Base and quick downloads for various
products.
Technical Support
Customer Portal
https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in to
manage incidents, get the latest software upgrades, and access the SafeNet
Knowledge Base.
Revision History
Revision
Date
Reason
A
27 October 2014
Release 5.0
B
07 November 2014
Corrected jumper header illustration.
C
12 August 2015
Release 5.1
Table of Contents
FCC Compliance.........................................................................................................................ii
Technical Support .......................................................................................................................ii
Chapter 1 Introduction................................................................................................................... 1
Product Overview ........................................................................................................................... 1
About This Manual ......................................................................................................................... 1
Chapter 2 ProtectServer Internal Express 2 (PSI-E2) Installation ................................................3
Installation Summary......................................................................................................................3
Adapter Features.............................................................................................................................3
The Card Faceplate .....................................................................................................................3
Battery and Jumper Headers.......................................................................................................4
Installing the Adapter...................................................................................................................... 5
PCI HSM Access Provider Installation........................................................................................... 5
Smart Card Reader Installation.......................................................................................................5
Completing Installation................................................................................................................... 6
Chapter 3 Troubleshooting............................................................................................................7
Overview......................................................................................................................................... 7
Known Issues.................................................................................................................................. 7
Problem....................................................................................................................................... 7
Solution....................................................................................................................................... 7
Problem....................................................................................................................................... 7
Solution....................................................................................................................................... 7
Problem....................................................................................................................................... 7
Solution....................................................................................................................................... 8
Problem....................................................................................................................................... 8
Solution....................................................................................................................................... 8
Simple Fault Diagnosis................................................................................................................... 8
Fault Diagnosis Utilities ............................................................................................................. 8
Fault Diagnosis Procedure..........................................................................................................8
Chapter 4 Hardware Reference...................................................................................................... 9
Adapter Modification for External Tamper Detectors....................................................................9
The Battery...................................................................................................................................... 9
Testing the battery.....................................................................................................................10
Port Specifications........................................................................................................................10
THIS PAGE INTENTIONALLY LEFT BLANK
Chapter 1
Introduction
Product Overview
The ProtectServer Internal Express 2 (PSI-E2) is the second-generation intelligent
cryptographic services PCI-E adapter, replacing the ProtectServer PSI-E.
When using the ProtectServer, generic processing or high-speed DES and RSA
hardware acceleration may be employed. Secure key storage is provided using
persistent, tamper protected memory. In addition, multiple adapters may be used in a
single host computer in order to improve throughput or to provide redundancy.
About This Manual
This manual is provided as an instructional aid for the installation of a ProtectServer
cryptographic services hardware adapter.
Installation of the associated SafeNet PCI HSM Access Provider package
(PTKpcihsm2) is described in the companion manual, ProtectServer HSM Access
Provider Installation Guide. The Safenet PCI HSM Access Provider package includes
the device driver.
Chapter 2 provides the overall installation procedure.
Chapter 3 provides some troubleshooting guidance.
Appendix A is a hardware reference. This provides instructions on how to modify the
adapter’s printed circuit board when external tamper detectors are to be used. The
adapter’s serial port specifications are also documented here.
THIS PAGE INTENTIONALLY LEFT BLANK
Chapter 2
ProtectServer Internal Express 2 (PSI-
E2) Installation
Installation Summary
To install and commission a PSI-E2 card and its associated software, follow the steps
below. Where required, these steps are covered in more detail in the sections that
follow.
1. Check the items received to ensure none are missing. A separate page that
lists the items included is provided for this purpose.
2. Move the battery jumper from the OFF position to the ON position (see “The
Battery Jumper Header” on page 4).
3. If an external tamper detector is to be used, ensure that the external device
has a two-conductor cable with a connector suitable to mate with the tamper-detect
connector on the ProtectServer adapter (detailed at the beginning of Appendix A).
4. Install the PSI-E2 card in the host computer system.
5. Install the PCI HSMAccess Provider package that includes the device driver
and confirm the correct operation of the adapter and driver installation.
6. Use the included USB-to-serial cable to attach a serial device Install the
smart card reader if provided.
7. Install the SafeNet application programming interface (API) or net server
software supplied with the product.
Adapter Features
The PSI-E2 HSM is a standard PCI-E device that can be fitted into any spare PCI -E
slot on the motherboard in formats x4, x8, or x16.
The Card Faceplate
The faceplate of the card provides two ports, as illustrated below:
The USB Port
The USB port is used to connect a serial device, such as a smart card reader, to the
card using the included USB-to-serial adapter.
The MSDM Connector
The micro-D subminiature (MDSM) connector is not used.
Battery and Jumper Headers
The card is also equipped with a battery and a series of jumper headers located at the
rear of the card, as illustrated below:
The Battery
The battery mounted directly to the PSI-E2 card and maintains the internal flash
memory. Transport mode requires that the battery remain connected.
If the HSM is to be kept in storage (without keys present) it is recommended that you
isolate or disconnect the battery to avoid wearing it down, thus extending its lifespan.
You can use the ctconf command to test the condition of the battery. If the Battery
Status indication does not report as GOOD, backup the HSM keys before powering
down the PC to avoid losing the keys.
Note: Disconnecting the battery deletes all key material on the HSM. Ensure that you
back up you HSM before disconnecting the power. The keys are not deleted
immediately. Capacitors continue to supply power for approximately 30 seconds after
battery disconnect.
The Battery Jumper Header
The battery jumper is a three-pin jumper that is used to engage or disengage the
battery.
The battery is in the ON position when a jumper is inserted on the center and right
pins, as shown above. The card ships with the jumper installed in the OFF position
The battery is in the OFF position when a jumper is inserted on the center and left
pins. This setting is not required for normal operation.
CAUTION! Do not change the jumper setting unless instructed by SafeNet support.
The Decommission Jumper Header
Place a jumper on the decommission jumper header to decommission the HSM.
Decommissioning deletes all of the key material on the HSM.
The Tamper Input Header
The tamper-input header used to connect an external tamper device to the card. By
default it has a jumper in place, across the two pins in the header. If an external
tamper detection device is to be used, run a two-wire cable to your chassis-tamper
switch or other device that must operate to open the circuit if a tamper event occurs.
The Polarity Jumper Header
The polarity jumper header is used to configure the operating mode of the card. Do
not change the jumper setting for this header.
Installing the Adapter
The adapter is a PCI Specification 2.2 compliant device. It may be fitted in any spare
PCI -E slot on the motherboard in formats x4, x8, or x16. If you are unsure which is a
PCI-E slot, please consult the documentation accompanying your host system
motherboard.
If you are using a tamper-detection device, route the cable to it before closing the
computer cover.
PCI HSM Access Provider Installation
After successful installation of the adapter, the next steps are to:
1. Install the SafeNet PSI-E2 HSM Access Provider package (PTKpcihsm2).
2. Confirm the correct operation of the adapter and driver package.
These steps are covered in the ProtectServer HSM Access Provider Installation Guide
for both Windows and Unix/Linux systems.
Smart Card Reader Installation
The ProtectServer offers functionality supporting the use of smart cards. To make use
of these features, a SafeNet-supplied smart card reader must be used. Smart card
readers, other than those supplied by SafeNet, are not supported.
To install the smart card reader, use the included USB-to-serial cable to connect it to
the USB port on the card faceplate.
The card reader qualified with the ProtectServer product also requires connection to a
PS/2 port for its power. Many newer servers have USB ports, but do not provide a
PS/2 connection.
The options are:
Connect a PS/2-to-USB adapter cable between the card reader and a USB port on
your computer.
If you prefer to not expose USB ports on your crypto server (for security reasons),
then connect a PS/2-to-USB adapter cable between the card reader and a
standalone powered USB hub.
Again, the USB connection is for power only. No data transfer occurs.
Completing Installation
Following the PCI HSM Access Provider installation, to make use of the
ProtectServer, you will need to install the supplied SafeNet API or net server
software.
Please refer to the installation instructions in the appropriate manual, such as the
ProtectToolkit C Installation Guide.
Chapter 3
Troubleshooting
Overview
The most common problem encountered with installing the ProtectServer is that the
device driver is not loaded or functioning correctly.
Should you encounter any difficulties, first check that you have followed all the
installation instructions in this manual and the Hardware Security Module Access
Provider Install & Configuration Guide. The information provided below may be of
further assistance. If you still cannot resolve the issue, please contact your supplier or
SafeNet Support. See the Preface for further information.
Known Issues
Problem
The MSI (Microsoft Installer) application does not complete installation, or is left in
an unstable state.
Solution
This fault can occur if there are no free IRQs that can be assigned to the device. Make
sure the device is assigned an IRQ. The IRQs assigned to devices are usually
displayed when a system is powered up.
Problem
The system locks up after installation of the PCI HSM Access Provider device driver
package. This may happen if a prior version of the device driver exists on the system.
Solution
1. Power down and remove the adapter.
2. Power up.
3. Uninstall all versions (old and new) of the PCI HSM Access Provider /
device driver package.
4. Power down and re-install the adapter.
5. Power up and reinstall the PCI HSMAccess Provider package.
Problem
Following re-installation of a previously removed adapter or the addition of another
adapter, the device driver cannot find the device or an adapter is not responding.
Solution
Confirm that the adapter(s) are firmly seated in the PCI slot, then uninstall the PCI
HSM Access Provider package. Following this, perform a fresh install of the PCI
HSM Access Provider package.
Problem
When operating multiple adapters under Windows 2000 or later, the adapters run
slowly or even stall. Some commands may work correctly on one adapter, but not the
other.
Solution
This problem may be resolved by resetting the configuration data in the host system
BIOS.
Simple Fault Diagnosis
Fault Diagnosis Utilities
To carry out simple fault diagnosis, SafeNet hardware maintenance utilities can be
used. These are installed as part of the ProtectServer PCI HSM Access Provider
installation. There are two utilities: hsmstate and hsmreset
Further information about these utilities, beyond what is covered in this chapter, can
be found in the Hardware Security Module Access Provider Install & Configuration
Guide.
Fault Diagnosis Procedure
From a command prompt, execute hsmstate. The output from the utility should include
“... NORMAL mode, Responding”.
If the utility reports “... HALTED due to a failure”:
oExecute hsmreset.
oFollowing the reset, check to see if the hsmstate is now reporting
NORMAL operation.
If the utility reports “... waiting for tamper cause to be removed”:
oCheck to see that external tamper detectors connected to the board are correctly
configured if these are being used.
oMake sure the adapter is sitting firmly and correctly in the PCI slot.
Chapter 4
Hardware Reference
Adapter Modification for External Tamper Detectors
Provision has been made to allow users to connect additional tamper detection devices
using the tamper input header, located on the rear of the card, as illustrated below.
To fit an external tamper detection device, such as a micro switch on the cover of the
host system, first remove the default jumper/shunt that bridges the two posts in the
ProtectServer adapter's tamper input header. Connect your external tamper device in
place of that shunt. You will need the cable end from your tamper-detection device to
match the Molex socket on the adapter.
The required insertable shell, or connector housing is Molex part 35507-0200. It must
be installed on the end of your tamper-device's two-wire cable, in order to insert into
the tamper-detection socket on the ProtectServer adapter.
Crimp a pair of Molex 50212-8100, 2mm WTB crimp terminals to the ends of the
wires coming from your tamper switch, and insert the crimped terminal sockets into
the Molex connector housing.
Plug the connector end of the assembled cable into the tamper-detect socket on the
PSI-E adapter.
In the un-tampered condition, any external device must provide a low impedance path
(i.e., short circuit) between the posts of the tamper-detect connector.In the tampered
condition, the external device must show an open circuit.
The Battery
The adapter is fitted with a battery, which is used to maintain keys and the correct
time on the adapter when the PCI-E connector is un-powered (such as, when the Host
computer is shutdown).
The expected lifetime of the battery is 10 years, so it should not require replacement
in the normal lifetime of the adapter.
Testing the battery
You can use the utilities provided with the adapter to query the state of the battery, but
it reports only “low” or not (see below). For example, if Protect Toolkit C is being
used, then the ctconf utility displays the state of the battery (Good/Low). See the
Administration Guides for the software you are running for details on how you can
check the battery status.
The RealTime Clock and memory retain their data as long as the adapter is in a
powered system. The RTC performs a check of battery level daily. If a low-battery
warning is detected on a PSI-E2 adapter that has been un-powered/removed from a
system, then the data in the memory can be considered suspect. If a low-battery
warning is detected on a PSI-E2 adapter that has been continuously powered, then the
data in memory can be trusted (for you to make a backup before proceeding with
battery replacement).
Port Specifications
The USB-to-serial cable provides an RS232 port with pin outs as shown in Figure 6.
That port can be used for connecting a smart card reader or some other serial device.
Figure 6 –Adapter serial connector
END OF DOCUMENT
This manual suits for next models
1
Table of contents
