SafeNet ProtectServer External 2 User manual

ProtectServer External 2 (PSE2)

Installation Guide

Part Number 007-007474-007

Version 5.1

Trademarks

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the

transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without

the prior written permission of SafeNet.

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of

the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential

installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in

accordance with the instructions, may cause harmful interference to radio communications.

However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause

harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the

user is encouraged to try and correct the interference by one or more of the following measures.

Reorient or relocate the receiving antenna.

Increase the separation between the equipment and receiver.

Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

Consult the dealer or an experienced radio/TV technician for help.

To ensure FCC compliance only devices also known to comply should be connected to the adapter’s serial ports. If

such devices do not feature their own cables shielded cables must be used.

Disclaimer

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims

any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right

to revise this publication and to make changes from time to time in the content hereof without the obligation upon

SafeNet to notify any person or organization of any such revisions or changes.

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be

perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in

succeeding releases of the product.

SafeNet invites constructive comments on the contents of this document. Send your comments, together with your

personal and/or company details to the address below:

SafeNet, Inc.

4690 Millennium Drive

Belcamp, Maryland USA 21017

Technical Support

If you encounter a problem while installing, registering or operating this product, please make sure that you have read

the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support. SafeNet support

operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan

arrangements made between SafeNet and your organization. Please consult this support plan for further information

about your entitlements, including the hours when telephone support is available to you.

Contact method

Contact

Address

SafeNet, Inc.

4690 Millennium Drive

Belcamp, Maryland 21017

USA

iii

Phone

Global

+1 410-931-7520

Australia

1800.020.183

China

(86) 10 8851 9191

France

0825 341000

Germany

01803 7246269

India

000.800.100.4290

Netherlands

0800.022.2996

New Zealand

0800.440.359

Portugal

800.1302.029

Singapore

800.863.499

Spain

900.938.717

Sweden

020.791.028

Switzerland

0800.564.849

United Kingdom

0800.056.3158

United States

(800) 545-6608

Web

www.safenet-inc.com

Support and Down-

loads

www.safenet-inc.com/support

Provides access to the SafeNet Knowledge Base and quick downloads for various

products.

Technical Support

Customer Portal

https://serviceportal.safenet-inc.com

Existing customers with a Technical Support Customer Portal account can log in to

manage incidents, get the latest software upgrades, and access the SafeNet

Knowledge Base.

Revision History

Revision

Date

Reason

27 October 2014

Release 5.0

12 August 2015

Release 5.1

Contents

Contents............................................................................................................................................iv

Chapter 1 Introduction.................................................................................................................1

Chapter 2 Product overview ........................................................................................................ 2

Front panel view .............................................................................................................................2

Ports ............................................................................................................................................ 3

LEDs........................................................................................................................................... 3

Reset button ................................................................................................................................ 3

Rear panel view............................................................................................................................... 4

Tamper lock ................................................................................................................................4

Chapter 3 Implementation overview...........................................................................................5

Implementation architecture ........................................................................................................... 5

Implementation steps ......................................................................................................................6

Chapter 4 Installation................................................................................................................... 7

Installation procedure...................................................................................................................... 7

To install the hardware................................................................................................................ 7

Smart Card Reader Installation................................................................................................... 7

Chapter 5 Testing and configuration........................................................................................... 9

Equipment requirements................................................................................................................. 9

Procedure overview ........................................................................................................................9

System testing............................................................................................................................... 11

The PSE_status command......................................................................................................... 11

Setting the IP address.................................................................................................................... 11

Setting a hostname and default gateway....................................................................................... 12

Setting a name server....................................................................................................................12

Setting access control.................................................................................................................... 12

SSH network access...................................................................................................................... 13

Restarting networking................................................................................................................... 13

Powering off the PSE2.................................................................................................................. 13

Upgrading the PSe ........................................................................................................................ 13

Troubleshooting............................................................................................................................ 14

Appendix A Technical specifications........................................................................................15

Chapter 1

Introduction

This Guide is provided as an instructional aid for the installation and configuration of

a ProtectServer External 2 (PSE2) cryptographic services hardware security module

(HSM).

Chapter 2 gives an overview of the product. Both functionality and physical

characteristics are described.

Chapter 3 covers how the product is used to implement a cryptographic service

provider and the setup steps are given. References to further documentation are cited

where needed.

Chapter 4 describes the installation procedure.

Chapter 5 deals with testing and network setting configuration. A troubleshooting

section is included at the end of the chapter.

The technical specification for the product is in Appendix A.

NOTE:

This release applies to the second-generation ProtectServer External appliance, named

ProtectServer External 2 (PSE2). This new hardware variant is ROHS-compliant, and

uses all the software that accompanied the original PSE, namely Ptk-C, Ptk-J, Ptk-M,

and all of their documents, libraries, utilities, etc.

Chapter 2

Product overview

The Protect Server External 2 (PSE2) is a self-contained, security-hardened server

providing hardware based cryptographic functionality through a TCP/IP network

connection. The product is used, together with SafeNet high level application

programming interface (API) software, to implement cryptographic service providers

for a wide range of secure applications.

The PSE2 is PC based. The enclosure (pictured) is a heavy duty steel case and

common PC ports and controls are provided. The unit is delivered with the necessary

software components pre-installed on a Linux operating system, in a “ready to

operate” state. Network setting configuration is required, as described in this

document.

The full range of cryptographic services required by Public Key Infrastructure (PKI)

users is supported by using the PSE2’s dedicated hardware cryptographic accelerator.

These services include encryption, decryption, signature generation and verification,

and key management with a tamper resistant and battery-backed key storage.

To implement a cryptographic service provider, use the PSE2 with one of SafeNet’s

high level cryptographic APIs. The provider types that can be implemented and the

corresponding SafeNet high level cryptographicAPI required are shown in the

following table.

API

SafeNet Product Required

PKCS #11

ProtectToolkit C

JCA / JCE

ProtectToolkit J

Microsoft IIS and CA

ProtectToolkit M

To provide the highest level of security, these APIs interface directly with the

product’s FIPS 140-1 Level 3 certified core. High-speed DES and RSA hardware

based cryptographic processing is used. Key storage is tamper resistant and battery-

backed.

A smart card reader RS232 (V.24) serial port (male DB9 connector) is provided on the

processing module for the secure loading and backup of keys. One smart card reader

with smart cards is also supplied with the unit.

Front panel view

Figure 1 illustrates the front panel of the ProtectServer External 2 appliance.

Figure 1: PSE2 front panel

Ports

The front panel is equipped with the following ports:

VGA

Used to connect a VGA monitor to the appliance.

Console

Used to provide console access to the appliance. See "Equipment

requirements" on page 9.

USB

Used to connect USB devices such as a keyboard or mouse to the

appliance.

eth0

eth1

Used to connect the appliance to the network.

HSM USB

Used to connect a smart card reader to the appliance using the

included USB-to-serial cable.

HSM serial port pin configuration

The serial port on the USB-to-serial cable uses a standard RS232 male DB9 pinout, as

illustrated in Figure 2.

Figure 2: HSM serial port pinout

LEDs

The front panel is equipped with the following LEDs:

Power

Lights green to indicate that the unit is powered on.

HDD

Flashes amber to indicate hard disk activity.

Status

Flashes green on startup. Otherwise not used.

Reset button

The reset button is located between the USB and Ethernet ports. Pressing the reset

button forces an immediate restart of the appliance. Although it does not power off the

appliance, it does restart the software. Pressing the reset button is service affecting

and is not recommended under normal operating conditions.

Rear panel view

Figure 3 illustrates the rear panel of the ProtectServer External 2 appliance.

Figure 3: PSE2 rear panel

Tamper lock

The tamper lock allows you to set the tamper state of the HSM inside the appliance.

You can use the tamper lock during commissioning or decommisioning of the

appliance to destroy any keys currently stored on the HSM.

When the key is in the horizontal (Active) position, the HSM is in normal operating

mode. When the key is in the vertical (Tamper) position, the HSM is in the tamper

state, and any keys previously stored on the HSM are destroyed.

CAUTION!

Turning the tamper key from theActive position to the Tamper position causes any

keys currently stored on the HSM to be deleted. Once the keys are deleted they are

not recoverable. Ensure that you always back up your keys. To avoid accidentally

deleting the keys on an operational PSE2, remove the tamper key after

installation/commissioning and store it in a safe place.

This manual suits for next models

Table of contents

Other SafeNet Server manuals

SafeNet

SafeNet Luna SA User manual

Popular Server manuals by other brands

HP AlphaServer ES47 Cli reference manual

Dell

Dell PowerEdge R410 Getting started

PowerNAS

PowerNAS CMA quick start guide

Supero

Supero FatTwin F617R3-FT user manual

Dell

Dell PowerEdge XE9640 Installation and service manual

Dell

Dell PS4100 Hardware

EtroVISION

EtroVISION EV3151 user manual

HP ProLiant Gen9 user guide

Compaq

Compaq ProLiant 3000 Maintenance and service guide

Dell

Dell PowerEdge 3YPMN Getting started guide

iRobo

iRobo IPC2U user manual

Nortel

Nortel 1000 Con?guration guide user manual

Asus

Asus AP7500 Hardware reference guide

Avid Technology

Avid Technology AirSpeed 5000 manual

HP Integrity rx2600 overview

Milestone

Milestone Husky IVO 350T Getting started

Planet

Planet NAS-7410 user manual

Lenovo

Lenovo ThinkSystem SR635 V3 user guide