Thales SafeNet ProtectServer Network HSM Plus 5.8 Operator's manual

SafeNet ProtectServer Network HSM Plus
5.8
INSTALLATION AND CONFIGURATION GUIDE

Document Information
Product Version 5.8
Document Part Number 007-013682-006
Release Date 08 January 2020
Revision History
Revision Date Reason
Rev. A 08 January 2020 Initial release
Trademarks, Copyrights, and Third-Party Software
Copyright 2009-2020 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service
marks of Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and
service marks, whether registered or not in specific countries, are the property of their respective owners.
Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise,
under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal, and personal use only provided that:
>The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all
copies.
>This document shall not be posted on any publicly accessible network computer or broadcast in any media,
and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In
no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or
SafeNet ProtectToolkit 5.8 Installation and Configuration Guide
007-013682-006 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto 2

consequential damages or any damages whatsoever including but not limited to damages resulting from loss
of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of
information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves according
to the state of the art in security and notably under the emergence of new attacks. Under no circumstances,
shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against
systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security
for direct, indirect, incidental or consequential damages that result from any use of its products. It is further
stressed that independent testing and verification by the person using the product is particularly encouraged,
especially in any application in which defective, incorrect or insecure functioning could result in damage to
persons or property, denial of service, or loss of privacy.
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or
otherwise without the prior written permission of Gemalto.

CONTENTS
Preface: About the SafeNet ProtectServer Network HSM Plus Installation and Configuration
Guide 6
Gemalto Rebranding 6
Audience 7
Document Conventions 7
Support Contacts 9
Chapter 1: Product Overview 10
Physical Features 10
Front panel view 10
Rear panel view 12
Cryptographic architecture 13
Summary of Cryptographic Service Provider setup 14
Chapter 2: SafeNet ProtectServer Network HSM Plus Hardware Installation 15
SafeNet ProtectServer Network HSM Plus Required Items 16
Installing the SafeNet ProtectServer Network HSM Plus Hardware 19
Installation Notes 19
Installing the SafeNet ProtectServer Network HSM Plus Hardware 19
Chapter 3: Deployment Guidelines 23
Secure Messaging System (SMS) 23
Networking and Firewall Configuration 24
Separation of Roles 24
Chapter 4: Testing and Configuration 26
First Login and System Test 26
Access the Console 26
Power on and Log in 27
Run System Test 27
Network Configuration 28
Gathering Appliance Network Information 28
Configuring the Network Parameters 29
SSH Network Access 32
Powering off the SafeNet ProtectServer Network HSM Plus 32
Troubleshooting 32
Updating the Appliance Software Image 33
Installing the Secure Update Package Patch 33
Updating the Appliance Software 33

PREFACE: About the SafeNet ProtectServer
Network HSM Plus Installation and
Configuration Guide
This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer
Network HSM Plus cryptographic services hardware security module (HSM). It contains the following sections:
>"Product Overview" on page 10
>"SafeNet ProtectServer Network HSM Plus Hardware Installation" on page 15
>"Testing and Configuration" on page 1
>"Technical Specifications" on page 35
>"Updating the Appliance Software Image" on page 33
This preface also includes the following information about this document:
>"Gemalto Rebranding" below
>"Audience" on the next page
>"Document Conventions" on the next page
>"Support Contacts" on page 9
For information regarding the document status and revision history, see "Document Information" on page 2.
Gemalto Rebranding
In early 2015, Gemalto completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the
product portfolios between the two organizations, the SafeNet name has been retained. As a result, the
product names for SafeNet HSMs have changed as follows:
Old product name New product name
ProtectServer External 2 (PSE2) SafeNet ProtectServer Network HSM
ProtectServer Internal Express 2 (PSI-E2) SafeNet ProtectServer PCIe HSM
ProtectServer HSM Access Provider SafeNet ProtectServer HSM Access Provider
ProtectToolkit C (PTK-C) SafeNet ProtectToolkit-C
ProtectToolkit J (PTK-J) SafeNet ProtectToolkit-J
ProtectToolkit M (PTK-M) SafeNet ProtectToolkit-M
ProtectToolkit FM SDK SafeNet ProtectToolkit FM SDK
NOTE These branding changes apply to the documentation only. The SafeNet HSM
software and utilities continue to use the old names.
Audience
This document is intended for personnel responsible for maintaining your organization's security
infrastructure. This includes SafeNet ProtectToolkit users and security officers, key manager administrators,
and network administrators.
All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained
by personnel who have the knowledge, training, and qualifications required to safely perform the tasks
assigned to them. The information, processes, and procedures contained in this document are intended for
use by trained and qualified personnel only.
It is assumed that the users of this document are proficient with security concepts.
Document Conventions
This document uses standard conventions for describing the user interface and for alerting you to important
information.
Notes
Notes are used to alert you to important or helpful information. They use the following format:
NOTE Take note. Contains important or helpful information.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss.
They use the following format:
CAUTION! Exercise caution. Contains important information that may help prevent
unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the
following format:
WARNING Be extremely careful and obey all safety and security measures. In
this situation you might do something that could result in catastrophic data loss or
personal injury.
Command Syntax and Typeface Conventions
Format Convention
bold The bold attribute is used to indicate the following:
>Command-line commands and options (Type dir /p.)
>Button names (Click Save As.)
>Check box and radio button names (Select the Print Duplex check box.)
>Dialog box titles (On the Protect Document dialog box, click Yes.)
>Field names (User Name: Enter the name of the user.)
>Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
>User input (In the Date box, type April 1.)
italics In type, the italic attribute is used for emphasis or to indicate a related document. (See the
Installation Guide for more information.)
<variable> In command descriptions, angle brackets represent variables. You must substitute a value for
command line arguments that are enclosed in angle brackets.
[optional]
[<optional>]
Represent optional keywords or <variables> in a command line description. Optionally enter the
keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to
complete the task.
{a|b|c}
{<a>|<b>|<c>}
Represent required alternate keywords or <variables> in a command line description. You must
choose one command line argument enclosed within the braces. Choices are separated by vertical
(OR) bars.
[a|b|c]
[<a>|<b>|<c>]
Represent optional alternate keywords or variables in a command line description. Choose one
command line argument enclosed within the braces, if desired. Choices are separated by vertical
(OR) bars.
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the
documentation before contacting support. If you cannot resolve the issue, contact your supplier or Gemalto
Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult
this support plan for further information about your entitlements, including the hours when telephone support is
available to you.
Customer Support Portal
The Customer Support Portal, at https://supportportal.gemalto.com, is where you can find solutions for most
common problems. The Customer Support Portal is a comprehensive, fully searchable database of support
resources, including software and firmware downloads, release notes listing known problems and
workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use
the portal to create and manage support cases.
NOTE You require an account to access the Customer Support Portal. To create a new
account, go to the portal and click on the REGISTER link.
Telephone Support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Gemalto
Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on
the support portal.
Email Support
You can also contact technical support by email at technical.support@gemalto.com.

CHAPTER 1: Product Overview
The SafeNet ProtectServer Network HSM Plus is a self-contained, security-hardened server providing
hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level
SafeNet application programming interface (API) software, it provides cryptographic services for a wide range
of secure applications.
The SafeNet ProtectServer Network HSM Plus is PC-based. The enclosure is a heavy-duty steel case with
common PC ports and controls. Necessary software components come pre-installed on a Linux operating
system. Network setting configuration is required, as described in this document.
The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the
SafeNet ProtectServer Network HSM Plus’s dedicated hardware cryptographic accelerator. These services
include encryption, decryption, signature generation and verification, and key management with a tamper
resistant and battery-backed key storage.
The SafeNet ProtectServer Network HSM Plus must be used with one of SafeNet’s high-level cryptographic
APIs. The following table shows the provider types and their corresponding SafeNet APIs:
API SafeNet Product Required
PKCS #11 SafeNet ProtectToolkit-C
JCA / JCE SafeNet ProtectToolkit-J
Microsoft IIS and CA SafeNet ProtectToolkit-M
These APIs interface directly with the product’s FIPS 140-2 Level 3 certified core using high-speed DES and
RSA hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.
A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.
Physical Features
The standard appliance is a 1U-high, rack-mount device. Here are some of the physical features of the
SafeNet ProtectServer Network HSM Plus:
Front panel view
The features on the front panel of the SafeNet ProtectServer Network HSM Plus are illustrated below:
Figure 1: SafeNet ProtectServer Network HSM Plus front panel
Item Name Description
a LCD system status screen Displays "ProtectServer +" when system is operational.
b Serial (console) port Local connection for initial setup, and for admin account reset
(local-only action for security purposes).
c Ventilation fan-filter cover Removable bracket allows cleaning of air filter.
d Fan filter cover retaining screw A captive thumb-screw (no tool needed).
e Mounts for removable front bezel The protective front bezel mounts on the appliance front panel.
Spring clips behind the bezel engage the mounting posts at the
left and right ends of the appliance's front panel.
f Rack-mount tabs (removable) Use the tabs on the front and the sliding tabs towards the rear of
the appliance to support your SafeNet appliance in a compatible
equipment rack.
g Securing screw for fan bay Torx screw secures the fan bay.
CAUTION! Opening the fan bay will trigger a tamper
event on the device.
h/i USB ports Unconfigured USB ports. These ports are not necessary for any
ProtectServer operations and are left unconfigured for security
purposes.
HSM serial port pin configuration
The serial port on the USB-to-serial cable, illustrated below, uses a standard RS232 male DB9 pinout:
Figure 2: HSM serial port pinout
Rear panel view
The features on the rear panel of the SafeNet ProtectServer Network HSM Plus are illustrated below:
Figure 3: SafeNet ProtectServer Network HSM Plus rear panel
Item Name Description
a Kensington security slot Attach an industry-standard locking cable for additional physical
security.
b Ethernet ports For network connection of your SafeNet appliance.
c Tamper switch Recessed for safety, the tamper switch is used during
commissioning or decommissioning of the appliance to destroy
any keys currently stored on the HSM.
CAUTION! Activating the tamper switch deletes
any keys currently stored on the HSM. Deleted keys
are not recoverable. Ensure that you always back up
your keys. To avoid accidentally deleting the keys on
an operational SafeNet ProtectServer Network HSM
Plus, ensure the users with access to the appliance
are familiar with the switch.
d Power supply release tab Press tab to release the catch, and remove the power supply
from the appliance.
e Removable power supply One of two redundant power supplies.
f Second removable power supply The other of two redundant power supplies.
g Start/stop switch Use to stop the system if the command-line shutdown is not
available; use to restart the system if it has been switched off.
h USB ports Unconfigured USB ports. These ports are not necessary for any
ProtectServer operations and are left unconfigured for security
purposes.
i HSM USB port Connects USB devices such as the USB smart card reader and
the legacy card reader to the HSM.
j Unused port This port is not used for the SafeNet ProtectServer Network
HSM Plus; we recommend that you do not remove the covers
that are installed at the factory.
Cryptographic architecture
A hardware-based cryptographic system consists of three general components:
>One or more hardware security modules (HSMs) for key processing and storage.
>High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide
security services to applications.
>Access provider software to allow communication between the API software and the HSMs.
Operating in network mode, a standalone SafeNet ProtectServer Network HSM Plus can provide key
processing and storage.
In network mode, access provider software is installed on the machine hosting the cryptographic API software.
The access provider allows communication between the API and the SafeNet ProtectServer Network HSM Plus
over a TCP/IP connection. The HSM can therefore be located remotely, improving the security of cryptographic
key data.
The figure below depicts a cryptographic service provider using the SafeNet ProtectServer Network HSM Plus
in network mode.
Figure 4: SafeNet ProtectServer Network HSM Plus implementation
Summary of Cryptographic Service Provider setup
These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet
ProtectServer Network HSM Plus in network mode. Relevant links to more detailed documentation are
provided at each step.
1. Install the SafeNet ProtectServer Network HSM (see "SafeNet ProtectServer Network HSM Plus
Hardware Installation" on page 15).
2. Check that the SafeNet ProtectServer Network HSM is operating correctly (see "First Login and
System Test" on page 26).
3. Configure the SafeNet ProtectServer Network HSM network settings (see "Network
Configuration" on page 28).
4. Install and configure the Network HSM Access Provider software (see the SafeNet ProtectServer
HSM Access Provider Installation Guide).
5. Install the high-level cryptographic API software.
Please refer to the relevant installation guide supplied with the product:
•SafeNet ProtectToolkit-C Administration Guide
•SafeNet ProtectToolkit-J Installation Guide
•SafeNet ProtectToolkit-M User Guide
6. Configure the high-level cryptographic API to allow preferred operating modes. Some of these
tasks may include:
•establishing a trusted channel or secure messaging system (SMS) between the API and the SafeNet
ProtectServer Network HSM Plus.
•establishing communication between the network client and the SafeNet ProtectServer Network HSM
Plus.
Please refer to the relevant high-level cryptographic API documentation:
•SafeNet ProtectToolkit-C Administration Guide
•SafeNet ProtectToolkit-J Administration Guide
•SafeNet ProtectToolkit-M User Guide

CHAPTER 2: SafeNet ProtectServer
Network HSM Plus Hardware Installation
This chapter describes how to install and connect a SafeNet ProtectServer Network HSM Plus. To ensure a
successful installation, perform the following tasks in the order indicated:
1. Ensure that you have all of the required components, as listed in "SafeNet ProtectServer Network HSM
Plus Required Items" on the next page.
2. Install and connect the hardware, as described in "Installing the SafeNet ProtectServer Network HSM Plus
Hardware" on page 19.
SafeNet ProtectServer Network HSM Plus Required Items
Follow this checklist to verify that you have all of the items required for the installation.
Qty Item
1 SafeNet ProtectServer Network HSM Plus Appliance
1 Null-Modem Serial Cable
1 USB 2.0 to RS232 Serial Adapter
1 Smart card reader
2 Smart cards (in a single media case)
1 Set of:
>2 front Mounting Brackets with Screws
>2 Side Bracket Guides
>2 Sliding Rear Brackets (fit into the guides for rear support adjustable positioning).
1 Client / SDK Software
NOTE Power cables are no longer included with the shipment from our factory. Many
customers are buying HSMs from one country, but shipping them for final deployment to
different countries, which has resulted in many wasted power cables that are incorrect format
for destination countries. Please source your power cables locally for the deployment
destination.
Software is available by download from Gemalto. Physical media for software and
documentation are special-request items.
Optional Items
The following table describes additional items which you can use with your ProtectServer HSM. Contact your
Gemalto sales representative to order these items.
Qty Item
1+ SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens)
Gemalto recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the
Security Officer and Token User).
PN: 955-000237-001
1 ProtectServer-compatible Verifone PIN pad (enables manual key component entry)
PN: 934-000087-001
Installing the SafeNet ProtectServer Network HSM Plus Hardware
This section provides basic SafeNet Network HSM hardware installation instructions (mounting in a rack,
connecting cables, etc.). The SafeNet Network HSM appliance comes with front brackets and side-rails and
sliders for the rear brackets, packed separately in the carton.
Installation Notes
1. Any computer that is to act as a client to the SafeNet ProtectServer Network HSM Plus appliance must have
the Client software installed. Windows users should log in to your computer as a user with Administrator
privileges.
2. A computer that is to be used only for administering the SafeNet ProtectServer Network HSM Plus does not
need the Client software – only an SSH client such as the PuTTY program that we have provided for
Windows, or the SSH utilities that come standard with most Linux and UNIX platforms.
3. Both tasks (Client and administration) can be performed on a single computer, but in normal practice they
are often separate tasks performed on separate computers.
Installing the SafeNet ProtectServer Network HSM Plus Hardware
You can optionally install the brackets if they suit your equipment rack. The front brackets can be installed with
their tabs forward (for flush-mount of the appliance) or reversed, to allow the front of the appliance to stand out
from the rack. The rear brackets install in either direction – as appropriate for your rack post spacing – with the
brackets simply sliding into the rails on each side of the appliance.
The supplied brackets are designed and intended for 4-point support of the appliance, in racks with rear-post
depth up to 22 inches.
CAUTION! Do not attempt to mount the appliance using only the front brackets – damage
can occur.
To install the SafeNet Network HSM hardware
1. Install and adjust rails and brackets to suit your equipment rack.
2. Mount the appliance in your equipment rack. Alternatively, ignore the rails and mounting tabs, and rest the
SafeNet ProtectServer Network HSM Plus appliance on a mounting tray or shelf suitable for your specific
style and brand of equipment rack.
CAUTION! Support the weight of the appliance until all four brackets are secured.
3. Insert the power (a) and network (b) cables at the rear panel.
The SafeNet ProtectServer Network HSM Plus is equipped with two NICs (eth0 and eth1) incorporating an
IPv4/IPv6 dual stack, allowing you to configure both an IPv4 and IPv6 address on each interface. If you
intend to use both NICs, connect Ethernet cables to both LAN connectors.
For proper redundancy and best reliability, the power cables should connect to two independent power
sources.
4. Press and release the Start/Stop switch, on the rear panel.
5. Connect a terminal to the serial connector on the front panel.