Thales SafeNet ProtectServer Network HSM 5.8 Operator's manual

SafeNet ProtectServer Network HSM 5.8
INSTALLATION AND CONFIGURATION GUIDE

Document Information
Product Version 5.8
Document Part Number 007-013682-006
Release Date 08 January 2020
Revision History
Revision Date Reason
Rev. A 08 January 2020 Initial release
Trademarks, Copyrights, and Third-Party Software
Copyright 2009-2020 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service
marks of Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and
service marks, whether registered or not in specific countries, are the property of their respective owners.
Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise,
under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal, and personal use only provided that:
>The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all
copies.
>This document shall not be posted on any publicly accessible network computer or broadcast in any media,
and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In
no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or
consequential damages or any damages whatsoever including but not limited to damages resulting from loss
of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of
information contained in this document.
SafeNet ProtectToolkit 5.8 Installation and Configuration Guide
007-013682-006 Rev. A 08 January 2020 Copyright 2009-2020 Gemalto 2

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves according
to the state of the art in security and notably under the emergence of new attacks. Under no circumstances,
shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against
systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security
for direct, indirect, incidental or consequential damages that result from any use of its products. It is further
stressed that independent testing and verification by the person using the product is particularly encouraged,
especially in any application in which defective, incorrect or insecure functioning could result in damage to
persons or property, denial of service, or loss of privacy.
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or
otherwise without the prior written permission of Gemalto.

CONTENTS
Preface: About the SafeNet ProtectServer Network HSM Installation and Configuration Guide 5
Gemalto Rebranding 5
Audience 6
Document Conventions 6
Support Contacts 8
Chapter 1: Product Overview 9
Front panel view 9
Rear panel view 10
Cryptographic Architecture 11
Summary of Cryptographic Service Provider setup 12
Chapter 2: SafeNet ProtectServer Network HSM Hardware Installation 13
SafeNet ProtectServer Network HSM Required Items 14
Installing the SafeNet ProtectServer Network HSM Hardware 15
Chapter 3: Deployment Guidelines 17
Secure Messaging System (SMS) 17
Networking and Firewall Configuration 18
Separation of Roles 18
Chapter 4: Testing and Configuration 20
First Login and System Test 20
Access the Console 20
Power on and Login 21
Run System Test 22
Network Configuration 22
Gathering Appliance Network Information 23
Configuring the Network Parameters 24
SSH Network Access 26
Powering off the SafeNet ProtectServer Network HSM 27
Troubleshooting 27
Updating the Appliance Software Image 27
Installing the Secure Update Package Patch 28
Updating the Appliance Software 29
Appendix A: Technical Specifications 30
Glossary 31

PREFACE: About the SafeNet ProtectServer
Network HSM Installation and Configuration
Guide
This Guide is provided as an instructional aid for the installation and configuration of a SafeNet ProtectServer
Network HSM cryptographic services hardware security module (HSM). It contains the following sections:
>"Product Overview" on page 9
>"SafeNet ProtectServer Network HSM Hardware Installation" on page 13
>"Testing and Configuration" on page 20
>"Technical Specifications" on page 30
>"Updating the Appliance Software Image" on page 27
This preface also includes the following information about this document:
>"Gemalto Rebranding" below
>"Audience" on the next page
>"Document Conventions" on the next page
>"Support Contacts" on page 8
For information regarding the document status and revision history, see "Document Information" on page 2.
Gemalto Rebranding
In early 2015, Gemalto completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the
product portfolios between the two organizations, the SafeNet name has been retained. As a result, the
product names for SafeNet HSMs have changed as follows:
Old product name                            New product name
ProtectServer External 2 (PSE2)             SafeNet ProtectServer Network HSM
ProtectServer Internal Express 2 (PSI-E2)   SafeNet ProtectServer PCIe HSM
ProtectServer HSM Access Provider           SafeNet ProtectServer HSM Access Provider
ProtectToolkit C (PTK-C)                    SafeNet ProtectToolkit-C
ProtectToolkit J (PTK-J)                    SafeNet ProtectToolkit-J
ProtectToolkit M (PTK-M)                    SafeNet ProtectToolkit-M
ProtectToolkit FM SDK                       SafeNet ProtectToolkit FM SDK
NOTE These branding changes apply to the documentation only. The SafeNet HSM
software and utilities continue to use the old names.
Audience
This document is intended for personnel responsible for maintaining your organization's security
infrastructure. This includes SafeNet ProtectToolkit users and security officers, key manager administrators,
and network administrators.
All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained
by personnel who have the knowledge, training, and qualifications required to safely perform the tasks
assigned to them. The information, processes, and procedures contained in this document are intended for
use by trained and qualified personnel only.
It is assumed that the users of this document are proficient with security concepts.
Document Conventions
This document uses standard conventions for describing the user interface and for alerting you to important
information.
Notes
Notes are used to alert you to important or helpful information. They use the following format:
NOTE Take note. Contains important or helpful information.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss.
They use the following format:
CAUTION! Exercise caution. Contains important information that may help prevent
unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the
following format:
**WARNING** Be extremely careful and obey all safety and security measures. In
this situation you might do something that could result in catastrophic data loss or
personal injury.
Command Syntax and Typeface Conventions
Format Convention
bold The bold attribute is used to indicate the following:
>Command-line commands and options (Type dir /p.)
>Button names (Click Save As.)
>Check box and radio button names (Select the Print Duplex check box.)
>Dialog box titles (On the Protect Document dialog box, click Yes.)
>Field names (User Name: Enter the name of the user.)
>Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
>User input (In the Date box, type April 1.)
italics In type, the italic attribute is used for emphasis or to indicate a related document. (See the
Installation Guide for more information.)
<variable> In command descriptions, angle brackets represent variables. You must substitute a value for
command line arguments that are enclosed in angle brackets.
[optional]
[<optional>]
Represent optional keywords or <variables> in a command line description. Optionally enter the
keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to
complete the task.
{a|b|c}
{<a>|<b>|<c>}
Represent required alternate keywords or <variables> in a command line description. You must
choose one command line argument enclosed within the braces. Choices are separated by vertical
(OR) bars.
[a|b|c]
[<a>|<b>|<c>]
Represent optional alternate keywords or variables in a command line description. Choose one
command line argument enclosed within the braces, if desired. Choices are separated by vertical
(OR) bars.
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the
documentation before contacting support. If you cannot resolve the issue, contact your supplier or Gemalto
Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult
this support plan for further information about your entitlements, including the hours when telephone support is
available to you.
Customer Support Portal
The Customer Support Portal, at https://supportportal.gemalto.com, is where you can find solutions for most
common problems. The Customer Support Portal is a comprehensive, fully searchable database of support
resources, including software and firmware downloads, release notes listing known problems and
workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also use
the portal to create and manage support cases.
NOTE You require an account to access the Customer Support Portal. To create a new
account, go to the portal and click on the REGISTER link.
Telephone Support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Gemalto
Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed on
the support portal.
Email Support
You can also contact technical support by email at technical.support@gemalto.com.

CHAPTER 1: Product Overview
The SafeNet ProtectServer Network HSM is a self-contained, security-hardened server providing hardware-
based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet
application programming interface (API) software, it provides cryptographic services for a wide range of secure
applications.
The SafeNet ProtectServer Network HSM is PC-based. The enclosure is a heavy-duty steel case with common
PC ports and controls. Necessary software components come pre-installed on a Linux operating system.
Network setting configuration is required, as described in this document.
The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the
SafeNet ProtectServer Network HSM’s dedicated hardware cryptographic accelerator. These services include
encryption, decryption, signature generation and verification, and key management with a tamper resistant
and battery-backed key storage.
The SafeNet ProtectServer Network HSM must be used with one of SafeNet’s high-level cryptographic APIs.
The following table shows the provider types and their corresponding SafeNet APIs:
API SafeNet Product Required
PKCS #11 SafeNet ProtectToolkit-C
JCA / JCE SafeNet ProtectToolkit-J
Microsoft IIS and CA SafeNet ProtectToolkit-M
These APIs interface directly with the product’s FIPS 140-2 Level 3 certified core using high-speed DES and
RSA hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.
A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.
Front panel view
The features on the front panel of the SafeNet ProtectServer Network HSM are illustrated below:
Figure 1: SafeNet ProtectServer Network HSM front panel
Ports
The front panel is equipped with the following ports:
VGA         Connects a VGA monitor to the appliance.
Console     Provides console access to the appliance. See "Testing and Configuration" on page 20.
USB         Connects USB devices such as a keyboard or mouse to the appliance.
eth0, eth1  Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network.
HSM USB     Connects a smart card reader to the appliance using the included USB-to-serial cable.
HSM serial port pin configuration
The serial port uses a standard RS232 male DB9 pinout. The USB-to-serial cable connects to this port.
Figure 2: HSM serial port pinout
LEDs
The front panel is equipped with the following LEDs:
Power Illuminates green to indicate that the unit is powered on.
HDD Flashes amber to indicate hard disk activity.
Status Flashes green on startup.
Reset button
The reset button is located between the USB and Ethernet ports. Pressing the reset button forces an
immediate restart of the appliance. Although it does not power off the appliance, it does restart the software.
Pressing the reset button is service-affecting and is not recommended under normal operating conditions.
Rear panel view
The features on the rear panel of the SafeNet ProtectServer Network HSM are illustrated below:
Figure 3: SafeNet ProtectServer Network HSM rear panel
Tamper lock
The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys
currently stored on the HSM.
With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the
vertical (Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.
CAUTION! Turning the tamper key from the Active position to the Tamper position deletes
any keys currently stored on the HSM. Deleted keys are not recoverable. Ensure that you
always back up your keys. To avoid accidentally deleting the keys on an operational SafeNet
ProtectServer Network HSM, remove the tamper key after commission and store it in a safe
place.
Cryptographic Architecture
A hardware-based cryptographic system consists of three general components:
>One or more hardware security modules (HSMs) for key processing and storage.
>High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide
security services to applications.
>Access provider software to allow communication between the API software and the HSMs.
Operating in network mode, a standalone SafeNet ProtectServer Network HSM can provide key processing
and storage.
In network mode, access provider software is installed on the machine hosting the cryptographic API software.
The access provider allows communication between the API and the SafeNet ProtectServer Network HSM
over a TCP/IP connection. The HSM can therefore be located remotely, improving the security of cryptographic
key data.
The figure below depicts a cryptographic service provider using the SafeNet ProtectServer Network HSM in
network mode.
Figure 4: SafeNet ProtectServer Network HSM implementation
Summary of Cryptographic Service Provider setup
These steps summarize the overall procedure of setting up a cryptographic service provider using a SafeNet
ProtectServer Network HSM in network mode. Relevant links to more detailed documentation are provided at
each step.
1. Install the SafeNet ProtectServer Network HSM (see "Installing the SafeNet ProtectServer Network
HSM Hardware" on page 15).
2. Check that the SafeNet ProtectServer Network HSM is operating correctly (see "Testing and
Configuration" on page 20).
3. Configure the SafeNet ProtectServer Network HSM network settings (see "Testing and
Configuration" on page 20).
4. Install and configure the Network HSM Access Provider software (see the SafeNet HSM Access
Provider Installation Guide).
5. Install the high-level cryptographic API software.
Please refer to the relevant installation guide supplied with the product:
•SafeNet ProtectToolkit-C Administration Guide
•SafeNet ProtectToolkit-J Installation Guide
•SafeNet ProtectToolkit-M User Guide
6. Configure the high-level cryptographic API to allow preferred operating modes. Some of these
tasks may include:
•establishing a trusted channel or secure messaging system (SMS) between the API and the SafeNet
ProtectServer Network HSM.
•establishing communication between the network client and the SafeNet ProtectServer Network HSM.
Please refer to the relevant high-level cryptographic API documentation:
•SafeNet ProtectToolkit-C Administration Guide
•SafeNet ProtectToolkit-J Administration Guide
•SafeNet ProtectToolkit-M User Guide

CHAPTER 2: SafeNet ProtectServer
Network HSM Hardware Installation
This chapter describes how to install and connect a SafeNet ProtectServer Network HSM. To ensure a
successful installation, perform the following tasks in the order indicated:
1. Ensure that you have all of the required components, as listed in "SafeNet ProtectServer Network HSM
Required Items" on the next page.
2. Install and connect the hardware, as described in "Installing the SafeNet ProtectServer Network HSM
Hardware" on page 15.
SafeNet ProtectServer Network HSM Required Items
This section provides a list of components that you should have received with your SafeNet ProtectServer
Network HSM order.
Contents Received
The following table contains the standard items you received with your order:
Qty Item
1 SafeNet ProtectServer Network HSM standalone appliance
1 Smart card reader
2 Smart cards (in a single media case)
NOTE Power cables are no longer included with the shipment from our factory. Please
source your power cables locally for the intended deployment destination.
To configure your SafeNet ProtectServer Network HSM you will need to supply and connect a
keyboard, mouse, and display monitor. After the appliance is placed into service, the
keyboard, mouse and monitor can be disconnected from the appliance.
Optional Items
The following table describes additional items which you can use with your ProtectServer HSM. Contact your
Gemalto sales representative to order these items.
Qty Item
1+ SafeNet 110 Time-Based OTP Token (enables multifactor authentication on ProtectServer HSM tokens)
Gemalto recommends ordering at least two (2) OTP tokens for each slot on the HSM (one each for the
Security Officer and Token User).
PN: 955-000237-001
1 ProtectServer-compatible Verifone PIN pad (enables manual key component entry)
PN: 934-000087-001
Installing the SafeNet ProtectServer Network HSM Hardware
Since the SafeNet ProtectServer Network HSM is delivered with the necessary software pre-installed, no
software installation is necessary on the unit itself.
After installation, confirm that the unit is operating correctly and configure the network settings. These steps
are covered in "Testing and Configuration" on page 20.
To install the hardware
1. Choose a suitable location to site the equipment. You can mount the SafeNet ProtectServer Network HSM
in a standard 19-inch rack.
NOTE The power supply cord acts as the unit's disconnect device. The main outlet socket to
which the unit is connected must be easily accessible.
2. Connect the SafeNet ProtectServer Network HSM to the network by inserting standard Ethernet cables into
the LAN connectors located on the unit's front face (labelled eth0 and eth1). The client machine(s) with
SafeNet cryptographic API software installed should be hosted on the same network.
NOTE The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1)
incorporating an IPv4/IPv6 dual stack, allowing you to configure both an IPv4 and IPv6
address on each interface. If you intend to use both NICs, connect Ethernet cables to both
LAN connectors.
3. Connect the power cable to the unit and a suitable power source. The SafeNet ProtectServer Network HSM
is equipped with an autosensing power supply that can accept 100-240V at 50-60Hz.
Smart Card Reader Installation
The unit supports the use of smart cards with a SafeNet-supplied smart card reader. Other smart card readers
are not supported.
The SafeNet ProtectServer Network HSM supports two different card readers:
>the new USB card reader (introduced in 5.2)
>the legacy card reader, which provides a serial interface for data (via a USB-to-serial cable) and a PS/2
interface for power (direct or via a PS/2 to USB adapter)
To install the USB card reader
Simply plug the card reader into the HSM USB port, as illustrated below.
Installing the legacy card reader
To install the smart card reader, connect it to the HSM USB port with the included USB-to-serial cable.
The legacy card reader must also be connected to a PS/2 port for its power. Many newer servers have USB
ports, but do not provide a PS/2 connection.
If there is no available PS/2 connection, there are two options:
>Connect a PS/2-to-USB adapter (pink in the image below) between the card reader and a USB port on the
SafeNet ProtectServer Network HSM.
>If, for security reasons, you prefer to not expose USB ports on your crypto server, connect a PS/2-to-USB
adapter cable between the card reader and a standalone powered USB hub. It should be noted that the
USB connection is for power only. No data transfer occurs.
Next, see "Testing and Configuration" on page 20.

CHAPTER 3: Deployment Guidelines
Users must consider the following best practices for security and compliance when deploying SafeNet
ProtectServer Network HSMs for their network/application environment:
>"Secure Messaging System (SMS)" below
>"Networking and Firewall Configuration" on the next page
>"Separation of Roles" on the next page
Secure Messaging System (SMS)
SafeNet ProtectServer HSMs store cryptographic keys and objects in tamper-resistant secure memory, which
is erased when a tamper is detected. The stored keys are accessed through PKCS#11 calls from the client.
Client calls to a Network HSM traverse the network layer (TCP/IP). In the default security mode, this
communication channel between the HSM and the client is unencrypted. Configure the HSM security policy to
improve this channel's security. Refer to "Security Flags" on page 1 in the PTK-C Administration Guide for
descriptions of the available flags and how they affect your implementation.
The Secure Messaging System (SMS) enhances the security of the client-HSM channel. SMS provides an
encrypted channel between the client and the HSM and authenticates messages on that channel using a
Message Authentication Code (MAC) approved by the FIPS 140-2 standard. Refer to "Secure Messaging" on
page 1 in the PTK-C Administration Guide for a detailed description of SMS functionality.
NOTE SMS encrypts and authenticates messages between the client and HSM, but does
not provide means for the HSM to authenticate client credentials or vice-versa.
The HSM supports the following SMS modes:
>HIMK
>ADH
>ADH2 (PTK 5.4 and above)
For secure deployment, use ADH or ADH2. Refer to "Secure Messaging" on page 1 in the PTK-C
Administration Guide for descriptions of the difference between these modes.
The SMS feature is flexible and can be configured to:
>Encrypt/decrypt all messages
>Sign/verify all messages
>Allow only FIPS-approved mechanisms
>Rotate signing and encryption keys after a specified number of packets or hours
>All of the above
For maximum security, enable all of the above features. See "Security Flags" on page 1 in the PTK-C
Administration Guide for flag descriptions and setup instructions.
NOTE Enabling FIPS mode will block all mechanisms that are not FIPS-approved. If you are
using unapproved mechanisms and understand the implications, do not enable FIPS mode.
Networking and Firewall Configuration
There is no means to authenticate the client to the HSM or vice-versa. It is therefore recommended that the
HSM and client are connected to the same secure network segment, to prevent sensitive data from traveling
through insecure intermediate network(s). This configuration prevents Man-in-the-Middle and other malicious
attacks. If possible, connect the HSM directly to the client using a cross-cable.
The SafeNet ProtectServer Network HSM includes two network ports, each of which can be connected to a
different network. It is highly recommended that you keep the management network and the network running
your applications isolated from each other at all times. Further restrictions on communication between network
segments can be enforced by means of static routes. See "Network Configuration" on page 22 for instructions
on setting up static routes.
The SafeNet ProtectServer Network HSM supports an iptables-based firewall. The firewall must be configured
with appropriate rules to restrict access to identified network resources only. See "Network Configuration" on
page 22 for details on setting iptables.
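The following POSIX shell script is an added illustration of the firewall policy this section describes; it is not from the Gemalto/Thales guide and does not use PSESH command syntax (the appliance's own iptables commands are documented in "Network Configuration"). It writes a generic iptables-restore ruleset to a file for review rather than applying it, and assumes a layout the guide only implies: eth0 carries management traffic (SSH), eth1 carries application traffic, and only identified client hosts may reach the HSM service. The management subnet, client subnet and HSM service port are placeholders supplied by the caller; the values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the guide, not PSESH syntax): generate a restrictive
# iptables ruleset that keeps the management and application networks apart
# and admits only identified hosts to each service. Nothing is applied here;
# the ruleset is written to a file so it can be reviewed before loading.
#
# Assumed placeholders (none are values from the guide):
#   mgmt_net   - subnet allowed to reach SSH on eth0
#   client_net - subnet of hosts running the SafeNet access provider/API software
#   hsm_port   - TCP port on which the HSM service is reached on eth1
gen_hsm_firewall_rules() {
    mgmt_net="$1"; client_net="$2"; hsm_port="$3"; out="$4"
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and packets belonging to sessions already admitted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management network: SSH on eth0 only, from the management subnet only
-A INPUT -i eth0 -p tcp -s ${mgmt_net} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Application network: HSM service on eth1, from identified client hosts only
-A INPUT -i eth1 -p tcp -s ${client_net} --dport ${hsm_port} -m conntrack --ctstate NEW -j ACCEPT
# No traffic is forwarded between eth0 and eth1 (FORWARD policy is DROP)
# Record, rate-limited, whatever the default INPUT policy is about to drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "HSM-FW-DROP: "
COMMIT
EOF
}

# Review check: every rule that admits a NEW connection must be scoped to a
# source subnet (-s). Returns 0 when the file passes, 1 when an unscoped
# ACCEPT rule is present.
check_rules_scoped() {
    ! grep -E -- '--ctstate NEW' "$1" | grep -v -- ' -s ' | grep -q .
}

# Usage with constructed values (subnets and port are placeholders):
#   gen_hsm_firewall_rules 10.10.0.0/24 10.20.0.0/24 12345 /tmp/hsm-rules.v4
#   check_rules_scoped /tmp/hsm-rules.v4 && iptables-restore < /tmp/hsm-rules.v4
```

The default-DROP policies on INPUT and FORWARD are what make "restrict access to identified network resources only" hold: anything not explicitly admitted, including any attempt to route between the management and application segments through the appliance, is discarded and logged. The `check_rules_scoped` review step catches the common mistake of adding an ACCEPT rule for a port without binding it to a source subnet.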
Separation of Roles
The SafeNet ProtectServer Network HSM has two role categories: Appliance and HSM users. For optimal
security, maintain these roles and their credentials separately; do not share between users. Do not share the
appliance management, HSM Administration, and User terminals.
Appliance Users
The following roles can log in to the PSE shell (PSESH) to configure and manage the appliance:
>admin
>pseoperator
>audit
See "Using PSESH" on page 1 in the PSESH Command Reference Guide for the responsibilities of each role.
HSM Users
The following roles can log in to manage the HSM token and perform cryptographic operations:
>Administration Security Officer (ASO)
>Administrator
>Security Officer (SO)
>Token Owner (User)
See "User Roles" on page 1 in the PTK-C Administration Guide for the responsibilities of each role.

CHAPTER 4: Testing and Configuration
This chapter provides a step-by-step overview of how to confirm correct operation of the SafeNet ProtectServer
Network HSM, and configure its network settings. These instructions assume that the installation process
covered in "Installing the SafeNet ProtectServer Network HSM Hardware" on page 15 is complete.
This chapter contains the following sections:
>"First Login and System Test" below
>"Network Configuration" on page 22
>"Powering off the SafeNet ProtectServer Network HSM" on page 27
>"Troubleshooting" on page 27
First Login and System Test
When starting up your SafeNet ProtectServer Network HSM for the first time, follow these steps:
>"Access the Console" below
>"Power on and Login" on the next page
>"Run System Test" on page 22
Access the Console
To test the system and configure the network, you must first access the SafeNet ProtectServer Network HSM
console. There are two options:
>Direct access. Connect a keyboard and monitor (not included) to the USB (keyboard) and VGA (monitor)
ports located on the unit's front panel.
>Console access. Connect the RJ45 console port to a terminal emulation device, such as a laptop or terminal
server.
NOTE To access the appliance through the console port, you will need the appropriate
cable. If your terminal device is equipped with a DB9 serial port, you require a cable with an
RJ45 connector on one end and a DB9 serial port on the other end (see "Serial cable: RJ45 to
DB9" on the next page). If your terminal device is equipped with an RJ45 serial port, you can
use a standard Ethernet cable. Serial cables are not included.