PKI with SafeNet Network HSM

The PKI feature with SafeNet Network HSM is summarized as follows:

Legacy SafeNet PCM token HSMs can be configured as PKI devices via SafeNet Dock 2 (an external, USB-connected SafeNet card reader).  

SafeNet USB HSMs can be connected to the SafeNet Network HSM USB port and configured as a PKI device.

Each PKI device can support only one partition.  

One SafeNet Network HSM can support up to six PCM token HSMs (via three SafeNet Dock 2 readers), or three SafeNet USB HSMs, or a mix of both (limited to three USB connections to the appliance).

What to Do

If you are an end-user of SafeNet HSM products, then it is assumed that you are using your SafeNet HSM in conjunction with a third-party application that is HSM-aware. Simply follow the instructions and procedures associated with that application, once you have installed the SafeNet HSM and configured it (described in the Installation Guide and Configuration Guide).

If you are a developer or integrator of applications, then refer to the Software Development Kit Guide, along with the "Extensions to PKCS#11" (SafeNet's augmentation of the PKCS#11 standard API), and in particular to the token pki commands in the Reference section of this Help.

Special commands are provided under the token pki menu to perform HSM management operations on the removable HSMs (SafeNet tokens or SafeNet USB HSMs). Briefly, to make use of SafeNet tokens and SafeNet USB HSMs with SafeNet Network HSM, you need to use:

token pki predeploy: similar to initializing the onboard SafeNet Network HSM, but prepares the removable token to be used in this context (note that the token is factory-reset first, so any existing contents are lost)

token pki deploy: makes the named token available to the SafeNet Network HSM appliance as an additional PKCS#11 slot (like an additional, removable HSM Partition)

client assignPartition: makes the deployed token/slot available/accessible to Clients

your application, or the usual partition management commands: generate or clone keys to populate the token with the necessary keys, certs, etc.

A further token pki command is used to make the inserted, deployed token unavailable, such as when preparing to remove it. The remaining commands under token pki are for general management of the tokens, and are similar to the equivalent HSM and Partition commands.

Lunash "token" command set provides 16 commands to administer the external PKI HSM (SafeNet USB HSM). You need just two of those "token" commands, plus one "client" command to make the PKI HSM ready to use, as follows:

1. Pre-deploy the external HSM to prepare it. This factory-resets the token (destroying any existing keys), initializes it, sets its FIPS policy, and creates, configures and activates a partition on it. Write down the partition challenge (the PED secret) when prompted; you will need it at deploy time. Type:
[mylunaSA] lunash:>token pki predeploy -l G5Pki -serial 475289

Please type "proceed" to continue, anything else to abort: proceed
**********************************************
*                                            *
*     About to factory Reset the HSM         *
*                                            *
**********************************************
**********************************************
*                                            *
*   About to initialize the HSM              *
*   Please pay attention to the PED          *
*                                            *
**********************************************

Do you want to use FIPS-approved algorithms and key strengths only (yes or no)? Yes

**********************************************
*                                            *
*   About to change the HSM FIPS policy      *
*   Please pay attention to the PED          *
*                                            *
**********************************************
**********************************************
*                                            *
*   About to create a partition on the HSM   *
*   Please pay attention to the PED          *
*                                            *
**********************************************
**********************************************
*                                            *
*   About to set the partition policies      *
*   Please pay attention to the PED          *
*                                            *
**********************************************
**********************************************
*                                            *
*   About to create a partition challenge    *
*   and activate the partition.              *
*   Please pay attention to the PED          *
*   Please write down the PED secret!        *
*                                            *
**********************************************
Success predeploying the token!!

Command Result : 0 (Success)

[mylunaSA] lunash:>

 

2. Now deploy the pre-deployed HSM to make that HSM available to the SafeNet Network HSM as another application partition or PKCS#11 slot. When prompted for the current user challenge, enter the partition challenge recorded during pre-deployment. Type:

[mylunaSA] lunash:>token pki deploy -label G5Pki -serial 475289


**********************************************
*                                            *
*   About to activate the token for testing. *
*   Please pay attention to the PED          *
*                                            *
**********************************************
Please enter the current user challenge:
Success deploying token StellaG5Pki with serial num 475289 !

Command Result : 0 (Success)

3. Confirm that the token is now listed as deployed, then assign the new partition to a client that has already been registered on the appliance. Use the label exactly as reported by token pki listDeployed. Type:

[StellaSA2] lunash:>token pki listDeployed


Label                           Serial Num
--------------------------------------------
StellaG5Pki                     475289


Command Result : 0 (Success)
[StellaSA2] lunash:>client assignPartition -partition StellaG5Pki -c StellaLap


'client assignPartition' successful.


Command Result : 0 (Success)
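The three-command procedure above, driven from an administrator workstation, as an added example that is not part of the SafeNet documentation or product: a POSIX shell wrapper that runs the lunash commands over SSH, parses the output of token pki listDeployed, and only assigns the partition if the token's serial number is actually reported as deployed. The appliance name mylunaSA, the lunash user admin, the fake_lunash offline mode and the function names are assumptions of this example; the command syntax is exactly that shown in the transcript.

```shell
#!/bin/sh
# Added example, not from the SafeNet documentation: drive the three lunash
# commands from an administrator workstation over SSH and check the output of
# "token pki listDeployed" before handing the new slot to a client.
#
# Assumptions (hypothetical, chosen to mirror the transcript above):
#   - the appliance is reachable as "mylunaSA" with the lunash user "admin";
#   - LUNASH may be overridden, e.g. LUNASH=fake_lunash for an offline run;
#   - predeploy and deploy are interactive (type "proceed", answer the FIPS
#     question, respond on the PED, enter the challenge), hence "ssh -t".

APPLIANCE="${APPLIANCE:-mylunaSA}"
LUNASH="${LUNASH:-ssh -t admin@$APPLIANCE}"

# Constructed sample of "token pki listDeployed" output, in the shape of the
# transcript above, used by the offline mode and for testing the parser.
SAMPLE_LISTDEPLOYED='[StellaSA2] lunash:>token pki listDeployed


Label                           Serial Num
--------------------------------------------
StellaG5Pki                     475289


Command Result : 0 (Success)'

# Offline stand-in for the appliance: echoes every command it is given and
# replays the sample listing for listDeployed. No SSH, no HSM.
fake_lunash() {
    case "$*" in
        *listDeployed*) printf '%s\n' "$SAMPLE_LISTDEPLOYED" ;;
        *)              printf '%s\n' "$*" ;;
    esac
}

# deployed_label SERIAL   (listDeployed output on stdin)
# Prints the label of the deployed token with this serial, nothing if absent.
# Matching is on the serial, not the label, because the label the appliance
# reports (StellaG5Pki above) need not equal the one passed to
# "token pki deploy -label", and assignPartition needs the reported one.
deployed_label() {
    awk -v s="$1" 'NF == 2 && $2 == s { print $1; exit }'
}

# deployed_count   (listDeployed output on stdin)
# Number of token rows: exactly two fields, second numeric, not the header.
deployed_count() {
    awk 'NF == 2 && $1 != "Label" && $2 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# pki_token_bringup LABEL SERIAL CLIENT
# predeploy, deploy, verify with listDeployed, then client assignPartition.
# Refuses to assign anything if the serial is not reported as deployed.
pki_token_bringup() {
    label="$1"; serial="$2"; client="$3"

    echo "WARNING: predeploy factory-resets token $serial; existing keys are lost" >&2
    $LUNASH "token pki predeploy -l $label -serial $serial" || return 1
    $LUNASH "token pki deploy -label $label -serial $serial" || return 1

    listing=$($LUNASH "token pki listDeployed") || return 1
    reported=$(printf '%s\n' "$listing" | deployed_label "$serial")
    if [ -z "$reported" ]; then
        echo "serial $serial not in listDeployed output; not assigning" >&2
        return 1
    fi

    # Assign using the label the appliance reports, not the one we requested.
    $LUNASH "client assignPartition -partition $reported -c $client"
}

# Usage: sh pki_token.sh run G5Pki 475289 StellaLap
# Offline rehearsal: LUNASH=fake_lunash sh pki_token.sh run G5Pki 475289 StellaLap
if [ "${1:-}" = "run" ]; then
    pki_token_bringup "$2" "$3" "$4"
fi
```

The serial-based check matters because the transcript itself shows the requested label (G5Pki) and the reported one (StellaG5Pki) differing; assigning by the requested label would fail or, worse, hit a different partition with the same name. After the assignment, the Luna client's vtl verify on the client workstation should list the new partition as a slot.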

 

HA

The SafeNet Network HSM's HA (high availability) feature, when implemented for PCM tokens or SafeNet USB HSMs, must be used only across multiple SafeNet Network HSM appliances. Never place multiple SafeNet PCM tokens or SafeNet USB HSMs attached to a single SafeNet Network HSM appliance in one HA group: the appliance itself would remain a single point of failure, so nothing is gained. This is the same reasoning behind the rule against including two partitions of the same HSM in a single HA group.