Home > |
Administration Guide > Public Key Infrastructure and Removable HSMs > Card Reader (SafeNet DOCK 2) and Token-style HSMs
|
---|
The card reader sold for use with SafeNet products (PKI) is the SafeNet DOCK 2.
Uses with SafeNet Network HSM 6 are:
• for migration from earlier backups or PKI tokens
•for current (limited) use of legacy PKI tokens (SafeNet CA4) with SafeNet Network HSM.
You can connect a SafeNet DOCK2 card reader for limited use with SafeNet Backup tokens (legacy G4 PCMCIA removable token-format HSMs). The removable-token backup HSM was used to backup legacy SafeNet Network 4.x HSMs and can be connected to SafeNet Network HSM 5.x or 6.x to restore the legacy key material as part of a one-way migration.
You can connect the more modern SafeNet USB HSM as an externally connected PKI slot, for use in the PKI Bundle option. Some customers use this arrangement to hold a root CA. The following caveats apply:
•The token backup commands can see and manage only the backup device, and not PKI devices.
• The token pki commands can see and manage only the PKI devices, and not backup devices.
•The PKI device must use PED authentication only, to be deployed.
• The token pki update commands update the capability and firmware for PKI devices.
• The process to move keys off G4 token HSMs (SafeNet CA4) is to migrate the keys to a K6 HSM (either the K6 inside SafeNet Network HSM, or the standalone K6 (SafeNet PCIe HSM inside a host computer)) and then to SafeNet USB HSM. Cloning between G4 and G5 devices is not supported.
CAUTION: Migration is not supported to firmware 6.22.0. Migrate first to an HSM at a firmware version older than 6.22.0, and then update the HSM firmware to version 6.22.0 or newer.
CAUTION: Beginning with SafeNet HSM 6, we do not support PKI bundle using removable PCMCIA token HSMs (SafeNet CA4) and the SafeNet DOCK 2 reader. The SafeNet DOCK 2 reader is supported only for migration. If you need the PKI bundle function from removable tokens, do not upgrade.
Note: PPSO is not supported for the PKI-bundle configuration using SafeNet USB HSM. There is no provision to apply PPSO capability via SafeNet Network HSM to the externally connected SafeNet USB HSM. If the SafeNet USB HSM was removed to a host computer and updated to firmware 6.22.0 and had the PPSO capability applied (destructive operation), then returned to the SafeNet Network HSM to resume PKI-bundle operation, the interface has no provision to create a PPSO partition in the external HSM. Rather, a legacy-style partition would be created for PKI-bundle operation.
Do not install SafeNet client software on the same system as legacy SafeNet CA3, SafeNet CA4, SafeNet PCM, or SafeNet PCI software. The software is intended for modern/current SafeNet HSMs, SafeNet Network HSM, SafeNet PCIe HSM, SafeNet USB HSM, SafeNet (Remote) Backup HSM.
Connect the SafeNet DOCK2 card reader:
a) to the AC main power, and
b) via supplied USB cable to the USB port of your SafeNet Network HSM 5.x.
If power is disconnected for any reason, you might need to restart your application.
The SafeNet PKI Bundle feature supports PED-authenticated PKI HSMs only (SafeNet CA4 for legacy, and SafeNet USB HSM for modern). Use of password-authenticated PKI tokens is not supported. There is no "pass-through" of PED data and commands from SafeNet Network HSM, so your SafeNet DOCK2 (or SafeNet USB HSM) must have its own SafeNet PED connected directly.
Your SafeNet Network HSM needs its own SafeNet PED.
SafeNet Network HSM can be served by a locally-connected PED, if the administrator is located near the appliance, or SafeNet Network HSM can be served by Remote PED, but SafeNet DOCK2 and any inserted token HSMs require a PED to be connected directly and locally to the reader - use of Remote PED to serve an external HSM (such as SafeNet USB HSM, SafeNet Backup HSM, or SafeNet CA4) connected to SafeNet Network HSM is not supported.
See also PKI - Using an external HSM with SafeNet Network HSM Appliance.
Contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International) for the relevant Key Migration document, which includes explicit instructions to migrate your cryptographic objects between different types of SafeNet HSM (generally from legacy models to current models of HSM).