Using SafeNet USB HSM or Token-format HSM with SafeNet Enterprise HSM Appliance
Traditionally, Public Key Infrastructure (PKI) with SafeNet HSMs was implemented using removable token-style (PCMCIA-format) HSMs connected to a local workstation through a card reader. The portable HSM held the PKI root (the root CA's certificate and signing key); it was inserted, read or updated as needed, then removed and returned to safe storage. This was a high-security, low-volume, low-speed use case.
This differed from the transaction-security world where HSMs needed to be network-available in order to perform and accelerate high volumes of secure transactions.
When those two applications began to converge, the SafeNet Network HSM, with its model of a large, fast, network-connected HSM providing multiple virtual-HSM (partition) workspaces, was adapted to support the addition of token-format PKI HSMs (such as SafeNet PCM or SafeNet CA4).
You can connect a SafeNet DOCK2 card reader for limited use with SafeNet Backup tokens (legacy G4 PCMCIA removable token-format HSMs). The removable-token backup HSM was used to back up legacy SafeNet Network 4.x HSMs, and it can be connected to a SafeNet Network HSM 5.x or 6.x to restore that legacy key material as part of a one-way migration.
You can connect the more modern SafeNet USB HSM as an externally connected PKI slot, for use with the PKI Bundle option. Some customers use this arrangement to hold a root CA. The following caveats apply:
• The token backup commands see and manage only the backup device, not PKI devices.
• The token pki commands see and manage only PKI devices, not backup devices.
• A PKI device must use PED authentication to be deployed.
• The token pki update commands update the capability and firmware of PKI devices.
• To move keys off G4 token HSMs (SafeNet CA4), migrate the keys first to a K6 HSM (either the K6 inside the SafeNet Network HSM, or a standalone K6, that is, a SafeNet PCIe HSM in a host computer) and then to the SafeNet USB HSM. Cloning directly between G4 and G5 devices is not supported.
CAUTION: Migration directly to an HSM at firmware 6.22.0 is not supported. Migrate first to an HSM at a firmware version older than 6.22.0, and then update that HSM's firmware to version 6.22.0 or newer.
CAUTION: Beginning with SafeNet HSM 6, the PKI bundle is not supported with removable PCMCIA token HSMs (SafeNet CA4) and the SafeNet DOCK 2 reader; the SafeNet DOCK 2 reader is supported only for migration. If you need the PKI bundle function with removable tokens, do not upgrade.
Note: PPSO is not supported for the PKI-bundle configuration using SafeNet USB HSM. There is no provision to apply the PPSO capability through the SafeNet Network HSM to an externally connected SafeNet USB HSM. If the SafeNet USB HSM is moved to a host computer, updated to firmware 6.22.0 and given the PPSO capability (a destructive operation), and then returned to the SafeNet Network HSM to resume PKI-bundle operation, the interface has no provision to create a PPSO partition in the external HSM; a legacy-style partition is created for PKI-bundle operation instead.
Using an external PKI HSM directly with SafeNet Network HSM 5 requires either a SafeNet USB HSM, or a SafeNet DOCK2 reader with a SafeNet CA4 token-style HSM at firmware 4.8.7 or later.
To use a SafeNet Network HSM for PKI bundle operations (with SafeNet (Luna) CA4 or PCM tokens in the appliance's card reader), you must at least initialize the onboard (K6) HSM, whether or not you intend to use it for anything else. Any further preparation of the onboard HSM depends on how (or whether) you use it, but having the main HSM initialized before you attempt operations on PKI HSMs connected to it is a minimum requirement.
You can combine the PKI bundle configuration (a SafeNet USB HSM, or a SafeNet DOCK2 with an inserted SafeNet CA4, connected to your SafeNet Network HSM appliance) with the HA grouping functionality; that is, a PKI slot can take part in HA redundancy and load balancing. However, by design, assigning two or more devices from the same SafeNet Network HSM to one HA group is not supported. That is:
• while a SafeNet Network HSM supports multiple HSM partitions, you cannot combine two or more partitions from one SafeNet Network HSM into an HA group, and
• while you can attach a SafeNet USB HSM or a SafeNet CA4 token HSM to a SafeNet Network HSM, you cannot combine two or more HSMs or partitions associated with a single SafeNet Network HSM into a single HA group.
In either case, such an arrangement would make the SafeNet Network HSM a single point of failure, which defeats the redundancy HA is meant to provide.
Instead, if you have multiple SafeNet USB HSMs or SafeNet CA4 token HSMs that you wish to use in PKI bundling with SafeNet Network HSM, connect each one to a separate SafeNet Network HSM. Do not attempt to include more than one partition from the same SafeNet Network HSM, or a partition and an externally connected HSM on the same appliance, in a single HA group. The HA logic recognizes as HA members only slots that are reached over different NTLA/NTLS links. This is by design.
The client-side utility command "vtl listslot" shows all detected slots, including partitions on the appliance's onboard HSM, partitions on externally connected HSMs, and HA virtual slots. Here is an example:
bash-3.2# ./vtl listslot
Number of slots: 11
The following slots were found:
Slot #     Description             Label      Serial #      Status
slot #1    LunaNet Slot            -          -             Not present
slot #2    LunaNet Slot            sa76_p1    150518006     Present
slot #3    LunaNet Slot            sa77_p1    150475010     Present
slot #4    LunaNet Slot            G5179      700179008     Present
slot #5    LunaNet Slot            pki1       700180008     Present
slot #6    LunaNet Slot            CA4223     300223001     Present
slot #7    LunaNet Slot            CA4129     300129001     Present
slot #8    HA Virtual Card Slot    -          -             Not present
slot #9    HA Virtual Card Slot    -          -             Not present
slot #10   HA Virtual Card Slot    ha3        343610292     Present
slot #11   HA Virtual Card Slot    G5_HA      1700179008    Present
Note: Deploying or undeploying a PKI device adds or removes an entry in the SafeNet Network HSM client's slot enumeration list, and the slot numbers of the remaining entries shift accordingly. When a PKI slot is only temporarily unavailable (for example, because NTLS was stopped, a LAN or USB cable was unplugged, or the device was powered off), the slot list does not shift; the slot keeps its number. Client applications should therefore locate a slot by its label or serial number rather than by a hard-coded slot number.
Note: If you perform actions that require PED operations (such as deployment) against a token or HSM while other applications are accessing the onboard HSM or another token in the appliance, those PED operations might be noticeably slow. Where possible, reserve such maintenance operations for times when clients are not accessing the HSM or other tokens. The slowness is merely inconvenient and does no harm.
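The following is an added example, not a SafeNet tool or code from this guide. It parses the plain-text "vtl listslot" output shown above (the sample is copied from this page, with the whitespace collapsed as extraction left it), resolves a slot by label or serial number instead of by slot number (which shifts on deploy/undeploy), fails closed when the slot is listed as "Not present", and pre-checks a proposed HA group against the one-member-per-appliance rule described above. Because listslot does not report which appliance (NTLS link) a slot is reached through, the serial-to-appliance mapping used by the HA check is an operator-supplied assumption; the appliance names "sa76" and "sa77" are illustrative.

```python
"""Resolve SafeNet client slots by label/serial rather than slot number.

Added example, not a SafeNet utility. Parses the plain-text output format of
``vtl listslot`` as shown on this page. The serial-to-appliance map for the
HA pre-check is an operator-supplied assumption (listslot does not report it).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample output, copied from the page (column whitespace collapsed).
SAMPLE_LISTSLOT = """\
Number of slots: 11
The following slots were found:
Slot # Description Label Serial # Status
slot #1 LunaNet Slot - - Not present
slot #2 LunaNet Slot sa76_p1 150518006 Present
slot #3 LunaNet Slot sa77_p1 150475010 Present
slot #4 LunaNet Slot G5179 700179008 Present
slot #5 LunaNet Slot pki1 700180008 Present
slot #6 LunaNet Slot CA4223 300223001 Present
slot #7 LunaNet Slot CA4129 300129001 Present
slot #8 HA Virtual Card Slot - - Not present
slot #9 HA Virtual Card Slot - - Not present
slot #10 HA Virtual Card Slot ha3 343610292 Present
slot #11 HA Virtual Card Slot G5_HA 1700179008 Present
"""

# Description may contain spaces ("HA Virtual Card Slot"), so it is matched
# non-greedily and anchored by the label, serial and status that follow it.
_SLOT_RE = re.compile(
    r"^slot #(?P<num>\d+)\s+(?P<desc>.+?)\s+(?P<label>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<status>Present|Not present)$"
)
_COUNT_RE = re.compile(r"^Number of slots:\s*(\d+)$")


@dataclass(frozen=True)
class Slot:
    number: int
    description: str
    label: Optional[str]   # None where listslot prints "-"
    serial: Optional[str]
    present: bool

    @property
    def is_ha_virtual(self) -> bool:
        return self.description.startswith("HA Virtual")


def parse_listslot(text: str) -> List[Slot]:
    """Parse listslot output; reject output whose declared count disagrees
    with the rows actually found (truncated or garbled capture)."""
    slots: List[Slot] = []
    declared: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = _SLOT_RE.match(line)
        if not m:
            continue            # banner / header lines
        slots.append(Slot(
            number=int(m["num"]),
            description=m["desc"],
            label=None if m["label"] == "-" else m["label"],
            serial=None if m["serial"] == "-" else m["serial"],
            present=(m["status"] == "Present"),
        ))
    if declared is not None and declared != len(slots):
        raise ValueError(f"listslot declared {declared} slots, parsed {len(slots)}")
    return slots


def find_slot(slots: List[Slot], *, label: Optional[str] = None,
              serial: Optional[str] = None) -> Slot:
    """Locate exactly one slot by label or by serial. Slot numbers are never
    used as keys because they shift when a PKI device is deployed/undeployed.
    Fails closed if the slot is missing, ambiguous, or 'Not present'."""
    if (label is None) == (serial is None):
        raise ValueError("give exactly one of label or serial")
    key = label if label is not None else serial
    matches = [s for s in slots if (s.label if label is not None else s.serial) == key]
    if len(matches) != 1:
        raise LookupError(f"expected one slot for {key!r}, found {len(matches)}")
    if not matches[0].present:
        raise LookupError(f"slot #{matches[0].number} ({key}) is not present")
    return matches[0]


def check_ha_group(slots: List[Slot], member_serials: List[str],
                   appliance_of_serial: Dict[str, str]) -> List[Slot]:
    """Pre-flight for an HA group: every member must be a present, physical
    (non-HA-virtual) slot, and no two members may sit behind the same
    appliance (NTLS link). appliance_of_serial is operator-supplied."""
    members = [find_slot(slots, serial=s) for s in member_serials]
    seen: Dict[str, str] = {}   # appliance -> first member serial seen there
    for m in members:
        if m.is_ha_virtual:
            raise ValueError(f"slot #{m.number} is an HA virtual slot, not a member")
        appliance = appliance_of_serial[m.serial]
        if appliance in seen:
            raise ValueError(f"serials {seen[appliance]} and {m.serial} are both on "
                             f"{appliance}; one HA member per appliance")
        seen[appliance] = m.serial
    return members


if __name__ == "__main__":
    found = parse_listslot(SAMPLE_LISTSLOT)
    pki = find_slot(found, label="pki1")
    print(f"pki1 is currently slot #{pki.number} (serial {pki.serial})")
    # Assumed mapping: sa76_p1 and sa77_p1 are partitions on two appliances.
    ok = check_ha_group(found, ["150518006", "150475010"],
                        {"150518006": "sa76", "150475010": "sa77"})
    print("HA candidates:", [s.label for s in ok])
```

Run the script against a fresh capture of "vtl listslot" before and after deploying or undeploying a PKI device: the label lookup returns the new slot number for pki1, whereas a hard-coded slot number would now point at a different token. The HA check refuses a proposed group that has two members mapped to the same appliance, which is the configuration the HA logic will not accept.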
See also Card Reader (SafeNet DOCK 2) and Token-style HSMs.
Contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International) for the relevant Key Migration document, which includes explicit instructions to migrate your cryptographic objects between different types of SafeNet HSM (generally from legacy models to current models of HSM).