Product Overview

The ProtectServer External 2 is a self-contained, security-hardened server providing hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.

The ProtectServer External 2 is PC-based. The enclosure is a heavy-duty steel case with common PC ports and controls. Necessary software components come pre-installed on a Linux operating system. Network setting configuration is required, as described in this document.

The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the ProtectServer External 2’s dedicated hardware cryptographic accelerator. These services include encryption, decryption, signature generation and verification, and key management with a tamper resistant and battery-backed key storage.

The ProtectServer External 2 must be used with one of SafeNet’s high-level cryptographic APIs. The following table shows the provider types and their corresponding SafeNet APIs:

API SafeNet Product Required
PKCS #11 ProtectToolkit-C
JCA / JCE ProtectToolkit-J
Microsoft IIS and CA ProtectToolkit-M

These APIs interface directly with the product’s FIPS 140-2 Level 3 certified core using high-speed hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.

A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.

Front panel view

The features on the front panel of the ProtectServer External 2 are illustrated below:

Figure 1: ProtectServer External 2 front panel

Ports

The front panel is equipped with the following ports:

VGA Connects a VGA monitor to the appliance.
Console Provides console access to the appliance. See Access the Console.
USB Connects USB devices such as a keyboard or mouse to the appliance.
eth0
eth1
Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network.
HSM USB Connects a smart card reader to the appliance using the included USB-to-serial cable.

HSM serial port pin configuration

The serial port uses a standard RS232 male DB9 pinout. The USB-to-serial cable connects to this port.

Figure 2: HSM serial port pinout

LEDs

The front panel is equipped with the following LEDs:

Power Illuminates green to indicate that the unit is powered on.
HDD Flashes amber to indicate hard disk activity.
Status Flashes green on startup.

Reset button

The reset button is located between the USB and Ethernet ports. Pressing the reset button forces an immediate restart of the appliance. Although it does not power off the appliance, it does restart the software. Pressing the reset button is service-affecting and is not recommended under normal operating conditions.

Rear panel view

The features on the rear panel of the ProtectServer External 2 are illustrated below:

Figure 3: ProtectServer External 2 rear panel

protect_server_external_#C9.jpg

Tamper lock

The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently stored on the HSM.

With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical (Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.

CAUTION!   Turning the tamper key from the Active position to the Tamper position deletes any keys currently stored on the HSM. Deleted keys are not recoverable. Ensure that you always back up your keys. To avoid accidentally deleting the keys on an operational ProtectServer External 2, remove the tamper key after commission and store it in a safe place.

Cryptographic Architecture

A hardware-based cryptographic system consists of three general components:

>One or more hardware security modules (HSMs) for key processing and storage.

>High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide security services to applications.

>Access provider software to allow communication between the API software and the HSMs.

Operating in network mode, a standalone ProtectServer External 2 can provide key processing and storage.

In network mode, access provider software is installed on the machine hosting the cryptographic API software. The access provider allows communication between the API and the ProtectServer External 2 over a TCP/IP connection. The HSM can therefore be located remotely, improving the security of cryptographic key data

The figure below depicts a cryptographic service provider using the ProtectServer External 2 in network mode.

Figure 4: ProtectServer External 2 implementation

Technical Specifications

The ProtectServer External 2 specifications are as follows:

Hardware

>One smart card reader secure USB port (requires the included USB-to-serial cable)

>Protective, heavy duty steel, industrial PC case

>Intel® Atom™ CPU E3827 1.74GHz

>2 GB RAM

>4 GB solid state flash memory hard disk (DOM)

>10/100/1000 Mbps autosensing Network Interface with RJ45 LAN connector

Pre-installed Software

>Linux operating system

>ProtectServer HSM Access Provider software

>ProtectServer HSM Net Server software

Power Supply

>Nominal power consumption: 43 W

>Input AC voltage range: 100-240 V

>Input frequency range: 50-60 Hz

Physical properties

>437 mm (W) x 270 mm (D) x 44 mm (H) (1U)

>19” rack mounting brackets included

>Weight 5 kg (11 lb)

Operating Environment

>Temperature: 0 to 40°C (32 to 104°F)

>Relative Humidity: 5 to 85%