HSM Migration
The ProtectServer Network and PCIe HSMs are direct replacements for the legacy PSE and PSI-E HSMs, which have been declared end of sale, and are no longer available for purchase.
Although the ProtectServer Network and PCIe HSMs are functionally equivalent to their legacy counterparts, the underlying hardware is significantly different. The major hardware change is to the embedded cryptographic engine used on the HSMs. The legacy PSE/PSI-E HSMs incorporate the K5 cryptographic engine. The ProtectServer Network and PCIe HSMs incorporate the more modern K6 cryptographic engine.
Although every effort has been made to mitigate the impact of these hardware changes, the introduction of a new cryptographic engine impacts the following:
>Functionality modules (FMs). The processor used on the ProtectServer Network and PCIe HSMs is different from the processor used on the legacy ProtectServer HSMs. As a result, you must rebuild your FMs to run on the new hardware.
>Serial devices. The serial port on the ProtectServer HSMs has been replaced on the ProtectServer Network and PCIe HSMs with a USB port and a USB-to-serial cable. Any serial devices that were previously attached to a ProtectServer HSM will continue to work on the ProtectServer Network and PCIe HSMs.
In addition to these changes, the SafeNet ProtectToolkit also includes some software fixes/enhancements, as described in Software Changes.
Functionality Modules
The K5 cryptographic engine is based on the ARM processor. The K6 cryptographic engine is based on the PowerPC processor. As a result, any FMs built for the PSE/PSI-E (K5) HSMs will not run on the ProtectServer Network and PCIe HSMs. You must rebuild your existing FMs to run on the PowerPC (K6) platform. This requires a Linux machine or VM and some changes to your source files, as described in FM Migration.
Software Changes
The software changes introduced in this release primarily affect the FM SDK, as detailed in FM Migration. Any additional changes are described in the following sections.
FM SDK (formerly PPO) is now included with the ProtectToolkit software
The latest versions of the client software and HSM firmware can be found on the Thales Technical Support Customer Portal. See Support Contacts for more information.
Installation Directories
The installation directories have been modified to conform to SafeNet standard conventions, as follows:
| Linux | /opt/safenet/protecttoolkit5/opt/safenet/fm-toolchain |
| Windows | C:\Program Files\SafeNet\Protect Toolkit 5 |
Environment Variables
Environment configuration for the ProtectToolkit-C SDK and FM SDK has been simplified in this release as follows. Manual setting of environment variables is no longer required.
| Linux | A configuration script (setvars.sh) is now included with ProtectToolkit-C to configure your development environment. You would typically run this script each time you open a new shell. See the installation documentation for more information. |
| Windows | The runtime environment is automatically configured as part of the installation process. The FM SDK installation directory includes a configuration batch (fmsdkvars.bat) file to configure your FM development environment. You would typically run this batch file each time you open a new shell. See the installation documentation for more information. |
Installer Directory Structure
├───<part_number>_sw_license_agreement.pdf ├───<part_number>_sw_license_agreement.txt ├───autorun.inf │ ├───firmware │ └──<firmware_upgrade_files> │ └───SDKs ├── safeNet-install.sh │ ├── AIX │ ├── PTKcprt │ │ └── PTKcprt.bff │ ├── PTKcpsdk │ │ └── PTKcpsdk.bff │ ├── PTKjprov │ │ └── PTKjprov.bff │ ├── PTKjpsdk │ │ └── PTKjpsdk.bff │ └── PTKnethsm │ └── PTKnethsm.bff │ ├── HP-UX │ ├── PTKcprt │ │ └── PTKcprt.depot │ ├── PTKcpsdk │ │ └── PTKcpsdk.depot │ ├── PTKjprov │ │ └── PTKjprov.depot │ ├── PTKjpsdk │ │ └── PTKjpsdk.depot │ └── PTKnethsm │ └── PTKnethsm.depot │ ├── Linux │ ├── fm_sdk │ │ └── PTKfmsdk-<version>.i386.rpm │ ├── fm_toolchain │ │ └── fm-toolchain-ppc440e-<version>.i686.rpm │ ├── hsm_net_server │ │ └── PTKnetsrv-<version>.i386.rpm │ ├── network_hsm_access_provider │ │ └── PTKnethsm-<version>.i386.rpm │ ├── pci_hsm_access_provider │ │ └── PTKpcihsmK6-<version>.i386.rpm │ ├── ptkc_runtime │ │ └── PTKcprt-<version>.i386.rpm │ ├── ptkc_sdk │ │ └── PTKcpsdk-<version>.i386.rpm │ ├── ptkj_runtime │ │ └── PTKjprov-<version>.i386.rpm │ └── ptkj_sdk │ └── PTKjpsdk-<version>.i386.rpm │ ├── Linux64 │ ├── fm_sdk │ │ └── PTKfmsdk-<version>.x86_64.rpm │ ├── fm_toolchain │ │ └── fm-toolchain-ppc440e-<version>.i686.rpm │ ├── hsm_net_server │ │ └── PTKnetsrv-<version>.x86_64.rpm │ ├── network_hsm_access_provider │ │ └── PTKnethsm-<version>.x86_64.rpm │ ├── pci_hsm_access_provider │ │ └── PTKpcihsmK6-<version>.x86_64.rpm │ ├── ptkc_runtime │ │ └── PTKcprt-<version>.x86_64.rpm │ ├── ptkc_sdk │ │ └── PTKcpsdk-<version>.x86_64.rpm │ ├── ptkj_runtime │ │ └── PTKjprov-<version>.x86_64.rpm │ └── ptkj_sdk │ └── PTKjpsdk-<version>.x86_64.rpm │ ├── Solaris │ ├── PTKcprt │ │ └── PTKcprt.pkg │ ├── PTKcpsdk │ │ └── PTKcpsdk.pkg │ ├── PTKjprov │ │ └── PTKjprov.pkg │ ├── PTKjpsdk │ │ └── PTKjpsdk.pkg │ └── PTKnethsm │ └── PTKnethsm.pkg │ ├── SolarisX86 │ ├── PTKcprt │ │ └── PTKcprt.pkg │ ├── PTKcpsdk │ │ └── PTKcpsdk.pkg │ ├── PTKjprov │ │ └── PTKjprov.pkg │ ├── PTKjpsdk │ │ └── PTKjpsdk.pkg │ └── PTKnethsm │ └── PTKnethsm.pkg │ ├───Win32 │ ├───fm_sdk │ │ └── PTKfmsdk.msi │ ├───hsm_net_server │ │ └── PTKnethsm.msi │ ├───network_hsm_access_provider │ │ └── PTKnethsm.msi │ ├───pci_hsm_access_provider │ │ └── PTKpcihsmK6.msi │ ├───ptkc_runtime │ │ └── PTKcprt.msi │ ├───ptkc_sdk │ │ └── PTKcpsdk.msi │ ├───PTKJ_Runtime │ │ └──PTKjprt.msi │ ├───PTKJ_SDK │ │ └── PTKjpsdk.msi │ └───Ptk-M │ └── SafenetKSP32.msi │ └───Win64 ├───fm_sdk │ └── PTKfmsdk.msi ├───hsm_net_server │ └── PTKnethsm.msi ├───network_hsm_access_provider │ └── PTKnethsm.msi ├───pci_hsm_access_provider │ └── PTKpcihsmK6.msi ├───ptkc_runtime │ └── PTKcprt.msi ├───ptkc_sdk │ └── PTKcpsdk.msi ├───PTKJ_Runtime │ └──PTKjprt.msi ├───PTKJ_SDK │ └── PTKjpsdk.msi └───Ptk-M ├── PTKmprt64.msi └── SafenetKSP64.msi
