Product Overview

The ProtectServer Network HSM Plus is a self-contained, security-hardened server providing hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.

The ProtectServer Network HSM Plus is PC-based. The enclosure is a heavy-duty steel case with common PC ports and controls. Necessary software components come pre-installed on a Linux operating system. Network setting configuration is required, as described in this document.

The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the ProtectServer Network HSM Plus’s dedicated hardware cryptographic accelerator. These services include encryption, decryption, signature generation and verification, and key management with tamper-resistant, battery-backed key storage.

The ProtectServer Network HSM Plus must be used with one of SafeNet’s high-level cryptographic APIs. The following table shows the provider types and their corresponding SafeNet APIs:

| API | SafeNet Product Required |
|---|---|
| PKCS #11 | SafeNet ProtectToolkit-C |
| JCA / JCE | SafeNet ProtectToolkit-J |
| Microsoft IIS and CA | SafeNet ProtectToolkit-M |

These APIs interface directly with the product’s FIPS 140-2 Level 3 certified core using high-speed DES and RSA hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.

A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.

Physical Features

The standard appliance is the 1U-high, rack-mount device:

Here are some of the physical features of the ProtectServer Network HSM Plus:

Front panel view

The features on the front panel of the ProtectServer Network HSM Plus are illustrated below:

Figure 1: ProtectServer Network HSM Plus front panel

| Item | Name | Description |
|---|---|---|
| a | LCD system status screen | Displays "ProtectServer +" when system is operational. |
| b | Serial (console) port | Local connection for initial setup, and for admin account reset (local-only action for security purposes). |
| c | Ventilation fan-filter cover | Removable bracket allows cleaning of air filter. |
| d | Fan filter cover retaining screw | A captive thumb-screw (no tool needed). |
| e | Mounts for removable front bezel | The protective front bezel mounts on the appliance front panel. Spring clips behind the bezel engage the mounting posts at the left and right ends of the appliance's front panel. |
| f | Rack-mount tabs (removable) | Use the tabs on the front and the sliding tabs towards the rear of the appliance to support your SafeNet appliance in a compatible equipment rack. |
| g | Securing screw for fan bay | Torx screw secures the fan bay. CAUTION! Opening the fan bay will trigger a tamper event on the device. |
| h/i | USB ports | Unconfigured USB ports. These ports are not necessary for any ProtectServer operations and are left unconfigured for security purposes. |

HSM serial port pin configuration

The serial port on the USB-to-serial cable, illustrated below, uses a standard RS232 male DB9 pinout:

Figure 2: HSM serial port pinout

Rear panel view

The features on the rear panel of the ProtectServer Network HSM Plus are illustrated below:

Figure 3: ProtectServer Network HSM Plus rear panel

| Item | Name | Description |
|---|---|---|
| a | Kensington security slot | Attach an industry-standard locking cable for additional physical security. |
| b | Ethernet ports | For network connection of your SafeNet appliance. |
| c | Tamper switch | Recessed for safety, the tamper switch is used during commissioning or decommissioning of the appliance to destroy any keys currently stored on the HSM. CAUTION! Activating the tamper switch deletes any keys currently stored on the HSM. Deleted keys are not recoverable. Ensure that you always back up your keys. To avoid accidentally deleting the keys on an operational SafeNet ProtectServer Network HSM Plus, ensure the users with access to the appliance are familiar with the switch. |
| d | Power supply release tab | Press tab to release the catch, and remove the power supply from the appliance. |
| e | Removable power supply | One of two redundant power supplies. |
| f | Second removable power supply | The other of two redundant power supplies. |
| g | Start/stop switch | Use to stop the system if the command-line shutdown is not available; use to restart the system if it has been switched off. |
| h | USB ports | Unconfigured USB ports. These ports are not necessary for any ProtectServer operations and are left unconfigured for security purposes. |
| i | HSM USB port | Connects USB devices such as the USB smart card reader and the legacy card reader to the HSM. |
| j | Unused port | This port is not used for the ProtectServer Network HSM Plus; we recommend that you do not remove the covers that are installed at the factory. |