ProtectServer PCIe HSM Installation

Follow these general steps to install and commission a ProtectServer PCIe HSM card and its associated software. More detailed instructions are provided in the following sections.

To install and commission a ProtectServer PCIe HSM card

1. Ensure you have all the necessary components on the list provided. For more information, see Adapter Features.

2. Move the battery jumper from the OFF position to the ON position (see The Battery Jumper Header).

3. If you plan to use an external tamper detector, ensure that it has a two-conductor cable compatible with the tamper-detect connector on the SafeNet adapter (detailed in Adapter Modification for External Tamper Detectors).

4. Install the ProtectServer PCIe HSM card in the host computer system. See Installing the Adapter.

5. Install the ProtectServer HSM Access Provider package and confirm that the adapter and driver are working correctly. See ProtectServer HSM Access Provider Installation.

6. Install the smart card reader if provided, or another serial device. See Smart Card Reader Installation.

7. Install the SafeNet application programming interface (API) or the supplied net server software. See Completing Installation.

Adapter Features

The ProtectServer PCIe HSM is a standard PCIe device that fits into any motherboard PCIe slot of formats x4, x8, or x16.

The Card Faceplate

The card faceplate has two ports:

The MDSM Connector

The micro-D subminiature (MDSM) connector is not used.

The USB Port

The USB port connects a serial device, such as a smart card reader, to the card with the included USB-to-serial adapter.

The Rear Face

The battery and a series of jumper headers are located on the rear face of the card.

The Battery

The battery maintains the internal flash memory. The battery must remain connected for transport mode.

When keeping the HSM in storage (without keys present), it is recommended that you isolate or disconnect the battery to extend its lifespan. You can use the ctcheck -b batterystatus command to test the battery's condition. If the Battery Status indication reports as LOW, back up the HSM keys before powering down the PC.

CAUTION! Disconnecting the battery deletes all key material on the HSM. Ensure that you back up your HSM before disconnecting the power. The keys are not deleted immediately. Capacitors continue to supply power for approximately 30 seconds after battery disconnect.

The Battery Jumper Header

The battery jumper is a three-pin jumper used to engage or disengage the battery.

The battery is in the ON position when a jumper is inserted on the center and left pins, as shown in ProtectServer PCIe HSM Installation.

The battery is in the OFF position when a jumper is inserted on the center and right pins. This setting is not required for normal operation.

CAUTION! Do not change the jumper setting unless instructed by Thales support.

The Decommission Jumper Header

This header is currently unused; do not change its default setting (open).

The Tamper-Input Header

The tamper-input header connects an external tamper device to the card. By default, it has a jumper in place across both pins. To use an external tamper device, run a two-wire cable to your chassis-tamper switch or a similar device that opens the circuit in the case of a tamper event.

The Polarity Jumper Header

The polarity jumper header is used to configure the card's operating mode. Do not change this jumper setting.

Installing the Adapter

The adapter is a PCI Express Specification 1.1-compliant device. It can be fitted in any spare x4, x8, or x16 PCIe slot on the motherboard. If necessary, consult the documentation accompanying your host system motherboard to find the PCIe slots.

If you are using a tamper-detection device, route the cable to it before closing the computer cover.

ProtectServer HSM Access Provider Installation

After successful installation of the adapter:

1. Install the ProtectServer HSM Access Provider package (PTKpcihsm2).

2. Confirm the adapter and driver package are operating correctly.

These steps are covered in detail by the ProtectServer HSM Access Provider Installation Guide for both Windows and Unix/Linux systems.

Smart Card Reader Installation

The ProtectServer PCIe HSM supports the use of smart cards with a SafeNet-supplied smart card reader. Readers not supplied by Thales are unsupported.

The ProtectServer PCIe HSM supports two different card readers:

- the new USB card reader (introduced in 5.2)

- the legacy card reader, which provides a serial interface for data (via a USB-to-serial cable) and a PS/2 interface for power (direct or via a PS/2 to USB adapter)

Installing the USB smart card reader

To install the USB card reader, simply plug the card reader into the HSM USB port.

Installing the legacy card reader

To install the smart card reader, use the included USB-to-serial cable to connect it to the HSM USB port on the card faceplate, as shown in Figure 1: The connected legacy card reader (the illustration shows the card reader connected to a ProtectServer Network HSM).

The legacy card reader must also be connected to a PS/2 port for power. Many newer servers have USB ports, but do not provide a PS/2 connection.

The options are:

- Use a PS/2-to-USB adapter (pink) to connect the card reader to a USB port on the host computer.

- If you prefer not to expose USB ports on your crypto server (for security reasons), use a PS/2-to-USB adapter to connect the card reader to a standalone powered USB hub.

The USB connection is for power only. No data transfer occurs.

Figure 1: The connected legacy card reader

Completing Installation

After you have installed the ProtectServer HSM Access Provider, install the supplied SafeNet API or net server software.

Please refer to the installation instructions in the appropriate manual:

- SafeNet ProtectToolkit-C Administration Guide

- SafeNet ProtectToolkit-J Reference Guide

- SafeNet ProtectToolkit-M User Guide