ProtectServer PCIe HSM Installation
Follow these general steps to install and commission a ProtectServer PCIe HSM card and its associated software. More detailed instructions are provided in the following sections.
To install and commission a ProtectServer PCIe HSM card
1.Ensure you have all the necessary components on the list provided. For more information, see Adapter Features.
2.Move the battery jumper from the OFF position to the ON position (see The Battery Jumper Header).
3.If you plan to use an external tamper detector, ensure that it has a two-conductor cable compatible with the tamper-detect connector on the SafeNet adapter (detailed in Adapter Modification for External Tamper Detectors).
4.Install the ProtectServer PCIe HSM card in the host computer system. See Installing the Adapter.
5.Install the ProtectServer HSM Access Provider package and confirm that the adapter and driver are working correctly. See ProtectServer HSM Access Provider Installation.
6.Install the smart card reader if provided, or another serial device. See Smart Card Reader Installation.
7.Install the SafeNet application programming interface (API) or the supplied net server software. See Completing Installation.
Adapter Features
The ProtectServer PCIe HSM is a standard PCIe device that fits into any motherboard PCIe slot of formats x4, x8, or x16.
The Card Faceplate
The card faceplate has two ports:
The MDSM Connector
The micro-D subminiature (MDSM) connector is not used.
The USB Port
The USB port connects a serial device, such as a smart card reader, to the card with the included USB-to-serial adapter.
The Rear Face
The battery and a series of jumper headers are located on the rear face of the card.
The Battery
The battery maintains the internal flash memory. The battery must remain connected for transport mode.
When keeping the HSM in storage (without keys present) it is recommended that you isolate or disconnect the battery to extend its lifespan. You can use the ctcheck -b batterystatus command to test the battery's condition. If the Battery Status indication reports as LOW, back up the HSM keys before powering down the PC.
CAUTION! Disconnecting the battery deletes all key material on the HSM. Ensure that you back up your HSM before disconnecting the power. The keys are not deleted immediately. Capacitors continue to supply power for approximately 30 seconds after battery disconnect.
The Battery Jumper Header
The battery jumper is a three-pin jumper used to engage or disengage the battery.
The battery is in the ON position when a jumper is inserted on the center and left pins, as shown in ProtectServer PCIe HSM Installation.
The battery is in the OFF position when a jumper is inserted on the center and right pins. This setting is not required for normal operation.
CAUTION! Do not change the jumper setting unless instructed by Thales support.
The Decommission Jumper Header
This header is currently unused; do not change its default setting (open).
The Tamper-Input Header
The tamper-input header connects an external tamper device to the card. By default, it has a jumper in place across both pins. To use an external tamper device, run a two-wire cable to your chassis-tamper switch or similar device to open the circuit in the case of a tamper event.
The Polarity Jumper Header
The polarity jumper header is used to configure the card's operating mode. Do not change this jumper setting.
Installing the Adapter
The adapter is a PCI Express Specification 1.1-compliant device. It can be fitted in any spare PCIe slot on the motherboard of formats x4, x8, or x16. If necessary, please consult the documentation accompanying your host system motherboard to find the PCIe slots.
If you are using a tamper-detection device, route the cable to it before closing the computer cover.
ProtectServer HSM Access Provider Installation
After successful installation of the adapter:
1.Install the ProtectServer HSM Access Provider package (PTKpcihsm2).
2.Confirm the adapter and driver package are operating correctly.
These steps are covered in detail by the ProtectServer HSM Access ProviderInstallation Guide for both Windows and Unix/Linux systems.
Smart Card Reader Installation
The ProtectServer PCIe HSM supports the use of smart cards with a SafeNet-supplied smart card reader. Readers not supplied by Thales are unsupported.
The ProtectServer PCIe HSM supports two different card readers:
>the new USB card reader (introduced in 5.2)
>the legacy card reader, which provides a serial interface for data (via a USB-to-serial cable) and a PS/2 interface for power (direct or via a PS/2 to USB adapter)
Installing the USB smart card reader
To install the USB card reader, simply plug the card reader into the HSM USB port.
Installing the legacy card reader
To install the smart card reader, use the included USB-to-serial cable to connect it to the HSM USB port on the card faceplate as shown in The connected legacy card reader (The illustration shows the card reader connected to a ProtectServer Network HSM).
The legacy card reader must also be connected to a PS/2 port for power. Many newer servers have USB ports, but do not provide a PS/2 connection.
The options are:
>Use a PS/2-to-USB adapter (pink) to connect the card reader to a USB port on the host computer.
>If you prefer not to expose USB ports on your crypto server (for security reasons), use a PS/2-to-USB adapter to connect the card reader to a standalone powered USB hub.
The USB connection is for power only. No data transfer occurs.
Figure 1: The connected legacy card reader
Completing Installation
After you have installed the ProtectServer HSM Access Provider, install the supplied SafeNet API or net server software.
Please refer to the installation instructions in the appropriate manual:
>SafeNet ProtectToolkit-C Administration Guide
>SafeNet ProtectToolkit-J Reference Guide
>SafeNet ProtectToolkit-M User Guide