ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
      - audit audit changepwd
      - audit audit init
      - audit audit secret
    - audit log
      - audit log clear
      - audit log rotation
      - audit log show
      - audit log tarlogs
    - audit service
      - audit service enable
      - audit service disable
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
      - network dns add
        
        network dns add nameserver
        
        network dns add searchdomain
      - network dns delete
        
        network dns delete nameserver
        
        network dns delete searchdomain
    - network domain
    - network hostname
    - network interface
      - network interface bonding
        
        network interface bonding config
        
        network interface bonding disable
        
        network interface bonding enable
        
        network interface bonding show
      - network interface delete
      - network interface dhcp
      - network interface ipv6
      - network interface static
    - network iptables
      - network iptables addrule
        
        network iptables addrule accept
        
        network iptables addrule drop
      - network iptables clear
      - network iptables delrule
      - network iptables save
      - network iptables show
    - network ping
    - network route
      - network route add
      - network route clear
      - network route delete
      - network route show
      - network route default
    - network show
  - package
    - package list
      - package list all
      - package list ptk
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
      - sysconf appliance factory
      - sysconf appliance poweroff
      - sysconf appliance reboot
      - sysconf appliance backup create
      - sysconf appliance backup restore
    - sysconf etnetcfg
      - sysconf etnetcfg set
      - sysconf etnetcfg show
    - sysconf snmp
      - sysconf snmp config
      - sysconf snmp disable
      - sysconf snmp enable
      - sysconf snmp show
    - sysconf time
    - sysconf timezone
      - sysconf timezone set
      - sysconf timezone show
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
      - syslog remotehost add
      - syslog remotehost clear
      - syslog remotehost delete
      - syslog remotehost list
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

Known and resolved issues

This section lists known issues in all released versions of ProtectToolkit 7, the ProtectServer 3 HSM Firmware, and the ProtectServer 3 Network HSM Appliance Software. Workarounds are provided where available and issues that have been resolved are listed along with the component and version that includes the fix.

Select Client, Firmware, or Appliance to filter issues that appear on the page by product component.

All Client Firmware Appliance

ProtectToolkit 7 issues

The issues described below are applicable to ProtectToolkit 7.

PSR-8825

In PTK 7.2.3, FM Emulation limits messages to 64Kb instead of 64Mb.

Workaround

Update the limit in emulation libraries.

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8739

etnetclient and etnetserver failures.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8687

Unable to login to admin slot using KMU

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8648

Data objects whose size is 32/128Kb can be created but disappear after HSM reset.

Workaround

None

Resolved

Fixed with combination of ProtectToolkit 7.3.1 and ProtectServer 3 HSM Firmware 7.03.01.

PSR-8645

printf calls in an FM would not show up in the hsmtrace.

Workaround

Prevent the compiler from this optimization by explicitly asking to not use the normal libc.

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8576

MKFM fails to sign in FIPS 140-3

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8575

jcprov crashes for messages greater than 64KB

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8562

ctkmu xtr31 (PTK 7.3.0) does not work.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8546

network show does not show updated Hostname

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8542

fcrypt C sample program fails to compile.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.3.

Note

This issue is unresolved in ProtectToolkit 7.3.0 and some ProtectToolkit 7 versions older than ProtectToolkit 7.2.3.

PSR-8533

Unresolved externals when building FM sample on PTK 7.3.0

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-8417

FM samples fail to compile or run in Emulation Mode.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.3.

Note

This issue is unresolved in ProtectToolkit 7.3.0 and some ProtectToolkit 7 versions older than ProtectToolkit 7.2.3.

PSR-8397

Data objects (object class CKO_DATA) greater than 32 KB in size cannot be created.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.3.

Note

This issue is unresolved in ProtectToolkit 7.3.0 and some ProtectToolkit 7 versions older than ProtectToolkit 7.2.3.

PSR-8356

ctotp fails to initialize multifactor authentication for a role and returns OTP Initialization failed. (signature invalid).

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.3.

PSR-8251

ctconf -v reports aborted sessions in Open Session Count until the HSM is reset.

Workaround

None

Resolved

Fixed with combination of ProtectToolkit 7.3.1 and ProtectServer 3 Network HSM Appliance Software 7.3.1.

PSR-8238

The SafeNetKSP.dll certificate is expired.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.3.

Note

This issue is unresolved in ProtectToolkit 7.3.0 and some ProtectToolkit 7 versions older than ProtectToolkit 7.2.3.

PSR-8179

If you use GRUB to disable IPv6 on a Linux machine hosting a ProtectServer 3 PCIe for operation in Network Mode, SafeNet HSM Net Server (etnetserver) crashes.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.3.

Note

This issue is unresolved in ProtectToolkit 7.3.0 and some ProtectToolkit 7 versions older than ProtectToolkit 7.2.3.

PSR-8132

eccdemo FM sample cannot be used.

Workaround

Add the following line to eccdemo.c:

#include <genmacro.h>

Resolved

Fixed in ProtectToolkit 7.3.0.

PSR-8044

Tokens that are approximately 64 KB or larger cannot be replicated.

Workaround

None

Resolved

Fixed with combination of ProtectToolkit 7.2.1 and ProtectServer 3 HSM Firmware 7.02.01.

PSR-7783

HA recovery does not work if there are two WLD slots

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.1.

PSR-7347

The first attempt at importing cryptographic objects from a smart card will fail when:

The objects are being imported using an N of M scheme, where N is greater than 2.
The objects are being imported after an HSM tamper.
Logging is enabled.

Workaround

Run ctkmu i a second time, immediately after the failed attempt, to successfully import the objects onto the HSM.

Resolved

Fixed in ProtectToolkit 7.2.0.

PSR-6852

cipherobj FM sample fails to run on Ubuntu systems.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.3.0.

PSR-6810

ctident list all does not report any Peer Certs for HSMs that are part of a functioning trust relationship.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.1.

PSR-6239

On Ubuntu systems, the Embedded Linux Development Kit (ELDK) package does not appear in the list of installed packages after it is installed.

Workaround

None

Resolved

Fixed in ProtectToolkit 7.2.0.

PSR-6137

After installing ProtectToolkit 7 on Windows, the SFNT_CRYPT system variable is not set to the correct value, preventing applications from accessing the Cryptoki library.

Workaround

Complete either one of the following steps:

Set the Cryptoki provider once again. For more information, refer to Changing the Cryptoki provider.
Insert the path to the Cryptoki library as the value of the SFNT_CRYPT variable by editing the system variable directly.

Resolved

Fixed in ProtectToolkit 7.2.1.

PSR-5958

In ProtectToolkit 7.1.0, an error occurs while deleting slots with gCTAadmin.

Workaround

Run ctconf -d<slot> to delete slots on the HSM.

Resolved

Fixed in ProtectToolkit 7.3.0.

PSR-5499

gCTAdmin does not run on Windows and Linux.

Workaround

Use the ctconf and ctkmu command-line utilities to complete administrative tasks.

Resolved

Fixed in ProtectToolkit 7.1.0.

PSR-5057

After upgrading the HSM firmware, the gmadmin UI remains outdated and continues to display the previous firmware version.

Workaround

Restart gmadmin.

Resolved

Fixed in ProtectToolkit 7.1.0.

PSR-4604

When configuring a smart card, setting a user name longer than the stated maximum of 20 characters causes undefined characters to be displayed at the end of the user name.

Workaround

Do not set a smart card user name longer than 20 characters.

Resolved

Fixed in ProtectToolkit 7.1.0.

PSR-4470

When the MSCA service is stopped and then quickly restarted, the Safenet KSP library does not release the service before it is started again, resulting in a duplicate endpoint error message.

Workaround

Wait approximately 5 minutes before restarting the MSCA service.

Resolved

Fixed in ProtectToolkit 7.1.0.

PSR-3414

When a new PCIe driver is installed on Windows, the driver file (PTK_K7.sys) is not updated automatically.

Workaround

Use the following procedure to allow the Device Manager to recognize the new driver:

Disable the ProtectServer 3 PCIe device in the Device Manager.
Copy PTK_K7.sys manually from the installation directory to System32/drivers.
Enable the ProtectServer 3 PCIe device in the Device Manager.

Resolved

Fixed in ProtectToolkit 7.1.0.

PSR-3219

Pressing Cancel on the legacy Verifone 1000SE PIN pad halts the HSM.

Workaround

Do not press Cancel when entering keys. Upgrade to a newer PIN pad.

PSR-2046

When using ProtectToolkit-J, stopping an application using Ctrl-C causes the HSM to crash. Log reports a "Segmentation Fault".

Workaround

None

ProtectServer 3 HSM Firmware issues

The issues described below are applicable to the ProtectServer 3 HSM Firmware.

PSR-8648

Data objects whose size is 32/128Kb can be created but disappear after HSM reset.

Workaround

None

Resolved

Fixed with combination of ProtectToolkit 7.3.1 and ProtectServer 3 HSM Firmware 7.03.01.

PSR-8531

Generating RSA keys with invalid public exponent sizes will halt HSM in FIPS mode

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.03.01.

PSR-8166

Incorrect length prediction of output when CKM_AES_GCM operations call C_Decrypt and the input data size is not a multiple of 16 bytes.

Workaround

Avoid using length prediction and set the size the C_Decrypt buffer to the size of the encrypted data.

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.02.02.

Note

This issue is unresolved in ProtectServer 3 HSM Firmware 7.03.00 and some firmware versions older than ProtectServer 3 HSM Firmware 7.02.02.

PSR-8044

Tokens that are approximately 64 KB or larger cannot be replicated.

Workaround

None

Resolved

Fixed with combination of ProtectToolkit 7.2.1 and ProtectServer 3 HSM Firmware 7.02.01.

PSR-7940

When using an IDPrime smart card, the user is not locked out of the smart card after seven failed log on attempts.

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.02.

PSR-6598

CKM_DECODE_X_509 cannot be used to derive a public key from a certificate request.

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.02.01.

PSR-6518

C_Sign() returns an invalid signature when used with length prediction and if the data size is greater than 64 KB.

Workaround

Do not use length prediction with C_Sign() if the data size is greater than 64 KB.

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.02.

PSR-6494

If you are specifying a DES3 key as the wrapping key for an export key operation, by using the ctkmu x command with the -w option, and do not include the -3 option, the HSM halts.

Workaround

Include the -3 option to avoid halting the HSM or encountering an error.

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.00.

PSR-6150

When importing a certificate object onto the HSM alongside an RSA key object, the import operation fails and returns an error.

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.01.

PSR-6088

Some ECDSA signatures that are valid in OpenSSL fail to verify.

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.02.

PSR-6087

Specifying a custom ECC curve by parameter, rather than OID, returns an error.

Workaround

Specify the custom ECC curve by OID.

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.01.

PSR-6001

The ProtectServer 3 HSM crashes when attempting to decrypt a message with size of zero using an RSA key.

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.01.

PSR-5999

FM_GetCurrentPid, FM_GetCurrentOid, FM_SetCurrentPid, and FM_SetCurrentOid (current application ID functions) cannot be used.

Workaround

None

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.01.

PSR-5731

When using the Secure memory file system (SMFS), the SmFsReadFile function receives a different value from the one written by SmFsWriteFile.

Workaround

Modify the functionality module (FM) to only write data sizes that will be padded to a byte size that is divisible by 16. Thales recommends using a helper macro similar to the one shown below.

Example helper macro

In the following example snippet, the code will encrypt 47 bytes (33 + 14) which will then get correctly padded to 48 bytes (a multiple of 16).

#define FILE_SIZE(x)      (((x) + 16 - ((x)%16)) - 1)

//Need 33 bytes
#define MAX_LENGTH  FILE_SIZE(33)

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.00.

PSR-5727

When using the SMFS, the SVC_GetReplyBuffer HIFACE replay management function returns more data than requested.

Workaround

Reconfigure FMs that are calling SVC_GetReplyBuffer to call SVC_ResizeReplyBuffer instead.

Example FM reconfiguration

//SVC_GetReplyBuffer has an issue in PTK 7.00.00 FW
//Use SVC_ResizeReplyBuffer instead

outBuf = SVC_ResizeReplyBuffer(token, outBufLen);
//outBuf =  SVC_GetReplyBuffer(token, outBufLen);

In the preceding example, SVC_ResizeReplyBuffer serves the same purpose as SVC_GetReplyBuffer but does not lead to the abovementioned error.

Resolved

Fixed in ProtectServer 3 HSM Firmware 7.01.00.

Suggest A Change

Known and resolved issues

ProtectToolkit 7 issues

PSR-8825

Workaround

Resolved

PSR-8739

Workaround

Resolved

PSR-8687

Workaround

Resolved

PSR-8648

Workaround

Resolved

PSR-8645

Workaround

Resolved

PSR-8576

Workaround

Resolved

PSR-8575

Workaround

Resolved

PSR-8562

Workaround

Resolved

PSR-8546

Workaround

Resolved

PSR-8542

Workaround

Resolved

PSR-8533

Workaround

Resolved

PSR-8417

Workaround

Resolved

PSR-8397

Workaround

Resolved

PSR-8356

Workaround

Resolved

PSR-8251

Workaround

Resolved

PSR-8238

Workaround

Resolved

PSR-8179

Workaround

Resolved

PSR-8132

Workaround

Resolved

PSR-8044

Workaround

Resolved

PSR-7783

Workaround

Resolved

PSR-7347

Workaround

Resolved

PSR-6852

Workaround

Resolved

PSR-6810

Workaround

Resolved

PSR-6239

Workaround

Resolved

PSR-6137

Workaround

Resolved

PSR-5958

Workaround