ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
      - audit audit changepwd
      - audit audit init
      - audit audit secret
    - audit log
      - audit log clear
      - audit log rotation
      - audit log show
      - audit log tarlogs
    - audit service
      - audit service enable
      - audit service disable
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
      - network dns add
        
        network dns add nameserver
        
        network dns add searchdomain
      - network dns delete
        
        network dns delete nameserver
        
        network dns delete searchdomain
    - network domain
    - network hostname
    - network interface
      - network interface bonding
        
        network interface bonding config
        
        network interface bonding disable
        
        network interface bonding enable
        
        network interface bonding show
      - network interface delete
      - network interface dhcp
      - network interface ipv6
      - network interface static
    - network iptables
      - network iptables addrule
        
        network iptables addrule accept
        
        network iptables addrule drop
      - network iptables clear
      - network iptables delrule
      - network iptables save
      - network iptables show
    - network ping
    - network route
      - network route add
      - network route clear
      - network route delete
      - network route show
      - network route default
    - network show
  - package
    - package list
      - package list all
      - package list ptk
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
      - sysconf appliance factory
      - sysconf appliance poweroff
      - sysconf appliance reboot
      - sysconf appliance backup create
      - sysconf appliance backup restore
    - sysconf etnetcfg
      - sysconf etnetcfg set
      - sysconf etnetcfg show
    - sysconf snmp
      - sysconf snmp config
      - sysconf snmp disable
      - sysconf snmp enable
      - sysconf snmp show
    - sysconf time
    - sysconf timezone
      - sysconf timezone set
      - sysconf timezone show
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
      - syslog remotehost add
      - syslog remotehost clear
      - syslog remotehost delete
      - syslog remotehost list
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs

This section describes how to migrate keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs.

You can migrate keys by backing up ProtectServer 2 HSM tokens to a file or smart card and then restoring them on ProtectServer 3 HSMs, or by replicating the ProtectServer 2 HSM tokens onto the ProtectServer 3 HSMs. Backup and restore procedures should be followed if none of the keys that must be migrated have their CKA_EXPORTABLE and CKA_MODIFIABLE attributes set to FALSE, while token replication should be used when some of the keys that must be migrated have their CKA_EXPORTABLE and CKA_MODIFIABLE attributes set to FALSE.

For detailed procedures, refer to the following subsections:

Migrating keys using backup and restore
Migrating keys using token replication

Migrating keys using backup and restore

This subsection describes how to migrate keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs using backup and restore. There are four recommended backup and restore methods. First, refer to the Prerequisites that apply to all of the procedures and then refer to one of the four following procedures:

Backup to file and restore
Backup to single-custodian smart card and restore
Backup to multiple-custodian smart cards and restore
Backup to N of M custodian smart cards and restore

Note

Smart card migration procedures can be performed with any smart card that is supplied by Thales with a ProtectServer Internal Express/ProtectServer External HSM or ProtectServer Internal Express 2/ProtectServer External 2/ProtectServer External 2+ HSM.

Prerequisites

Before you begin any of the following procedures, you must satisfy the prerequisites described below. Additional procedure-dependent prerequisites, where applicable, are described before each procedure.

Consider your existing ProtectToolkit 5 client configuration and how you want to transition to ProtectToolkit 7. Thales recommends migrating by using two separate client machines, so that you can ensure that the migration procedure is complete before transitioning your applications to the new client and HSM:
- ProtectToolkit 5 client connected to connected to the ProtectServer 2 HSMs.
- ProtectToolkit 7 client connected to connected to the ProtectServer 3 HSM}s.
You cannot use ProtectToolkit 5 with ProtectServer 3 HSMs. Thales recommends that you complete the backup portion of the migration procedure first with ProtectToolkit 5, upgrade your client software to ProtectToolkit 7 and provision your ProtectServer 3 HSM (or alternatively use a version of ProtectToolkit 7 that you have installed on another system), and finally perform the restore portion of the migration procedure.
Ensure that you have initialized the ProtectServer 3 Admin token and one or more User tokens to accept the migrated keys (For more information about token initialization, see Initial configuration).
The following migration scenarios use the key export function, and require all keys being migrated to have the attribute CKA_EXPORTABLE=TRUE. If any of your keys are not exportable, you must first change the attribute using ctkmu m. For more information, refer to ctkmu.
- If a key has the attributes CKA_EXPORTABLE=FALSE and CKA_MODIFIABLE=FALSE, it cannot be migrated using this procedure. Refer to Migrating keys using token replication instead.
- If a key has the attributes CKA_EXPORTABLE=TRUE and CKA_EXTRACTABLE=FALSE, you must log on as Security Officer (SO) to perform the migration operation.

Backup to file and restore

In this procedure, you will back up a ProtectServer 2 HSM token to an encrypted file on your ProtectToolkit client machine, and restore it to your new ProtectServer 3 token.

To migrate keys by backing up to a file and restoring to the new HSM

Using the ProtectToolkit 5 client, create a wrapping key on the source token by entering key components. You can assign whatever key attributes you prefer, but sign, verify, wrap, and unwrap are all required (-k SVWU).

ctkmu c -t<keytype> -n<wrapping_keyname> -a<attributes> -k<#_of_components> -z<keysize>

]# ctkmu c -t AES -nAES_WRAP -a EDSVWUXT -u0000 -k 2 -z256
ProtectToolkit C Key Management Utility
Copyright (c) Safenet, Inc. 2009-2020

Enter Key Component 1 (Need to enter 64 HEX chars): 0832240A34365AEB8273A6535EF80FA99CB5FCE8D2A19EE1977CB8D664F86968
Component 1  KCV : 9C1884
Is this correct? [Y/n]: y

Enter Key Component 2 (Need to enter 64 HEX chars): 263FF91EE9C7A5ECC58AFFA35B4F6A5443F0DA3B5ABE60FB45260AEA8C9458F7
Component 2  KCV : 62A639
Is this correct? [Y/n]: Y

Key 'AES_256' KCV : 97498B
Is this correct? [Y/n]: Y

Key "AES_256" was created

Export all objects stored on the token to an encrypted file on the ProtectToolkit 5 client, using the new wrapping key.

Note

If you are migrating DH_PARAM or DSA_PARAM objects, include the -4 option when exporting the stored objects.

ctkmu x -s<slotnum> -w<wrapping_keyname> <backup_filename> [-4]
Securely transfer the wrapped file to the ProtectToolkit 7 client machine.
Using the ProtectToolkit 7 client, recreate the wrapping key on the destination token by entering the same key components.

ctkmu c -t<keytype> -n<wrapping_keyname> -a <attributes> -k<#_of_components> -z<keysize> [-4]
Import the wrapped file to the ProtectToolkit 7 token using the new wrapping key.

ctkmu i -s<slotnum> -w<wrapping_keyname> <backup_filename>

Backup to single-custodian smart card and restore

In this procedure, you will back up a ProtectServer 2 HSM token to a smart card and restore it to your new ProtectServer 3 token. The single-custodian scheme requires you to create and specify a wrapping key to encrypt the cryptographic objects.

Prerequisites

Ensure that both the source and destination HSMs have a smart card reader installed.
Ensure that you have enough blank smart cards available to store all objects on the token.

To migrate keys by backing up to a single-custodian smart card

Using the ProtectToolkit 5 client, create a wrapping key on the source token by entering key components. You can assign whatever key attributes you prefer, but sign, verify, wrap, and unwrap are all required (-k SVWU).

ctkmu c -t<keytype> -n<wrapping_keyname> -a<attributes> -k<#_of_components> -z<keysize>
Insert a blank smart card into the ProtectServer 2 HSM reader, and export all objects stored on the token to the smart card, using the new wrapping key.

Note

If you are migrating DH_PARAM or DSA_PARAM objects, include the -4 option when exporting the stored objects.

ctkmu x -s<slotnum> -w<wrapping_keyname> -c<SC_reader_slotnum> [-4]
Using the ProtectToolkit 7 client, recreate the wrapping key on the destination token by entering the same key components.

ctkmu c -t<keytype> -n<wrapping_keyname> -a<attributes> -k<#_of_components> -z<keysize>
Restore the contents of the smart card(s) to the destination ProtectServer 3 token by specifying the unwrapping key.

ctkmu i -s<slotnum> -w<wrapping_keyname> -c<SC_reader_slotnum>

Backup to multiple-custodian smart cards and restore

In this procedure, you will back up a ProtectServer 2 HSM token to smart cards held by multiple custodians in a standard key-splitting scheme, and restore it to your new ProtectServer 3 token.

Prerequisites

Ensure that both the source and destination HSMs have a smart card reader installed.
Ensure that you have enough blank smart cards available to store all objects on the token.
You require a minimum of two custodians to use the standard key-splitting scheme.
You must set the Weak Mechanisms flag to ON to use this backup method (For more information about this security flag, see Security Flags).

To migrate keys by backing up to multiple-custodian smart cards

Insert a blank smart card into the ProtectServer 2 HSM reader, and use the ProtectToolkit 5 client to export splits of all objects stored on the source token to the smart card.

Note

If you are migrating DH_PARAM or DSA_PARAM objects, include the -4 option when exporting the stored objects.

ctkmu x -s<slotnum> -c<SC_reader_slotnum> [-4]
Follow the prompts to complete the backup using the multiple-custodian scheme.
Use the ProtectToolkit 7 client to restore the contents of the smart cards to the destination ProtectServer 3 token.

ctkmu i -s<slotnum> -c<SC_reader_slotnum>

Backup to N of M custodian smart cards and restore

In this procedure, you will back up a ProtectServer 2 HSM token to smart cards held by multiple custodians in an N of M key-splitting scheme, and restore it to your new ProtectServer 3 token.

Prerequisites

Ensure that both the source and destination HSMs have a smart card reader installed.
Ensure that you have enough blank smart cards available to store all objects on the token.
You require a minimum of three custodians to use the N of M key-splitting scheme, with a minimum of two required to restore keys to the destination token.

To migrate keys by backing up to multiple-custodian smart cards in an N of M scheme

Insert a blank smart card into the ProtectServer 2 HSM reader, and use the ProtectToolkit 5 client to export splits of all objects stored on the source token to the smart card, specifying the N of M scheme.

Note

If you are migrating DH_PARAM or DSA_PARAM objects, include the -4 option when exporting the stored objects.

ctkmu x -s<slotnum> -c<SC_reader_slotnum> -M [-4]
Follow the prompts to complete the backup using the N of M multiple-custodian scheme. N cannot be equal to M.
Use the ProtectToolkit 7 client to restore the contents of the smart cards to the destination ProtectServer 3 token by presenting cards from the minimum (N) number of custodians.

ctkmu i -s<slotnum> -c<SC_reader_slotnum>

Migrating keys using token replication

This subsection describes how to migrate keys from a ProtectServer 2 HSM to a ProtectServer 3 HSM by using token replication. First, refer to the Prerequisites and then refer to the following procedures in order:

Prerequisites

Before you migrate keys using token replication, you must satisfy the prerequisites described below.

Set up, initialize, provision, and prepare at least one ProtectServer 3 HSM for deployment. Refer to ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration for more information.

Note

The User and SO PINs of the destination slot on the ProtectServer 3 HSM must match the User and SO PINs of the source slot on the ProtectServer 2 HSM that will be replicated.
Update the firmware of the ProtectServer 3 HSM to ProtectServer 3 HSM Firmware 7.02.03 or newer. If there are multiple ProtectServer 3 HSMs, update the firmware of all the devices to ProtectServer 3 HSM Firmware 7.02.03 or newer. Refer to Updating the HSM firmware or boot loader for more information.

Note

ProtectServer 3 HSM Firmware 7.03.00 does not support key migration using token replication.
Download and install ProtectToolkit ProtectToolkit 7.2.3 or newer on another client machine to operate the ProtectServer 3 HSM. Refer to ProtectToolkit 7 software installation for more information.

Note

Thales recommends running ProtectToolkit 7 and ProtectToolkit 5 on separate client machines.

ProtectToolkit 7.2.3 includes ptk7tokmigration, which is a utility that is required to complete the procedures described below.
Copy the ptk7tokmigration binary from the ProtectToolkit 7 client machine to the ProtectToolkit 5 client machine. The ptk7tokmigration binary is located alongside other ProtectToolkit CLU binaries in the ProtectToolkit-C Runtime installation directory.
Ensure that the HSM real-time clocks (RTCs) are synchronized with the host system clocks. Refer to Adjusting the HSM clock and ProtectServer 2 HSM and ProtectToolkit 5 for information about synchronizing the RTCs of ProtectServer 3 HSMs and ProtectServer 2 HSMs, respectively.
Ensure that the ProtectServer 2 HSM has an HSM ID public key. If there are multiple ProtectServer 2 HSMs, ensure that they all have HSM ID public keys. Refer to ctident for information about generating HSM ID keys for a ProtectServer 2 HSM.

1. Establish mutual trust between the ProtectServer 2 HSM and ProtectServer 3 HSM

Note

This procedure assumes that tokens on one ProtectServer 2 HSM are being replicated to one ProtectServer 3 HSM. Refer to <targets> and <peers> for information about the values that should be used for these ptk7tokmigration command arguments in migration scenarios that involve multiple ProtectServer 2 HSMs or multiple ProtectServer 3 HSMs.

On the ProtectToolkit 7 client, generate an HSM ID public key for the ProtectServer 3 HSM.

ptk7tokmigration gen <targets>
```
ptk7tokmigration gen sn:5678
```
On the ProtectToolkit 7 client, copy the newly generated HSM ID public key to a public key file.

ptk7tokmigration getid <targets> -p<pubkey>
```
ptk7tokmigration getid sn:5678 -p/tmp/5678.pem
```
On the ProtectToolkit 7 client, securely copy the newly created public key file from the ProtectToolkit 7 client machine to the ProtectToolkit 5 client machine.

scp <ptk7/pem/file/path> <ptk5/pem/file/path>
```
scp /tmp/HSMID_5678.pem PTK5client:/tmp/HSMID_5678.pem
```
On the ProtectToolkit 5 client, instruct the ProtectServer 2 HSM to trust the HSM ID public key of the ProtectServer 3 HSM.

ptk7tokmigration trust <targets> <peers> -p<pubkey>
```
ptk7tokmigration trust sn:1234 sn:5678 -p/tmp/HSMID_5678.pem
```
On the ProtectToolkit 5 client, verify that HSM ID public key of the ProtectServer 3 HSM is recognized by the ProtectServer 2 HSM.

ptk7tokmigration list <targets> -tpeer
```
ptk7tokmigration list sn:1234 -tpeer
```
The preceding command outputs the HSM ID public key of the ProtectServer 3 HSM. Multiple keys are listed if the public key file contains the public keys of multiple ProtectServer 3 HSMs.
On the ProtectToolkit 5 client, copy the HSM ID public key of the ProtectServer 2 HSM to a public key file.

ptk7tokmigration getid <targets> -p<pubkey>
```
ptk7tokmigration getid sn:1234 -p/tmp/HSMID_1234.pem
```
On the ProtectToolkit 5 client, securely copy the newly created public key file from the ProtectToolkit 5 client machine to the ProtectToolkit 7 client machine.

scp <ptk5/pem/file/path> <ptk7/pem/file/path>
```
scp /tmp/HSMID_1234.pem PTK7client:/tmp/HSMID_1234.pem
```
On the ProtectToolkit 7 client, instruct the ProtectServer 3 HSM to trust the the HSM ID public key of the ProtectServer 2 HSM.

ptk7tokmigration trust <targets> <peers> -p<pubkey>
```
ptk7tokmigration trust sn:5678 sn:1234 -p/tmp/HSMID_1234.pem
```
On the ProtectToolkit 7 client, verify that HSM ID public key of the ProtectServer 2 HSM is recognized by the ProtectServer 3 HSM.

ptk7tokmigration list <targets> -tpeer
```
ptk7tokmigration list sn:5678 -tpeer
```
The preceding command outputs the HSM ID public key of the ProtectServer 2 HSM. Multiple keys are listed if the public key file contains the public keys of multiple ProtectServer 2 HSMs.

Mutual trust has been established between the ProtectServer 2 HSM and ProtectServer 3 HSM. After establishing mutual trust, proceed to 2. Replicate the token from the source slot on ProtectServer 2 HSM to the destination slot on the ProtectServer 3 HSM.

2. Replicate the token from the source slot on the ProtectServer 2 HSM to the destination slot on the ProtectServer 3 HSM

On the ProtectToolkit 5 client, create a token image file for the token that must be replicated.

ctkmu xt -s<slot> -S<ps3_serial> <token_image_filename>
```
ctkmu xt -s0 -S 5678 PSE2-token.bin
```
Refer to ctkmu for information about creating a token image file from a ProtectServer 2 HSM token.

Note

The serial number of the ProtectServer 3 HSM that will import the token image is specified when creating the token image file.

Tip

If you are replicating multiple tokens, create a token image file for each source slot.

If you are replicating a single token to multiple destination slots, which exist across multiple ProtectServer 3 HSMs, create a token image file for each ProtectServer 3 HSM.
On the ProtectToolkit 5 client, securely copy the newly created token image file from the ProtectToolkit 5 client machine to the ProtectToolkit 7 client machine.

scp <ptk5/token_image/file/path> <ptk7/token_image/file/path>
```
scp /tmp/PSE2-token.bin PTK7client:/tmp/PSE2-token.bin
```
Tip

If you have created multiple token image files, copy every token image file from the ProtectToolkit 5 client machine to the ProtectToolkit 7 client machine.
On the ProtectToolkit 7 client, import the copied token image file onto the ProtectServer 3 HSM.

ptk7tokmigration it -s<slot> <token_image/file/path>
```
ptk7tokmigration it -s1 /tmp/PSE2-token.bin
```
Tip

If you are replicating multiple tokens to one ProtectServer 3 HSM, import each token image file onto the ProtectServer 3 HSM.

If you are replicating a single token to multiple destination slots, which exist across multiple ProtectServer 3 HSMs, import each token image file onto the ProtectServer 3 HSM that has a serial number that matches the serial number specified when the token image file was created in step 1.

Note

Import will fail if the serial number of the ProtectServer 3 HSM that is importing the token does not match the serial number that was specified when the token image file was created in step 1.
Verify that you successfully replicated the token by running the following command on the ProtectToolkit 7 client, to display the contents of the destination slot, and ProtectToolkit 5 client, to display the contents of the source slot:

ctkmu l -s<slot>
```
ctkmu l -s0
```
The contents of the destination slot on the ProtectServer 3 HSM should match the contents of the source slot on the ProtectServer 2 HSM.

If the contents of the slots match, you have successfully migrated keys from a ProtectServer 2 HSM to a ProtectServer 3 HSM using token replication.

Suggest A Change

Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs

Migrating keys using backup and restore

Prerequisites

Backup to file and restore

To migrate keys by backing up to a file and restoring to the new HSM

Backup to single-custodian smart card and restore

Prerequisites

To migrate keys by backing up to a single-custodian smart card

Backup to multiple-custodian smart cards and restore

Prerequisites

To migrate keys by backing up to multiple-custodian smart cards

Backup to N of M custodian smart cards and restore

Prerequisites

To migrate keys by backing up to multiple-custodian smart cards in an N of M scheme

Migrating keys using token replication

Prerequisites

1. Establish mutual trust between the ProtectServer 2 HSM and ProtectServer 3 HSM

2. Replicate the token from the source slot on the ProtectServer 2 HSM to the destination slot on the ProtectServer 3 HSM

On this page