ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
      - audit audit changepwd
      - audit audit init
      - audit audit secret
    - audit log
      - audit log clear
      - audit log rotation
      - audit log show
      - audit log tarlogs
    - audit service
      - audit service enable
      - audit service disable
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
      - network dns add
      - network dns delete
    - network domain
    - network hostname
    - network interface
      - network interface bonding
      - network interface delete
      - network interface dhcp
      - network interface ipv6
      - network interface static
    - network iptables
      - network iptables addrule
      - network iptables clear
      - network iptables delrule
      - network iptables save
      - network iptables show
    - network ping
    - network route
      - network route add
      - network route clear
      - network route delete
      - network route show
      - network route default
    - network show
  - package
    - package list
      - package list all
      - package list ptk
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
      - sysconf appliance factory
      - sysconf appliance poweroff
      - sysconf appliance reboot
      - sysconf appliance backup create
      - sysconf appliance backup restore
    - sysconf etnetcfg
      - sysconf etnetcfg set
      - sysconf etnetcfg show
    - sysconf snmp
      - sysconf snmp config
      - sysconf snmp disable
      - sysconf snmp enable
      - sysconf snmp show
    - sysconf time
    - sysconf timezone
      - sysconf timezone set
      - sysconf timezone show
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
      - syslog remotehost add
      - syslog remotehost clear
      - syslog remotehost delete
      - syslog remotehost list
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

ProtectServer owner and identity certificates

This section describes ProtectServer owner and identity certificates, how you can use them to establish an HSM as a certificate authority (CA) that authenticates other HSMs in your deployment, and how to establish trust relationships between HSMs in your deployment.

Overview

ProtectToolkit 7 allows you to generate an identity key and certificate on the HSM, ensuring that cryptographic objects can be replicated only to other ProtectServer 3 HSMs you control, and to secure messages between the HSM and PTK. The identity keys and certificates described below are unaffected by tamper events; they remain consistent unless explicitly replaced by the HSM Administrator. The procedures described here should be completed by the Administrator after installing a new ProtectServer 3 HSM.

The new identity scheme uses the following objects:

ProtectServer Owner Key (POK): ECC P-521 private key to identify the ProtectServer 3 HSM owner. This allows you to use a ProtectServer 3 HSM as a Certificate Authority (CA) to authenticate the other ProtectServer 3 HSMs in your organization.
ProtectServer Owner Certificate (POC): Self-signed ECC P-521 certificate that identifies the ProtectServer 3 HSM owner on other HSMs in your organization. When this certificate is created, it is held in a POC-Pending state until the POK is used to sign a PIK for the same HSM.
ProtectServer Identity Key (PIK): ECC P-521 private key to identify the ProtectServer 3 HSM. Required for Secure messaging and Token replication. When Authenticating ProtectServer 3 HSMs with an offline HSM CA, the PIK of the HSM being authenticated is held in a PIK-Pending state until the HSM's PIC is signed by the HSM CA.
ProtectServer Identity Certificate (PIC): ECC P-521 certificate that identifies the ProtectServer 3 HSM. Can be self-signed or signed by a POK. Required for Secure messaging and Token replication.

Trust between HSMs is established by the exchange of PICs, used for wrapping tokens and verifying signed information. An identity key pair is generated on the administrative token of each device. The PIC is either self-signed by the PIK, or by a higher POK created on one of your ProtectServer 3 HSMs. The POK allows you to use a ProtectServer 3 HSM as a Certificate Authority to verify the other HSMs in your organization.

Establishing a ProtectServer 3 HSM as the HSM certificate authority

You can use this procedure to create a POK/POC keypair on the ProtectServer 3 HSM that you plan to use as a Certificate Authority for the other ProtectServer 3 HSM in your organization. This HSM can be one that you use in production or keep separate from your production HSMs. This procedure is completed by the Administrator using the ctident tool.

Note

If you choose to use a POK/POC to authenticate HSMs for trust management, all HSMs that will trust each other must have their PIC signed by the same POK. Thales recommends using only one POK/POC, unless you wish to keep separate deployments of HSMs that explicitly cannot establish trust relationships between them.

A PTK client can hold only one POC at a time, so if you wish to maintain separate deployments, each deployment requires its own separate clients.

Prerequisites

The ProtectServer 3 HSM you wish to use as the HSM CA must be installed and available to your PTK client machine. You can authenticate any other ProtectServer 3 HSMs available to your PTK client as part of this procedure, or you can authenticate them later as they are added.
Ensure that you have initialized the ProtectServer Admin token on the certifying HSM CA and any others you wish to authenticate (see Initial configuration). You will need to provide the Admin PIN for each HSM being authenticated.
Ensure that you have synchronized the HSM clock(s) with the correct time on your PTK client (see Adjusting the HSM clock).
If you want to customize the location of the PTK client certificate store, edit the path in the ET_PTKC_GENERAL_CERT_STORE variable. For more information about editing the path in this variable, refer to General ProtectToolkit-C configuration items.

To establish a ProtectServer 3 HSM as the HSM certificate authority

(Optional) List the ProtectServer 3 HSMs available to the PTK client.

ctident list all
Generate the POK/POC by specifying the desired certifying HSM by its device or serial number (sn:<serialnum>) as listed in the PTK client.

ctident gen-owner <CA_devicenum>

You are prompted for the Admin PIN. The HSM generates the keypair and exports the self-signed POC to the PTK client certificate store (Owner_POC.crt).

If you run ctident list all again, you will see that there is a certificate in the POC-Pending state. To establish this cert as the ProtectServer Owner Certificate, you must use the POK to sign a ProtectServer Identity Certificate (PIC).
Generate the certifying HSM CA's PIK/PIC as follows:
- If you will use the HSM CA in production with other HSMs available to this PTK client: Specify the HSM CA's device or serial number (sn:<serialnum>), and a comma-separated list of other available HSMs you wish to authenticate (or all to authenticate all available HSMs). This list should include the HSM CA (which authenticates its own PIK/PIC).
ctident gen-key <CA_devicenum> <CA_devicenum,devicenum,devicenum... | all>

You are prompted for the Admin PIN of the certifying HSM CA, and for each HSM being authenticated in turn. Each HSM creates a PIK/PIC, and the PIC is signed by the HSM CA's POK. If any of the HSMs already have a PIK/PIC set, you are prompted to confirm that you wish to overwrite the existing PIK/PIC. The new PIC is exported to the PTK client certificate store.

To certify more ProtectServer 3 HSMs as they are added later, see Authenticating ProtectServer 3 HSMs with an HSM CA in production.

If you have other PTK clients that will access these HSMs using Secure messaging, see Importing the ProtectServer certificate chain to a new PTK client.
If you are keeping this HSM CA offline and separate from the other HSMs it will authenticate: Specify the HSM CA's device or serial number (sn:<serialnum>) twice, to indicate that the HSM CA should create a PIK/PIC for itself and use the POK to sign the PIC.

ctident gen-key <CA_devicenum> <CA_devicenum>

To certify ProtectServer 3 HSMs in production using the offline HSM CA, see Authenticating ProtectServer 3 HSMs with an offline HSM CA.

Authenticating ProtectServer 3 HSMs with an HSM CA in production

You can use this procedure to generate a PIK on a new HSM and have its PIC signed by your ProtectServer 3 HSM CA. Use this procedure when your HSM CA is used in production and it is available to the same PTK client as the new HSM. This procedure is completed by the Administrator using the ctident tool.

Prerequisites

The ProtectServer 3 HSM CA and the new HSM must be available to the same PTK client machine.
Ensure that you have initialized the Admin token on the new HSM(s) (see Initial configuration). You will need to provide the Admin PIN for each HSM being authenticated.
Ensure that you have synchronized the HSM clock(s) with the correct time on your PTK client (see Adjusting the HSM clock).
If you want to customize the location of the PTK client certificate store, edit the path in the ET_PTKC_GENERAL_CERT_STORE variable. For more information about editing the path in this variable, refer to General ProtectToolkit-C configuration items.

To create a PIK and sign its PIC with a ProtectServer 3 HSM CA in production

Generate the HSM's PIK/PIC by specifying the HSM CA's device or serial number (sn:<serialnum>), and the device or serial number of the HSM you wish to authenticate (or a comma-separated list of multiple HSMs, or all to certify all available HSMs).

ctident gen-key <CA_devicenum> <devicenum,devicenum,devicenum,... | all>

You are prompted for the Admin PIN of the HSM CA, and for each HSM being authenticated in turn. If any of the HSMs already have a PIK/PIC set, you are prompted to confirm that you wish to overwrite the existing PIK/PIC. The new PIC is exported to the PTK client certificate store.
If you have other PTK clients that will access this HSM using Secure messaging, see Importing the ProtectServer certificate chain to a new PTK client.

Authenticating ProtectServer 3 HSMs with an offline HSM CA

You can use this procedure to generate a PIK on a ProtectServer 3 HSM and have its PIC signed by your ProtectServer 3 HSM CA. Use this procedure if your HSM CA is kept offline and separate from the rest of the HSMs it will authenticate. This procedure is completed by the Administrator using the ctident and ctcert tools.

Note

A PTK client can hold only one POC at a time, so if you wish to maintain separate deployments, each deployment requires its own separate clients.

Prerequisites

The ProtectServer 3 HSM you wish to use as the HSM CA must be installed and available to PTK client machine A, with a valid POK/POC (see Establishing a ProtectServer 3 HSM as the HSM certificate authority).
The ProtectServer 3 HSM(s) you will authenticate must be installed and available to PTK client machine B.
Ensure that you have initialized the Admin token on the ProtectServer 3 HSM(s) you wish to authenticate (see Initial configuration). You will need to provide the Admin PIN for each HSM being authenticated.
You must have a secure method of transferring the certificates between client A and client B.
Ensure that you have synchronized the HSM clock(s) with the correct time on your PTK client (see Adjusting the HSM clock).
If you want to customize the location of the PTK client certificate store, edit the path in the ET_PTKC_GENERAL_CERT_STORE variable. For more information about editing the path in this variable, refer to General ProtectToolkit-C configuration items.

To create a PIK and sign its PIC with an offline ProtectServer 3 HSM CA

(Optional) List the ProtectServer 3 HSMs available to PTK client B.

ctident list all
On PTK client B, generate a PIK and Certificate Signing Request (CSR) for the HSM(s) you wish to authenticate by specifying its device or serial number (sn:<serialnum>), a comma-separated list of multiple HSMs, or all to generate CSRs for all available HSMs.

ctident gen-csr <devicenum,devicenum,devicenum,... | all>

The CSR is automatically stored on the client in the location reported by the ctident utility, named for the HSM serial number (HSM_<serialnum>.csr).

The PIK is held in a PIK-Pending state until the HSM's PIC is signed by the HSM CA.
Securely transfer the CSR file(s) from PTK client B to PTK client A.
On PTK client A, import the CSR to the Admin token on the ProtectServer 3 HSM CA by specifying the CSR filename, a label for the certificate, and the Admin slot.

ctcert i -f<CSR_filename> -l<label> -s<Admin_slot>
(Optional) Display the keys available on the HSM Admin token.

ctkmu l -s<Admin_slot>
Sign the CSR with the POK by specifying them by label as reported by cktmu.

ctcert c -l<CSR_label> -c<POK_label> -s<Admin_slot>

The PIC is automatically given the same label as the CSR.
Export the newly-signed PIC to PTK client A.

ctcert x -l<PIC_label> -f<filename> -s<Admin_slot>

When prompted, choose the signed PIC to export -- it will have the same label as the old CSR.

Repeat steps 5 to 7 for each additional CSR you want to authenticate with the HSM CA.
Export the HSM CA's POC to PTK client A (the default label is POC).

ctcert x -l<POC_label> -f<filename> -s<Admin_slot>
Securely transfer the POC and the newly-signed PIC(s) from PTK client A to PTK client B.
On PTK client B, import the POC to the HSM(s) being authenticated by specifying its device or serial number (sn:<serialnum>), a comma-separated list of multiple HSMs, or all to import the POC to all available HSMs.

ctident store-poc -p<POC_filename> <devicenum,devicenum,devicenum,... | all>
Import each HSM's newly-signed PIC by specifying its device or serial number (sn:<serialnum>).

ctident store-pic -p<PIC_filename> <devicenum>

Creating a PIK and self-signed PIC on a ProtectServer 3 HSM

If you decide not to use a ProtectServer 3 HSM as an HSM Certificate Authority, you must create self-signed PIK/PIC keypairs on each of your ProtectServer 3 HSMs. These PICs are exchanged between different ProtectServer 3 HSMs to establish trust for Secure messaging or Token replication. This procedure is completed by the Administrator for each individual HSM using the ctident tool. If you are the Administrator for multiple HSMs, you can use this procedure to generate PIK/PIC keypairs for all of them at once.

Prerequisites

Ensure that you have initialized the ProtectServer Admin token(s) (see Initial configuration).
Ensure that you have synchronized the HSM clock(s) with the correct time on your PTK client (see Adjusting the HSM clock).
If you want to customize the location of the PTK client certificate store, edit the path in the ET_PTKC_GENERAL_CERT_STORE variable. For more information about editing the path in this variable, refer to General ProtectToolkit-C configuration items.

To create a PIK and self-signed PIC

(Optional) List the ProtectServer 3 HSMs available to the PTK client.

ctident list all
Generate the PIK/PIC by specifying the HSM device or serial number (sn:<serialnum>), a comma-separated list of multiple HSMs, or all to generate PIK/PICs for all available HSMs.

ctident gen-selfsigned <devicenum,devicenum,devicenum,... | all>

You are prompted for the Admin PIN for each HSM in turn. If any of the HSMs already have a PIK/PIC set, you are prompted to confirm that you wish to overwrite the existing PIK/PIC. The new PIC is exported to the PTK client certificate store.
If you have other PTK clients that will access this HSM using Secure Messaging, see Importing the ProtectServer Certificate Chain to a New PTK Client.

Importing the ProtectServer certificate chain to a new PTK client

If you are setting up a new PTK client that will access a ProtectServer 3 HSM using Secure Messaging, you must first import the HSM's certificate chain to the client's certificate store.

Prerequisites

Ensure that the HSM has a valid PIC.
The PTK client software must be installed and the HSMs must be accessible via the client tools (see ProtectToolkit 7 software installation).
If you want to customize the location of the PTK client certificate store, edit the path in the ET_PTKC_GENERAL_CERT_STORE variable. For more information about editing the path in this variable, refer to General ProtectToolkit-C configuration items.

To import the ProtectServer certificate chain to a new PTK client

[Optional] List the ProtectServer 3 HSMs available to the PTK client.

ctident list all
Use the following command to fetch the certificate chain from any ProtectServer 3 HSM by specifying the device or serial number (sn:<serialnum>) as reported by ctident list all. You can perform this action even if SMS is already enabled on the HSM:

ctident fetch-certs <devicenum,devicenum,devicenum,... | all>

Establishing trust between ProtectServer 3 HSMs

This procedure allows you to establish trust relationships between ProtectServer 3 HSMs by exchanging their PICs. Refer to Trust management for an overview of different trust schemes and their benefits. A trust relationship is required for Token replication. The Administrator for both HSMs must complete this procedure using the ctident tool. The example below will create the trust relationship depicted in the following diagram:

Prerequisites

Ensure that you have initialized the ProtectServer Admin token(s) (see Initial configuration).
A PIK/PIC must exist on each HSM in the trust arrangement (see Establishing a ProtectServer 3 HSM as the HSM certificate authority or Creating a PIK and self-signed PIC on a ProtectServer 3 HSM).
All HSMs to be included in the trust arrangement must be accessible to the same PTK client machine.
If you are establishing trust for an HSM currently serving as a CA, that HSM must not have a Certificate in the POC-Pending state. All the HSMs being trusted must have their PICs signed by the current POK.

To establish trust between ProtectServer 3 HSMs

(Optional) List the ProtectServer 3 HSMs available to the PTK client.

ctident list all
Use the ctident tool to share an HSM's PIC with other HSMs that will trust it, by specifying their device or serial number (sn:<serialnum>) as described below. Thales recommends specifying HSMs by their serial number to ensure that correct relationships are established. If one HSM goes offline during the process, the device number assigned to other HSMs may change. Specify first the source HSMs (the trusted HSMs) and then the destination HSMs (those that will trust the former) in a comma-separated list (or all to specify every HSM available to the client -- ctident trust all all makes every available HSM trust every other available HSM).

ctident trust sn: <trusted_HSM(s)> sn:<trusting_HSM(s)>
```
# ctident trust sn:1197 sn:1111,sn:1310

# ctident trust sn:1111,sn:1310 sn:1197
```

Removing trust between ProtectServer 3 HSMs

You can use the following procedure to remove a trust relationship between HSMs that you no longer wish to use Token replication. This procedure is completed by the Administrator using the ctident tool.

To remove trust between ProtectServer 3 HSMs

(Optional )List the ProtectServer 3 HSMs available to the PTK client.

ctident list all
Use the ctident tool tool to remove an HSM's PIC from the HSM that will no longer trust it, by specifying their device or serial numbers (sn:<serialnum>) as described below. Thales recommends specifying HSMs by their serial number to ensure that correct relationships are established. If one HSM goes offline during the process, the device number assigned to other HSMs may change. Specify first the trusting HSM and then the HSM(s) to remove in a comma-separated list (or all to remove all trust from this HSM -- ctident remove all all removes all trust relationships between HSMs visible to the PTK client.

ctident remove sn: <trusting_HSM(s)> sn:<HSM(s)_being_removed_from_trust>
```
# ctident remove sn:1197 sn:1111,sn:1310
```

Suggest A Change

ProtectServer owner and identity certificates

Overview

Establishing a ProtectServer 3 HSM as the HSM certificate authority

Prerequisites

To establish a ProtectServer 3 HSM as the HSM certificate authority

Authenticating ProtectServer 3 HSMs with an HSM CA in production

Prerequisites

To create a PIK and sign its PIC with a ProtectServer 3 HSM CA in production

Authenticating ProtectServer 3 HSMs with an offline HSM CA

Prerequisites

To create a PIK and sign its PIC with an offline ProtectServer 3 HSM CA

Creating a PIK and self-signed PIC on a ProtectServer 3 HSM

Prerequisites

To create a PIK and self-signed PIC

Importing the ProtectServer certificate chain to a new PTK client

Prerequisites

To import the ProtectServer certificate chain to a new PTK client

Establishing trust between ProtectServer 3 HSMs

Prerequisites

To establish trust between ProtectServer 3 HSMs

Removing trust between ProtectServer 3 HSMs

To remove trust between ProtectServer 3 HSMs

On this page