HSM Configuration
This section describes the configuration of the Hardware Security Module (HSM).
The table below lists the IDPV Server parameters that must be configured in the appsettings.yml file, located in the /var/thales/config directory.
Parameters | Description | Example |
---|---|---|
TokenSerial | HSM partition serial number; identifies the slot allocated to IDPV in the HSM. Leave empty for KeySecure. Type: Mandatory | TokenSerial: 00000000 |
TokenPin | HSM Crypto Officer (CO) PIN. For KeySecure this holds the credential of the local user created in Creating a Local User, in the form User:Password. Type: Mandatory | TokenPin: temp123# ; for KeySecure: TokenPin: <User>:<Password>, with the values in angle brackets replaced by the actual user and password, e.g. TokenPin: idprime:temp123# |
HSMProvider | HSM provider name. Supported values are Luna, Luna6, DPoD, KeySecure and SoftHSM (evaluation version only). KeySecure does not support the offline virtual token. The full version supports Luna 6, 7.3 and 7.7 only. Type: Mandatory (case sensitive) | Luna 7.3 and 7.7: HSMProvider: Luna ; Luna 6: HSMProvider: Luna6 ; DPoD: HSMProvider: DPod (spelling as printed in the original; since the value is case sensitive, confirm it against your package) ; KeySecure: HSMProvider: KeySecure ; SoftHSM: HSMProvider: SoftHSM |
TokenPasscode | Additional passcode string (any new value), recommended for enhanced security. The IDPV server uses it to change the CO PIN and take complete ownership of the HSM partition: once set, the partition can be accessed only by the IDPV server. If no value is provided, the feature stays disabled. Type: Optional. Note: not supported for Luna in HA mode or for KeySecure. Caution: this is a one-time configuration value; changing it later is not allowed and may lock the HSM partition. | TokenPasscode: 00000000 |
UserGroup | Required only for KeySecure. Name of the group created on the KeySecure device in Creating a Local Group. Type: Mandatory (KeySecure) | UserGroup: idpv |
Configuring Luna HSM
This section describes the process to configure a Luna HSM.
Luna HSM Compatibility Information
HSM Model | Software Version | Firmware Version |
---|---|---|
LunaSA 6.3.1 | 6.3.1 (PED and Password based) | 6.27.0 |
LunaSA 7.3.0 | 7.3.0-165 (PED and Password based) | 7.3.0 |
LunaSA 7.7.0 | 7.7.0-317 (PED and Password based) | 7.7.0 |
Both FIPS and non-FIPS modes are supported by the SafeNet IDPrime Virtual Server. A FIPS-compliant HSM is recommended for enhanced security.
Using Existing Luna HSM Server
For an existing Luna HSM, install the Luna HSM client software on Server-1 (the IDPV server machine) so that it can connect to the Luna HSM server. The installation procedure is given in Luna HSM Client Software Installation.
You must apply the following policies on the HSM server for SafeNet IDPrime Virtual server operations.
HSM Level Policies
Policy 15 (Optional): when Policy 15 is enabled, a locked CO password can be reset.
Partition Level Policies
Ensure that the following partition policies are active on the partition to be used:
- Clone Mode
- Export Mode
Configuring Luna Client on Host Machine
Install Luna Client on your host machine and configure one partition with the above mentioned policies. For more information on how to install the Luna Client, refer to Luna HSM Client Software Installation.
Collecting Files from Host Machine to Prepare Mapping Directory
- Create the directory that will be mapped into the IDPV container:
  mkdir /var/thales/hsm
- Copy the client certificate files from your SafeNet Luna Client directory (/usr/safenet/lunaclient/cert/client/), the server CA file and the Chrystoki.conf configuration file:
  cp /usr/safenet/lunaclient/cert/client/*.pem /var/thales/hsm/
  cp /usr/safenet/lunaclient/cert/server/CAFile.pem /var/thales/hsm/
  cp /etc/Chrystoki.conf /var/thales/hsm/
  While copying the configuration files into /var/thales/hsm, follow the instructions provided in the Installing the IDPV Server section.
- After copying Chrystoki.conf, add read permission for all users so that the container can read it:
  chmod a+r /var/thales/hsm/Chrystoki.conf
At this stage, /var/thales/hsm/ should contain the following files (the client certificate and key are named after the machine IP or hostname used when the Luna client was registered):
  <MachineIP or HostName>.pem
  <MachineIP or HostName>Key.pem
  CAFile.pem
  Chrystoki.conf
The Key.pem file is the client's private key for the NTLS connection to the HSM; the chmod a+r step applies to Chrystoki.conf only, so do not make the key world-readable.
For a FIPS-mode HSM, the Chrystoki.conf file must set RSAKeyGenMechRemap=1 in the Misc (Miscellaneous) section.
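The mapping-directory preparation above, as an added example that is not part of the IDPV package or this guide: the script performs the copy and chmod steps, then verifies that the expected files are present, that Chrystoki.conf is world-readable, and that the FIPS-mode RSAKeyGenMechRemap=1 setting sits inside the Misc section rather than elsewhere in the file. The default paths are the ones on this page; the fake Luna client tree and the two Chrystoki.conf fragments in the demo section are constructed so that the script runs offline, and the hostname idpv-host is a placeholder.

```shell
#!/bin/sh
# Added example (not from the IDPV package): prepare and verify the Luna
# mapping directory. Paths default to the ones on the page; the demo data
# at the bottom is constructed so the script runs without a Luna client.

# Copy the client certificate, key, CA file and Chrystoki.conf into the
# directory mapped into the IDPV container, then make Chrystoki.conf
# world-readable (the page's chmod a+r step). Only Chrystoki.conf is
# chmod'ed: the *Key.pem file is the client's private NTLS key.
prepare_mapping_dir() {
  client_dir="${1:-/usr/safenet/lunaclient}"
  dst="${2:-/var/thales/hsm}"
  conf="${3:-/etc/Chrystoki.conf}"
  mkdir -p "$dst"
  cp "$client_dir"/cert/client/*.pem "$dst"/
  cp "$client_dir"/cert/server/CAFile.pem "$dst"/
  cp "$conf" "$dst"/
  chmod a+r "$dst/Chrystoki.conf"
}

# Names the page says must be present, for the hostname or IP the client
# was registered with (Luna names them <host>.pem and <host>Key.pem).
required_files() {
  printf '%s\n' "$1.pem" "$1Key.pem" CAFile.pem Chrystoki.conf
}

# Return 0 when every required file exists and Chrystoki.conf is readable
# by "other" (column 8 of ls -l output); otherwise report and return 1.
check_mapping_dir() {
  dir="$1"; host="$2"; rc=0
  for f in $(required_files "$host"); do
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
  done
  if [ -f "$dir/Chrystoki.conf" ]; then
    other_read=$(ls -ld "$dir/Chrystoki.conf" | cut -c8)
    [ "$other_read" = r ] || { echo "Chrystoki.conf is not world-readable"; rc=1; }
  fi
  return $rc
}

# Return 0 when the Misc = { ... } section of a Chrystoki.conf contains
# RSAKeyGenMechRemap = 1 (required by the page for FIPS-mode HSMs).
# A setting outside the Misc block does not count.
misc_has_rsa_remap() {
  awk '
    /^[[:space:]]*Misc[[:space:]]*=[[:space:]]*[{]/ { in_misc = 1; next }
    in_misc && /^[[:space:]]*[}]/                 { in_misc = 0 }
    in_misc && /RSAKeyGenMechRemap[[:space:]]*=[[:space:]]*1[[:space:]]*;/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# --- constructed demo: a fake Luna client tree in a temporary directory ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/client/cert/client" "$DEMO/client/cert/server"
: > "$DEMO/client/cert/client/idpv-host.pem"       # placeholder cert
: > "$DEMO/client/cert/client/idpv-hostKey.pem"    # placeholder key
: > "$DEMO/client/cert/server/CAFile.pem"
cat > "$DEMO/Chrystoki.conf" <<'EOF'
Misc = {
   PE1746Enabled = 0;
   RSAKeyGenMechRemap = 1;
}
EOF
cat > "$DEMO/Chrystoki-nofips.conf" <<'EOF'
Misc = {
   PE1746Enabled = 0;
}
RSAKeyGenMechRemap = 1;
EOF

prepare_mapping_dir "$DEMO/client" "$DEMO/hsm" "$DEMO/Chrystoki.conf"
check_mapping_dir "$DEMO/hsm" idpv-host && echo "mapping directory OK"
misc_has_rsa_remap "$DEMO/hsm/Chrystoki.conf" && echo "RSAKeyGenMechRemap=1 present in Misc"
```

On a real host, call prepare_mapping_dir with no arguments to use the page's paths, then check_mapping_dir /var/thales/hsm with the hostname or IP you registered the client under.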
Setting up a New Luna HSM Server
Before using a Luna HSM with the SafeNet IDPrime Virtual Server, you must install and configure the HSM server. For more information, refer to Installing and Configuring Your New Luna Network HSM.
After successful installation, perform the steps described in Using Existing Luna HSM Server.
SoftHSM
SafeNet IDPrime Virtual supports SoftHSM v2.5.0 for the IDPV Server Evaluation Version only.
The SoftHSM-related configuration (HSMProvider, TokenSerial and TokenPin) is already set in the appsettings.yml file provided with the IDPV Evaluation package.
The evaluation version also supports the other crypto providers, i.e. Luna and DPoD. To configure another HSMProvider, follow the corresponding section (Configuring Luna HSM or Data Protection on Demand).
The SoftHSM details are also stored in the /publish/SoftHsmDetails.txt file inside the container. To verify them, run the following commands after starting the container:
- docker exec -it idprimevirtualserver sh
- cat /publish/SoftHsmDetails.txt
For RHEL 8 or 9 with a podman environment, run:
- podman exec -it idprimevirtualserver sh
- cat /publish/SoftHsmDetails.txt
(Optional) Configuring SoftHSM Volume on the Host Machine
- Create a folder (for example, SoftHsmToken) with full permissions in the /var/thales/ directory.
- Start the container with that folder mounted as the SoftHSM token directory:
  docker run --name SoftHSM_IDPV -itd -v /var/thales/softhsm:/publish/Config/ -v /var/thales/SoftHsmToken:/var/lib/softhsm/tokens -p 8050:5001 idprimevirtual_server_evaluation:2.4.1.24
- Initialize the token (inside the running container, for example via docker exec -it SoftHSM_IDPV sh):
  softhsm2-util --init-token --slot 0 --label "IDPV-Partition"
- After the token is initialized, display the token serial number (SoftHSM assigns the initialized token a new slot ID and serial, so it must be read back):
  softhsm2-util --show-slots
- Copy the serial number into the TokenSerial parameter in the appsettings.yml file.
- Restart the container to apply the changes.
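The last two steps, reading the serial back from softhsm2-util and writing it into TokenSerial, as an added example that is not part of the IDPV package or this guide: serial_for_label parses softhsm2-util --show-slots output for the token with a given label, and set_token_serial rewrites the TokenSerial line in appsettings.yml while keeping its indentation and refusing an empty value, so a failed parse cannot silently blank the setting. The show-slots output and the appsettings.yml fragment in the demo are constructed samples (serial and slot numbers are invented) so the script runs offline; the label IDPV-Partition is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the IDPV package): locate the SoftHSM token serial
# in `softhsm2-util --show-slots` output and write it into appsettings.yml.
# The demo data at the bottom is constructed so the script runs offline.

# Print the serial number of the token whose Label equals $2, parsing
# show-slots output read from file $1. For real use, redirect the output of
# `softhsm2-util --show-slots` into a file and pass that file.
serial_for_label() {
  awk -v want="$2" '
    /^[[:space:]]*Serial number:/ { serial = $3 }     # remembered per slot
    /^[[:space:]]*Label:/ {
      label = $0
      sub(/^[[:space:]]*Label:[[:space:]]*/, "", label)
      if (label == want) { print serial; exit }
    }
  ' "$1"
}

# Replace the value of TokenSerial in appsettings.yml ($1) with $2, keeping
# the key's indentation. Refuses an empty serial so that a failed parse does
# not blank the setting. Writes via a temp file for portability.
set_token_serial() {
  [ -n "$2" ] || { echo "set_token_serial: empty serial" >&2; return 1; }
  sed "s/^\([[:space:]]*TokenSerial:\).*/\1 $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read the current TokenSerial value back (used for verification).
token_serial_of() {
  awk '/^[[:space:]]*TokenSerial:/ { print $2; exit }' "$1"
}

# --- constructed demo data: one initialized token, one empty slot ---
DEMO=$(mktemp -d)
cat > "$DEMO/show-slots.txt" <<'EOF'
Available slots:
Slot 1392735827
    Slot info:
        Description:      SoftHSM slot ID 0x5303fa53
        Token present:    yes
    Token info:
        Serial number:    8a1ee2f4d303fa53
        Initialized:      yes
        Label:            IDPV-Partition
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Token present:    yes
    Token info:
        Serial number:
        Initialized:      no
        Label:
EOF
cat > "$DEMO/appsettings.yml" <<'EOF'
HSMProvider: SoftHSM
TokenSerial: 00000000
TokenPin: temp123#
EOF

SERIAL=$(serial_for_label "$DEMO/show-slots.txt" "IDPV-Partition")
set_token_serial "$DEMO/appsettings.yml" "$SERIAL"
echo "TokenSerial is now $(token_serial_of "$DEMO/appsettings.yml")"
```

Restart the container afterwards, as the procedure above says, for the new TokenSerial to take effect.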
KeySecure
To use the IDPrime Virtual (IDPV) server with KeySecure, you need access to the KeySecure device: its IP address and a user account with the required privileges.
KeySecure must be configured in non-FIPS mode, because the IDPV product does not generate and export keys when KeySecure is in FIPS mode. KeySecure is supported only with the evaluation version.
Perform the following steps to configure KeySecure:
- Create a /var/thales/hsm/ directory.
- Download and extract the delivery package and copy the IngrianNAE.properties file from its config folder to /var/thales/hsm/.
- Create a /var/thales/config directory and copy into it the following files from the delivery package provided with this solution:
  appsettings.yml
  policy-configuration.json
  idp-configuration.json
  log4net.config
  servercertificate.pfx
  IngrianNAE.properties
- Edit the IngrianNAE.properties file and set the parameters below:

Parameter | Description | Example |
---|---|---|
NAE_IP | KeySecure device IP. Type: Mandatory | 10.164.41.78 |
NAE_Port | KeySecure device port. Type: Mandatory | 9000 (default) |
Protocol | Protocol used to communicate with the KeySecure device. Type: Mandatory | TCP |
Log_Level | Log verbosity: high, medium or low. Type: Mandatory | MEDIUM |
Log_File | Path where the log file is created. Type: Mandatory | /publish/logs/PAConnector.log |

- On the KeySecure device, configure the NAE server. The current IDPV Server works with KeySecure using the NAE protocol only; the screenshot below shows the default NAE configuration for KeySecure. Enabling the Use SSL option is recommended for extended security: with Protocol set to TCP, the NAE traffic, including the user credential carried in TokenPin, crosses the network unencrypted.
Creating a Local User
- Log on to the Management Console as an administrator with Users and Groups access control.
- Go to Security > Local Authentication > Local Users & Groups.
- Click Add.
- Enter a user name in the Username field and a password in the Password field. In this document, idprime is used as the username and temp123# as the password.
- Select the User Administration Permission and Change Password Permission check boxes.
- Click Save.
Creating a Local Group
- Navigate to the Local Groups section on the same page.
- Click Add.
- Enter a group name in the Group field. In this document, idpv is used as the group name.
- Click Save.
- Once the group is created, select it and click Properties. The Local Group Properties page is displayed.
- Click Add in the User List section and type the username idprime created in Creating a Local User.
Data Protection on Demand (DPoD)
Ensure that SafeNet Data Protection on Demand (DPoD) is set up correctly before it is configured. For more information, refer to the DPoD User Guide.
Currently, IDPV supports DPoD (Clone mode and Export mode) in non-FIPS mode only. However, SWS supports DPoD (Clone and Export mode) in both FIPS and non-FIPS mode.
Perform the following steps to configure DPoD:
- Download and extract the DPoD client package.
- Initialize the partition and set the SO and CO (Crypto Officer) PINs as described in the Thales DPoD Guide provided with the package.
- Copy the following files from the DPoD package to the /var/thales/hsm/ directory, which is mapped into the IDPV container:
  server-certificate.pem
  partition-certificate.pem
  partition-ca-certificate.pem
  Chrystoki.conf
  Make sure that the Chrystoki.conf file is readable by all users:
  chmod a+r /var/thales/hsm/Chrystoki.conf
- In appsettings.yml, set HSMProvider to DPoD.
Notes:
- If you select Luna, Luna6 or DPoD (with the export feature) as the HSM provider and set Export (-k) to true for the tenant during tenant creation, the user or subscriber keys are stored in the database in encrypted form.
- If you select KeySecure as the crypto provider, the user or subscriber keys are stored in KeySecure. Unlike Luna, KeySecure does not support exporting the user keys to the database (in encrypted form).
- The SafeNet IDPrime Virtual client does not support DPoD in FIPS mode due to a known limitation of DPoD.
- This release supports KeySecure 450v Software Version 8.4.2 with P11 connector version 8.8.0 and ProtectApp connector version 8.12.
In Docker deployments, credentials such as TokenPin (and TokenPasscode, if set) are stored in plain text in the appsettings.yml file. Restrict access to /var/thales/config to the account that runs the container, and monitor access to the host.