Hardware Security Module and SafeNet Authentication Service

Introduction

A Hardware Security Module (HSM) is a physical crypto-processing device that securely manages and stores digital keys used during transactions, for identification, and applications’ access. The Hardware Security Modules (HSMs) act as trust anchors protecting things such as websites, banking systems, mobile devices, smart meters, medical devices, national identity cards, credit card data, PINs, mobile payments, digital documents, and passports. It protects the cryptographic infrastructure by provisioning encryption, decryption, authentication, and digital signing services.

Thales's SafeNet ProtectToolkit (PTK) is a Public Key Cryptography Standards (PKCS) compliant device that incorporates features developed through extensive experience, implementing best practices in hardware, software, and operations. The PTK HSMs are easy to deploy, and adhere to rigorous design requirements, stringent product verification, and testing.

The PTK supports two hardware components:

1. ProtectServer External (PSE): Cryptographic adapter; an external network device [Latest, supported version of the product is version 3 (v3)], and this integration section has all required configurations for PSEv2 and PSEv3.

2. ProtectServer Internal (PSI-E): Cryptographic adapter; a plug-in card.

Hardware Security Module with SafeNet Authentication Service

The SafeNet Authentication Service (SAS) server uses AES encryption key of the PTK HSMs for encrypting sensitive data.

Warning

Once an HSM is enabled, the operation cannot be undone since it is a one-way, irreversible process. Therefore, we recommend using a minimum of two HSM devices with appropriate backups.

This document provides information on the PSE 2 and PSE 3 configuration and its settings on the SAS server. The process broadly involves the following three steps:

1. Set up PSEv2 Device

2. Set up PSEv3 Device

3. Set up HSM Components

4. Configure HSM Settings in SAS

Compatibility information

Supported hardware versions

A PSE 2, with the following particulars, is compatible with the SAS solution:

Model: PSI-E2:PL1500

Firmware Version: 5.00.02

Note

Other minor firmware versions are also compatible.

A PSE 3, with the following particulars, is compatible with the SAS solution:

Firmware Version: 7.00

Models:

• ProtectServer 3 HSM PL-25

• ProtectServer 3 HSM PL-220

• ProtectServer 3 HSM PL-3500

Supported software versions

The following versions are compatible with the SAS solution:

• PTKnethsm Version 5.2.0

• PTKcpsdk Version 5.2.0

Supported databases

Refer to System Requirements section for information on SAS-supported databases.

Supported operating systems

Refer to System Requirements section to learn about supported operating systems.

Set up ProtectServer External 2 Device

The setup is a one-time activity and needs to be completed on the PSE 2 device. To set the network configurations, connect a monitor and a keyboard to the PSE device.

To set up a PSE 2 device, complete the following steps:

1. Login: Login as root with the default password (as password).

2. Adjust Network Configurations: Assign an IP address to ETH0 interface in

   /etc/sysconfig/network-scripts/ifcfg-eth0 file.

3. Add Hostname: Add a hostname of the system to /etc/sysconfig/network file. Example: HOSTNAME=examplename

4. Add Default Gateway: Add the default gateway to /etc/sysconfig/network file. Example: GATEWAY=192.168.1.

5. Add Domain Name System (DNS): Add DNS to /etc/resolv.conf file. Example: nameserver x.x.x.x

6. Add HSM: Add HSM servers to /etc/hosts file.
   Example: 192.168.1.x examplehost examplehost.domain.internal

7. Restart: Reboot the network (/etc/init.d/network restart) to set the changes.

   

   Note

   When the machine restarts, you can connect via Secure Shell (SSH) using the Administrator login details (default password: password).