Store System Certificates on a Hardware Security Module (HSM)

A Hardware Security Module (HSM) is a hardware-based security device that generates, stores, and protects cryptographic keys. Sterling Secure Proxy uses keys and certificates stored in its store or on an HSM. Sterling Secure Proxy maintains information in its store about all keys and certificates.

To use keys held in an HSM, add to Sterling Secure Proxy a reference to each key together with the passphrase that protects it (the Safenet user PIN or the Thales operator card passphrase). The reference identifies the key on the device; it does not contain the private key, which never leaves the HSM, so an intruder who obtains the reference cannot recover the key from it. Protect the passphrase as you would any other credential. You configure keys on the HSM at CM, using the command line scripts described in this chapter.

For the strongest protection, generate the keys on the HSM so that the private key never exists outside the device. If you must use externally created keys, import them into the HSM and then securely destroy every file that contained the external private key; until those files are destroyed, the key is no better protected than it was before the import.
Note: Safenet does not allow you to import an externally-created private key. Keys for a Safenet HSM must be generated and stored on the device.
Both HSMs are accessed through a Java JCE provider, which is the interface Sterling Secure Proxy uses to reach the keys on the device. The Safenet and Thales JCE implementations differ as follows:
  • Safenet uses slots, logical entities defined through the Safenet administration utility. Designate one slot for Sterling Secure Proxy and assign it a user PIN, then configure Sterling Secure Proxy with the slot to use. Sterling Secure Proxy can use only one slot.
  • Safenet uses a single keystore for all keys in a slot. The user PIN protects every key in the slot, so each key within a slot must have a unique alias.
  • Thales uses a security world that contains one or more HSM modules, which can reside on the same or different machines. Keys in the security world are protected by an operator card set. Create an operator card set for Sterling Secure Proxy, specify a “1 of N” quorum (any one card of the set unlocks the keys), and assign a passphrase to each card. Before Sterling Secure Proxy can start, an operator card protecting the Sterling Secure Proxy keys must be inserted in the card reader.
  • Thales supports multiple keystores. Each keystore can hold multiple keys, but Sterling Secure Proxy stores only one key per keystore. With Thales, multiple keys can share an alias; for example, on Sterling B2B Integrator, all keys on a Thales HSM have the alias Key. Each keystore has a unique instance ID, a 40-character hexadecimal string, and the combination of instance ID and key alias identifies each key uniquely.
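The following is an added example, not code from this chapter or from Sterling Secure Proxy, showing how the Safenet model described above (one slot, one user PIN, unique aliases within the slot) maps onto the Java JCE API through the standard SunPKCS11 provider. It opens the slot as a PKCS11 keystore, lists the aliases so an operator can confirm they are unique, signs a constructed message with the HSM-resident key, and verifies the signature with the certificate stored under the same alias. The PKCS#11 library path, the slot index, the alias and the PIN are assumptions passed in or set as constants; the Thales case (instance ID plus alias through the Thales provider) is not covered here.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class HsmSlotKeyCheck {
    // Assumed values (not from the page): adjust to your Safenet client install and slot layout.
    static final String PKCS11_LIBRARY = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so";
    static final int SLOT_LIST_INDEX = 0;

    // Build a SunPKCS11 provider bound to exactly one slot, mirroring the "one slot only" rule.
    static Provider slotProvider() {
        String config = String.join("\n",
            "name = SterlingSecureProxySlot",
            "library = " + PKCS11_LIBRARY,
            "slotListIndex = " + SLOT_LIST_INDEX);
        // A leading "--" tells SunPKCS11 that the argument is inline configuration, not a file path.
        Provider p = Security.getProvider("SunPKCS11").configure("--" + config);
        Security.addProvider(p);
        return p;
    }

    // Log in to the slot with the user PIN; the PIN protects every key in the slot.
    static KeyStore openSlot(Provider p, char[] userPin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, userPin);
        return ks;
    }

    // Aliases must be unique within a slot; list them so the operator can check for collisions.
    static List<String> listAliases(KeyStore ks) throws Exception {
        return Collections.list(ks.aliases());
    }

    // Sign with the key under the given alias. The PrivateKey object is only a handle to the
    // HSM-resident key; the signing operation runs inside the device.
    static byte[] signWithHsmKey(KeyStore ks, String alias, char[] userPin, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, userPin);
        if (key == null) {
            throw new IllegalStateException("no private key under alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA", ks.getProvider());
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    // Verify with the public key from the certificate stored under the same alias.
    static boolean verifyWithSlotCert(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    // Usage: java HsmSlotKeyCheck <user-pin> <alias>
    public static void main(String[] args) throws Exception {
        char[] userPin = args[0].toCharArray();   // supplied at run time rather than hard-coded
        String alias = args[1];
        try {
            KeyStore ks = openSlot(slotProvider(), userPin);
            System.out.println("aliases in slot: " + listAliases(ks));

            byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input
            byte[] signature = signWithHsmKey(ks, alias, userPin, data);
            System.out.println("signature verifies: " + verifyWithSlotCert(ks, alias, data, signature));

            // For a non-extractable HSM key, SunPKCS11 returns null here: the key material
            // is not available to the JVM, which is the property the reference-based setup relies on.
            PrivateKey handle = (PrivateKey) ks.getKey(alias, userPin);
            System.out.println("private key bytes exposed to JVM: " + (handle.getEncoded() != null));
        } finally {
            Arrays.fill(userPin, '\0');   // do not leave the PIN lying around in memory
        }
    }
}
```

The last check is the one worth keeping in a deployment smoke test: if `getEncoded()` ever returns non-null for a key that is supposed to live on the HSM, the key was generated or imported as extractable and the "private key never leaves the device" assumption does not hold for it.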