You can register a network HSM device with the local management interface. WebSEAL can then be configured to use this HSM for the secure storage of SSL keys.
About this task
The appliance supports the use of the following HSM devices:
- nCipher nShield Connect HSM
The appliance supports the nCipher nShield Connect HSM device. To enable the integration with this device, the 'IBM® Verify Identity Access nCipher nShield Connect HSM Extension' must be installed on the appliance. This extension is available for download from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com).
Due to a limitation in key protection type support, the appliance does not support “HSM Pool mode”. The appliance continues to support high availability by using the load sharing capabilities provided by nShield HSMs.
- SafeNet Luna Network HSM
The appliance supports the SafeNet Luna Network HSM device. To enable the integration with this device, the 'IBM Verify Identity Access SafeNet Luna Network HSM Extension' must be installed on the appliance. This extension is available for download from the IBM Security App Exchange. See https://exchange.xforce.ibmcloud.com.
From Verify Identity Access 10.0.5.0 onwards, appliances support Luna SafeNet High Availability (HA) groups. One or more SafeNet devices can be grouped for redundancy and load-balancing purposes. For more information on setting up SafeNet hagroups, see the SafeNet product documentation.
Note: The appliance can connect to a maximum of one nCipher nShield Connect device and multiple SafeNet Luna SA devices. A SafeNet Luna SA device can be used only in one High Availability group.
Perform the following steps to configure WebSEAL for the network HSM device.
Procedure
- Create a network key file with the local management interface.
  - From the menu, select .
  - From the menu bar, click New.
  - On the Create SSL Certificate Database page, enter the name of the certificate database that you want to create.
  - Select Network as the type of the certificate database.
  - Complete the Token Label and Passcode fields.
  - Select the HSM type.
    - If you select nCipher nShield Connect as the HSM type, complete the HSM IP Address and RFS IP Address fields on the nCipher nShield Connect tab. The rest of the fields are optional.
    - If you select SafeNet Luna SA as the HSM type, complete the IP Address and Admin Password fields on the SafeNet tab.
    - If you select SafeNet Luna High Availability as the HSM type, complete the SafeNet Keystore List, Retry Count, Recovery Mode and HA Log Size fields on the SafeNet High Availability tab.
  Note: You can use the appliance to manage the certificates that are contained on the HSM device. However, some operations, such as certificate extract, are not supported.
  - Click Save.
- Edit the WebSEAL configuration file directly, or through the Edit pane in the local management interface, to make the following changes.
  - Set the value of the pkcs11-keyfile configuration entry in the [ssl] stanza to the name of the network key file that you created in the previous step; this pkcs11 key file contains the configuration information for the network HSM device.
  - Set the webseal-cert-keyfile-label configuration entry in the [ssl] stanza, which defines the label of the WebSEAL server certificate in the key file, to the label of a key that is stored on the HSM device.
- Restart WebSEAL for the changes to take effect.
  Note: If an HSM keystore is modified, any Verify Identity Access components that use the keystore must be restarted or reloaded manually for the changes to take effect.
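The following script is an added example, not part of the IBM documentation or product, that checks the outcome of the configuration step above: it parses a WebSEAL configuration file and confirms that the [ssl] stanza sets both pkcs11-keyfile and webseal-cert-keyfile-label to non-empty values before WebSEAL is restarted. The configuration text, the key file name and the label in it are constructed for the demonstration and are not values from the documentation.

```python
"""Sanity-check the [ssl] stanza of a WebSEAL configuration file for the
two network HSM entries named in the procedure above.

Added example, not IBM's code. SAMPLE_CONF and the values in it
(the key file name 'hsm-netkeys' and the label 'webseal-hsm-cert')
are constructed placeholders.
"""
import configparser
import io

# Constructed sample: a webseal.conf fragment after the HSM-related edits.
SAMPLE_CONF = """\
[ssl]
pkcs11-keyfile = hsm-netkeys
webseal-cert-keyfile-label = webseal-hsm-cert

[server]
server-name = default-webseald
"""

# The two entries the procedure requires in the [ssl] stanza.
REQUIRED_SSL_ENTRIES = ("pkcs11-keyfile", "webseal-cert-keyfile-label")


def parse_webseal_conf(text):
    """Parse stanza-style text into {stanza: {key: value}}.

    WebSEAL files use 'key = value' lines under '[stanza]' headers, which
    configparser handles. Key case is preserved, and strict=False tolerates
    a key or stanza that appears twice in a hand-edited file (last wins).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_file(io.StringIO(text))
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def check_hsm_ssl_config(text):
    """Return a list of problems found in the [ssl] stanza (empty = OK)."""
    conf = parse_webseal_conf(text)
    ssl = conf.get("ssl")
    if ssl is None:
        return ["missing [ssl] stanza"]
    problems = []
    for key in REQUIRED_SSL_ENTRIES:
        # An entry that is absent, or present but left empty, is reported.
        if not ssl.get(key, "").strip():
            problems.append(f"[ssl] {key} is not set")
    return problems


if __name__ == "__main__":
    problems = check_hsm_ssl_config(SAMPLE_CONF)
    for line in problems or ["[ssl] network HSM entries are complete"]:
        print(line)
```

To run it against a real appliance export, replace SAMPLE_CONF with the contents of the WebSEAL configuration file; an empty result means both entries are present, and each reported line names the entry that still has to be set before the restart.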