Configuring network Hardware Security Module (HSM) support

You can register a network HSM device with the local management interface. WebSEAL can then be configured to keep its SSL private keys on that HSM instead of in a software key file.

About this task

The appliance supports the use of the following HSM devices:
  • Thales nShield Connect

    The appliance embeds Thales nShield client software v12.30 (hardserver version 3.67.11). This has been tested with nShield appliance firmware 2.61.2. Due to a limitation in key protection type support, the appliance does not support “HSM Pool mode”. The appliance continues to support high availability using the load sharing capabilities provided by nShield HSMs.

  • SafeNet Luna SA v5.x
Note: The appliance can connect to at most one Thales nShield Connect device, but it can connect to multiple SafeNet Luna SA v5.x devices.

Perform the following steps to configure WebSEAL for the network HSM device.

Procedure

  1. Create a network key file with the local management interface.
    1. From the top menu, select Manage System Settings > Secure Settings > SSL Certificates.
    2. From the menu bar, click New.
    3. On the Create SSL Certificate Database page, enter the name of the certificate database that you want to create.
    4. Select Network as the type of the certificate database.
    5. Complete the Token Label and Passcode fields.
    6. Select the HSM type.
      • If you select Thales nShield Connect as the HSM type, complete the HSM IP Address and RFS IP Address fields on the Thales tab. The rest of the fields are optional.
      • If you select SafeNet Luna SA as the HSM type, complete the IP Address and Admin Password fields on the SafeNet tab.
        Note: You can use the appliance to manage the certificates that are contained on the HSM device. However, some operations, such as certificate extract, are not supported.
    7. Click Save.
  2. Edit the WebSEAL configuration file directly or through the Edit panel in the local management interface to make the following changes.
    1. Set the pkcs11-keyfile configuration entry in the [ssl] stanza to the name of the network key file that you created in step 1. This pkcs11 key file holds the connection details for the network HSM device.
    2. Set the webseal-cert-keyfile-label configuration entry in the [ssl] stanza to the label of the certificate on the HSM that WebSEAL presents as its server certificate. This entry normally names a label in the software key file; pointing it at an HSM label makes WebSEAL use the key that is held on the HSM device.
  3. Restart WebSEAL for the changes to take effect.
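The [ssl] stanza that results from step 2, as an added example rather than a fragment from the page or from the product documentation. The network key file name (hsm_keys), the HSM certificate label (webseal-hsm-cert), and the commented "before" values that show the usual software key file configuration are all assumed placeholders; substitute the name you entered on the Create SSL Certificate Database page and the label of the certificate that is stored on the HSM.

```ini
# [ssl] stanza of the WebSEAL configuration file after moving the
# server certificate to a network HSM (example values, not from the page).
[ssl]

# Before: certificate and private key in a software key file
# (typical values, assumed here for illustration only).
# webseal-cert-keyfile-label = WebSEAL-Test-Only

# After step 1: name of the network key file created in the LMI.
# "hsm_keys" is an assumed example name.
pkcs11-keyfile = hsm_keys

# After step 2: label of the certificate on the HSM token whose private
# key WebSEAL uses for TLS. "webseal-hsm-cert" is an assumed example label.
webseal-cert-keyfile-label = webseal-hsm-cert
```

After restarting WebSEAL (step 3), confirm that the HSM-backed certificate is the one actually being served: run `openssl s_client -connect <webseal-host>:443 -servername <webseal-host> </dev/null | openssl x509 -noout -subject -fingerprint -sha256` from a client and compare the subject and fingerprint with the certificate listed under the network certificate database in the local management interface. If WebSEAL fails to start, the most likely causes are a pkcs11-keyfile value that does not match the network key file name or a label that does not exist on the token.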