End-of-Life (EoL)

Set Up Connectivity with an nCipher nShield Connect HSM

You must set up a remote filesystem (RFS) as a hub to synchronize key data for all the firewalls (HSM clients) in your organization that use the nCipher nShield Connect HSM. To ensure the nCipher nShield Connect client version on your firewalls is compatible with your nCipher nShield Connect server, see Set up Connectivity with an HSM.
Before the HSM and firewalls connect, the HSM authenticates the firewalls based on their IP addresses. Therefore, you must configure the firewalls to use static IP addresses, not dynamic addresses assigned through DHCP. Operations on the HSM would stop working if the firewall IP addresses changed during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA deployments, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for the failover function.
  1. Define connection settings for each nShield Connect HSM.
    1. Log in to the firewall web interface and select Device > Setup > HSM.
    2. Edit the Hardware Security Module Provider section and set the Provider Configured to nShield Connect.
    3. Add each HSM server as follows. A high availability (HA) HSM configuration requires two servers.
      1. Enter a Module Name for the server. This can be any ASCII string of up to 31 characters.
      2. Enter an IPv4 address for the HSM Server Address.
    4. Enter an IPv4 address for the Remote Filesystem Address.
    5. Click OK and Commit.
  2. (Optional) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the Management interface (default).
    If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, bringing all HSM states down and then up again. During the several seconds required for the HSM to recover, all SSL/TLS operations will fail.
    1. Select Device > Setup > Services and click Service Route Configuration.
    2. Customize the service route. The IPv4 tab is active by default.
    3. Click HSM in the Service column.
    4. Select a Source Interface for HSM.
    5. Click OK and Commit.
  3. Register the firewall as an HSM client with the HSM server.
    This step briefly describes the procedure for using the front panel interface of the nShield Connect HSM. For more details, refer to the nCipher documentation.
    1. Log in to the front panel display of the nShield Connect HSM unit.
    2. Use the right-hand navigation button to select System > System configuration > Client config > New client.
    3. Enter the firewall IP address.
    4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the RFS.
  4. Configure the RFS to accept connections from the firewall.
    1. Log in to the RFS from a Linux client.
    2. Obtain the electronic serial number (ESN) and the hash of the KNETI key, which authenticates the HSM to clients, by running the anonkneti <ip-address> command, where <ip-address> is the IP address of the HSM.
      The following is an example (the command, followed by its output):
      anonkneti 192.0.2.1
      B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
      In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
    3. Use the following command from a superuser account to set up the RFS:
      rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
      The <ip-address> is the HSM IP address, <ESN> is the electronic serial number, and <hash-Kneti-key> is the hash of the KNETI key.
      The following example uses the values obtained in this procedure:
      rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
    4. Use the following command to permit HSM client submissions on the RFS:
      rfs-setup --gang-client --write-noauth <FW-IPaddress>
      where <FW-IPaddress> is the firewall IP address.
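The RFS step above takes the ESN and KNETI hash straight from anonkneti, which is an unauthenticated query over the network, and feeds them to rfs-setup. The script below is an added example, not code from the PAN-OS or nCipher documentation: it wraps the same two rfs-setup commands so that the anonkneti output is format-checked and compared against the ESN and KNETI hash the operator recorded out of band (assumed here to be read from the HSM front panel) before the RFS trusts the module. The value patterns are inferred from the sample output on this page, the ANONKNETI and RFS_SETUP variables are this script's own injection points for testing, and all IP addresses, ESNs and hashes are constructed sample values (reusing the page's example where available).

```shell
#!/bin/sh
# Added example; not from the PAN-OS or nCipher documentation.
# Registers an nShield Connect HSM with the RFS only after the identity the
# HSM announced over the network (via anonkneti) matches values recorded out
# of band. Assumptions: anonkneti and rfs-setup are on PATH on the RFS host
# and behave as shown in the procedure; ANONKNETI/RFS_SETUP exist only so the
# two external tools can be swapped for stand-ins when testing.
ANONKNETI=${ANONKNETI:-anonkneti}
RFS_SETUP=${RFS_SETUP:-rfs-setup}

# Validate one anonkneti output line, "<ESN> <KNETI-hash>", and print it as
# "ESN HASH". The patterns (ESN as three dash-separated groups of four hex
# digits, hash as 40 lowercase hex digits) are inferred from the sample
# output on this page; adjust them if your unit reports a different shape.
parse_anonkneti() {
    line=$1
    set -- $line
    [ "$#" -eq 2 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$' || return 1
    printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{40}$' || return 1
    printf '%s %s\n' "$1" "$2"
}

# Compare what the HSM announced with the recorded values; succeeds only
# when both the ESN and the KNETI hash match.
# Usage: verify_identity <got-esn> <got-hash> <expected-esn> <expected-hash>
verify_identity() {
    [ "$1" = "$3" ] && [ "$2" = "$4" ]
}

# End-to-end: query the HSM, validate and verify its identity, then run the
# two rfs-setup commands from the procedure. Nothing is written to the RFS
# configuration unless the identity check passes.
# Usage: register_hsm <hsm-ip> <firewall-ip> <expected-esn> <expected-kneti-hash>
register_hsm() {
    hsm_ip=$1; fw_ip=$2; expected_esn=$3; expected_hash=$4
    out=$("$ANONKNETI" "$hsm_ip") || { echo "anonkneti $hsm_ip failed" >&2; return 1; }
    parsed=$(parse_anonkneti "$out") || { echo "unexpected anonkneti output: $out" >&2; return 1; }
    esn=${parsed%% *}
    hash=${parsed#* }
    if ! verify_identity "$esn" "$hash" "$expected_esn" "$expected_hash"; then
        echo "HSM identity mismatch: got $esn $hash, expected $expected_esn $expected_hash" >&2
        return 1
    fi
    # Same commands as the procedure, now with verified values.
    "$RFS_SETUP" --force "$hsm_ip" "$esn" "$hash" || return 1
    "$RFS_SETUP" --gang-client --write-noauth "$fw_ip"
}

# Run only when invoked with the four arguments, e.g.
#   sh register-hsm.sh 192.0.2.1 192.0.2.10 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
# Sourcing the file just defines the helper functions.
if [ "$#" -eq 4 ]; then
    register_hsm "$@"
fi
```

Record the ESN and KNETI hash from the module itself before running this; a mismatch means the RFS is talking to something other than the HSM you registered in the previous step, and the script refuses to run rfs-setup in that case.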
  5. Authenticate the firewall to the HSM.
    1. In the firewall web interface, select Device > Setup > HSM and Setup Hardware Security Module.
    2. Click OK.
      The firewall tries to authenticate to the HSM and displays a status message.
    3. Click OK.
  6. Synchronize the firewall with the RFS.
    Select Device > Setup > HSM and Synchronize with Remote Filesystem.
  7. Verify firewall connectivity and authentication with the HSM.
    1. Select Device > Setup > HSM and check the authentication and connection Status:
      • Green—The firewall is successfully authenticated and connected to the HSM.
      • Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
    2. Check the Hardware Security Module Status section to determine the authentication status.
      • Name—The name of the HSM.
      • IP address—The IP address of the HSM.
      • Module State—The current state of the HSM connection: Authenticated or NotAuthenticated.