Set Up Connectivity with a SafeNet Network HSM

Define connection settings for each SafeNet Network HSM.
Log in to the firewall web interface and select
Device
Setup
HSM
.
Edit the Hardware Security Module Provider section and set the
Provider Configured
to
SafeNet Network HSM
.
Add
each HSM server as follows. A high availability (HA) HSM configuration requires two servers.
Enter a
Module Name
for the HSM server. This can be any ASCII string of up to 31 characters.
Enter an IPv4 address for the HSM
Server Address
.
(
HA only
) Select
High Availability
, specify the
Auto Recovery Retry
value, and enter a
High Availability Group Name
.
If two HSM servers are configured, the best practice is to enable
High Availability
. Otherwise the second HSM server is not used.
Click
OK
and
Commit
.
(
Optional
) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the Management interface (default).
If you configure a service route for the HSM, running the
clear session all
CLI command clears all existing HSM sessions, bringing all HSM states down and then up again. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
Select
Device
Setup
Services
and click
Service Route Configuration
.
Customize
a service route. The
IPv4
tab is active by default.
Click
HSM
in the
Service
column.
Select a
Source Interface
for the HSM.
Click
OK
and
Commit
.
Configure the firewall to authenticate to the HSM.
Select
Device
Setup
HSM
and
Setup Hardware Security Module
.
Select the HSM
Server Name
.
Enter the
Administrator Password
to authenticate the firewall to the HSM.
Click
OK
.
The firewall tries to authenticate to the HSM and displays a status message.
Click
OK
.
Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.
If the HSM already has a firewall with the same
<cl-name>
registered, you must first remove the duplicate registration by running the
client delete -client
<cl-name>
command, where
<cl-name>
is the name of the client (firewall) registration you want to delete.
Log in to the HSM from a remote system.
Register the firewall using the
client register -c
<cl-name>
-ip
<fw-ip-addr>
command, where
<cl-name>
is a name that you assign to the firewall for use on the HSM and
<fw-ip-addr>
is the firewall IP address.
Assign a partition to the firewall using the
client assignpartition -c
<cl-name>
-p
<partition-name>
command, where
<cl-name>
is the name assigned to the firewall in the
client register
command and
<partition-name>
is the name of a previously configured partition that you want to assign to the firewall.
Configure the firewall to connect to the HSM partition.
Select
Device
Setup
HSM
and click the Refresh icon.
Setup HSM Partition
in the Hardware Security Operations section.
Enter the
Partition Password
to authenticate the firewall to the partition on the HSM.
Click
OK
.
(
HA only
) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.
If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
Verify firewall connectivity and authentication with the HSM.
Select
Device
Setup
HSM
and check the authentication and connection Status:
Green
—The firewall is successfully authenticated and connected to the HSM.
Red
—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
View the following columns in the Hardware Security Module Status section to determine the authentication status:
Serial Number
—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
Partition
—The partition name on the HSM that is assigned on the firewall.
Module State
—The current state of the HSM connection. The value is always
Authenticated
if the Hardware Security Module Status section displays the HSM.