Set Up Connectivity with a Thales nShield Connect HSM
You must set up a remote file system (RFS) as a hub to synchronize key data for all firewalls (HSM clients) in your organization that use the Thales nShield Connect HSM. To ensure the Thales nShield Connect client version on your firewalls is compatible with your Thales nShield Connect server, see Set Up Connectivity with an HSM.
Before the HSM and firewalls connect, the HSM authenticates the firewalls based on their IP addresses. Therefore, you must configure the firewalls to use static IP addresses, not dynamic addresses assigned through DHCP. Operations on the HSM stop working if a firewall IP address changes at runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for failover to function properly.
- Define connection settings for each Thales nShield Connect HSM.
  - Log in to the firewall web interface and select Device > Setup > HSM.
  - Edit the Hardware Security Module Provider settings and set Provider Configured to Thales nShield Connect.
  - Add each HSM server as follows. An HA HSM configuration requires two servers.
    - Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
    - Enter the IPv4 address of the HSM as the HSM Server Address.
    - Enter the IPv4 address of the RFS as the Remote Filesystem Address.
  - Click OK and Commit your changes.
- (Optional) Configure a service route to connect to the HSM if you don't want the firewall to connect through the Management interface (the default).
  If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds the HSM needs to recover, all SSL/TLS operations fail.
  - Select Device > Setup > Services and click Service Route Configuration.
  - Customize a service route. The IPv4 tab is active by default.
  - Click HSM in the Service column.
  - Select a Source Interface for the HSM.
  - Click OK and Commit your changes.
- Register the firewall as an HSM client with the HSM server. This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM; for details, refer to the Thales documentation.
  - Log in to the front panel display of the Thales nShield Connect HSM.
  - Use the right-hand navigation button to select System > System configuration > Client config > New client.
  - Enter the firewall IP address.
  - Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the RFS.
- Configure the RFS to accept connections from the firewall.
  - Log in to the RFS from a Linux client.
  - Obtain the electronic serial number (ESN) and the hash of the KNETI key, which authenticates the HSM to clients, by running the anonkneti <ip-address> CLI command, where <ip-address> is the HSM IP address. For example:
    B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
    In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
  - Use the following command from a superuser account to set up the RFS:
    rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
    The <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number, and <hash-Kneti-key> is the hash of the KNETI key. The following example uses the values obtained in this procedure:
    rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
  - Use the following command to permit HSM client submissions on the RFS:
    rfs-setup --gang-client --write-noauth <FW-IPaddress>
    where <FW-IPaddress> is the firewall IP address. Because --write-noauth permits writes from that address without further authentication, list only the static IP addresses of your firewalls.
- Authenticate the firewall to the HSM.
  - In the firewall web interface, select Device > Setup > HSM and click Setup Hardware Security Module.
  - Click OK. The firewall tries to authenticate to the HSM and displays a status message.
  - Click OK.
  - Synchronize the firewall with the RFS by selecting Device > Setup > HSM and Synchronize with Remote Filesystem.
- Verify firewall connectivity and authentication with the HSM.
  - Select Device > Setup > HSM and check the authentication and connection Status:
    - Green—The firewall is successfully authenticated and connected to the HSM.
    - Red—The firewall failed to authenticate to the HSM, or network connectivity to the HSM is down.
  - Check the Hardware Security Module Status to determine the authentication status:
    - Name—The name of the HSM.
    - IP address—The IP address of the HSM.
    - Module State—The current state of the HSM connection: Authenticated or Not Authenticated.
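The RFS side of this procedure (anonkneti, then rfs-setup --force for the HSM and rfs-setup --gang-client --write-noauth for each firewall) as a POSIX sh wrapper. This is an added example, not code from the PAN-OS documentation or from Thales. It assumes the nShield Security World tools anonkneti and rfs-setup are on PATH on the RFS host, that the HSM and firewalls use static IPv4 addresses as the procedure requires, and that the expected ESN and KNETI hash were confirmed out of band (for example from the HSM itself), so the values anonkneti fetches over the network are pinned rather than trusted blindly. The function names, the RFS_ENROLL switch and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not PAN-OS or Thales code: wrapper for the RFS side of
# the procedure. Assumes `anonkneti` and `rfs-setup` (nShield Security
# World tools) are on PATH and that the expected ESN/KNETI hash were
# confirmed out of band. Function names and sample values are constructed.

ESN_RE='^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$'   # e.g. B1E2-2D4C-E6A2
HEX40_RE='^[0-9a-f]{40}$'                        # KNETI hash as printed by anonkneti
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

# is_ipv4 ADDR: the HSM authenticates clients by IP address and the
# firewall settings take IPv4 only, so reject anything not a dotted quad.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq "$IPV4_RE" || return 1
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# parse_anonkneti LINE: LINE is the output of `anonkneti <hsm-ip>`,
# "<ESN> <KNETI-hash>". Prints "ESN HASH" if both fields are well formed.
parse_anonkneti() {
  set -- $1
  [ $# -eq 2 ] || return 1
  printf '%s\n' "$1" | grep -Eq "$ESN_RE" || return 1
  printf '%s\n' "$2" | grep -Eq "$HEX40_RE" || return 1
  printf '%s %s\n' "$1" "$2"
}

# pin_kneti LINE ESN HASH: anonkneti reports whatever answers at that IP
# without authenticating it, so compare against values obtained out of
# band before handing them to rfs-setup.
pin_kneti() {
  parsed=$(parse_anonkneti "$1") || return 1
  [ "$parsed" = "$2 $3" ]
}

# rfs_commands HSM_IP ESN HASH FW_IP...: print the rfs-setup commands from
# the procedure without running them, so they can be reviewed first.
# --write-noauth lets each listed address write key data unauthenticated,
# which is why only static firewall IPs belong in the list.
rfs_commands() {
  hsm=$1; esn=$2; kneti=$3; shift 3
  [ $# -ge 1 ] || return 1
  is_ipv4 "$hsm" || return 1
  for fw in "$@"; do is_ipv4 "$fw" || return 1; done
  printf 'rfs-setup --force %s %s %s\n' "$hsm" "$esn" "$kneti"
  for fw in "$@"; do
    printf 'rfs-setup --gang-client --write-noauth %s\n' "$fw"
  done
}

# Stand-alone use as root on the RFS (constructed invocation):
#   RFS_ENROLL=1 sh enroll-rfs.sh 192.0.2.1 B1E2-2D4C-E6A2 \
#     5a2e5107e70d525615a903f6391ad72b1c03352c 192.0.2.10 192.0.2.11
if [ "${RFS_ENROLL:-0}" = 1 ]; then
  line=$(anonkneti "$1") || exit 1
  pin_kneti "$line" "$2" "$3" || { echo "ESN/KNETI mismatch for $1; not enrolling" >&2; exit 1; }
  rfs_commands "$@" | sh -e
fi
```

Run it once per HSM; in an HA HSM configuration, repeat the pinning step and the --force line for the second server, and keep the firewall list identical on both so every peer can synchronize with the RFS.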