Set Up Connectivity with an nCipher nShield Connect HSM
You must set up a remote file system (RFS) as a hub to synchronize key data for all firewalls (HSM clients) in your organization that use the nCipher nShield Connect HSM. To ensure the nShield Connect client version on your firewalls is compatible with your nShield Connect server, see Set Up Connectivity with an HSM.
Before the HSM and firewalls connect, the HSM authenticates the firewalls based on their IP addresses, so you must configure the firewalls with static IP addresses rather than addresses assigned through DHCP. HSM operations stop working if a firewall's IP address changes at runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for failover to function properly.
- Define connection settings for each nCipher nShield Connect HSM.
  - Log in to the firewall web interface and select Device > Setup > HSM.
  - Edit the Hardware Security Module Provider settings and set Provider Configured to nShield Connect.
  - Add each HSM server as follows. An HA HSM configuration requires two servers.
    - Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
    - Enter an IPv4 address for the HSM Server Address.
    - Enter an IPv4 address for the Remote Filesystem Address.
  - Click OK and Commit your changes.
- (Optional) Configure a service route to connect to the HSM if you don't want the firewall to connect through the Management interface (the default). If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds the HSM needs to recover, all SSL/TLS operations fail.
  - Select Device > Setup > Services and click Service Route Configuration.
  - Customize a service route. The IPv4 tab is active by default.
  - Click HSM in the Service column.
  - Select a Source Interface for the HSM.
  - Click OK and Commit your changes.
- Register the firewall as an HSM client with the HSM server. This step briefly describes the procedure for using the front panel interface of the nShield Connect HSM. For more details, refer to nCipher documentation.
  - Log in to the front panel display of the nCipher nShield Connect HSM.
  - Use the right-hand navigation button to select System > System configuration > Client config > New client.
  - Enter the firewall IP address.
  - Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the RFS.
- Configure the RFS to accept connections from the firewall.
  - Log in to the RFS from a Linux client.
  - Obtain the electronic serial number (ESN) and the hash of the KNETI key, which authenticates the HSM to clients, by running the anonkneti CLI command:
        anonkneti <ip-address>
    where <ip-address> is the HSM IP address. For example:
        anonkneti 192.0.2.1
        B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
    In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key. anonkneti fetches these values from the HSM over the network without authenticating it, so before using them confirm that they match the ESN and KNETI hash shown on the HSM front panel or supplied by the HSM administrator.
  - From a superuser account, set up the RFS with the following command:
        rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
    The <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number, and <hash-Kneti-key> is the hash of the KNETI key. The following example uses the values obtained in this procedure:
        rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
  - Permit HSM client submissions on the RFS with the following command:
        rfs-setup --gang-client --write-noauth <FW-IPaddress>
    where <FW-IPaddress> is the firewall IP address. Because --write-noauth allows that address to write to the RFS without authentication, use only the firewall's static IP address here.
- Authenticate the firewall to the HSM.
  - In the firewall web interface, select Device > Setup > HSM and then Setup Hardware Security Module.
  - Click OK. The firewall tries to authenticate to the HSM and displays a status message.
  - Synchronize the firewall with the RFS by selecting Device > Setup > HSM and then Synchronize with Remote Filesystem.
- Verify firewall connectivity and authentication with the HSM.
  - Select Device > Setup > HSM and check the authentication and connection Status:
    - Green—The firewall is successfully authenticated and connected to the HSM.
    - Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
  - Check the Hardware Security Module Status to determine the authentication status:
    - Name—The name of the HSM.
    - IP address—The IP address of the HSM.
    - Module State—The current state of the HSM connection: Authenticated or NotAuthenticated.
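The following is an added example covering the RFS configuration step above; it is not from the PAN-OS or nCipher documentation. It is a POSIX shell script that parses one line of anonkneti output, validates the ESN and KNETI hash formats, checks the hash against a value confirmed out of band, and only then prints the two rfs-setup commands for review. The addresses (RFC 5737 ranges), the expected hash and the sample anonkneti line are constructed; anonkneti and rfs-setup are not invoked, so the script runs without an HSM.

```shell
#!/bin/sh
# Added example; not part of the PAN-OS or nCipher documentation.
# Wraps the RFS step: parse anonkneti output, validate ESN and KNETI hash,
# compare the hash with an out-of-band value, then build the rfs-setup commands.
# HSM_IP, FW_IP, EXPECTED_HASH and SAMPLE_OUTPUT are constructed values.

HSM_IP=192.0.2.1
FW_IP=192.0.2.10
# KNETI hash as read from the HSM front panel or supplied by the HSM
# administrator; the network-fetched value must match it.
EXPECTED_HASH=5a2e5107e70d525615a903f6391ad72b1c03352c
# Constructed stand-in for the output of: anonkneti "$HSM_IP"
SAMPLE_OUTPUT='B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c'

# parse_anonkneti LINE
# Prints "ESN HASH" if LINE has the shape anonkneti prints; returns 1 otherwise.
parse_anonkneti() {
    esn=${1%% *}
    hash=${1#* }
    # Reject lines that do not have exactly two fields.
    [ "$esn" != "$1" ] || return 1
    case "$hash" in *' '*) return 1 ;; esac
    # ESN: three dash-separated groups of four hex digits, e.g. B1E2-2D4C-E6A2
    printf '%s\n' "$esn" | grep -Eq '^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$' || return 1
    # KNETI hash: 40 hex digits (SHA-1 of the module's KNETI key)
    printf '%s\n' "$hash" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 1
    printf '%s %s\n' "$esn" "$hash"
}

# verify_kneti_hash FETCHED EXPECTED
# Case-insensitive comparison; returns 0 only on an exact, non-empty match.
verify_kneti_hash() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# build_rfs_commands HSM_IP ESN HASH FW_IP
# Prints the two rfs-setup invocations from the procedure, one per line, so
# they can be reviewed before being run from a superuser account on the RFS.
build_rfs_commands() {
    printf 'rfs-setup --force %s %s %s\n' "$1" "$2" "$3"
    # --write-noauth lets this one address push key data without
    # authenticating, which is why the firewall must keep a static IP.
    printf 'rfs-setup --gang-client --write-noauth %s\n' "$4"
}

# enroll_rfs ANONKNETI_LINE
# Full flow over one anonkneti output line.
# Return codes: 1 malformed output, 2 hash mismatch (wrong address or a
# spoofed HSM), 0 success with the commands printed on stdout.
enroll_rfs() {
    parsed=$(parse_anonkneti "$1") || { echo "unexpected anonkneti output: $1" >&2; return 1; }
    esn=${parsed%% *}
    hash=${parsed#* }
    verify_kneti_hash "$hash" "$EXPECTED_HASH" || {
        echo "KNETI hash for $HSM_IP does not match the out-of-band value; not enrolling" >&2
        return 2
    }
    build_rfs_commands "$HSM_IP" "$esn" "$hash" "$FW_IP"
}

enroll_rfs "$SAMPLE_OUTPUT"
```

On a real RFS, replace SAMPLE_OUTPUT with the actual output of anonkneti against the HSM address and run the printed commands as root only after reading them; a non-zero return from enroll_rfs means the HSM identity could not be confirmed and nothing should be enrolled.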