Preparing for Setup
Before configuring Key Manager with SafeNet Network HSM, note the following prerequisites and precautions:
- Note the HSM policies that apply in your corporate network environment. Always consult the team that operates your HSMs about the actual procedures required for setting up HSM support in your environment.
- Ensure that the SafeNet Network HSM version you are using is supported by Key Manager. The instructions in this manual were tested against Luna SA version 5.4.7-1 and may need to be adapted for other product versions.
- Ensure that you have the packages for installing the SafeNet HSM Client software. At least the following client-software packages are required for setting up Key Manager to operate with SafeNet Network HSM:
  libcryptoki-*.x86_64.rpm
  configurator-*.x86_64.rpm
  lunacmu-*.x86_64.rpm
  vtl-*.x86_64.rpm
  These instructions assume that you have already uploaded the required packages to your Key Manager Servers.
- To establish trust between HSM clients and the HSM appliance, you need the HSM Appliance Server Certificate, which the client uses to verify the appliance it connects to. These instructions assume that you have already uploaded the HSM Appliance Server Certificate to your Key Manager Servers.
- The target HSM service must provide a partition in which the management keys are stored, and you need the PIN (the partition password) for accessing that partition. Instructions for setting up a partition are provided later in this chapter. These instructions assume that you have already set up a functioning SafeNet Network HSM appliance.
- Key Manager only reads management keys from its HSM partition; it does not generate them. You must create any required management keys on the HSM partition manually, and at least one SSH key pair must be present on the partition for Key Manager to function. Management keys stored in the HSM must have the attribute sign=true, and every management-key pair stored in the HSM must have a unique label value. If more than one key pair exists on a partition, every key pair must also have a unique id value. With SafeNet HSM, key attributes can be checked with the following command:
  cmu getattribute
  The key attributes can be changed with the following command:
  cmu setattribute
- Key Manager only performs sign operations on the HSM and does not use any hashing algorithms provided by the HSM. Data hashing is handled internally by the SSH protocol implementation.
- Key Manager attempts to establish management connections by iteratively authenticating with every key pair available on its designated HSM partition. Because SSH servers are typically configured to deny the connection after a certain number of authentication attempts (for OpenSSH this is the MaxAuthTries setting, which defaults to 6, and each rejected public key counts as one attempt), having too many keys on the HSM partition is likely to cause some management connections to fail. For this reason we recommend keeping the number of SSH key pairs on the HSM partition to a minimum. To prevent management-connection failures, ensure that the number of management-key pairs on the HSM partition is equal to or less than the number of authentication attempts allowed by the SSH servers in your environment. Note that each management-key pair can be used for more than one agentless host.
- Key Manager interfaces with its designated HSM partition using PKCS #11. The libraries required for PKCS #11 authentication and access, and any other tools required for setting up client connections to the HSM, are expected to be provided by the HSM vendor.
- Ensure that your network settings, including any firewalls between the Key Manager Servers and the HSM appliance, allow Key Manager to connect to the HSM.
- Host deployment using HSM keys can only be performed via the command-line client, not the Key Manager GUI.
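The key-attribute requirements (sign=true, unique labels, unique ids when more than one pair exists) and the MaxAuthTries limit above are easy to get wrong on a partition that has been touched by several administrators. The following Python script is an added example, not part of the Key Manager product or of the SafeNet client tools: it checks captured cmu getattribute output offline against those requirements. It assumes that the captured text contains one attribute=value pair per line, that private keys are reported as class=privateKey, and that the output for each object is separated by a blank line; the embedded sample output is constructed for illustration, not taken from a real appliance. The maximum-attempts value is whatever your SSH servers enforce.

```python
"""Offline check of SafeNet partition key attributes against the Key Manager
requirements.  Added example; input format (attribute=value lines, blank line
between objects, class=privateKey for private keys) is an assumption."""

from collections import Counter

# Constructed sample: concatenated `cmu getattribute` output for four objects
# (one complete pair, one private key with sign=false, one with a reused
# label and a reused id).  Not real HSM output.
SAMPLE_CMU_OUTPUT = """\
class=privateKey
label=km-mgmt-key-1
id=01
keyType=RSA
sign=true

class=publicKey
label=km-mgmt-key-1
id=01
keyType=RSA
verify=true

class=privateKey
label=km-mgmt-key-2
id=01
keyType=RSA
sign=false

class=privateKey
label=km-mgmt-key-1
id=03
keyType=RSA
sign=true
"""


def parse_cmu_objects(text):
    """Split concatenated getattribute output into one dict per object."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        if "=" not in line:               # tolerate banner/prompt lines
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects


def check_partition(objects, max_auth_tries):
    """Return a list of problems; an empty list means the partition is usable.

    Only private keys are examined: the public half of a pair legitimately
    shares its label and id with the private half, so uniqueness is a
    property of pairs, not of individual objects."""
    problems = []
    priv = [o for o in objects if o.get("class") == "privateKey"]
    if not priv:
        problems.append("no private key on partition; at least one SSH key pair is required")
    for o in priv:
        if o.get("sign", "").lower() != "true":
            problems.append(f"private key {o.get('label', '?')}: sign={o.get('sign', 'unset')} (must be true)")
    for label, n in Counter(o.get("label") for o in priv).items():
        if n > 1:
            problems.append(f"label {label!r} used by {n} private keys (labels must be unique)")
    if len(priv) > 1:                     # ids only need to be unique with >1 pair
        for kid, n in Counter(o.get("id") for o in priv).items():
            if n > 1:
                problems.append(f"id {kid!r} shared by {n} private keys (ids must be unique)")
    if len(priv) > max_auth_tries:
        problems.append(f"{len(priv)} key pairs exceed the {max_auth_tries} authentication attempts allowed by the SSH servers")
    return problems


if __name__ == "__main__":
    for p in check_partition(parse_cmu_objects(SAMPLE_CMU_OUTPUT), 2):
        print("PROBLEM:", p)
```

To check a real partition, run cmu list to obtain the object handles, then cmu getattribute for each handle (the handle is selected with the -handle= option; confirm the exact syntax in the documentation for your client version) and concatenate the outputs with a blank line between objects before feeding the text to parse_cmu_objects. Fix any reported attribute with cmu setattribute, then re-run the check.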