6.2.1 Hardware Security Module Setup
6.2.1.1 Pre-Requisites
Software
The following software must be installed on the HSM:
Version 2.07 or higher of the SafeNet ProtectServer firmware
The following software must be installed on the machine on which HSM administration tasks will be carried out:
Network or PCI Access Provider v4.00
ProtectToolKit C Software Development Kit v4.00
Protect Processing Orange Software Development Kit v3.00
Administrator Account
The setup process requires administration privileges in at least one administration token and one user token on the Hardware Security Module.
Firmware Module
The VACMAN Controller Firmware Module file (aal2sdk) should be copied to the machine on which the HSM administration will take place.
6.2.1.2 Configuration
Hardware Security Module
1. Install the Hardware Security Module.
VACMAN Controller Firmware
To install VACMAN Controller Firmware Module in the Hardware Security Module:
2. Generate SSL certificate in the user slot:
a. At a command prompt, enter:
ctcert c -s<UserSlotID> -k -z<KeySize> -l<CertificateName>
where <UserSlotID> is the ID of the slot on which the certificate should be generated, <KeySize> is the length of private key required, and <CertificateName> is the name you want to give the certificate.
KeySize must be at least 1024.
b. Enter the requested information.
3. Transfer the certificate to admin slot:
a. To do this via command prompt, enter:
ctcert x -l<CertificateName> -s<UserSlotID> -f<CertExportFileName>
ctcert i -f<CertExportFileName> -s<AdminSlotID> -l<CertificateName>
where <CertificateName> is the name of the certificate that you entered when generating the certificate, <UserSlotID> is the ID of the slot in which the certificate was generated, <CertExportFileName> is the filename of the exported certificate, and <AdminSlotID> is the ID of the administration slot to which the certificate is being copied.
4. Mark the certificate as trusted:
a. At a command prompt, enter:
ctcert t -l<CertificateName> -s<AdminSlotID>
where <CertificateName> is the name of the certificate that you entered when generating the certificate, and <AdminSlotID> is the ID of the administration slot to which the certificate has been copied.
5. Use the trusted certificate to sign the VACMAN Controller Firmware Module:
a. At a command prompt, enter:
mkfm -k"<UserSlotLabel>(<PIN>)/<CertificateName>" -faal2sdk -oaal2sdk.fm
where <UserSlotLabel> is the label for the user slot on which the certificate was generated, <PIN> is the administrator PIN for the token and <CertificateName> is the name of the certificate that you entered when generating the certificate.
6. Upload firmware module into HSM:
a. At a command prompt, enter:
ctconf -b<CertificateName> -jaal2sdk.fm
where <CertificateName> is the name of the certificate that you entered when generating the certificate.
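The following script is an added example, not part of the IDENTIKEY or ProtectServer documentation: it runs steps 2 to 6 above in order, stops at the first failing command so a later step can never run against a half-completed state, and checks the key size before anything touches the HSM. It assumes ctcert, mkfm and ctconf are on the PATH, that the aal2sdk file is in the working directory, and that the token PIN is supplied in the HSM_ADMIN_PIN environment variable (a constructed convention); DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: chains the ctcert / mkfm / ctconf steps for signing and
# loading the VACMAN Controller Firmware Module. Tool names and option
# letters are those given in the setup steps; everything else is assumed.
set -eu

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The documentation requires a private key of at least 1024 bits;
# reject anything that is not a number or is too short.
check_key_size() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ]
}

# Arguments: user slot ID, admin slot ID, user slot label, certificate
# name, key size. The PIN is read from HSM_ADMIN_PIN (assumed variable)
# rather than taken as a positional argument; mkfm itself still needs it
# inside its -k option, as the setup step shows.
sign_and_load_fm() {
  user_slot="$1"; admin_slot="$2"; user_label="$3"; cert="$4"; key_size="$5"
  export_file="${cert}.crt"   # constructed export file name
  check_key_size "$key_size" || { echo "KeySize must be a number >= 1024" >&2; return 1; }
  : "${HSM_ADMIN_PIN:?set HSM_ADMIN_PIN to the administrator PIN of the user token}"

  run ctcert c -s"$user_slot" -k -z"$key_size" -l"$cert"        # step 2: generate cert in user slot
  run ctcert x -l"$cert" -s"$user_slot" -f"$export_file"        # step 3a: export from user slot
  run ctcert i -f"$export_file" -s"$admin_slot" -l"$cert"       # step 3b: import into admin slot
  run ctcert t -l"$cert" -s"$admin_slot"                        # step 4: mark as trusted
  run mkfm -k"${user_label}(${HSM_ADMIN_PIN})/${cert}" -faal2sdk -oaal2sdk.fm  # step 5: sign module
  run ctconf -b"$cert" -jaal2sdk.fm                             # step 6: upload module to HSM
}

# Example invocation with constructed values (remove DRY_RUN=1 to run for real):
# DRY_RUN=1 HSM_ADMIN_PIN=1234 sign_and_load_fm 0 1 "UserToken" "vacmanfm" 2048
```

Supply the PIN with `read -s HSM_ADMIN_PIN; export HSM_ADMIN_PIN` before calling the function so it does not land in the shell history.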
Create Storage Key
7. Using the Key Management Utility, create a secret key to use as IDENTIKEY Server's storage key. This will require an administrator login to the token. Note the token label and key label used.
Required key attributes:
double or triple DES
sensitive
wrap and unwrap enabled
private (optional)
exportable (optional; required if key backup is in use)
all other options disabled
Note: Install IDENTIKEY Server in Advanced mode - ODBC.
Create Sensitive Data Key
8. Using the Key Management Utility, create a sensitive data key. This will require an administrator login to the token, and can be created in the same or different slot to the storage key created earlier. Note the token label and key label used.
Required attributes:
If using multiple Hardware Security Modules with IDENTIKEY Server, the keys created above must be replicated to the other HSMs.
The following steps will require attributes specific to your HSM setup. Consult the PTK Administration Manual – typical file name ptk_c_administration_manual_rev-c.pdf – for more information.
9. Generate an identity keypair, using the ctident gen command.
10. Create a trust relationship, using the ctident trust command.
11. Replicate the token, using the ctkmu rt command.
6.2.2 IDENTIKEY Server Setup
6.2.2.1 Pre-requisites
The following software must be installed on the machine on which IDENTIKEY Server will be installed:
Network or PCI Access Provider v4.00
ProtectToolKit C Runtime Library v4.00
6.2.2.2 Configuration
1. Ensure that licensing for IDENTIKEY Server includes Hardware Security Module functionality.
2. Install IDENTIKEY Server.
3. Configure HSM encryption and connection details in the IDENTIKEY Server Configuration Wizard:
a. Select Use the available Hardware Security Module(s) in the Hardware Security Module screen.
b. Click on the Browse button and browse to the HSM connection library file. For Windows installations, this will typically be named cryptoki.dll and located in the PTKC runtime installation directory. For Linux installations, it will typically be named libcryptoki.so and copied automatically to the chroot environment – the location will be provided by default.
c. Click on Next.
d. Enter the name of the storage key created earlier, and the slot ID in which it was created.
e. If the key was set as private, enter the token label and PIN.
f. Click on Next.
g. Enter the name of the sensitive data key created earlier.
h. If the key was set as private, enter the token label and PIN.
i. Click on Next.
j. Continue with IDENTIKEY Server configuration.
4. Add environment variables:
a. ET_HSM_NETCLIENT_READ_TIMEOUT_SECS – set to a value of 1
b. ET_HSM_NETCLIENT_WRITE_TIMEOUT_SECS – set to a value of 1
c. ET_HSM_NETCLIENT_CONNECT_TIMEOUT_SECS – set to a value of 1