Configuring the Gemalto HSM Environment

This section describes how to configure the Check Point environment to work with the Gemalto Luna SP SafeNet HSM.

The SafeNet Cryptographic Engine enables the SafeNet Network HSM functionality by providing:

  • Secure cryptographic storage.

  • Cryptographic acceleration.

  • Administrative access control.

  • Policy management.

  • Detection of modifications done to the data.

Workflow

Use this workflow to configure your Check Point Security GroupClosed A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. to work with the Gemalto HSM Server:

Step 1: Extract the Gemalto Help Package

Step 2: Configure the Gemalto HSM Server to Work with Check Point Security Group

Step 3: Configure the Gemalto HSM Client Workstation

Step 4: Create the CA Certificate on the Gemalto HSM Server

Step 5: Configure the Check Point Security Group to Work with the Gemalto HSM Server

Step 1: Extract the Gemalto Help Package

You must use the Gemalto configuration documents to configure the Gemalto HSM environment.

Step

Instructions

1

Use a Window-based computer.

2

Download this package:

Gemalto SafeNet HSM Help package

Note - Software Subscription or Active Support plan is required to download this package.

3

Extract the Gemalto HSM Help package to some folder.

4

Open the extracted Gemalto HSM Help folder.

5

Double-click the START_HERE.html file.

The Gemalto SafeNet Network HSM 6.2.2 Product Documentation opens.

Step 2: Configure the Gemalto HSM Server to Work with Check Point Security Group

Use the Gemalto Help documents to install and configure the HSM Server.

Step

Instructions

1

Install the Gemalto HSM Appliance.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Installation Guide > SafeNet Network HSM Hardware Installation.

2

Perform the initial configuration of the Gemalto HSM Appliance and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Configuration Guide > and follow from [Step 1] to [Step 6].

3

Run the "sysconf recenCert" command in LunaSH to generate a new Gemalto HSM Server certificate (server.pem).

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

4

Complete the configuration of the Gemalto HSM Server to work with Check Point Security Group.

Run these commands in LunaSH:

  • Set the applicable partition to be active and auto-activated:

    lunash:> partition showPolicies -partition <Partition Name>

    lunash:> partition changePolicy -partition <Partition Name> -policy 22 -value 1

    lunash:> partition changePolicy -partition <Partition Name> -policy 23 -value 1

    lunash:> partition showPolicies -partition <Partition Name>

    Note - If you do not set the partition to stay auto-activated, the partition does not stay activated when the machine is shut down for more than two hours.

  • Disable the client source IP address validation by NTLS upon an NTLA client connection:

    lunash:> ntls ipcheck disable

    Note - This allows the Gemalto HSM Server to accept traffic from Check Point ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members that is hidden behind a Cluster VIP address, and from Check Point Security Group hidden behind NAT.

Step 3: Configure the Gemalto HSM Client Workstation

You use the Gemalto HSM Client Workstation to create a CA Certificate on the Gemalto HSM Server.

Check Point Security Group uses this CA Certificate for Outbound HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. when it stores and accesses SSL keys on the Gemalto HSM Server.

Step

Instructions

1

Install a Windows-based or Linux-based computer to use as an HSM Client workstation.

2

Download and install this software package on the HSM Client workstation computer:

SafeNet HSM Client for Workstation

Note - Software Subscription or Active Support plan is required to download this package.

From Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation.

3

Establish a Trust Link between the HSM Client workstation and the HSM Server.

On the HSM Client workstation, run in LunaCM:

lunacm:> clientconfig deploy ...

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

Note - The configuration will not work on Linux OS with glibc version lower than 2.7 (for example: Red Hat 5 or lower, GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. R77.20 or lower). In such case, follow the instructions in Step 5 > Establish a Trust Link between the Check Point Security Group and the Gemalto HSM Server..

Step 4: Create the CA Certificate on the Gemalto HSM Server

Step

Instructions

1

On the HSM Client workstation computer, open a command prompt or a terminal window.

2

Use the "cmu generatekeypair" command to create a key pair.

Example:

[Expert@MyChassis-ch0x-0x:0]# cd /usr/safenet/lunaclient/bin

[Expert@MyChassis-ch0x-0x:0]# ./cmu generatekeypair -modulusBits=2048 -publicExponent=65537 -labelPublic="CAPublicKeyPairLabel" -labelPrivate="CAPrivateKeyPairLabel" -sign=T -verify=T

3

When prompted, enter a password:

Example:

Enter a password for the token in slot 0: <Password for the partition on HSM Server that you configured in Step 2>

4

Select the RSA mechanism by entering the corresponding number:

[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes

5

Run the cmu list command to view the handles of the key pair you created.

Example:

Enter password for token in slot 0 : <Password for the partition on HSM Server that you configured in Step 2>

handle=17 label=CAPrivateKeyPairLabel

handle=18 label=CAPublicKeyPairLabel

6

Use the handle numbers from the previous Step 5 to create the CA certificate.

Example:

[Expert@MyChassis-ch0x-0x:0]# ./cmu selfsigncertificate -privatehandle=17 -CN="www.myhsm.cp" -sha1WithRSA -startDate 20170720 -endDate 20190101 -serialNum=123456789abcdef

7

Run the "cmu list" command to view the handles of the CA certificate you created.

Example:

Please enter password for token in slot 0 : <Password for the partition on HSM Server that you configured in Step 2>

handle=13 label=www.myhsm.cp

handle=17 label=CAPrivateKeyPairLabel

handle=18 label=CAPublicKeyPairLabel

Note - You will use the numbers of these three handles on the Check Point Security Group in the $FWDIR/conf/hsm_configuration.C file.

Step 5: Configure the Check Point Security Group to Work with the Gemalto HSM Server

Workflow:

  1. Install the Gemalto HSM Simplified Client software packages on the Check Point Security Group.

    Step

    Instructions

    1

    Download this software package:

    Gemalto SafeNet HSM Simplified Client for Check Point Security Gateway

    Note - Software Subscription or Active Support plan is required to download this package.

    2

    Copy the software package to the Check Point Security Group to some directory.

    3

    Connect to the command line on the Check Point Security Group.

    4

    Log in to the Expert mode.

    5

    Go to the directory with the packages:

    g_all cd /<Path>/<To>/<Directory>

    6

    Extract the packages:

    g_all tar -xvf <Name of Package>.tar

    7

    Install these packages:

    g_all rpm -Uvh configurator-6.2.2-4.i386.rpm

    g_all rpm -Uvh libcryptoki-6.2.2-4.i386.rpm

    g_all rpm -Uvh vtl-6.2.2-4.i386.rpm

  2. Establish a Trust Link between the Check Point Security Group and the Gemalto HSM Server.

    1. On the Check Point Security Group, follow these steps.

      1. Connect to the command line.

      2. Log in to the Expert mode.

      3. Go to the SafeNet HSM Simplified Client installation directory:

        g_all cd /usr/safenet/lunaclient/bin/

      4. Import the HSM Server certificate, server.pem, from the HSM Server to the Security Group:

        Important - The period at the end is part of the syntax.

        g_all scp admin@<IP Address of HSM Server>:server.pem .

      5. Register the HSM Server certificate, server.pem, with the Check Point Security Group:

        g_all ./vtl addServer -n <IP Address of HSM Server> -c server.pem

      6. Create a certificate and private key for the Check Point Security Group:

        g_all ./vtl createCert -n <IP Address of CP Security Group>

        Notes:

        • Use the IP address of the interface that connects to the HSM Server.

          In a Check Point Cluster, use the IP address of the Cluster MemberClosed Security Gateway that is part of a cluster., and not the Cluster Virtual IP address.

        • The command creates this private key file:

          /usr/safenet/lunaclient/cert/client/<IP Address of Check Point Security Group>Key.pem

        • The command creates this certificate file:

          /usr/safenet/lunaclient/cert/client/<IP Address of Check Point Security Group>.pem

      7. Copy the Check Point Security Group certificate file that you created to the HSM Server

        Important - The colon at the end is part of the syntax.

        g_all scp <IP Address of Check Point Security Group>.pem admin@<IP Address of HSM Server>:

    2. On the HSM Server, in LunaSH, perform these steps.

      1. Register the Check Point Security Group certificate with the HSM Server:

        lunash:> client register -client <Desired Name of HSM Client> -ip <IP Address of Check Point Security Group>

      2. Restart the Network Trust Link service:

        lunash:> service restart ntls

      3. Confirm the Check Point Security Group registration:

        lunash:> client list

      4. Assign the Check Point Security Group to the applicable partition:

        lunash:> client assignPartition -client <Configured Name of HSM Client> -partition <Partition Name>

      5. Examine the partition access:

        lunash:> client show -client <Configured Name of HSM Client>

    3. On the Check Point Security Group, perform this step.

      Examine the partition access:

      g_all ./vtl verify

    Notes:

    • For more information, see Gemalto SafeNet Network HSM 6.2.2 Product Documentation.

      For information about establishing a Trust Link, go to Appliance Administration Guide > Configuration without One-step NTLS > [Step 7] Create a Network Trust Link Between the Client and the Appliance.

    • If it is necessary to establish a new Trust Link, you have to delete the current Trust Link (see Deleting a Trust Link with the HSM Server).

  3. Configure HTTPS Inspection on the Check Point Security Group to work with the Gemalto HSM Server.

    • Before you configure the HTTPS Inspection on the Security Group to work with the Gemalto HSM Server, you must enable and configure HTTPS Inspection on the Check Point Security Group, install the applicable Access Control Policy, and confirm that HTTPS Inspection works correctly without the Gemalto HSM Server.

      See the R80.20 Security Management Administration Guide.

    • After any change in the $FWDIR/conf/hsm_configuration.C file on the Check Point Security Group, you must fetch or install the Access Control Policy on the Security Group.

    • If the Gemalto HSM Server is not available when you fetch or install policy on the Check Point Security Group, the HTTPS Inspection is not able to inspect the outbound HTTPS traffic.

      As a result, internal computers are not able to access HTTPS web sites.

      To resolve this, make sure that the Gemalto HSM Server is up and running, there is physical connectivity between the Check Point Security Group and the Gemalto HSM Server, the Trust Link is established with the Gemalto HSM Server, and then fetch or install the policy on the Security Group.

      In addition, see Disabling Communication from the Check Point Security Group to the Gemalto HSM Server.

    1. Connect to the command line on the Security Group.

    2. Log in to the Expert mode.

    3. Edit the configuration file $FWDIR/conf/hsm_configuration.C:

      g_all vi $FWDIR/conf/hsm_configuration.C

    4. Based on the output of the "cmu list" command from Step 4 above, add details of the CA certificate from the HSM Server to this configuration file.

      Example: 

      (
 :enabled ("yes") # "yes" / "no"
 :CA_cert_public_key_handle (18)
 :CA_cert_private_key_handle (17)
 :CA_cert_buffer_handle (13)
 :token_id ("<Password for the partition on HSM Server that you configured in Step 2>")
)

    5. On the Security Group, fetch the local policy:

      g_fw fetch local

    6. Confirm that HTTPS Inspection is activated successfully on outbound traffic.

    7. From an internal computer, connect to any HTTPS web site.

    8. On the internal computer, in the web browser, you should receive the signed CA certificate from the HSM Server.

Additional Actions for a Gemalto HSM Server

You can disable communication from the Check Point Security Group to an HSM Server.

For example, when the HSM Server is under maintenance.

Step

Instructions

1

Connect to the command line on the Check Point Security Group.

2

Log in to the Expert mode.

3

Back up the current configuration file $FWDIR/conf/hsm_configuration.C:

g_all cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

4

Edit the current configuration file $FWDIR/conf/hsm_configuration.C:

g_all vi $FWDIR/conf/hsm_configuration.C

5

Set the value of the ":enabled" attribute to "no":

:enabled ("no")

6

Save the changes in the file and exit the editor.

7

Fetch the local policy:

g_fw fetch local

If it is necessary to establish new Trust Link between a Check Point Security Group and an HSM Server, you must delete the current Trust Link.

For example, when you replace or reconfigure a Check Point Security Group, or an HSM Server.

Step

Instructions

1

Delete the current Trust Link on the Check Point Security Group:

  1. Connect to the command line.

  2. Log in to the Expert mode.

  3. Go to the SafeNet HSM Simplified Client installation directory:

    g_all cd /usr/safenet/lunaclient/bin/

  4. Delete the old Trust Link:

    g_all ./vtl deleteServer -n <IP Address of HSM Server>

2

Delete the current Trust Link on the HSM Server:

  1. Connect to the HSM Server over SSH.

  2. Examine the list of configured HSM Clients:

    lunash:> client list

  3. Delete the Check Point HSM Client:

    lunash:> client delete -client <Name of HSM Client>

Note - For more information, see Gemalto SafeNet Network HSM 6.2.2 Product Documentation.

Step

Instructions

1

Connect to the HSM Server over SSH.

2

Examine all the configured interfaces:

lunash:> network show

3

Add a new interface:

lunash:> network interface -device <Name of Interface> -ip <IP Address> -netmask <NetMask> [-gateway <IP Address>]

4

Enable Network Trust Link Service (NTLS) on all the interfaces.

Note - For more information, see Gemalto SafeNet Network HSM 6.2.2 Product Documentation > LunaSH Command Reference Guide > LunaSH Commands.