
Hardware Security Module (HSM)

In This Section:

Why Use an HSM?

The Check Point Environment with Gemalto SafeNet HSM Appliance

Workflow for Setting Up Your HSM Environment

Step 1: Extracting the Gemalto Help Package

Step 2: Configuring the Gemalto HSM Appliance Server to Work with Check Point Security Gateway

Step 3: Configuring the Gemalto HSM Client Workstation

Step 4: Creating the CA Certificate on the Gemalto HSM Appliance Server

Step 5: Configuring the Check Point Security Gateway to Work with the Gemalto HSM Appliance Server

Additional Actions for a Gemalto HSM Appliance Server

Monitoring HTTPS Inspection on Check Point Gateway When Working with the Gemalto HSM Appliance Server

Why Use an HSM?

A Hardware Security Module (HSM) is a device that stores cryptographic keys and provides dedicated cryptographic functionality. Keeping the keys in the HSM adds an extra layer of security to the network.

When Check Point Security Gateway uses an HSM, the HSM holds these objects for outbound HTTPS Inspection:

  1. The Certificate Authority (CA) certificate (certificate buffer + key pair).

    The administrator creates the CA certificate and key pair before configuring the Security Gateway to work with an HSM.

  2. Two to three key pairs for fake certificates.

    These key pairs are created, with a 1024-bit, 2048-bit, or 4096-bit key length, when the HTTPS Inspection daemon initializes on the Security Gateway.

You can use the Gemalto Luna SP SafeNet HSM to work with the Check Point Security Gateway. The SafeNet Cryptographic Engine enables the SafeNet Network HSM functionality by providing:

The Check Point Environment with Gemalto SafeNet HSM Appliance

Item

Description

1

Internal computers that connect to HTTPS web sites through the Check Point Gateways & Servers.

2

Check Point Security Gateway with HTTPS Inspection enabled.

3

HTTPS web sites on the Internet.

4

Check Point Security Management Server that manages the Check Point Security Gateway.

5

Interconnecting Network.

6

Gemalto HSM Appliance Server that stores and serves the SSL keys and certificates to the Check Point Security Gateway.

7

Gemalto HSM Client workstation used for creating a CA certificate on the Gemalto HSM Appliance Server.

Note - Check Point Security Gateway uses the Gemalto HSM Appliance Server only for outbound HTTPS Inspection.

Workflow for Setting Up Your HSM Environment

Use this workflow to configure your Check Point Gateway to work with the HSM Appliance Server:

Step

Description

1

Extract the Gemalto Help package.

2

Configure the Gemalto HSM Appliance Server to work with Check Point Gateway.

3

Configure the Gemalto HSM Client workstation.

4

Create the CA Certificate on the Gemalto HSM Appliance Server.

5

Configure the Check Point Security Gateway to work with the Gemalto HSM Appliance Server.

Step 1: Extracting the Gemalto Help Package

The Gemalto configuration documents have to be used to configure the Gemalto HSM environment.

Step

Description

1

Use a Windows-based computer.

2

Download this package:

Gemalto SafeNet HSM Help package

Note - Software Subscription or Active Support plan is required to download this package.

3

Extract the Gemalto HSM Help package to some folder.

4

Open the extracted Gemalto HSM Help folder.

5

Double-click START_HERE.html file.

The Gemalto SafeNet Network HSM 6.2.2 Product Documentation opens.

Step 2: Configuring the Gemalto HSM Appliance Server to Work with Check Point Security Gateway

Use the Gemalto Help documents to install and configure the HSM Appliance Server.

Procedure:

Step

Description

1

Install the HSM Appliance.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Installation Guide > SafeNet Network HSM Hardware Installation

2

Do the initial configuration of the HSM Appliance and the HSM Appliance Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Configuration Guide > follow from [Step 1] to [Step 6]

3

Run the sysconf regenCert command in LunaSH to generate a new HSM Appliance Server certificate (server.pem).

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other

4

Complete the configuration of your HSM Appliance Server to work with Check Point Security Gateway.

Run these commands in LunaSH:

4A

Set the applicable partition to be active and auto-activated:

lunash:> partition showPolicies -partition <Partition Name>

lunash:> partition changePolicy -partition <Partition Name> -policy 22 -value 1

lunash:> partition changePolicy -partition <Partition Name> -policy 23 -value 1

lunash:> partition showPolicies -partition <Partition Name>

Note - If you do not set the partition to stay auto-activated, the partition does not stay activated when the machine is shut down for more than two hours.

4B

Disable the client source IP address validation that NTLS performs when an NTLS client connects:

lunash:> ntls ipcheck disable

Note - This allows the HSM Appliance Server to accept traffic from Check Point Cluster members that are hidden behind the Cluster VIP address, and from Check Point Security Gateways hidden behind NAT.

Step 3: Configuring the Gemalto HSM Client Workstation

You use the Gemalto HSM Client Workstation to create a CA Certificate on the Gemalto HSM Appliance Server.

Check Point Security Gateway uses this CA Certificate for HTTPS Inspection when storing and accessing SSL keys on the Gemalto HSM Appliance Server.

Workflow in this section:

Step

Description

1

Install a Windows-based or Linux-based computer to use as an HSM Client workstation.

2

Download and install this software package on the HSM Client workstation computer:

SafeNet HSM Client for Workstation

Note - Software Subscription or Active Support plan is required to download this package.

From Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation

3

Establish a Trust Link between the HSM Client workstation and the HSM Appliance Server.

On the HSM Client workstation, run in LunaCM:

lunacm:> clientconfig deploy ...

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other

Note - The configuration does not work on Linux OS with a glibc version lower than 2.7 (for example: Red Hat 5 or lower, Gaia R77.20 or lower). In such a case, follow the instructions in Establishing a Trust Link between the Check Point Security Gateway and the Gemalto HSM Appliance Server.

Step 4: Creating the CA Certificate on the Gemalto HSM Appliance Server

Step

Description

1

On the HSM Client workstation computer, open a command prompt or a terminal window.

2

Use the cmu generatekeypair command to create a key pair.

Example:

# cd /usr/safenet/lunaclient/bin

# ./cmu generatekeypair -modulusBits=2048 -publicExponent=65537 -labelPublic="CAPublicKeyPairLabel" -labelPrivate="CAPrivateKeyPairLabel" -sign=T -verify=T

3

When prompted, enter a password:

Example:

Enter a password for the token in slot 0: <Password for the partition on HSM Appliance Server that you configured in Step 2>

4

Select the RSA mechanism by entering the corresponding number:

[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes

5

Run the cmu list command to view the handles of the key pair you created.

Example:

Enter password for token in slot 0 : <Password for the partition on HSM Appliance Server that you configured in Step 2>

handle=17 label=CAPrivateKeyPairLabel

handle=18 label=CAPublicKeyPairLabel

6

Use the handle numbers from the previous Step 5 to create the CA certificate.

Example:

# ./cmu selfsigncertificate -privatehandle=17 -CN="www.myhsm.cp" -sha1WithRSA -startDate 20170720 -endDate 20190101 -serialNum=123456789abcdef

7

Run the cmu list command to view the handles of the CA certificate you created.

Example:

Please enter password for token in slot 0 : <Password for the partition on HSM Appliance Server that you configured in Step 2>

handle=13 label=www.myhsm.cp

handle=17 label=CAPrivateKeyPairLabel

handle=18 label=CAPublicKeyPairLabel

Note - You use the numbers of these three handles later on the Check Point Security Gateway in the $FWDIR/conf/hsm_configuration.C file.

Step 5: Configuring the Check Point Security Gateway to Work with the Gemalto HSM Appliance Server

Workflow in this section:

Step

Description

A

Install the Gemalto HSM Simplified Client Software Packages on the Check Point Security Gateway.

B

Establish a Trust Link between the Check Point Security Gateway and the Gemalto HSM Appliance Server.

C

Configure HTTPS Inspection on the Security Gateway to work with the Gemalto HSM Appliance Server.

Note - If you have a Check Point Cluster environment, do this procedure on each cluster member.

(A) Installing the Gemalto HSM Simplified Client Software Packages on the Check Point Security Gateway

Step

Description

1

Download this software package:

Gemalto SafeNet HSM Simplified Client for Check Point Security Gateway

Note - Software Subscription or Active Support plan is required to download this package.

2

Copy the software package to the Check Point Security Gateway to some directory.

3

Connect to the command line on the Check Point Security Gateway.

4

Log in to the Expert mode.

5

Go to the directory, where you put the software package:

# cd /<path_to>/<directory>

6

Extract the packages:

# tar -xvf <Name of Package>.tar

7

Install these packages:

# rpm -Uvh configurator-6.2.2-4.i386.rpm

# rpm -Uvh libcryptoki-6.2.2-4.i386.rpm

# rpm -Uvh vtl-6.2.2-4.i386.rpm

Important - After you install these RPM packages, you do not need to reboot the Security Gateway.

(B) Establishing a Trust Link between the Check Point Security Gateway and the Gemalto HSM Appliance Server

Step

Description

1

On the Check Point Security Gateway:

1A

Connect to the command line.

1B

Log in to the Expert mode.

1C

Go to the SafeNet HSM Simplified Client installation directory:

# cd /usr/safenet/lunaclient/bin/

1D

Import the HSM Appliance Server certificate, server.pem, from the HSM Appliance to the Security Gateway (the period at the end is part of the syntax):

# scp admin@<IP Address of HSM Appliance>:server.pem .

1E

Register the HSM Appliance Server certificate, server.pem, with the Check Point Security Gateway:

# ./vtl addServer -n <IP Address of HSM Appliance> -c server.pem

1F

Create a certificate and private key for the Check Point Security Gateway:

# ./vtl createCert -n <IP Address of CP Gateway>

Notes:

  • Use the IP address of the interface that connects to the HSM Appliance.

    In a Check Point cluster, use the IP address of the cluster member, and not the Cluster Virtual IP address.

  • The private key file is created and written to:

    /usr/safenet/lunaclient/cert/client/<IP Address of CP Gateway>Key.pem

  • The certificate file is created and written to:

    /usr/safenet/lunaclient/cert/client/<IP Address of CP Gateway>.pem

1G

Copy the Check Point Security Gateway certificate file that you created to the HSM Appliance (the colon at the end is part of the syntax):

# scp <IP Address of CP Gateway>.pem admin@<IP Address of HSM Appliance>:

2

On the HSM Appliance, in LunaSH:

2A

Register the Check Point Security Gateway certificate with the HSM Appliance Server:

lunash:> client register -client <Desired Name of HSM Client> -ip <IP Address of CP Gateway>

2B

Restart the Network Trust Link service:

lunash:> service restart ntls

2C

Confirm the Check Point Security Gateway registration:

lunash:> client list

2D

Assign the Check Point Security Gateway to the applicable partition:

lunash:> client assignPartition -client <Configured Name of HSM Client> -partition <Partition Name>

2E

Examine the partition access:

lunash:> client show -client <Configured Name of HSM Client>

3

On the Check Point Security Gateway:

Examine the partition access:

# ./vtl verify

Notes:

Configuring HTTPS Inspection on the Check Point Security Gateway to Work with the Gemalto HSM Appliance Server

Important:

Procedure:

Note - If you have a Check Point Cluster environment, do this procedure on each cluster member.

Step

Description

1

Connect to the command line on the Security Gateway.

2

Log in to the Expert mode.

3

Edit the configuration file $FWDIR/conf/hsm_configuration.C:

# vi $FWDIR/conf/hsm_configuration.C

4

Based on the output of the cmu list command from Step 4, add the details of the CA certificate from the HSM Appliance Server to this configuration file.

Example:

(

:enabled ("yes") # "yes" / "no"

:CA_cert_public_key_handle (18)

:CA_cert_private_key_handle (17)

:CA_cert_buffer_handle (13)

:token_id ("<Password for the partition on HSM Appliance Server that you configured in Step 2>")

)

5

On the Security Gateway, fetch the local policy:

# fw fetch local

6

Confirm that HTTPS Inspection is activated successfully on outbound traffic.

From an internal computer, connect to any HTTPS web site.

On the internal computer, in the web browser, you should receive the signed CA certificate from the HSM Appliance Server.
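The mapping between the handles listed by cmu list in Step 4 and the three handle attributes in $FWDIR/conf/hsm_configuration.C is easy to get wrong by hand, and a wrong or duplicated handle only shows up later as an HSM error log. The following shell script is an added example, not Check Point or Gemalto tooling: it resolves each label from the Step 4 listing to exactly one handle, prints the stanza in the format shown above, and checks a stanza before fw fetch local. The cmu list lines, the labels and the CN are the ones used on this page; the partition password is a placeholder.

```shell
#!/bin/sh
# Added example (not Check Point or Gemalto tooling): derive the three handle
# numbers for $FWDIR/conf/hsm_configuration.C from the "cmu list" output of
# Step 4, emit the stanza shown in Step 5, and sanity-check it before running
# "fw fetch local". Labels and handles below are the ones used on this page.

# Constructed sample of the "handle=N label=..." lines that "cmu list" printed
# in Step 4 (the password prompt line is not part of the listing). On a real
# client workstation, capture the command's output into CMU_LIST instead.
CMU_LIST='handle=13 label=www.myhsm.cp
handle=17 label=CAPrivateKeyPairLabel
handle=18 label=CAPublicKeyPairLabel'

# handle_for LABEL: print the handle whose label matches LABEL exactly.
# Fails when the label is missing or occurs more than once, so a duplicated or
# mistyped label cannot silently select the wrong key object. Labels are
# assumed to contain no whitespace (true for the labels on this page).
handle_for() {
    _matches=$(printf '%s\n' "$CMU_LIST" | awk -v want="$1" '
        $1 ~ /^handle=[0-9]+$/ && $2 == ("label=" want) {
            sub(/^handle=/, "", $1); print $1
        }')
    [ "$(printf '%s\n' "$_matches" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$_matches"
}

# gen_hsm_config CN PUBLIC_LABEL PRIVATE_LABEL TOKEN_ID: print the stanza.
# CN is the certificate object's label (the Step 4 listing shows the
# certificate labelled with its CN). TOKEN_ID is the partition password; use a
# placeholder here and fill in the real value on the gateway only.
gen_hsm_config() {
    _buf=$(handle_for "$1")  || { echo "no unique certificate labelled '$1'" >&2; return 1; }
    _pub=$(handle_for "$2")  || { echo "no unique public key labelled '$2'" >&2; return 1; }
    _priv=$(handle_for "$3") || { echo "no unique private key labelled '$3'" >&2; return 1; }
    printf '(\n'
    printf '\t:enabled ("yes") # "yes" / "no"\n'
    printf '\t:CA_cert_public_key_handle (%s)\n' "$_pub"
    printf '\t:CA_cert_private_key_handle (%s)\n' "$_priv"
    printf '\t:CA_cert_buffer_handle (%s)\n' "$_buf"
    printf '\t:token_id ("%s")\n' "$4"
    printf ')\n'
}

# check_hsm_config FILE: verify a stanza has the shape the page documents:
# :enabled is "yes" or "no", the three handles are distinct integers, and
# :token_id is not empty. Prints "ok" and returns 0 on success.
check_hsm_config() {
    _en=$(sed -n 's/^[[:space:]]*:enabled ("\([^"]*\)").*/\1/p' "$1")
    case "$_en" in
        yes|no) ;;
        *) echo "bad or missing :enabled value '$_en'" >&2; return 1 ;;
    esac
    _seen=""
    for _k in CA_cert_public_key_handle CA_cert_private_key_handle CA_cert_buffer_handle; do
        _v=$(sed -n "s/^[[:space:]]*:$_k (\([0-9][0-9]*\))[[:space:]]*\$/\1/p" "$1")
        [ -n "$_v" ] || { echo "missing or non-numeric :$_k" >&2; return 1; }
        case " $_seen " in
            *" $_v "*) echo ":$_k reuses handle $_v" >&2; return 1 ;;
        esac
        _seen="$_seen $_v"
    done
    _tok=$(sed -n 's/^[[:space:]]*:token_id ("\([^"]*\)").*/\1/p' "$1")
    [ -n "$_tok" ] || { echo "empty :token_id" >&2; return 1; }
    echo ok
}

# Demonstration on the constructed listing: prints the stanza for the labels
# used in Step 4 with a placeholder partition password.
gen_hsm_config www.myhsm.cp CAPublicKeyPairLabel CAPrivateKeyPairLabel '<partition password>'
```

Because :token_id holds the partition password in clear text, the generated stanza should be written straight into $FWDIR/conf/hsm_configuration.C in Expert mode rather than passed around, and check_hsm_config can be run against that file right before fw fetch local.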

Additional Actions for a Gemalto HSM Appliance Server

Disabling Communication from the Check Point Gateway to the Gemalto HSM Appliance Server

You can disable communication from the Check Point Gateway to an HSM Appliance. For example, when the HSM Appliance is under maintenance.

To disable communication from the Check Point Security Gateway to the HSM Appliance:

Step

Description

1

Connect to the command line on the Check Point Security Gateway.

2

Log in to the Expert mode.

3

Edit the configuration file $FWDIR/conf/hsm_configuration.C:

# vi $FWDIR/conf/hsm_configuration.C

4

Set the value of the ":enabled" attribute to "no":

:enabled ("no")

5

Save the changes in the file and exit the Vi editor.

6

Fetch the local policy:

# fw fetch local

Deleting a Trust Link with the HSM Appliance Server

If you need to establish a new Trust Link between a Check Point Security Gateway and an HSM Appliance Server, you have to delete the current Trust Link first. For example, when you replace or reconfigure a Check Point Security Gateway or an HSM Appliance Server.

Step

Description

1

Delete the current Trust Link on Check Point Security Gateway:

  1. Connect to the command line.
  2. Log in to the Expert mode.
  3. Go to the SafeNet HSM Simplified Client installation directory:

    # cd /usr/safenet/lunaclient/bin/

  4. Delete the old Trust Link:

    # ./vtl deleteServer -n <IP Address of HSM Appliance>

2

Delete the current Trust Link on the HSM Appliance:

  1. Connect to the HSM Appliance over SSH.
  2. Examine the list of configured HSM Clients:

    lunash:> client list

  3. Delete the Check Point HSM Client:

    lunash:> client delete -client <Name of HSM Client>

Note - For more information, see Gemalto SafeNet Network HSM 6.2.2 Product Documentation.

Configuring a Second Interface on a Gemalto HSM Appliance for NTLS

Step

Description

1

Connect to the HSM Appliance over SSH.

2

Examine all the configured interfaces:

lunash:> network show

3

Add a new interface:

lunash:> network interface -device <Name of Interface> -ip <IP Address> -netmask <NetMask> [-gateway <IP Address>]

4

Enable Network Trust Link Service (NTLS) on all the interfaces.

Note - For more information, see Gemalto SafeNet Network HSM 6.2.2 Product Documentation > LunaSH Command Reference Guide > LunaSH Commands.

Monitoring HTTPS Inspection on Check Point Gateway When Working with the Gemalto HSM Appliance Server

When the HTTPS Inspection daemon wstlsd initializes on the Check Point Gateway, it checks whether this Security Gateway is configured to work with the Gemalto HSM Appliance Server.

Note - To see detailed information about wstlsd initialization, follow sk105559: How to debug WSTLSD daemon.

SmartConsole logs

To see the HTTPS Inspection logs about the Gemalto HSM Appliance Server in SmartConsole:

Step

Description

1

Click Logs & Monitor > Logs tab.

2

In the search field, enter:

type:Control

3

Double-click on the log.

4

In the log, refer to the More section.

Possible logs are:

Log Description: HSM is enabled for outbound HTTPS inspection
Log Additional Information: (none)
Explanation: The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Log Description: HSM is disabled for outbound HTTPS inspection
Log Additional Information: (none)
Explanation: One of these:

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  • Gemalto HSM Simplified Client software packages are not installed on Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without Gemalto HSM Appliance Server.

Log Description: Outbound HTTPS inspection works with HSM
Log Additional Information: Gateway is connected to HSM
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  2. Security Gateway was able to connect to the HSM Appliance Server.

Log Description: Outbound HTTPS inspection is off due to HSM error
Log Additional Information: One of these strings:

  • HSM configuration file is corrupted
  • Loading HSM library failed
  • There is no trust or no connectivity with HSM server
  • Login to HSM partition failed
  • Error importing CA certificate from HSM server
  • Error generating key pair on HSM server

Explanation: See the Log Additional Information.

Example (screenshots not reproduced here): HSM - SmartConsole logs; HSM - SmartConsole log - Log Details.

SNMP

You can query the HTTPS Inspection status and the status of the connection to the Gemalto HSM Appliance Server on the Security Gateway over SNMP, under the OID .iso.org.dod.internet.private.enterprises.checkpoint.products.httpsInspection (.1.3.6.1.4.1.2620.1.54).

To get HTTPS Inspection status, query this SNMP object:

SNMP OID: httpsInspectionStatus (.1.3.6.1.4.1.2620.1.54.1)

Returned string: On
Explanation: HTTPS Inspection feature is configured on Security Gateway.

Returned string: Off
Explanation: HTTPS Inspection feature is not configured on Security Gateway.

To get HTTPS Inspection status description, query this SNMP object:

SNMP OID: httpsInspectionStatusDescription (.1.3.6.1.4.1.2620.1.54.2)

Returned string: HTTPS Inspection is on
Explanation: HTTPS Inspection feature is configured on Security Gateway.

Returned string: HTTPS Inspection is off
Explanation: HTTPS Inspection feature is not configured on Security Gateway.

To get HSM configuration status, query this SNMP object:

SNMP OID: hsmStatus.hsmEnabled (.1.3.6.1.4.1.2620.1.54.3.1)

Returned string: Enabled
Explanation: The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Returned string: Disabled
Explanation: One of these:

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  • Gemalto HSM Simplified Client software packages are not installed on Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without Gemalto HSM Appliance Server, and SSL keys are stored on Security Gateway.

To get HSM configuration status description, query this SNMP object:

SNMP OID: hsmStatus.hsmEnabledDescription (.1.3.6.1.4.1.2620.1.54.3.2)

Returned string: HSM is enabled for HTTPS inspection
Explanation: The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Returned string: HSM is disabled for HTTPS inspection
Explanation: One of these:

  • Gemalto HSM Simplified Client software packages are not installed on Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on Security Gateway.
  • HTTPS Inspection daemon wstlsd was not able to read the value of the :enabled() attribute in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without Gemalto HSM Appliance Server, and SSL keys are stored on Security Gateway.

To get HSM partition access status, query this SNMP object:

SNMP OID: hsmStatus.hsmPartitionAccess (.1.3.6.1.4.1.2620.1.54.3.3)

Returned string: N/A
Explanation: Security Gateway could not check access to its partition on HSM Appliance Server. Most probably because HSM configuration is disabled on Security Gateway.

Returned string: Accessible
Explanation: Security Gateway was able to access its partition on HSM Appliance Server.

Returned string: Not Accessible
Explanation: Security Gateway was not able to access its partition on HSM Appliance Server due to an error.

To get HSM partition access status description, query this SNMP object:

SNMP OID: hsmStatus.hsmPartitionAccessDescription (.1.3.6.1.4.1.2620.1.54.3.4)

Returned string: HSM partition access cannot be checked
Explanation: Security Gateway could not check access to its partition on HSM Appliance Server. Most probably because HSM configuration is disabled on Security Gateway.

Returned string: Gateway can access HSM partition for HTTPS inspection
Explanation: Security Gateway was able to access its partition on HSM Appliance Server.

Returned string: Gateway cannot access HSM partition for HTTPS inspection: <error>

Possible errors are:

  • HSM configuration file is corrupted
  • Loading HSM library failed
  • There is no trust or no connectivity with HSM server
  • Login to HSM partition failed

Explanation: Security Gateway was not able to access its partition on HSM Appliance Server due to an error.

To get Outbound HTTPS Inspection status, query this SNMP object:

SNMP OID: hsmStatus.outboundStatus (.1.3.6.1.4.1.2620.1.54.3.5)

Returned string: HSM on
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  2. Security Gateway was able to connect to the HSM Appliance Server.

Returned string: HSM off
Explanation: One of these:

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  • Gemalto HSM Simplified Client software packages are not installed on Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without Gemalto HSM Appliance Server, and SSL keys are stored on Security Gateway.

Returned string: HSM error
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  2. An error occurred.

Important - In such case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.

Note - The conditions for the returned strings are calculated on Security Gateway during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabled = HSM enabled" and "hsmStatus.outboundStatus = HSM off", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.

To get Outbound HTTPS Inspection status description, query this SNMP object:

SNMP OID: hsmStatus.outboundStatusDescription (.1.3.6.1.4.1.2620.1.54.3.6)

Returned string: Outbound HTTPS inspection works with HSM
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  2. Security Gateway was able to connect to the HSM Appliance Server.

Returned string: Outbound HTTPS inspection works without HSM
Explanation: The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway, or this file does not exist.

Returned string: Outbound HTTPS inspection is off due to HSM error: <error>

Possible errors are:

  • HSM configuration file is corrupted
  • Loading HSM library failed
  • There is no trust or no connectivity with HSM server
  • Login to HSM partition failed
  • Error importing CA certificate from HSM server
  • Error generating key pair on HSM server

Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway.
  2. An error occurred.

Important - In such case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.

Note - The conditions for the returned strings are calculated on Security Gateway during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabledDescription = HSM is enabled for HTTPS inspection" and "hsmStatus.outboundStatusDescription = Outbound HTTPS inspection works without HSM", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.

Examples:

# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -On -v 2c -c public localhost 1.3.6.1.4.1.2620.1.54

 

.1.3.6.1.4.1.2620.1.54.1.0 = STRING: On

.1.3.6.1.4.1.2620.1.54.2.0 = STRING: HTTPS Inspection is on

.1.3.6.1.4.1.2620.1.54.3.1.0 = STRING: Enabled

.1.3.6.1.4.1.2620.1.54.3.2.0 = STRING: HSM is enabled for HTTPS inspection

.1.3.6.1.4.1.2620.1.54.3.3.0 = STRING: Accessible

.1.3.6.1.4.1.2620.1.54.3.4.0 = STRING: Gateway can access HSM partition for HTTPS inspection

.1.3.6.1.4.1.2620.1.54.3.5.0 = STRING: HSM on

.1.3.6.1.4.1.2620.1.54.3.6.0 = STRING: Outbound HTTPS inspection works with HSM

 

# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -Oa -v 2c -c public localhost 1.3.6.1.4.1.2620.1.54

 

CHECKPOINT-MIB::httpsInspectionStatus.0 = STRING: On

CHECKPOINT-MIB::httpsInspectionStatusDescription.0 = STRING: HTTPS Inspection is on

CHECKPOINT-MIB::hsmEnabled.0 = STRING: Enabled

CHECKPOINT-MIB::hsmEnabledDescription.0 = STRING: HSM is enabled for HTTPS inspection

CHECKPOINT-MIB::hsmPartitionAccess.0 = STRING: Accessible

CHECKPOINT-MIB::hsmPartitionAccessDescription.0 = STRING: Gateway can access HSM partition for HTTPS inspection

CHECKPOINT-MIB::outboundStatus.0 = STRING: HSM on

CHECKPOINT-MIB::outboundStatusDescription.0 = STRING: Outbound HTTPS inspection works with HSM

For more information about SNMP on Gaia OS, see sk90860: How to configure SNMP on Gaia OS.
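The two states this section warns about are easy to miss on a dashboard: "HSM off" means outbound HTTPS Inspection keeps working but with the CA private key on the gateway instead of in the HSM, and "HSM error" means outbound HTTPS traffic stops. The following script is an added example, not Check Point tooling: it parses snmpwalk -On output for the .1.3.6.1.4.1.2620.1.54 subtree and reduces it to one verdict a monitoring system can alert on. The healthy sample is the walk shown above; the stale and error samples are constructed from the returned strings documented in the tables.

```shell
#!/bin/sh
# Added example (not Check Point tooling): reduce the snmpwalk -On output of the
# httpsInspection subtree (.1.3.6.1.4.1.2620.1.54) to one verdict. Samples are
# constructed from the returned strings documented on this page.

# oid_value WALK OID: print the STRING value of instance OID.0 from WALK.
oid_value() {
    printf '%s\n' "$1" | awk -v oid="$2.0" '
        $1 == oid { sub(/^[^=]*= STRING: /, ""); print; exit }'
}

# hsm_verdict WALK: classify the gateway's HSM state.
#   OK       - outboundStatus "HSM on" and the partition is Accessible
#   DEGRADED - inspection runs, but outboundStatus is "HSM off": the SSL keys
#              are on the gateway (config disabled, missing or corrupted,
#              client not installed, or HSM enabled after wstlsd started)
#   CRITICAL - outboundStatus "HSM error": outbound HTTPS traffic does not pass
#   UNKNOWN  - subtree not answered, inspection not On, or unexpected string
hsm_verdict() {
    _insp=$(oid_value "$1" .1.3.6.1.4.1.2620.1.54.1)
    _enabled=$(oid_value "$1" .1.3.6.1.4.1.2620.1.54.3.1)
    _part=$(oid_value "$1" .1.3.6.1.4.1.2620.1.54.3.3)
    _out=$(oid_value "$1" .1.3.6.1.4.1.2620.1.54.3.5)
    _desc=$(oid_value "$1" .1.3.6.1.4.1.2620.1.54.3.6)
    if [ -z "$_insp" ] || [ -z "$_out" ]; then
        echo "UNKNOWN: httpsInspection subtree not answered"; return
    fi
    if [ "$_insp" != On ]; then
        echo "UNKNOWN: HTTPS Inspection status is '$_insp' on this gateway"; return
    fi
    case "$_out" in
        "HSM on")
            if [ "$_part" = Accessible ]; then echo OK
            else echo "DEGRADED: HSM on but partition access is '$_part'"; fi ;;
        "HSM off")
            echo "DEGRADED: SSL keys are on the gateway (hsmEnabled=$_enabled): $_desc" ;;
        "HSM error")
            echo "CRITICAL: outbound HTTPS inspection is off, HTTPS traffic does not pass: $_desc" ;;
        *)
            echo "UNKNOWN: unexpected outboundStatus '$_out'" ;;
    esac
}

# Healthy walk, as shown on this page.
WALK_HEALTHY='.1.3.6.1.4.1.2620.1.54.1.0 = STRING: On
.1.3.6.1.4.1.2620.1.54.2.0 = STRING: HTTPS Inspection is on
.1.3.6.1.4.1.2620.1.54.3.1.0 = STRING: Enabled
.1.3.6.1.4.1.2620.1.54.3.2.0 = STRING: HSM is enabled for HTTPS inspection
.1.3.6.1.4.1.2620.1.54.3.3.0 = STRING: Accessible
.1.3.6.1.4.1.2620.1.54.3.4.0 = STRING: Gateway can access HSM partition for HTTPS inspection
.1.3.6.1.4.1.2620.1.54.3.5.0 = STRING: HSM on
.1.3.6.1.4.1.2620.1.54.3.6.0 = STRING: Outbound HTTPS inspection works with HSM'

# Constructed: the stale state the Note above describes (enabled in the file,
# but wstlsd started while HSM was disabled, so keys are still on the gateway).
WALK_STALE='.1.3.6.1.4.1.2620.1.54.1.0 = STRING: On
.1.3.6.1.4.1.2620.1.54.2.0 = STRING: HTTPS Inspection is on
.1.3.6.1.4.1.2620.1.54.3.1.0 = STRING: Enabled
.1.3.6.1.4.1.2620.1.54.3.2.0 = STRING: HSM is enabled for HTTPS inspection
.1.3.6.1.4.1.2620.1.54.3.3.0 = STRING: N/A
.1.3.6.1.4.1.2620.1.54.3.4.0 = STRING: HSM partition access cannot be checked
.1.3.6.1.4.1.2620.1.54.3.5.0 = STRING: HSM off
.1.3.6.1.4.1.2620.1.54.3.6.0 = STRING: Outbound HTTPS inspection works without HSM'

# Constructed: a trust or connectivity failure, which stops outbound inspection.
WALK_ERROR='.1.3.6.1.4.1.2620.1.54.1.0 = STRING: On
.1.3.6.1.4.1.2620.1.54.2.0 = STRING: HTTPS Inspection is on
.1.3.6.1.4.1.2620.1.54.3.1.0 = STRING: Enabled
.1.3.6.1.4.1.2620.1.54.3.2.0 = STRING: HSM is enabled for HTTPS inspection
.1.3.6.1.4.1.2620.1.54.3.3.0 = STRING: Not Accessible
.1.3.6.1.4.1.2620.1.54.3.4.0 = STRING: Gateway cannot access HSM partition for HTTPS inspection: There is no trust or no connectivity with HSM server
.1.3.6.1.4.1.2620.1.54.3.5.0 = STRING: HSM error
.1.3.6.1.4.1.2620.1.54.3.6.0 = STRING: Outbound HTTPS inspection is off due to HSM error: There is no trust or no connectivity with HSM server'

# Demonstration on the three constructed walks.
for _w in "$WALK_HEALTHY" "$WALK_STALE" "$WALK_ERROR"; do hsm_verdict "$_w"; done
```

On a gateway or from a poller, feed it a live walk in numeric form, for example hsm_verdict "$(snmpwalk -On -v 2c -c <community> <gateway> 1.3.6.1.4.1.2620.1.54)"; because -On prints numeric OIDs, the -m option for chkpnt.mib is not needed. The example above uses the community "public" for illustration; use the community configured as described in sk90860.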

cpstat https_inspection

You can see the HTTPS Inspection status and the status of connection to the HSM Appliance Server using the cpstat https_inspection command on the Security Gateway.

Syntax:

cpstat -h

cpstat https_inspection -f {default | hsm_status | all}

Example outputs:

[Expert@GW:0]# cpstat https_inspection -f default

 

HTTPS inspection status (On/Off): On

HTTPS inspection status description: HTTPS Inspection is on

 

[Expert@GW:0]#

 

[Expert@GW:0]# cpstat https_inspection -f hsm_status

 

HSM enabled (Enabled/Disabled): Enabled

HSM enabled description: HSM is enabled for HTTPS inspection

HSM partition access (Accessible/Not Accessible): Accessible

HSM partition access description: Gateway can access to HSM partition for HTTPS inspection

Outbound status (HSM on/HSM off/HSM error): HSM on

Outbound status description: Outbound HTTPS inspection works with HSM

 

[Expert@GW:0]#

 

[Expert@GW:0]# cpstat https_inspection -f all

 

HTTPS inspection status (On/Off): On

HTTPS inspection status description: HTTPS Inspection is on

HSM enabled (Enabled/Disabled): Enabled

HSM enabled description: HSM is enabled for HTTPS inspection

HSM partition access (Accessible/Not Accessible): Accessible

HSM partition access description: Gateway can access to HSM partition for HTTPS inspection

Outbound status (HSM on/HSM off/HSM error): HSM on

Outbound status description: Outbound HTTPS inspection works with HSM

 

[Expert@GW:0]#

Explanation about HTTPS Inspection status:

Item: HTTPS inspection status (On/Off)

Returned string: On
Explanation: HTTPS Inspection feature is configured on the Security Gateway.

Returned string: Off
Explanation: HTTPS Inspection feature is not configured on the Security Gateway.

Explanation about HTTPS Inspection status description:

Item: HTTPS inspection status description

Returned string: HTTPS Inspection is on
Explanation: HTTPS Inspection feature is configured on the Security Gateway.

Returned string: HTTPS Inspection is off
Explanation: HTTPS Inspection feature is not configured on the Security Gateway.

Explanation about HSM configuration status:

Item: HSM enabled (Enabled/Disabled)

Returned string: Enabled
Explanation: The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.

Returned string: Disabled
Explanation: One of these:

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  • HSM Client software packages are not installed on the Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without the HSM Appliance Server, and SSL keys are stored on the Security Gateway.

Explanation about HSM configuration status description:

Item: HSM enabled description

Returned string: HSM is enabled for HTTPS inspection
Explanation: The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.

Returned string: HSM is disabled for HTTPS inspection
Explanation: One of these:

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  • HSM Client software packages are not installed on the Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without the HSM Appliance Server, and SSL keys are stored on the Security Gateway.

Explanation about HSM partition access status:

Item: HSM partition access (Accessible/Not Accessible)

Returned string: N/A
Explanation: The Security Gateway could not check access to its partition on the HSM Appliance Server.

Returned string: Accessible
Explanation: The Security Gateway was able to access its partition on the HSM Appliance Server.

Returned string: Not Accessible
Explanation: The Security Gateway was not able to access its partition on the HSM Appliance Server due to an error.

Important - In such case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.

Explanation about HSM partition access status description:

Item: HSM partition access description

Returned string: HSM partition access cannot be checked
Explanation: The Security Gateway could not check access to its partition on the HSM Appliance Server. Most probably because HSM configuration is disabled on the Security Gateway.

Returned string: Gateway can access HSM partition for HTTPS inspection
Explanation: The Security Gateway was able to access its partition on the HSM Appliance Server.

Returned string: Gateway cannot access HSM partition for HTTPS inspection: <error>

Possible errors are:

  • HSM configuration file is corrupted
  • Loading HSM library failed
  • There is no trust or no connectivity with HSM server
  • Login to HSM partition failed

Explanation: The Security Gateway was not able to access its partition on the HSM Appliance Server due to an error. All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  2. An error occurred.

Important - In such case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.

Explanation about Outbound HTTPS Inspection status:

Item: Outbound status (HSM on/HSM off/HSM error)

Returned string: HSM on
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  2. The Security Gateway was able to connect to the HSM Appliance Server.

Returned string: HSM off
Explanation: One of these:

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  • HSM Client software packages are not installed on the Security Gateway.
  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway.
  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.

Important - In such cases, outbound HTTPS Inspection works without the HSM Appliance Server, and SSL keys are stored on the Security Gateway.

Returned string: HSM error
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  2. An error occurred.

Important - In such case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.

Note - The conditions for the returned strings are calculated on the Security Gateway during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status (HSM on/HSM off/HSM error) = HSM off", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.

Explanation about Outbound HTTPS Inspection status description:

Item: Outbound status description

Returned string: Outbound HTTPS inspection works with HSM
Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  2. The Security Gateway was able to connect to the HSM Appliance Server.

Returned string: Outbound HTTPS inspection works without the HSM
Explanation: The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway, or this file does not exist.

Returned string: Outbound HTTPS inspection is off due to HSM error: <error>

Possible errors are:

  • HSM configuration file is corrupted
  • Loading HSM library failed
  • There is no trust or no connectivity with HSM server
  • Login to HSM partition failed
  • Error importing CA certificate from HSM server
  • Error generating key pair on HSM server

Explanation: All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  2. An error occurred.

Important - In such case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.

Note - The conditions for the returned strings are calculated on the Security Gateway during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status description = Outbound HTTPS inspection works without the HSM", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.