Working with Gemalto HSM (Previous Procedure)

Important - There are two different procedures to configure a Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.) to work with the Gemalto HSM Server:

Environment

Procedure to Follow

R80.40 with the Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 53 or higher

Working with Gemalto HSM (New Procedure)

R80.40, or

R80.40 with the Jumbo HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator Take lower than 53

Procedure below

Prerequisites

  1. R80.40 Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. (see sk160736).

  2. R80.40 Security Gateway or Cluster Members (see sk160736).

  3. Optional: R80.40 Jumbo Hotfix Accumulator Take lower than 53 (see Jumbo Hotfix Accumulator for R80.40).

Configuration Steps

Use the Gemalto configuration documents to configure the Gemalto HSM environment.

Step Instructions

1

Download this package:

Gemalto SafeNet HSM Help package

(007-011136-012_Net_HSM_6.2.2_Help_RevA)

Note - Software Subscription or Active Support plan is required to download this package.

2

Use a Windows-based computer.

3

Extract the Gemalto HSM Help package to some folder.

4

Open the extracted Gemalto HSM Help folder.

5

Double-click the START_HERE.html file.

The Gemalto SafeNet Network HSM 6.2.2 Product Documentation opens.

Use the Gemalto Help documents to install and configure the Gemalto HSM Appliance Server.

Step Instructions

1

Install the Gemalto HSM Appliance.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet Network HSM Hardware Installation.

2

Do the initial configuration of the Gemalto HSM Appliance and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > follow from [Step 1] to [Step 6].

3

In LunaSH, generate a new certificate for the Gemalto HSM Appliance Server (server.pem):

sysconf recenCert

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

4

Complete the configuration of the Gemalto HSM Appliance Server to work with the Check Point Security Gateway (Cluster):

  1. Set the applicable partition to be active and auto-activated.

    Run these commands in LunaSH:

    lunash:> partition showPolicies -partition <Partition Name>

    lunash:> partition changePolicy -partition <Partition Name> -policy 22 -value 1

    lunash:> partition changePolicy -partition <Partition Name> -policy 23 -value 1

    lunash:> partition showPolicies -partition <Partition Name>

    Note - If you do not set the partition to stay auto-activated, the partition does not stay activated when the machine is shut down for more than two hours.

  2. Disable the validation of the client source IP address by NTLS during an NTLA client connection.

    Run this command in LunaSH:

    lunash:> ntls ipcheck disable

    Note - This allows the HSM Server to accept traffic from Check Point Cluster Members that hide this traffic behind a Cluster VIP address, and from a Check Point Security Gateway hidden behind NAT.

You use the Gemalto HSM Client workstation to create a CA Certificate on the Gemalto HSM Server.

Check Point Security Gateway (Cluster Members) uses this CA Certificate for HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. to store and to access SSL keys on the Gemalto HSM Server.

Note - You can also use Check Point Security Gateway (Cluster Members) with the installed HSM Client package as an HSM Client workstation.
Step Instructions

1

Download this software package:

SafeNet HSM Client for Workstation

Note - Software Subscription or Active Support plan is required to download this package.

2

Install a Windows-based or Linux-based computer to use as a Gemalto HSM Client Workstation.

3

Install the HSM Client package on the computer:

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation.

4

Establish a Trust Link between the Gemalto HSM Client Workstation and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

On the Gemalto HSM Client Workstation, run in LunaCM:

lunacm:> clientconfig deploy -c <IP Address of HSM Client Workstation> -n <IP Address of HSM Server> -par <Partition Name> -pw <Partition Password>

Note - The configuration will not work on Linux OS with glibc version lower than 2.7 (for example: Red Hat 5 or lower, GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. R77.20 or lower). In such case, follow the instructions in Step 5 of 5 > Sub-Step 5-C: Establishing a Trust Link between the Security Gateway (Cluster Members) and the Gemalto HSM Appliance Server.
Step Instructions

1

On the Gemalto HSM Client workstation, open a command prompt or a terminal window.

2

Use the "cmu generatekeypair" command to create a key pair.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu generatekeypair.

Example:

# cd /usr/safenet/lunaclient/bin

# ./cmu generatekeypair -modulusBits=2048 -publicExponent=65537 -labelPublic="CAPublicKeyPairLabel" -labelPrivate="CAPrivateKeyPairLabel" -sign=T -verify=T

3

Enter the password for the partition on Gemalto HSM Server (you configured it in Step 2 of 5: Configuring the Gemalto HSM Appliance Server to Work with Security Gateway).

Example:

Enter a password for the token in slot 0:

4

Select the RSA mechanism by entering the corresponding number:

[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes

5

Examine the handles of the key pair you created.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu list.

# ./cmu list

Example output:

Enter password for token in slot 0 : <Password for the Partition>

handle=17      label=CAPrivateKeyPairLabel

handle=18      label=CAPublicKeyPairLabel

6

Use the handle numbers from the previous step to create the CA certificate.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu selfsigncertificate

Example:

# ./cmu selfsigncertificate -privatehandle=17 -CN="www.myhsm.cp" -sha1WithRSA -startDate 20190720 -endDate 20240101 -serialNum=123456789abcdef

7

Examine the handles of the CA certificate you created.

# ./cmu list

Example output:

Enter password for token in slot 0 : <Password for the Partition>

handle=13     label=www.myhsm.cp

handle=17     label=CAPrivateKeyPairLabel

handle=18     label=CAPublicKeyPairLabel

Important - You use the numbers of these three handles when you configure the $FWDIR/conf/hsm_configuration.C file on the Check Point Security Gateway (Cluster Members).

Important - In a Cluster, you must configure all the Cluster Members in the same way.

This step has four sub-steps.

Important:

Step Instructions

1

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., enable and configure the HTTPS Inspection.

See the R80.40 Security Management Administration Guide > Chapter HTTPS Inspection.

2

On the Security Gateway (every Cluster Member), disable the HSM in the $FWDIR/conf/hsm_configuration.C file.

  1. Connect to the command line.

  2. Log in to the Expert mode.

  3. Edit the file:

    vi $FWDIR/conf/hsm_configuration.C

  4. Configure the value "no" for the parameter "enabled":

    :enabled ("no")

  5. Save the changes in the file and exit the editor.

3

In SmartConsole, install the applicable Access Control Policy on the Security Gateway (Cluster).

4

Make sure that HTTPS Inspection works correctly without the HSM Server:

  1. From an internal computer, connect to any HTTPS web site.

  2. On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway (Cluster).

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Step

Instructions

1

Download this software package:

Gemalto SafeNet HSM Simplified Client for Check Point Gateway

Note - Software Subscription or Active Support plan is required to download this package.

2

Transfer the software package to the Check Point Security Gateway (every Cluster Member) to some directory.

3

Connect to the command line on the Check Point Security Gateway (every Cluster Member).

4

Log in to the Expert mode.

5

Go to the directory with the packages:

# cd /<Path>/<To>/<Directory>

6

Extract the packages:

# tar -xvf <Name of Package>.tar

7

Install these packages:

# rpm -Uvh configurator-6.2.2-4.i386.rpm

# rpm -Uvh libcryptoki-6.2.2-4.i386.rpm

# rpm -Uvh vtl-6.2.2-4.i386.rpm

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Notes:

  • For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation.

    For information about establishing a Trust Link, go to the Appliance Administration Guide > Configuration without One-step NTLS > [Step 7] Create a Network Trust Link Between the Client and the Appliance.

  • If it is necessary to establish new Trust Link, you have to delete the current Trust Link.

    See Deleting a Trust Link with the HSM Server.

Step

Instructions

1

Connect to the command line on the Check Point Security Gateway (every Cluster Member).

2

Log in to the Expert mode.

3

Go to the SafeNet HSM Simplified Client installation directory:

# cd /usr/safenet/lunaclient/bin/

4

Import the HSM Appliance Server certificate (server.pem) from the HSM Appliance to the Security Gateway (Cluster Member):

Important - The period at the end is part of the syntax.

# scp admin@<IP Address of HSM Appliance>:server.pem .

5

Register the HSM Appliance Server certificate (server.pem) on the Security Gateway (Cluster Member):

# ./vtl addServer -n <IP Address of HSM Appliance> -c server.pem

6

Create a certificate and private key for the Check PointSecurity Gateway (Cluster Member):

# ./vtl createCert -n <IP Address of CP Gateway>

Notes:

  • Use the IP address of the interface that connects to the HSM Appliance.

    In a Check Point Cluster, use the IP address of the Cluster Member, and not the Cluster Virtual IP address.

  • The private key file is created and written to:

    /usr/safenet/lunaclient/cert/client/<IP Address of CP Gateway (Cluster Member)>Key.pem

  • The certificate file is created and written to:

    /usr/safenet/lunaclient/cert/client/<IP Address of CP Gateway (Cluster Member)>.pem

7

Transfer the certificate file that you created from the Security Gateway (Cluster Member) to the HSM Appliance:

Important - The colon at the end is part of the syntax.

# scp <IP Address of CP Gateway (Cluster Member)>.pem admin@<IP Address of HSM Appliance>:

8

Connect to the command line on the HSM Appliance and log in to LunaSH.

9

Register the Check Point Security Gateway (every Cluster Member) on the HSM Appliance Server:

lunash:> client register -client <Desired Name of HSM Client> -ip <IP Address of CP Gateway (Cluster Member)>

10

Restart the Network Trust Link service:

lunash:> service restart ntls

11

Confirm the Check Point Security Gateway (Cluster Member) registration as a trusted HSM client:

lunash:> client list

12

Assign the Check Point Security Gateway (Cluster Member) to the applicable partition:

lunash:> client assignPartition -client <Configured Name of HSM Client> -partition <Partition Name>

13

Examine the partition access:

lunash:> client show -client <Configured Name of HSM Client>

14

On the Check Point Security Gateway (every Cluster Member), examine the access to its partition on the HSM Appliance Server :

# ./vtl verify

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Notes:

  • After you apply the HSM configuration for the first time, you can get an HSM connection error.

    Most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.

    In this case:

    1. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.

      In a VSX environment, run this command in the context of the problematic VSX Virtual System.

    2. When you see "HSM on" on the screen, continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.

  • After any change in the $FWDIR/conf/hsm_configuration.C file, you must fetch the local policy (with the "fw fetch local" command) or install the policy on the Security Gateway (Cluster, VSX Virtual System) in SmartConsole.

  • If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway (Cluster, VSX Virtual System) cannotaccess HTTPS web sites.

    In addition, see Disabling Communication from the Security Gateway to the HSM Server.
Step Instructions

1

Connect to the command line on the Security Gateway (every Cluster Member).

2

Log in to the Expert mode.

3

Back up the $FWDIR/conf/hsm_configuration.C file:

cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

4

Edit the $FWDIR/conf/hsm_configuration.C file:

vi $FWDIR/conf/hsm_configuration.C

5

Configure the required values for these attributes:

(

:enabled ("yes")

:CA_cert_public_key_handle (<Number of "Public" Handle for CA certificate>)

:CA_cert_private_key_handle (<Number of "Private" Handle for CA certificate>)

:CA_cert_buffer_handle (<Number of Handle for CA certificate>)

:token_id ("<Password for Partition on Gemalto HSM Server>")

)

 

Notes:

Example:

(

:enabled ("yes")

:CA_cert_public_key_handle (17)

:CA_cert_private_key_handle (18)

:CA_cert_buffer_handle (13)

:token_id ("p@ssw0rd")

)

6

Fetch the local policy:

fw fetch local

7

Make sure that the Security Gateway (every Cluster Member) can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.

Run this command:

cpstat https_inspection -f all

The output must show:

  • HSM partition access (Accessible/Not Accessible): Accessible

  • Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see Monitoring HTTPS Inspection with HSM in CLI.

8

Make that HTTPS Inspection is activated successfully on the outbound traffic:

  1. From an internal computer, connect to any HTTPS web site.

  2. On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.

Additional Actions for a Gemalto HSM Server

If it is necessary to establish new Trust Link between a Check Point Security Gateway and an HSM Server, you have to delete the current Trust Link.

Use Case: When you replace or reconfigure a Check Point Security Gateway, or an HSM Server.

Step Instructions

1

Delete the current Trust Link on the Check Point Security Gateway (every Cluster Member):

  1. Connect to the command line.

  2. Log in to the Expert mode.

  3. Go to the SafeNet HSM Simplified Client installation directory:

    cd /usr/safenet/lunaclient/bin/

  4. Delete the current Trust Link:

    ./vtl deleteServer -n <IP Address of HSM Server>

2

Delete the current Trust Link on the HSM Appliance:

  1. Connect to the HSM Appliance over SSH.

  2. Examine the list of configured HSM Client Workstations:

    lunash:> client list

  3. Delete the Check Point HSM Client Workstation:

    lunash:> client delete -client <Name of HSM Client>

Note - For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation.
Step Instructions

1

Connect to the HSM Appliance over SSH.

2

Examine all the configured interfaces:

lunash:> network show

3

Add a new interface:

lunash:> network interface -device <Name of Interface> -ip <IP Address> -netmask <NetMask> [-gateway <IP Address>]

4

Enable Network Trust Link Service (NTLS) on all the interfaces.

Note - For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation > LunaSH Command Reference Guide > LunaSH Commands.