Generic Workflow

This section contains generic workflows for an HSM environment.

Workflow for Configuring a Check Point Security Gateway to Work with HSM

Follow the steps below on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members that must work with an HSM.

Note - Instructions for specific HSM vendors are located in the corresponding sections.

Generic Step 1 of 3: Configure the HTTPS Inspection to work without the HSM Server

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment, you must perform this step in the context of each Virtual System (on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or each VSX Cluster Member Security Gateway that is part of a cluster.).

Step Instructions

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., configure the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi..

See the R80.40 Security Management Administration Guide > Chapter HTTPS Inspection.

On the Security Gateway / each Cluster Member, disable the HSM in the $FWDIR/conf/hsm_configuration.C file.

Connect to the command line.
Log in to the Expert mode.

Edit the file:

vi $FWDIR/conf/hsm_configuration.C

Configure the value "no" for the parameter "enabled":

:enabled ("no")

Save the changes in the file and exit the editor.

In SmartConsole, install the applicable Access Control Policy on the Security Gateway (Cluster).

Make sure that HTTPS Inspection works correctly without the HSM Server:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway (Cluster).

Generic Step 2 of 3: Install and configure the PKCS#11 library supplied by the HSM vendor

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
You must get the HSM Client package from the HSM vendor.

Step Instructions

Unpack and install the HSM Client package supplied by the HSM vendor.

Transfer the required PKCS#11 library file to the /usr/lib/hsm_client/ directory.

Important - For security reasons, only the root user has permissions to access this directory.

You must transfer the physical file into this directory. Do not create a symbolic link.

Transfer other tools or files supplied by the HSM vendor that are required to configure the PKCS#11 library.

Configure the required connection or trust between with the HSM Server.

Optional: Make sure there is a trusted link with the HSM Server that is based on the PKCS#11 library.

Note - Use the applicable tool supplied by the HSM vendor. You can also examine the trust with the Check Point command "cpstat").

Generic Step 3 of 3: Configure the HTTPS Inspection to work with the HSM Server for Outbound HTTPS Inspection

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of each Virtual System (on the VSX Gateway or each VSX Cluster Member).

Notes:

In this step, you configure the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / each Cluster Member.
After you apply the HSM configuration for the first time, you can get an HSM connection error.

Most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.

In this case:
1. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.
  
  In a VSX environment, run this command in the context of the problematic VSX Virtual System.
2. When you see "HSM on" on the screen, continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.
After any change in the $FWDIR/conf/hsm_configuration.C file, you must do one of these:
- Fetch the local policy with the "fw fetch local" command.
- In SmartConsole install the policy on the Security Gateway / Cluster / VSX Virtual System object.
If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway / Cluster / VSX Virtual System cannot access HTTPS web sites.

In addition, see Disabling Communication from the Security Gateway to the HSM Server.

Configuration steps:

Step Instructions

Connect to the command line on the Security Gateway / each Cluster Member.

Back up the $FWDIR/conf/hsm_configuration.C file.

Edit the $FWDIR/conf/hsm_configuration.C file.

Configure the required values for these attributes

(see the corresponding sections for HSM vendors):

Copy

(:enabled ("no") # "yes" / "no"
:hsm_vendor_name ("")
:lib_filename ("")
:CA_cert_public_key_handle (0)
:CA_cert_private_key_handle (0)
:CA_cert_buffer_handle (0)
:token_id ("")
)

Notes:

The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM), or "no" (to disable the HSM).
The ":hsm_vendor_name ()" attribute must contain the required name of the HSM vendor.
The ":lib_filename ()" attribute must contain the name of the PKCS#11 library of your HSM vendor (located in the /usr/lib/hsm_client/ directory).
The ":CA_cert_<XXX> ()" attributes must have the required values of handles.
The ":token_id ()" attribute must contain the password for the partition on the HSM Server.

Example:

Copy

(:enabled ("yes")
:hsm_vendor_name ("FutureX HSM")
:lib_filename ("libfxpkcs11.so")
:CA_cert_public_key_handle (2)
:CA_cert_private_key_handle (1)
:CA_cert_buffer_handle (3)
:token_id ("safest")
)

To apply the new configuration, restart all Check Point services with this command:

cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can cause a failover.

Make sure that the Security Gateway / each Cluster Member can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.

Run this command:

cpstat https_inspection -f all

The output must show:

HSM partition access (Accessible/Not Accessible): Accessible
Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see Monitoring HTTPS Inspection with HSM in CLI.

Make that HTTPS Inspection is activated successfully on the outbound traffic:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.

Workflow for Configuring an HSM Client Workstation

HSM Client workstation is an external computer, on which you install the HSM Client software of your HSM vendor.

HSM Client workstation can run on Windows, Linux, or other operating system, as required by the HSM vendor.

You use the HSM Client workstation to:

Create a CA Certificate on the HSM Server.

Check Point Security Gateways / Cluster Members use this CA Certificate for HTTPS Inspection when it needs to store and access SSL keys on the HSM Server.
Manage keys for a fake certificate created by the Check Point Security Gateway / Cluster Members.

Important - You must get the HSM Client package from the HSM vendor.