Generic Workflow for HSM
This section contains generic workflows for an HSM environment.
Workflow for Configuring a Check Point Security Gateway to Work with HSM
Follow the steps below on the Security Gateway / Cluster Members / Scalable Platform Security Group that must work with an HSM.
Terms used in this workflow:
- Security Gateway - Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
- Cluster - Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.
- Scalable Platform Security Group - A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.
Note - Instructions for specific HSM vendors are located in the corresponding sections.
Important:
Step | Instructions
---|---
1 | In SmartConsole: see the R81.10 Security Management Administration Guide > Chapter HTTPS Inspection.
2 | On the Security Gateway / each Cluster Member / Security Group, disable the HSM in the
3 | On the Security Gateway / each Cluster Member / Security Group, restart Check Point services:
4 | Make sure that HTTPS Inspection works correctly without the HSM Server:
Important:
Step | Instructions
---|---
1 | Unpack and install the HSM Client package supplied by the HSM vendor.
2 | Transfer the required PKCS#11 library file to the /usr/lib/hsm_client/ directory.
3 | Transfer other tools or files supplied by the HSM vendor that are required to configure the PKCS#11 library.
4 | Configure the required connection or trust with the HSM Server.
5 | Optional: Make sure there is a trusted link with the HSM Server that is based on the PKCS#11 library.
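One way to perform the optional check in step 5 before the Check Point side is configured: this added example (not from the Check Point guide or any HSM vendor) loads the PKCS#11 library placed under /usr/lib/hsm_client/ with ctypes, calls C_Initialize and lists the tokens the module can reach; a token label coming back means the client-side trust with the HSM Server works at the PKCS#11 level. The library file name in the usage line is an assumed placeholder; use the file name supplied by your HSM vendor.

```python
import ctypes
import os
CKR_OK = 0
CK_ULONG = ctypes.c_ulong

class CK_FUNCTION_LIST(ctypes.Structure):
    # Leading entries of CK_FUNCTION_LIST, in the order fixed by the PKCS#11 spec
    # (CK_VERSION is two bytes, then one function pointer per entry).
    _fields_ = [("version", ctypes.c_ubyte * 2)] + [(n, ctypes.c_void_p) for n in (
        "C_Initialize", "C_Finalize", "C_GetInfo", "C_GetFunctionList",
        "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo")]

FN_VOIDPTR = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)  # C_Initialize / C_Finalize
FN_SLOTS = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_ubyte, ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG))
FN_TOKEN = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, ctypes.c_void_p)

def probe_pkcs11_module(path):
    """Load a PKCS#11 module, initialise it and return {"ok", "error", "tokens": [labels]}."""
    result = {"ok": False, "error": "", "tokens": []}
    if not os.path.isfile(path):
        result["error"] = f"module not found: {path}"
        return result
    try:
        get_list = ctypes.CDLL(path).C_GetFunctionList
    except (OSError, AttributeError) as exc:
        result["error"] = f"not a loadable PKCS#11 module: {exc}"
        return result
    get_list.restype = CK_ULONG
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    if (rv := get_list(ctypes.byref(fl))) != CKR_OK:
        result["error"] = f"C_GetFunctionList failed: CKR 0x{rv:x}"
        return result
    f = fl.contents
    if (rv := FN_VOIDPTR(f.C_Initialize)(None)) != CKR_OK:
        result["error"] = f"C_Initialize failed: CKR 0x{rv:x} (check client config / trust with the HSM Server)"
        return result
    try:
        count = CK_ULONG(0)
        FN_SLOTS(f.C_GetSlotList)(1, None, ctypes.byref(count))  # tokenPresent=TRUE, size query
        slots = (CK_ULONG * max(count.value, 1))()
        FN_SLOTS(f.C_GetSlotList)(1, slots, ctypes.byref(count))
        for slot in slots[:count.value]:
            info = ctypes.create_string_buffer(512)  # CK_TOKEN_INFO; label is its first 32 bytes
            if FN_TOKEN(f.C_GetTokenInfo)(slot, info) == CKR_OK:
                result["tokens"].append(info.raw[:32].decode("ascii", "replace").rstrip())
        result["ok"] = bool(result["tokens"])
        if not result["ok"]:
            result["error"] = "module initialised, but no token is present (HSM Server unreachable?)"
    finally:
        FN_VOIDPTR(f.C_Finalize)(None)
    return result

if __name__ == "__main__":
    print(probe_pkcs11_module("/usr/lib/hsm_client/libpkcs11.so"))  # assumed file name
```

Run it as the same user that will run the Check Point services, so that file permissions and the vendor's client configuration are tested under the same conditions.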
Important:
Notes:
Configuration steps:
Step | Instructions
---|---
1 | Connect to the command line on the Security Gateway / each Cluster Member / Security Group.
2 | Log in to the Expert mode.
3 | Back up the
4 | Edit the
5 | Configure the required values for these attributes (see the corresponding sections for HSM vendors). Example:
6 | On the Scalable Platform Security Group, copy the file to all Security Group Members:
7 | To apply the new configuration, restart all Check Point services with this command:
8 | Make sure that the Security Gateway / each Cluster Member / Security Group can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic. The output must show: For more information, see Monitoring HTTPS Inspection with HSM in CLI.
9 | Make sure that HTTPS Inspection is activated successfully on the outbound traffic:
Workflow for Configuring an HSM Client Workstation
The HSM Client workstation is an external computer on which you install the HSM Client software of your HSM vendor.
The HSM Client workstation can run on Windows, Linux, or another operating system, as required by the HSM vendor.
You use the HSM Client workstation to:
- Create a CA Certificate on the HSM Server. Check Point Security Gateways / Cluster Members / Security Groups use this CA Certificate for HTTPS Inspection when they need to store and access SSL keys on the HSM Server.
- Manage keys for a fake certificate created by the Check Point Security Gateway / Cluster Members / Security Group.
Important - You must get the HSM Client package from the HSM vendor.