Generic Workflow for HSM

This section contains generic workflows for an HSM environment.

Workflow for Configuring a Check Point Security Gateway to Work with HSM

Follow the steps below on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members / Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. that must work with an HSM.

Note - Instructions for specific HSM vendors are located in the corresponding sections.

Generic Step 1 of 3: Configure the HTTPS Inspection to work without the HSM Server

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment, you must perform this step in the context of each Virtual System (on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or each VSX Cluster Member Security Gateway that is part of a cluster.).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Step Instructions

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., configure the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi..

See the R81.10 Security Management Administration Guide > Chapter HTTPS Inspection.

On the Security Gateway / each Cluster Member / Security Group, disable the HSM in the $FWDIR/conf/hsm_configuration.C file:

Connect to the command line.
Log in to the Expert mode.

Edit the file:

vi $FWDIR/conf/hsm_configuration.C

Configure the value "no" for the parameter "enabled":

:enabled ("no")

Save the changes in the file and exit the editor.

On the Scalable Platform Security Group, copy the file to all Security Group Members Member of a Security Group in ElasticXL Cluster, Maestro, and Scalable Chassis. Acronym: SGM.:

asg_cp2blades $FWDIR/conf/hsm_configuration.C

On the Security Gateway / each Cluster Member / Security Group, restart Check Point services:

cprestart

Important - Traffic does not flow through until the services start.

Make sure that HTTPS Inspection works correctly without the HSM Server:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway / Cluster.

Generic Step 2 of 3: Install and configure the PKCS#11 library supplied by the HSM vendor

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.
You must get the HSM Client package from the HSM vendor.

Step Instructions

Unpack and install the HSM Client package supplied by the HSM vendor.

Transfer the required PKCS#11 library file to the /usr/lib/hsm_client/ directory.

Important - For security reasons, only the root user has permissions to access this directory.

You must transfer the physical file into this directory. Do not create a symbolic link.

Transfer other tools or files supplied by the HSM vendor that are required to configure the PKCS#11 library.

Configure the required connection or trust between with the HSM Server.

Optional: Make sure there is a trusted link with the HSM Server that is based on the PKCS#11 library.

Note - Use the applicable tool supplied by the HSM vendor. You can also examine the trust with the Check Point command "cpstat").

Generic Step 3 of 3: Configure the HTTPS Inspection to work with the HSM Server for Outbound HTTPS Inspection

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of each Virtual System (on the VSX Gateway / each VSX Cluster Member / Security Group).

Notes:

In this step, you configure the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / each Cluster Member/ Security Group.
After you apply the HSM configuration for the first time, you can get an HSM connection error.

Most common scenario is when you configure several Security Gateways / Cluster Members / Security Groups to use the same HSM Server, and they access it at the same time.

In this case:
1. Run the "cprestart" command on the Security Gateway / Cluster Member / Security Group that has an HSM connection issue.
  
  In a VSX environment, run this command in the context of the problematic VSX Virtual System.
2. When you see "HSM on" on the screen, continue to configure the next Security Gateway / Cluster Member / Security Group / VSX Virtual System.
After any change in the $FWDIR/conf/hsm_configuration.C file, you must do one of these:
- Fetch the local policy with the "fw fetch local" command.
- In SmartConsole install the policy on the Security Gateway / Cluster / Security Group / VSX Virtual System object.
If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway / Cluster / Security Group / VSX Virtual System cannot access HTTPS web sites.

In addition, see Disabling Communication from the Security Gateway to the HSM Server.

Configuration steps:

Step Instructions

Connect to the command line on the Security Gateway / each Cluster Member / Security Group.

Back up the $FWDIR/conf/hsm_configuration.C file.

On the Security Gateway / each Cluster Member, run:

cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

On the Scalable Platform Security Group, run:

g_cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

Edit the $FWDIR/conf/hsm_configuration.C file:

vi $FWDIR/conf/hsm_configuration.C

Configure the required values for these attributes

(see the corresponding sections for HSM vendors):

Copy

(:enabled ("no") # "yes" / "no"
:hsm_vendor_name ("")
:lib_filename ("")
:CA_cert_public_key_handle (0)
:CA_cert_private_key_handle (0)
:CA_cert_buffer_handle (0)
:token_id ("")
)

Notes:

The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM), or "no" (to disable the HSM).
The ":hsm_vendor_name ()" attribute must contain the required name of the HSM vendor.
The ":lib_filename ()" attribute must contain the name of the PKCS#11 library of your HSM vendor (located in the /usr/lib/hsm_client/ directory).
The ":CA_cert_<XXX> ()" attributes must have the required values of handles.
The ":token_id ()" attribute must contain the password for the partition on the HSM Server.

Example:

Copy

(:enabled ("yes")
:hsm_vendor_name ("FutureX HSM")
:lib_filename ("libfxpkcs11.so")
:CA_cert_public_key_handle (2)
:CA_cert_private_key_handle (1)
:CA_cert_buffer_handle (3)
:token_id ("safest")
)

On the Scalable Platform Security Group, copy the file to all Security Group Members:

asg_cp2blades $FWDIR/conf/hsm_configuration.C

To apply the new configuration, restart all Check Point services with this command:

cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can cause a failover.

Make sure that the Security Gateway / each Cluster Member / Security Group can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.

On the Security Gateway / each Cluster Member, run:

cpstat https_inspection -f all

On the Scalable Platform Security Group, run:

g_all cpstat https_inspection -f all

The output must show:

HSM partition access (Accessible/Not Accessible): Accessible
Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see Monitoring HTTPS Inspection with HSM in CLI.

Make that HTTPS Inspection is activated successfully on the outbound traffic:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.

Workflow for Configuring an HSM Client Workstation

HSM Client workstation is an external computer, on which you install the HSM Client software of your HSM vendor.

HSM Client workstation can run on Windows, Linux, or other operating system, as required by the HSM vendor.

You use the HSM Client workstation to:

Create a CA Certificate on the HSM Server.

Check Point Security Gateways / Cluster Members / Security Groups use this CA Certificate for HTTPS Inspection when it needs to store and access SSL keys on the HSM Server.
Manage keys for a fake certificate created by the Check Point Security Gateway / Cluster Members / Security Group.

Important - You must get the HSM Client package from the HSM vendor.