Working with FutureX HSM

Use this workflow to configure a Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / ClusterXL / Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to work with the FutureX HSM Server.

Prerequisites

FutureX Software Packages

The FutureX vendor supplies all these packages.

Package	Files	Description
FutureX PKCS11 Library	`fxpkcs11-windows-4.20-4afd.zip` `fxpkcs11-redhat-4.20-4afd.tar` `fxpkcs11-linux-4.20-4afd.tar` `fxpkcs11-mac-4.20-4afd.tar`	Contains the FutureX PKCS #11 Library. Install on the: FutureX HSM Client Workstation Check Point Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Scalable Platform Security Group.
FutureX CLI Utility	`fxcl-hsm-windows-1.2.4.2-37a8.zip` `fxcl-hsm-redhat-1.2.4.2-37a8.tar` `fxcl-hsm-linux-1.2.4.2-37a8.tar` `fxcl-hsm-mac-1.2.4.2-37a8.tar` `fxcli-hsm-commands.txt`	Contains the FutureX CLI Utility to manage keys and certificates. Install on the FutureX HSM Client Workstation.
FutureX Certificates		FutureX certificates for trust between the FutureX HSM Client Workstation and the FutureX HSM Server.

Package

Files

Description

FutureX PKCS11 Library

fxpkcs11-windows-4.20-4afd.zip
fxpkcs11-redhat-4.20-4afd.tar
fxpkcs11-linux-4.20-4afd.tar
fxpkcs11-mac-4.20-4afd.tar

Contains the FutureX PKCS #11 Library.

Install on the:

FutureX HSM Client Workstation
Check Point Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Scalable Platform Security Group.

FutureX CLI Utility

fxcl-hsm-windows-1.2.4.2-37a8.zip
fxcl-hsm-redhat-1.2.4.2-37a8.tar
fxcl-hsm-linux-1.2.4.2-37a8.tar
fxcl-hsm-mac-1.2.4.2-37a8.tar
fxcli-hsm-commands.txt

Contains the FutureX CLI Utility to manage keys and certificates.

Install on the FutureX HSM Client Workstation.

FutureX Certificates

FutureX certificates for trust between the FutureX HSM Client Workstation and the FutureX HSM Server.

Configuration Steps

Use this workflow to configure a Check Point Security Gateway / ClusterXL / Scalable Platform Security Group to work with the FutureX HSM Server.

Important - Before you do the steps described below, read the FutureX integration guide.

Step 1 of 3: Configuring the FutureX HSM Client Workstation

You use the FutureX HSM Client Workstation to:

Create a CA Certificate on the FutureX HSM Server.

The Check Point Security Gateway / ClusterXL / Scalable Platform Security Group uses this CA Certificate for HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. to store and access SSL keys on the FutureX HSM Server.
Manage keys for fake certificate the Check Point Security Gateway / ClusterXL / Scalable Platform Security Group created.

Step Instructions

Install a computer to use as a FutureX HSM Client Workstation.

Get the applicable HSM Client package from the FutureX vendor.

A FutureX HSM Client Workstation can run these operating systems (for more information, contact the FutureX vendor):

Windows (contact FutureX vendor to download and install the “FXTools” package from the FutureX portal).
Red Hat Linux
Ubuntu Linux
Debian Linux
macOS

Transfer the applicable FutureX PKCS #11 Library package to the FutureX HSM Client Workstation.

For Windows OS:

fxpkcs11-windows-<BUILD>.zip
For Red Hat Linux OS:

fxpkcs11-redhat-<BUILD>.tar
For Ubuntu and Debian Linux OS:

fxpkcs11-linux-<BUILD>.tar
For macOS:

fxpkcs11-mac-<BUILD>.tar

Important - Make sure to transfer the file in the binary mode.

Extract the contents of the FutureX PKCS #11 Library package to some directory on the FutureX HSM Client Workstation.

In the instructions below, we show this directory as: <PKCS#11 Dir>.

Important:

The FutureX PKCS #11 Library package (fxpkcs11-<OS>-<BUILD>) contains the nested directory called "fxpkcs11".

You must extract the contents of this nested directory "fxpkcs11" into the <PKCS#11 Dir> directory.
The nested directory "fxpkcs11" contains the nested directories called "x64" (for 64-bit OS) and "x86" (for 32-bit OS).

You must extract the contents of the applicable nested directory "x64" or "x86" into the <PKCS#11 Dir> directory.

Transfer the certificates you received from the FutureX vendor to some directory on the FutureX HSM Client Workstation.

Prepare the HSM Client to work with the PKCS#11 manager:

On a Linux-based HSM Client, install the OpenSSL package:

On Ubuntu and Debian Linux, run:

sudo apt-get install openssl

On Red Hat Linux, run:

sudo yum install openssl

Make sure this FutureX PKCS #11 Library file is located in the <PKCS#11 Dir> directory:

On Linux OS:

libfxpkcs11.so

On Windows OS:

fxpkcs11.dll

Make sure the configuration file fxpkcs11.cfg is located in the applicable directory:
- On Linux OS:
  
  Transfer this file from the <PKCS#11 Dir> directory to the /etc/ directory
  
  (you must edit the copied file in the /etc/ directory).
- On Windows OS:
  
  Keep this file in the <PKCS#11 Dir> directory.
Configure these settings in the file fxpkcs11.cfg:
- <LOG-FILE>
  
  Set the path to the log file in this attribute.
- <ADDRESS>
  
  Set the IP address of the FutureX HSM Server in this attribute.
- <PROD-PORT>
  
  Set the port on the FutureX HSM Server in this attribute.
  
  You can use the default port 9100, or configure a different port.
  
  If you use a Cloud FutureX HSM, get the port number from the FutureX Support.
Additional related attributes:
- <PROD-TLS-CA>
  
  Contains the path to the Certificate Authority certificate file.
  
  This attribute can appear multiple times.
  
  You can put all the certificates of the CA chain.
- <PROD-TLS-CERT>
  
  Contains the path to the client certificate file.
- <PROD-TLS-KEY>
  
  Contains the path to the client private key file.

Test the PKCS#11 Library:

To test the configuration, run the tool configTest from the <PKCS#11 Dir> directory.
To manage keys, run the tool PKCS11Manager from the <PKCS#11 Dir> directory.
Examine the log file you configured in the <LOG-FILE> attribute in the fxpkcs11.cfg file.

Important - If you have problems with the location of the configuration file or the PKCS #11 Library file, you can set these environmental variables:

FXPKCS11_CFG to contain the full path to the configuration file fxpkcs11.cfg
FXPKCS11_MODULE to contain the full path to the PKCS #11 Library file

To set an environmental variable:

On Linux OS, use this command:

export VARIABLE=VALUE

Example:

export FXPKCS11_CFG=/home/user/fxpkcs11.cfg
On Windows OS, use this command:

set VARIABLE=VALUE

Example:

set FXPKCS11_CFG=C:\Users\Futurex\Desktop\fxpkcs11.cfg

For more information about the configuration of PKCS#11 on the FutureX HSM Client Workstation:

Log in to the FutureX portal.
Go to:

DEVELOPER DOCUMENTATION >

GENERAL PURPOSE >

General Purpose Technical Reference >

PKCS #11 Technical Reference

Transfer the applicable FutureX CLI Utility package to the FutureX HSM Client Workstation.

For Windows OS:

fxcl-hsm-windows-<BUILD>.zip
For Red Hat Linux OS:

fxcl-hsm-redhat-<BUILD>.tar
For Ubuntu and Debian Linux OS:

fxcl-hsm-linux-<BUILD>.tar
For macOS:

fxcl-hsm-mac-<BUILD>.tar

Important - Make sure to transfer the file in the binary mode.

Extract the contents of the FutureX CLI Utility package to some directory on the FutureX HSM Client Workstation.

In the instructions below, we show this directory as: <CLI Dir>.

Important:

The FutureX CLI Utility package (fxcl-hsm-<OS>-<BUILD>) contains the nested directory called "fxcl".
The nested directory fxcl contains the nested directories called "x64" (for 64-bit OS) and "x86" (for 32-bit OS).
The nested directories x64 and x86 contain the nested directories called "OpenSSL-1.0.x" and "OpenSSL-1.1.x".

You must extract the contents of the applicable nested directory "OpenSSL-1.0.x" or "OpenSSL-1.1.x" into the <CLI Dir> directory.

Administrator decides, which version of the OpenSSL to use (for more information, contact the FutureX vendor).

Transfer these certificates to the <CLI Dir> directory on the FutureX HSM Client Workstation:

The Client certificate (denoted below as <Client Certificate>)
The CA certificate (denoted below as <CA Certificate>)

Establish a connection between the FutureX HSM Client and the FutureX HSM Server:

Go to the <CLI Dir> directory.

Start the shell:

fxcli-hsm

Run these commands in the order they are listed:

tls pki -f <Client Certificate> -p safest

tls ca -f <CA Certificate>

connect tcp -c <IP Address of URL of HSM Server>:<Port on HSM Server>

login user -u <Username> -p <Password (default is "safest")>

exit

You can use these tools on the FutureX HSM Client Workstation to manage keys and certificates that are stored on the FutureX HSM Server:

PKCS11Manager
- Run this command from the <PKCS#11 Dir> directory.
- This tool can create keys and browse the content of the HSM partition (that stores keys and certificates).
- Follow the tool's menu to see the available options.
fxcli-hsm
- Run this command from the <CLI Dir> directory.
- To see all available commands in this shell, run: help
- To see all available options for a command in this shell, either run only the command, or the command with the "-h" option.

Step 2 of 3: Creating the CA Certificate on the FutureX HSM Server

Step Instructions

On the FutureX HSM Client Workstation, open the FutureX CLI utility.

Get the list of available slots.

Run one of these commands:

keytable list

keytable reload

Generate the key pair for the CA certificate:

generate -a rsa -b 2048 --slot <Slot or Label of CA Certificate> --name <Name of CA Certificate Private Key File> --tpk-slot <Slot or Label of CA Certificate Public Key> --tpk-name <Name of CA Certificate Public Key File> -u sign,verify

Example:

generate -a RSA -b 2048 --slot 0 --name CAPrivateKey --tpk-slot 1 --tpk-name CAPublicKey -u sign,verify

Important - Do not use the "... slot next" option, because it can override keys for a fake certificate the Check Point Security Gateway / ClusterXL / Scalable Platform Security Group created.

Generate the CA certificate:

x509 sign --private-slot <Slot or Label of Private Key> --dn "<Distinguished Name of CA Certificate>" --ca 1 --key-usage DigitalSignature --key-usage CrlSign --key-usage KeyCertSign --save-slot <Slot to Save the CA Certificate> --save-name <Label of CA Certificate File> -o <Full Path and Name of CA Certificate File>.cer --validity-period '<Period>'

Example:

x509 sign --private-slot 0 --dn "CN=www.futurexhsm.cp" --ca 1 --key-usage DigitalSignature --key-usage KeyCertSign --key-usage CrlSign --save-slot 2 --save-name CACert -o Z:\FutureXhsm.cer --validity-period '5 years'

Important - Do not use the "... slot next" option, because it can override keys for a fake certificate the Check Point Security Gateway / ClusterXL / Scalable Platform Security Group created.

Get the list of slots used for the CA certificate and CA certificate's key pair.

Run one of these commands:

keytable list

keytable reload

Note - The command "keytable list" shows the slot numbers as the PKCS#11 handles plus one. For example, it shows slot 0 as handle 1, slot 1 as handle 2, and so on.

Write down the handles of the:

CA certificate
CA certificate public key
CA certificate private key

Example:

CAPublicKey (1)

CAPrivateKey (2)

CACert (3)

Important - You use the numbers of these three handles when you configure the $FWDIR/conf/hsm_configuration.C file on the Check Point Security Gateway / ClusterXL / Scalable Platform Security Group.

Step 3 of 3: Configuring the Security Gateway to Work with the FutureX HSM Server

This step has four sub-steps.

Sub-Step 3-A: Configuring HTTPS Inspection on the Security Gateway / Cluster Members / Security Group to work without the FutureX HSM Server

Important:

In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
In a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment, you must perform this step in the context of each Virtual System (on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or each VSX Cluster Member).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Step Instructions

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., configure the HTTPS Inspection.

See the R81.20 Security Management Administration Guide > Chapter HTTPS Inspection.

On the Security Gateway / each Cluster Member / Security Group, disable the HSM in the $FWDIR/conf/hsm_configuration.C file.

Connect to the command line.
Log in to the Expert mode.

Edit the file:

vi $FWDIR/conf/hsm_configuration.C

Configure the value "no" for the parameter "enabled":

:enabled ("no")

Save the changes in the file and exit the editor.

On the Scalable Platform Security Group, you must copy the updated file to all Security Group Members:

asg_cp2blades $FWDIR/conf/hsm_configuration.C

In SmartConsole, install the applicable Access Control Policy on the Security Gateway / ClusterXL object.

Make sure that HTTPS Inspection works correctly without the HSM Server:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway / ClusterXL / Security Group.

Sub-Step 3-B: Installing the required software packages on the Security Gateway / Cluster Members / Security Group)

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Step Instructions

Transfer the FutureX PKCS #11 binary files to the Security Gateway / each Cluster Member / Scalable Platform Security Group:

Open the FutureX PKCS#11 Library package on your computer.
Go to this folder:

fxpkcs11-linux-<BUILD> > fxpkcs11 > x86 > OpenSSL-1.1.x
Transfer these files to the Security Gateway / each Cluster Member / Security Group to the /usr/lib/hsm_client/ directory:
- libfxpkcs11.so
- configTest
Important - Make sure to transfer the files in the binary mode.

On the Scalable Platform Security Group, you must copy these files to all Security Group Members:

asg_cp2blades /usr/lib/hsm_client/libfxpkcs11.so

asg_cp2blades /usr/lib/hsm_client/configTest

Transfer the FutureX PKCS #11 configuration file to the Security Gateway / each Cluster Member / Scalable Platform Security Group:

Open the FutureX PKCS#11 Library package on your computer.
Go to this folder:

fxpkcs11-linux-<BUILD> > fxpkcs11
Transfer this file to the Security Gateway / each Cluster Member / Scalable Platform Security Group to the /etc/ directory:

fxpkcs11.cfg

On the Scalable Platform Security Group, you must copy this file to all Security Group Members:

asg_cp2blades /usr/lib/hsm_client/fxpkcs11.cfg

Sub-Step 3-C: Configuring a connection between the Security Gateway / Cluster Members / Security Group and the FutureX HSM Server

To establish a connection between a Check Point Security Gateway (HSM client) to a FutureX HSM server, you must create certificate files for the TLS authentication between the Check Point Security Gateway and the FutureX HSM server. These are the options to create the required certificate files:

Create the certificates on the HSM (the most common method).
Get the certificates from the FutureX vendor.
Enabling the "Anonymous" setting on the HSM server, so that mutual authentication is not required (see the FutureX Integration Guide).

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Step Instructions

Transfer the FutureX certificate files you received from the FutureX vendor to the Security Gateway / each Cluster Member / Scalable Platform Security Group to the /usr/futurex/ directory.

On the Scalable Platform Security Group, you must copy these certificate files to all Security Group Members:

asg_cp2blades /usr/futurex/<Name of Certificate File>

Connect to the command line on the Security Gateway / each Cluster Member / Security Group.

Back up the configuration file /etc/fxpkcs11.cfg:

On the Security Gateway / each Cluster Member, run:

cp -v /etc/fxpkcs11.cfg{,_BKP}

On the Scalable Platform Security Group, run:

g_cp -v /etc/fxpkcs11.cfg{,_BKP}

Edit the configuration file /etc/fxpkcs11.cfg:

vi /etc/fxpkcs11.cfg

Configure these attribute values:

Attribute	Attribute Value
<LOG-FILE>	`/var/log/fxpkcs11.log`
<ADDRESS>	The IP address (or URL) of the FutureX HSM Server.
<PROD-PORT>	The port on the FutureX HSM Server. You can use the default port 9100, or configure a different port.
<PROD-TLS-CA>	The path to the Certificate Authority certificate file. This attribute can appear multiple times.
<PROD-TLS-CERT>	The path to the client certificate file.
<PROD-TLS-KEY>	The path to the client private key file.

Save the changes in the file and exit the editor.

On the Scalable Platform Security Group, you must copy the updated file to all Security Group Members:

asg_cp2blades /etc/fxpkcs11.cfg

Create the required symbolic link:

On the Security Gateway / each Cluster Member, run:

ln -s /var/log/fxpkcs11.log /tmp/fxpkcs11.log

On the Scalable Platform Security Group, run:

g_all ln -s /var/log/fxpkcs11.log /tmp/fxpkcs11.log

Sub-Step 3-D: Configuring HTTPS Inspection on the Security Gateway / Cluster Members / Security Group to work with the FutureX HSM Server

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Notes:

After you apply the HSM configuration for the first time, you can get an HSM connection error.

Most common scenario is when you configure several Security Gateways / Cluster Members / Scalable Platform Security Groups to use the same HSM Server, and they access it at the same time.

In this case:
1. Run the "fw fetch local" command on the Security Gateway / each Cluster Member / Security Group that has an HSM connection issue.
  
  In a VSX environment, run this command in the context of the problematic VSX Virtual System.
2. When you see "HSM on" on the screen, continue to configure the next Security Gateway, Cluster Member, Security Group, or VSX Virtual System.
After any change in the $FWDIR/conf/hsm_configuration.C file, you must do one of these:
- Fetch the local policy with the "fw fetch local" command
- In SmartConsole, install the policy on the Security Gateway / ClusterXL / VSX Virtual System object.
If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway / ClusterXL / VSX Virtual System cannot access HTTPS web sites.

In addition, see Disabling Communication from the Security Gateway to the HSM Server.

Step Instructions

Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

Back up the $FWDIR/conf/hsm_configuration.C file:

On the Security Gateway / each Cluster Member, run:

cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

On the Scalable Platform Security Group, run:

g_cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

Edit the $FWDIR/conf/hsm_configuration.C file:

vi $FWDIR/conf/hsm_configuration.C

Configure the required values for these attributes:

(

:enabled ("yes")

:hsm_vendor_name ("FutureX HSM")

:lib_filename ("")

:CA_cert_public_key_handle (<Number of "CAPublicKey" Handle for CA certificate>)

:CA_cert_private_key_handle (<Number of "CAPrivateKey" Handle for CA certificate>)

:CA_cert_buffer_handle (<Number of "CACert" Handle for CA certificate>)

:token_id ("<Password for Partition on FutureX HSM Server>")

)

Notes:

The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM), or "no" (to disable the HSM).
The ":hsm_vendor_name ()" attribute must contain the string "FutureX HSM".
The ":lib_filename ()" attribute must contain the full path to the file libfxpkcs11.so (from the FutureX PKCS #11 Library) on the Security Gateway / each Cluster Member / Security Group

You must configure this full path explicitly, if this file is not located at the default path: /usr/lib/libfxpkcs11.so
The ":CA_cert_<XXX> ()" attributes must have the required values of handles from the output of the "keytable" command on the FutureX HSM Server.

See Step 2 of 3: Creating the CA Certificate on the FutureX HSM Server.
The ":token_id ()" attribute must have the contain the password for the partition on the FutureX HSM Server.

Example:

Copy

(:enabled ("yes")
:hsm_vendor_name ("FutureX HSM")
:lib_filename ("")
:CA_cert_public_key_handle (1)
:CA_cert_private_key_handle (2)
:CA_cert_buffer_handle (3)
:token_id ("p@ssw0rd")
)

Apply the new configuration.

If you explicitly defined (or changed) the value of the ":hsm_vendor_name ()" attribute to the string "FutureX HSM", then restart all Check Point services with this command:

On the Security Gateway / each Cluster Member, run:

cprestart

On the Scalable Platform Security Group, run:

g_all cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can cause a failover.

If the value of the ":hsm_vendor_name ()" attribute already contained the string "FutureX HSM", then fetch the local policy with this command:

On the Security Gateway / each Cluster Member, run:

fw fetch local

On the Scalable Platform Security Group, run:

g_fw fetch local

Make sure that the Security Gateway / each Cluster Member / Security Group can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.

Run this command:

On the Security Gateway / each Cluster Member, run:

cpstat https_inspection -f all

On the Scalable Platform Security Group, run:

g_all cpstat https_inspection -f all

The output must show:

HSM partition access (Accessible/Not Accessible): Accessible
Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see Monitoring HTTPS Inspection with HSM in CLI.

Make that HTTPS Inspection is activated successfully on the outbound traffic:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.

Note - If there is a connectivity issue from the Check Point Security Gateway / Cluster Member / Security Group to the FutureX HSM Server, then perform these steps on the Security Gateway / Cluster Member / Security Group:

Examine the /var/log/fxpkcs11.log file.

If you do not see a root cause in this log file, continue to the next step to configure verbose logs.
Configure these logging settings in the /etc/fxpkcs11.cfg file to see more information in the log file:
- LOG-TRAFFIC: YES
- LOG-MODE: INFO
  
  or
  
  LOG-MODE: ERROR