Working with FutureX HSM
Use this workflow to configure a Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / ClusterXL / Scalable Platform Security Group to work with the FutureX HSM Server.
Prerequisites
The FutureX vendor supplies all these packages.
Package |
Files | Description |
---|---|---|
FutureX PKCS11 Library |
|
Contains the FutureX PKCS #11 Library. Install on the:
|
FutureX CLI Utility |
|
Contains the FutureX CLI Utility to manage keys and certificates. Install on the FutureX HSM Client Workstation. |
FutureX Certificates |
|
FutureX certificates for trust between the FutureX HSM Client Workstation and the FutureX HSM Server. |
Configuration Steps
Use this workflow to configure a Check Point Security Gateway / ClusterXL / Scalable Platform Security Group to work with the FutureX HSM Server.
|
Important - Before you do the steps described below, read the FutureX integration guide. |
You use the FutureX HSM Client Workstation to:
-
Create a CA Certificate on the FutureX HSM Server.
The Check Point Security Gateway / ClusterXL / Scalable Platform Security Group uses this CA Certificate for HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. to store and access SSL keys on the FutureX HSM Server.
-
Manage keys for fake certificate the Check Point Security Gateway / ClusterXL / Scalable Platform Security Group created.
Step | Instructions | ||||||
---|---|---|---|---|---|---|---|
1 |
Install a computer to use as a FutureX HSM Client Workstation. Get the applicable HSM Client package from the FutureX vendor. A FutureX HSM Client Workstation can run these operating systems (for more information, contact the FutureX vendor):
|
||||||
2 |
Transfer the applicable FutureX PKCS #11 Library package to the FutureX HSM Client Workstation.
Important - Make sure to transfer the file in the binary mode. |
||||||
3 |
Extract the contents of the FutureX PKCS #11 Library package to some directory on the FutureX HSM Client Workstation. In the instructions below, we show this directory as: <PKCS#11 Dir>.
|
||||||
4 |
Transfer the certificates you received from the FutureX vendor to some directory on the FutureX HSM Client Workstation. |
||||||
5 |
Prepare the HSM Client to work with the PKCS#11 manager:
|
||||||
6 |
Test the PKCS#11 Library:
|
||||||
7 |
For more information about the configuration of PKCS#11 on the FutureX HSM Client Workstation:
|
||||||
8 |
Transfer the applicable FutureX CLI Utility package to the FutureX HSM Client Workstation.
Important - Make sure to transfer the file in the binary mode. |
||||||
9 |
Extract the contents of the FutureX CLI Utility package to some directory on the FutureX HSM Client Workstation. In the instructions below, we show this directory as: <CLI Dir>.
|
||||||
10 |
Transfer these certificates to the <CLI Dir> directory on the FutureX HSM Client Workstation:
|
||||||
11 |
Establish a connection between the FutureX HSM Client and the FutureX HSM Server:
|
||||||
12 |
You can use these tools on the FutureX HSM Client Workstation to manage keys and certificates that are stored on the FutureX HSM Server:
|
Step | Instructions | ||||
---|---|---|---|---|---|
1 |
On the FutureX HSM Client Workstation, open the FutureX CLI utility. |
||||
2 |
Get the list of available slots. Run one of these commands:
|
||||
3 |
Generate the key pair for the CA certificate:
Example:
|
||||
4 |
Generate the CA certificate:
Example:
|
||||
5 |
Get the list of slots used for the CA certificate and CA certificate's key pair. Run one of these commands:
|
||||
6 |
Write down the handles of the:
Example:
|
This step has four sub-steps.
|
Important:
|
Step | Instructions | |||
---|---|---|---|---|
1 |
In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., configure the HTTPS Inspection. See the R81 Security Management Administration Guide > Chapter HTTPS Inspection. |
|||
2 |
On the Security Gateway / each Cluster Member / Security Group, disable the HSM in the
|
|||
3 |
In SmartConsole, install the applicable Access Control Policy on the Security Gateway / ClusterXL object. |
|||
4 |
Make sure that HTTPS Inspection works correctly without the HSM Server:
|
|
Important:
|
Step | Instructions | ||
---|---|---|---|
1 |
Transfer the FutureX PKCS #11 binary files to the Security Gateway / each Cluster Member / Scalable Platform Security Group:
|
||
2 |
Transfer the FutureX PKCS #11 configuration file to the Security Gateway / each Cluster Member / Scalable Platform Security Group:
|
To establish a connection between a Check PointSecurity Gateway (HSM client) to a FutureX HSM server, you must create certificate files for the TLS authentication between the Check PointSecurity Gateway and the FutureX HSM server. These are the options to create the required certificate files:
-
Create the certificates on the HSM (the most common method).
-
Get the certificates from the FutureX vendor.
-
Enabling the "
Anonymous
" setting on the HSM server, so that mutual authentication is not required (see the FutureX Integration Guide).
|
Important:
|
Step | Instructions | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 |
Transfer the FutureX certificate files you received from the FutureX vendor to the Security Gateway / each Cluster Member / Scalable Platform Security Group to the /usr/futurex/ directory. On the Scalable Platform Security Group, you must copy these certificate files to all Security Group Members:
|
||||||||||||||
2 |
Connect to the command line on the Security Gateway / each Cluster Member / Security Group. |
||||||||||||||
3 |
Log in to the Expert mode. |
||||||||||||||
4 |
Back up the configuration file /etc/fxpkcs11.cfg:
|
||||||||||||||
5 |
Edit the configuration file /etc/fxpkcs11.cfg:
|
||||||||||||||
6 |
Configure these attribute values:
|
||||||||||||||
7 |
Save the changes in the file and exit the editor. |
||||||||||||||
8 |
On the Scalable Platform Security Group, you must copy the updated file to all Security Group Members:
|
||||||||||||||
9 |
Create the required symbolic link:
|
|
Important:
|
|
Notes:
|
Step | Instructions | ||||||
---|---|---|---|---|---|---|---|
1 |
Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group. |
||||||
2 |
Log in to the Expert mode. |
||||||
3 |
Back up the
|
||||||
4 |
Edit the
|
||||||
5 |
Configure the required values for these attributes:
|
||||||
|
Example: Copy
|
||||||
6 |
Apply the new configuration.
|
||||||
7 |
Make sure that the Security Gateway / each Cluster Member / Security Group can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic. Run this command:
The output must show:
For more information, see Monitoring HTTPS Inspection with HSM in CLI. |
||||||
8 |
Make that HTTPS Inspection is activated successfully on the outbound traffic:
|
|
Note - If there is a connectivity issue from the Check Point Security Gateway / Cluster Member / Security Group to the FutureX HSM Server, then perform these steps on the Security Gateway / Cluster Member / Security Group:
|