Working with Gemalto HSM

Step 1 of 5: Extracting the Gemalto Help Package

Use the Gemalto configuration documents to configure the Gemalto HSM environment.

Step

Instructions

1

Download this package:

Gemalto SafeNet HSM Help package

(007-011136-012_Net_HSM_6.2.2_Help_RevA)

Note - Software Subscription or Active Support plan is required to download this package.

2

Use a Windows-based computer.

3

Extract the Gemalto HSM Help package to some folder.

4

Open the extracted Gemalto HSM Help folder.

5

Double-click the START_HERE.html file.

The Gemalto SafeNet Network HSM 6.2.2 Product Documentation opens.

Step 2 of 5: Configuring the Gemalto HSM Server to Work with a Check Point Security Gateway / ClusterXL / Scalable Platform Security Group

Use the Gemalto Help documents to install and configure the Gemalto HSM Server.

Step Instructions

1

Install the Gemalto HSM Appliance.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet Network HSM Hardware Installation.

2

Do the initial configuration of the Gemalto HSM Appliance and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > follow from [Step 1] to [Step 6].

3

Run the "sysconf recenCert" command in LunaSH to generate a new certificate for the Gemalto HSM Server (server.pem).

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

4

Complete the configuration of the Gemalto HSM Server to work with the Check Point Security Gateway / ClusterXL / Security Group:

Set the applicable partition to be active and auto-activated.

Run these commands in LunaSH:

lunash:> partition showPolicies -partition <Partition Name>

lunash:> partition changePolicy -partition <Partition Name> -policy 22 -value 1

lunash:> partition changePolicy -partition <Partition Name> -policy 23 -value 1

lunash:> partition showPolicies -partition <Partition Name>

Note - If you do not set the partition to stay auto-activated, the partition does not stay activated when the machine is shut down for more than two hours.

Disable the validation of the client source IP address by NTLS upon an NTLA client connection.

Run this command in LunaSH:

lunash:> ntls ipcheck disable

Note - This allows the HSM Server to accept traffic from Check Point Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members that hide this traffic behind a Cluster VIP address, and from a Check Point Security Gateway / Security Group hidden behind NAT.

Step 3 of 5: Configuring the Gemalto HSM Client workstation

You use the Gemalto HSM Client workstation to create a CA Certificate on the Gemalto HSM Server.

Check Point Security Gateway / ClusterXL / Scalable Platform Security Group uses this CA Certificate for HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. to store and to access SSL keys on the Gemalto HSM Server.

Note - You can also use Check Point Security Gateway / ClusterXL / Scalable Platform Security Group with the installed HSM Client package as an HSM Client workstation.

Step Instructions

1

Get this HSM Client package from the Gemalto vendor:

610-012382-017_SW_Client_HSM_6.2.2_RevA

2

Install a Windows-based or Linux-based computer to use as a Gemalto HSM Client Workstation.

3

Install the HSM Client package on the computer:

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation.

4

Establish a Trust Link between the Gemalto HSM Client Workstation and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

On the Gemalto HSM Client Workstation, run in LunaCM:

lunacm:> clientconfig deploy -c <IP Address of HSM Client Workstation> -n <IP Address of HSM Server> -par <Partition Name> -pw <Partition Password>

Step 4 of 5: Creating the CA Certificate on the Gemalto HSM Server

Step Instructions

1

On the Gemalto HSM Client workstation, open a command prompt or a terminal window.

2

Use the "cmu generatekeypair" command to create a key pair.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu generatekeypair.

Example:

# cd /usr/safenet/lunaclient/bin

# ./cmu generatekeypair -modulusBits=2048 -publicExponent=65537 -labelPublic="CAPublicKeyPairLabel" -labelPrivate="CAPrivateKeyPairLabel" -sign=T -verify=T

3

When prompted, enter the password for the partition on Gemalto HSM Server (you configured it in Step 2 of 5: Configuring the Gemalto HSM Server to Work with a Check Point Security Gateway / ClusterXL / Scalable Platform Security Group).

Example:

Enter a password for the token in slot 0:

4

Select the RSA mechanism by entering the corresponding number:

[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes

5

View the handles of the key pair you created.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu list.

# ./cmu list

Example output:

Enter password for token in slot 0 : <Password for the Partition>

handle=17 label=CAPrivateKeyPairLabel

handle=18 label=CAPublicKeyPairLabel

6

Use the handle numbers from the previous step to create the CA certificate.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu selfsigncertificate

Example:

# ./cmu selfsigncertificate -privatehandle=17 CN="www.gemltoHSM.cp" -sha256WithRSA -startDate 20190720 -endDate 20240720 -serialNum=111aaa -keyusage digitalsignature,keycertsign,crlsign -basicconstraints=critical,ca:true

7

View the handles of the CA certificate you created.

# ./cmu list

Example output:

Enter password for token in slot 0 : <Password for the Partition>

handle=13 label=www.myhsm.cp

handle=17 label=CAPrivateKeyPairLabel

handle=18 label=CAPublicKeyPairLabel

Important - You use the numbers of these three handles later when you configure the $FWDIR/conf/hsm_configuration.C file on the Check Point Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Scalable Platform Security Group).

8

Export the CA certificate to a file.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu export

# ./cmu export -handle=<Handle Number> -outputfile=<Name of Output File>

Step 5 of 5: Configuring the Security Gateway to Work with the Gemalto HSM Server

This step has three sub-steps.

Sub-Step 5-A: Configuring HTTPS Inspection on the Security Gateway / Cluster Members / Security Group to work without the Gemalto HSM Server

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment, you must perform this step in the context of each Virtual System (on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or each VSX Cluster Member).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Step Instructions

1

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., enable and configure the HTTPS Inspection.

See the R81 Security Management Administration Guide > Chapter HTTPS Inspection.

2

On the Security Gateway / each Cluster Member / Security Group, disable the HSM in the $FWDIR/conf/hsm_configuration.C file.

Connect to the command line.
Log in to the Expert mode.

Edit the file:

vi $FWDIR/conf/hsm_configuration.C

Configure the value "no" for the parameter "enabled":

:enabled ("no")

Save the changes in the file and exit the editor.

On the Scalable Platform Security Group, you must copy the updated file to all Security Group Members:

asg_cp2blades $FWDIR/conf/hsm_configuration.C

3

In SmartConsole, install the applicable Access Control Policy on the Security Gateway / ClusterXL object.

4

Make sure that HTTPS Inspection works correctly without the HSM Server:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway / ClusterXL / Security Group.

Sub-Step 5-B: Installing the Gemalto HSM Simplified Client Software Packages on the Security Gateway / ClusterXL / Security Group

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Notes:

For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation.

For information about establishing a Trust Link, go to the Appliance Administration Guide > Configuration without One-step NTLS > [Step 7] Create a Network Trust Link Between the Client and the Appliance.
If you need to establish new Trust Link, you have to delete the current Trust Link.

See Deleting a Trust Link with the HSM Server.

Procedure for a Security Gateway / ClusterXL:

Step Instructions

1

Open the Gemalto HSM Client package you received from Gemalto:

610-012382-017_SW_Client_HSM_6.2.2_RevA

Go to this directory: linux > 32

2

Install the HSM Client package.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation.

3

In the Expert mode, copy the libCryptoki2.so file to the /usr/lib/hsm_client/ directory:

cp -v /usr/safenet/lunaclient/lib/libCryptoki2.so /usr/lib/hsm_client/

Important - For security reasons, only the root user has permissions to access this directory.

You must copy the physical file into this directory. Do not create a symbolic link.

4

Establish a Trust Link between the Gemalto HSM Client on the Security Gateway / each Cluster Member and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

On the Security Gateway / each Cluster Member, run in LunaCM:

lunacm:> clientconfig deploy -c <IP Address of Security Gateway or Cluster Member> -n <IP Address of HSM Server> -par <Partition Name> -pw <Partition Password>

5

Examine the partition access on the Security Gateway / each Cluster Member:

# /usr/safenet/lunaclient/bin/vtl verify

Procedure for a Scalable Platform Security Group:

Step Instructions

1

Open the Gemalto HSM Client package you received from Gemalto:

610-012382-017_SW_Client_HSM_6.2.2_RevA

2

Transfer the software package to the Security Group to some directory.

For example, create /var/log/HSM_Client/ on all Security Group Members:

g_all mkdir -v /var/log/HSM_Client/

3

Connect to the command line on the Security Group.

4

Log in to the Expert mode.

5

Extract the Gemalto HSM Client package:

g_all cd /var/log/HSM_Client/

g_all tar -xvf <Name of Gemalto HSM Client Package>.tar

6

Install the Gemalto HSM Client packages on all Security Group Members:

g_all rpm -Uvh /var/log/HSM_Client/configurator-6.2.2-4.i386.rpm

g_all rpm -Uvh /var/log/HSM_Client/libcryptoki-6.2.2-4.i386.rpm

g_all rpm -Uvh /var/log/HSM_Client/vtl-6.2.2-4.i386.rpm

7

Establish a Trust Link between the Gemalto HSM Client on the Security Group and the Gemalto HSM Server.

From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.

On the Security Group, run in LunaCM:

lunacm:> clientconfig deploy -c <IP Address of Security Group> -n <IP Address of HSM Server> -par <Partition Name> -pw <Partition Password>

8

Examine the partition access on the Security Group:

# /usr/safenet/lunaclient/bin/vtl verify

Sub-Step 5-C: Configuring HTTPS Inspection on the Security Gateway / ClusterXL / Security Group to work with the Gemalto HSM Server

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Notes:

After you apply the HSM configuration for the first time, you may get an HSM connection error.

Most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.

In this case:
1. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.
  
  In a VSX environment, run this command in the context of the problematic VSX Virtual System.
2. Wait until you see "HSM on".
3. Continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.
After any change in the $FWDIR/conf/hsm_configuration.C file, you must do one of these:
- Fetch the local policy with the "fw fetch local" command
- In SmartConsole, install the policy on the Security Gateway / ClusterXL / VSX Virtual System object.
If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway / ClusterXL / Security Group / VSX Virtual System cannot access HTTPS web sites.

In addition, see Disabling Communication from the Security Gateway to the HSM Server.

Step Instructions

1

Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

2

Log in to the Expert mode.

3

Back up the $FWDIR/conf/hsm_configuration.C file:

On the Security Gateway / each Cluster Member, run:

cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

On the Scalable Platform Security Group, run:

g_cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

4

Edit the $FWDIR/conf/hsm_configuration.C file:

vi $FWDIR/conf/hsm_configuration.C

5

Configure the required values for these attributes:

(

:enabled ("yes")

:hsm_vendor_name ("Luna Gemalto HSM")

:lib_filename ("libCryptoki2.so")

:CA_cert_public_key_handle (<Number of "Public" Handle for CA certificate>)

:CA_cert_private_key_handle (<Number of "Private" Handle for CA certificate>)

:CA_cert_buffer_handle (<Number of Handle for CA certificate>)

:token_id ("<Password for Partition on Gemalto HSM Server>")

)

Notes:

The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM), or "no" (to disable the HSM).
The ":hsm_vendor_name ()" attribute must contain the string "Luna Gemalto HSM" (or must be empty).
The ":lib_filename ()" attribute must contain the name of the PKCS#11 library of the Gemalto HSM vendor (located in the /usr/lib/hsm_client/ directory on the Security Gateway / each Cluster Member / Security Group.
The ":CA_cert_<XXX> ()" attributes must have the required values of handles from the output of the "cmu list" command on the Gemalto HSM Server.

See Step 4 of 5: Creating the CA Certificate on the Gemalto HSM Server.
The ":token_id ()" attribute must have the contain the password for the partition on the Gemalto HSM Server.

See Step 2 of 5: Configuring the Gemalto HSM Server to Work with a Check Point Security Gateway / ClusterXL / Scalable Platform Security Group.

Example:

Copy

(
:enabled ("yes")
:hsm_vendor_name ("Gemalto HSM")
:lib_filename ("libCryptoki2.so")
:CA_cert_public_key_handle (17)
:CA_cert_private_key_handle (18)
:CA_cert_buffer_handle (13)
:token_id ("p@ssw0rd")
)

6

Apply the new configuration.

If you explicitly defined (or changed) the value of the ":hsm_vendor_name ()" attribute the string "Gemalto HSM", then restart all Check Point services with this command:

On the Security Gateway / each Cluster Member, run:

cprestart

On the Scalable Platform Security Group, run:

g_all cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can cause a failover.

If you did not define the value of the ":hsm_vendor_name ()" attribute (it is empty), then fetch the local policy with this command:

On the Security Gateway / each Cluster Member, run:

fw fetch local

On the Scalable Platform Security Group, run:

g_fw fetch local

7

Make sure that the Security Gateway / each Cluster Member / Security Group can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.

Run this command:

On the Security Gateway / each Cluster Member, run:

cpstat https_inspection -f all

On the Scalable Platform Security Group, run:

g_all cpstat https_inspection -f all

The output must show:

HSM partition access (Accessible/Not Accessible): Accessible
Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see Monitoring HTTPS Inspection with HSM in CLI.

8

Make that HTTPS Inspection is activated successfully on the outbound traffic:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.

Deleting a Trust Link with the HSM Server

If you need to establish new Trust Link between a Check Point Security Gateway and an HSM Server, you have to delete the current Trust Link.

Use Case: When you replace or reconfigure a Check Point Security Gateway, or an HSM Server.

Step Instructions

1

Delete the current Trust Link on the Check Point Security Gateway / each Cluster Member / Scalable Platform Security Group:

Connect to the command line.
Log in to the Expert mode.

Go to the SafeNet HSM Simplified Client installation directory:

On the Security Gateway / each Cluster Member, run:

cd /usr/safenet/lunaclient/bin/

On the Scalable Platform Security Group, run:

g_all cd /usr/safenet/lunaclient/bin/

Delete the old Trust Link:

On the Security Gateway / each Cluster Member, run:

./vtl deleteServer -n <IP Address of HSM Server>

On the Scalable Platform Security Group, run:

g_all ./vtl deleteServer -n <IP Address of HSM Server>

2

Delete the current Trust Link on the HSM Appliance:

Connect to the HSM Appliance over SSH.

Examine the list of configured HSM Client Workstations:

lunash:> client list

Delete the Check Point HSM Client Workstation:

lunash:> client delete -client <Name of HSM Client>

Note - For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation.

Configuring a Second Interface on a Gemalto HSM Appliance for NTLS

Step Instructions

1

Connect to the HSM Appliance over SSH.

2

Examine all the configured interfaces:

lunash:> network show

3

Add a new interface:

lunash:> network interface -device <Name of Interface> -ip <IP Address> -netmask <NetMask> [-gateway <IP Address>]

4

Enable Network Trust Link Service (NTLS) on all the interfaces.

Note - For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation > LunaSH Command Reference Guide > LunaSH Commands.

Working with Gemalto HSM

Configuration Steps

Additional Actions for a Gemalto HSM Server