Working with Thales Luna HSM

Configuration Steps

Use this workflow to configure a Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / ClusterXL / Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to work with the Thales Luna HSM Server (formerly, Gemalto SafeNet Network HSM Server).

Step 1 of 2: Configure the Thales Luna HSM environment

Use the Thales Luna configuration documents to configure the HSM environment.

The HSM Partition on the Thales Luna HSM should contain these objects:

CA certificate
CA certificate private key
CA certificate public key
At least one of the following key pairs for creating Fake Certificate:
- RSA 1024 key pair
- RSA 2048 key pair
- RSA 4096 key pair

Optional key pairs for creating Fake Certificate:

RSA 1024 key pair
RSA 2048 key pair
RSA 4096 key pair
ECDSA 256 key pair
ECDSA 384 key pair
ECDSA 521 key pair

Step 2 of 2: Configure the Check Point Security Gateway to work with the Thales Luna HSM Server

This step has three sub-steps.

Sub-Step 2-A: Configure HTTPS Inspection on the Security Gateway / Cluster Members / Security Group to work without the Thales Luna HSM Server

Important:

In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
In a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment, you must perform this step in the context of each Virtual System (on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or each VSX Cluster Member Security Gateway that is part of a cluster.).
On Scalable Platforms, you must run the applicable commands in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group. of the applicable Security Group.

Step Instructions

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., enable and configure the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi..

See the R82.10 Threat Prevention Administration Guide > Chapter HTTPS Inspection.

On the Security Gateway / eachCluster Member / Security Group, disable the HSM configuration:

Connect to the command line.
Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Disable the HSM configuration:

set param path https_inspection.hsm.enabled param-value false

Save the configuration:

save config

In SmartConsole, install the applicable Access Control Policy on the Security Gateway / ClusterXL object.

Make sure that HTTPS Inspection works correctly without the HSM Server:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway / ClusterXL / Security Group.

Sub-Step 2-B: Install the Thales Luna HSM Client on the Security Gateway / ClusterXL / Security Group

Notes:

For more information, see the Thales Luna HSM Documentation.
If you need to establish new Trust Link, you have to delete the current Trust Link.

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms, you must run the applicable commands in the Expert mode on the applicable Security Group.

Procedure for a Security Gateway / ClusterXL:

Step Instructions

Copy the "Luna Minimal Client" to the Check Point Security Gateway / each Cluster Member to some directory (for example, /var/log/).

Connect to the command line on the Check Point Security Gateway / each Cluster Member.

Create the installation directory for the "Luna Minimal Client":

mkdir -p /usr/safenet/lunaclient

Install the "Luna Minimal Client" as described in the Thales Luna HSM Documentation.

You must use the installation directory "/usr/safenet/lunaclient".

Important - Make sure that there is a Trust Link between the Thales Luna HSM Client on the Check Point Security Gateway / each Cluster Member and the Thales Luna HSM Server.

Copy the libCryptoki2.so file to the /usr/lib/hsm_client/ directory:

cp -v /usr/safenet/lunaclient/libs/64/libCryptoki2.so /usr/lib/hsm_client/libCryptoki2.so

Important - For security reasons, only the root user has permissions to access this directory.

You must copy the physical file into this directory. Do not create a symbolic link.

Procedure for a Scalable Platform Security Group:

Step Instructions

Copy the "Luna Minimal Client" to the Check Point Security Group to some directory (for example, /var/log/).

Connect to the command line on the Check Point Security Group.

Create the installation directory for the "Luna Minimal Client":

g_all mkdir -p /usr/safenet/lunaclient

Install the "Luna Minimal Client" as described in the Thales Luna HSM Documentation.

You must use the installation directory "/usr/safenet/lunaclient".

Important - Make sure that there is a Trust Link between the Thales Luna HSM Client on the Check Point Security Group and the Thales Luna HSM Server.

Copy the libCryptoki2.so file to the /usr/lib/hsm_client/ directory:

g_all cp -v /usr/safenet/lunaclient/libs/64/libCryptoki2.so /usr/lib/hsm_client/libCryptoki2.so

Important - For security reasons, only the root user has permissions to access this directory.

You must copy the physical file into this directory. Do not create a symbolic link.

Sub-Step 2-C: Configure HTTPS Inspection on the Security Gateway / ClusterXL / Security Group to work with the Thales Luna HSM Server

Important:

In a Cluster, you must configure all the Cluster Members in the same way.
In a VSX environment, you must perform this step in the context of the VSX Gateway or each VSX Cluster Member (context of VS 0).
On Scalable Platforms, you must run the applicable commands in the Expert mode on the applicable Security Group.

Notes:

After you apply the HSM configuration for the first time, you may get an HSM connection error.

Most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.

In this case:
1. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.
  
  In a VSX environment, run this command in the context of the problematic VSX Virtual System.
2. Wait until you see "HSM on".
3. Continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.
After any change in the HSM configuration, you must do one of these:
- Fetch the local policy with the "fw fetch local" command
- In SmartConsole, install the policy on the Security Gateway / ClusterXL / VSX Virtual System object.
If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway / ClusterXL / Security Group / VSX Virtual System cannot access HTTPS web sites.

In addition, see Disabling Communication from the Security Gateway to the HSM Server.

Step Instructions

Connect to the command line on the Security Gateway / each Cluster Member / Security Group.

Log in to Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish.

Configure the HSM settings:

Name of the PKCS#11 library of your HSM vendor (located in the "/usr/lib/hsm_client/" directory):

set param path https_inspection.hsm.lib_filename param-value "<Name of Library File of HSM Vendor>"

Name of the HSM vendor:

set param path https_inspection.hsm.hsm_vendor_name param-value "<Name of HSM Vendor>"

Name of the HSM model:

set param path https_inspection.hsm.hsm_model_name param-value "<Name of HSM Model>"

Name of the HSM partition:

set param path https_inspection.hsm.token_label param-value "<Name of HSM Partition>"

Password for HSM partition:

set param path https_inspection.hsm.token_id param-value "<Password for HSM Partition>"

Label for the CA certificate object:

set param path https_inspection.hsm.ca_cert.buffer_label param-value "<Label for the CA certificate object>"

Public key name for the CA certificate:

set param path https_inspection.hsm.ca_cert.public_key_label param-value "<Public Key Name for the CA Certificate>"

Private key name for the CA certificate:

set param path https_inspection.hsm.ca_cert.private_key_label param-value "<Private Key Name for the CA Certificate>"

Note - Use the "printHSMSlotInformation" command to see the HSM vendor, model and partition names:

Go from Gaia Clish to the Expert mode.

Run:

printHSMSlotInformation <Path to the PKCS#11 Library>

Go from the Expert mode to Gaia Clish.

Optional: Configure the User Type ID.

Some HSM vendors might require or allow logging in with user types other than the default "CKU_USER ('1')".

set param path https_inspection.hsm.user_type_id param-value "<User Type ID>"

Configure the key labels for the RSA fake certificate.

At least one key pair is required.

To configure the RSA 4096 key pair:

set param path https_inspection.hsm.inspection_keys.rsa_4096.private_key_label param-value "<Key Label>"

set param path https_inspection.hsm.inspection_keys.rsa_4096.public_key_label param-value "<Key Label>"

To configure the RSA 2048 key pair:

set param path https_inspection.hsm.inspection_keys.rsa_2048 .private_key_label param-value "<Key Label>"

set param path https_inspection.hsm.inspection_keys.rsa_2048 .public_key_label param-value "<Key Label>"

To configure the RSA 1024 key pair:

set param path https_inspection.hsm.inspection_keys.rsa_1024.private_key_label param-value "<Key Label>"

set param path https_inspection.hsm.inspection_keys.rsa_1024.public_key_label param-value "<Key Label>"

Configure the key labels for the ECDSA fake certificate.

At least one key pair is required.

To configure the ECDSA 521 key pair:

set param path https_inspection.hsm.inspection_keys.ecdsa_521.private_key_label param-value "<Key Label>"

set param path https_inspection.hsm.inspection_keys.ecdsa_521.public_key_label param-value "<Key Label>"

To configure the ECDSA 384 key pair:

set param path https_inspection.hsm.inspection_keys.ecdsa_384.private_key_label param-value "<Key Label>"

set param path https_inspection.hsm.inspection_keys.ecdsa_384.public_key_label param-value "<Key Label>"

To configure the ECDSA 256 key pair:

set param path https_inspection.hsm.inspection_keys.ecdsa_256.private_key_label param-value "<Key Label>"

set param path https_inspection.hsm.inspection_keys.ecdsa_256.public_key_label param-value "<Key Label>"

Enable the HSM configuration:

set param path https_inspection.hsm.enabled param-value true

Save the configuration:

save config

Validate the HSM configuration:

Go from Gaia Clish to the Expert mode.

Run:

checkHSMconfiguration

Stop and start Check Point services:

cpstop

cpstart

Important - Traffic does not flow through until the services start.

Make sure that the Security Gateway / each Cluster Member / Security Group can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.

On the Security Gateway / each Cluster Member, run:

cpstat https_inspection -f all

On the Scalable Platform Security Group, run:

g_all cpstat https_inspection -f all

The output must show:

HSM partition access (Accessible/Not Accessible): Accessible
Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see Monitoring HTTPS Inspection with HSM in CLI.

Make sure that HTTPS Inspection is activated successfully on the outbound traffic:

From an internal computer, connect to any HTTPS web site.
On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.