Hardware Security Module (HSM)


1 Introduction

A Hardware Security Module (HSM) is a physical device that provides a secure environment for the storage of cryptographic keys and for performing operations with those keys. The HSM protects key material physically, through tamper-evident and tamper-resistant construction, and logically, through a separate out-of-band management interface for key material, so that a compromise of a connected host does not expose the keys.

HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing and storing cryptographic keys inside a hardened, tamper-resistant device.

HSMs provide protection for transactions, identities and applications by securing cryptographic keys and provisioning encryption, decryption, authentication and digital signing services for a wide range of applications.

HSMs allow organisations to improve profitability and achieve compliance with solutions for paper-to-digital initiatives, Payment Card Industry (PCI) Data Security Standard (DSS), digital signatures, Domain Name System Security extensions (DNSSEC), hardware key storage, transactional acceleration, certificate signing, code/document signing, bulk key generation, data encryption and more.

The functions of a HSM are:

  • On-board, secure cryptographic key generation
  • On-board, secure cryptographic key storage and management
  • Performing cryptographic operations with key material without exposing it to the host
  • Offloading asymmetric and symmetric cryptographic operations from application servers

A HSM is a third-party product that works with the LoadMaster.

Figure 1‑1: HSM and LoadMaster

By default, the KEMP LoadMaster performs all SSL handling itself, including holding the private keys.

For more information about the default SSL handling, refer to the SSL Accelerated Services, Feature Description.

However, the LoadMaster can also be configured to connect to an external network HSM device. The HSM then holds the private keys and performs the private-key operations of the SSL handshake on the LoadMaster's behalf, which provides additional security because the private key never leaves the HSM.

The traffic flow, as outlined in the diagram above, is as follows:

  1. The client connects to the LoadMaster, which presents a certificate as part of the SSL server "hello" handshake. This certificate contains the public key corresponding to the private key stored on the HSM.
  2. The client provides the LoadMaster with the SSL "Pre-master Secret", which the client has encrypted using the public key from the certificate.
  3. The LoadMaster passes the encrypted "Pre-master Secret" to the HSM for decryption.
  4. Both client and server compute a new Transport Layer Security (TLS) session key from the "Pre-master Secret". The HSM is not involved in this.

The flow above is RSA key exchange. With ephemeral Diffie-Hellman (DHE/ECDHE) cipher suites the private-key operation the HSM performs in step 3 is a signature over the server's key-exchange parameters rather than a decryption; in either case the private key itself never leaves the HSM, and the LoadMaster can only complete a handshake while the HSM is reachable (see Section 3.1).
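The four-step flow above, as an added example that is not KEMP or HSM-vendor code: a simulated HSM object holds the private key and exposes only a decrypt operation, while the "LoadMaster" side sees only the public key and the session-key derivation. Everything here is constructed for illustration: textbook RSA over freshly generated 512-bit primes stands in for the HSM's real key, and an HMAC-SHA256 derivation stands in for the TLS PRF.

```python
"""Simulated TLS-RSA key exchange with the private key confined to an HSM object.
Added example, not product or vendor code; the RSA and PRF are toy stand-ins."""
import hashlib
import hmac
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; adequate for generating the demo's toy primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with the top bit set, so the modulus has a known size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


class SimulatedHSM:
    """Holds the private exponent and exposes only operations, never the key."""

    def __init__(self, bits: int = 512):
        e = 65537
        while True:
            p, q = _random_prime(bits // 2), _random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(e, phi) == 1:
                break
        self._n, self._e, self._d = p * q, e, pow(e, -1, phi)

    def public_key(self):
        """What the certificate presented in step 1 carries."""
        return self._n, self._e

    def decrypt(self, ciphertext: int) -> bytes:
        """Step 3: the only private-key operation, performed inside the HSM."""
        m = pow(ciphertext, self._d, self._n)
        return m.to_bytes(48, "big")


def derive_session_key(pre_master: bytes, client_random: bytes,
                       server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF (step 4): both sides run this, the HSM does not."""
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def run_handshake(hsm: SimulatedHSM):
    """Returns (client_key, server_key); step numbers match the document's flow."""
    n, e = hsm.public_key()                      # step 1: LoadMaster presents the certificate
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    pre_master = secrets.token_bytes(48)         # step 2: client picks the pre-master secret
    assert int.from_bytes(pre_master, "big") < n  # 384-bit value always fits a 512-bit modulus
    ciphertext = pow(int.from_bytes(pre_master, "big"), e, n)  # ...and encrypts it to the public key
    client_key = derive_session_key(pre_master, client_random, server_random)
    recovered = hsm.decrypt(ciphertext)          # step 3: LoadMaster hands the ciphertext to the HSM
    server_key = derive_session_key(recovered, client_random, server_random)  # step 4
    return client_key, server_key


if __name__ == "__main__":
    ck, sk = run_handshake(SimulatedHSM())
    print("session keys match:", ck == sk)
```

The LoadMaster-side code in `run_handshake` never touches `_d`; removing the HSM object (or losing the connection to it) makes step 3 impossible, which is exactly why the health-check behaviour in Section 3.1 matters.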

1.1 Prerequisites

The following prerequisites must be in place before attempting the steps in this document:

  • The LoadMaster must be licensed and configured as needed.
  • The HSM device and partition must be set up and configured as per the HSM vendor documentation.
  • Important: Proximity to the LoadMaster is a key item that network architects should consider when designing a network that includes both the LoadMaster and the HSM. Ideally, the LoadMaster and the HSM should be as close as possible, on the same low-latency network segment: every TLS handshake now involves a round trip to the HSM, and a shorter path also reduces the exposure of the LoadMaster-to-HSM traffic.

1.2 Document Purpose

The purpose of this document is to outline how to configure the KEMP LoadMaster to effectively work with a HSM.

1.3 Intended Audience

This document is intended for anyone who needs to configure the LoadMaster to work with a HSM device. Knowledge of the HSM device is also required, particularly in relation to its setup, configuration and administration.

2 Configure the LoadMaster and the HSM

The LoadMaster supports two network HSM devices:

  • SafeNet HSM
  • Cavium HSM (beta support)

The steps to configure the LoadMaster and HSM are similar for both devices, but some steps (such as the CA and client certificate exchange) are not relevant for the Cavium HSM. Refer to the relevant section below for steps on how to connect the HSM to the LoadMaster and configure the relevant settings.

For further information on any of the HSM-specific steps, please refer to the relevant HSM vendor documentation.

2.1 SafeNet HSM Steps

Follow the steps in the sections below to configure the SafeNet HSM and the LoadMaster.

2.1.1 Download the CA Certificate from the HSM

Before configuring the LoadMaster, the Certificate Authority (CA) certificate must be downloaded from the HSM. For instructions on how to do this, please refer to the HSM vendor documentation.

The CA certificate will later be uploaded to the LoadMaster so that the LoadMaster can authenticate the HSM when setting up the secure connection between the two.

2.1.2 Configure the LoadMaster

To configure the LoadMaster, follow the steps below in the Web User Interface (WUI):

  1. In the main menu, go to Certificates & Security > HSM Configuration.

Figure 2‑1: Select the HSM subsystem

  2. Select Safenet Luna HSM.

Figure 2‑2: SafeNet HSM Configuration

  3. Enter the IP address of the SafeNet HSM unit to be used and click Set Address.
  4. To upload the CA certificate, click Choose File.
  5. Browse to and select the CA certificate that was downloaded from the HSM in Section 2.1.1.
  6. Enter the LoadMaster FQDN in the Generate the HSM Client Certificate text box and click Generate Client Cert. The client certificate is downloaded and is named after the value entered, that is, <HSMClientCertificateName>.pem (test1.pem in our example).

This generates the client certificate that will be uploaded to the HSM. The name specified here must match the client name used when registering the LoadMaster on the HSM device, as described in Section 2.1.3.

  7. Enter the Password for the HSM partition and click the Set the HSM Password button.

The HSM partition password would have been set on the HSM when originally configuring the partition. For further information, please consult the HSM vendor documentation.

If any of the fields are configured incorrectly, an error message such as "Configuration incorrect or network problems" is displayed. The error message also lists the possible reasons for the problem.

Before enabling HSM on the LoadMaster, the client certificate must be uploaded to the HSM and the LoadMaster must be registered as a client on the HSM; otherwise the LoadMaster will not be able to communicate with the HSM. Follow the steps in Section 2.1.3 to do this.

2.1.3 Configure the HSM

To configure the HSM to work with the LoadMaster, follow the steps below.

These steps vary depending upon the type of HSM device. For step-by-step instructions, please refer to the relevant vendor HSM documentation.

  1. Upload the client certificate to the HSM.

This is the client certificate that was generated on the LoadMaster in Section 2.1.2.

  2. Register the LoadMaster as a client on the HSM device.
  3. Assign the partition where the private keys that the LoadMaster will use are located.
  4. If the LoadMaster's IP address is not in DNS, an entry may be required on the HSM to resolve the client name to the IP address.

2.1.4 Enable HSM in the LoadMaster

To enable HSM in the LoadMaster, follow the steps below in the LoadMaster WUI:

  1. In the main menu, go to Certificates & Security > HSM Configuration.

Figure 2‑3: Enable HSM

  2. Select the Enable Safenet HSM check box.

Figure 2‑4: Warning

  3. Click OK.

If there are any problems with the connection, an error is displayed.

2.2 Cavium HSM Steps

Follow the steps in the sections below to configure the Cavium HSM and the LoadMaster.

2.2.1 Configure the LoadMaster

To configure the LoadMaster, follow the steps below in the Web User Interface (WUI):

  1. In the main menu, go to Certificates & Security > HSM Configuration.

Figure 2‑5: Select the HSM subsystem

  2. Select Cavium HSM.

Figure 2‑6: Cavium HSM Configuration

  3. Enter the IP address of the Cavium HSM unit to be used and click Set Address.
  4. Enter the Username for the HSM partition and click Set the HSM username.
  5. Enter the Password for the HSM partition and click the Set the HSM Password button.

The HSM partition password would have been set on the HSM when originally configuring the partition. For further information, please consult the HSM vendor documentation.

2.2.2 Configure the HSM

To configure the HSM to work with the LoadMaster, follow the steps below.

These steps vary depending upon the type of HSM device. For step-by-step instructions, please refer to the relevant vendor HSM documentation.

  1. Register the LoadMaster as a client on the HSM device.
  2. Assign the partition where the private keys that the LoadMaster will use are located.
  3. If the LoadMaster's IP address is not in DNS, an entry may be required on the HSM to resolve the client name to the IP address.

2.2.3 Enable HSM in the LoadMaster

To enable HSM in the LoadMaster, follow the steps below in the LoadMaster WUI:

  1. In the main menu, go to Certificates & Security > HSM Configuration.

Figure 2‑7: Enable HSM

  2. Select the Enable Cavium HSM check box.

Figure 2‑8: Warning

  3. Click OK.

If there are any problems with the connection, an error is displayed.

2.3 Generate a Certificate Signing Request (CSR)

Follow the steps below to generate a CSR:

  1. In the main menu of the LoadMaster WUI, select Certificates & Security > SSL Certificates.
  2. Enter a recognizable name in the Private Key Identifier text box.
  3. Click Generate CSR.

Figure 2‑9: Create CSR

  4. Fill in the information and click Create CSR.

The key pair is generated on the HSM and the CSR is signed with the private key held there. As a result, the certificate the CA issues is bound to a private key that exists only on the HSM; the private key is never exported to the LoadMaster.

  5. Copy the CSR text and provide it to your Certificate Authority (CA), who will issue the certificate.

2.4 Import the CA-Signed Certificate and Assign it to a Virtual Service

When the CA provides the certificate, follow the steps below to import it into the LoadMaster and assign it to a Virtual Service:

  1. In the main menu of the LoadMaster WUI, go to Certificates & Security > SSL Certificates.
  2. Click Import Certificate.
  3. Click Choose File.
  4. Browse to and select the certificate file issued by the CA.
  5. To assign the certificate to a Virtual Service, select the Virtual Service IP address in the Available VSs box in the Assignment section.
  6. Click the right arrow.
  7. Click Save Changes.
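A check worth doing between Sections 2.3 and 2.4, before the certificate is assigned to a Virtual Service: confirm that what the CA returned actually carries the public key from the CSR that the HSM signed. A certificate issued for some other key will import cleanly but every handshake will then fail at step 3 of the flow in Section 1. The code below is an added example, not KEMP or vendor code; it uses the `cryptography` package, and the HSM key, CSR and CA are all constructed in-process as stand-ins (in practice the CSR text comes from the LoadMaster WUI and the certificate from your CA).

```python
"""Check that a CA-issued certificate matches the CSR generated from the HSM key.
Added example; the key, CSR and CA below are constructed stand-ins."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _spki(obj) -> bytes:
    """SubjectPublicKeyInfo DER: the part of a CSR or certificate that identifies the key."""
    return obj.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def certificate_matches_csr(cert_pem: bytes, csr_pem: bytes) -> bool:
    """True only if the CSR is self-consistent and the certificate certifies the same key."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:        # CSR signature was made by the HSM-held key
        return False
    return _spki(cert) == _spki(csr)


def make_csr(private_key, common_name: str) -> bytes:
    """Stand-in for 'Generate CSR' in the WUI; on the product the signing happens inside the HSM."""
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(private_key, hashes.SHA256()))
    return csr.public_bytes(serialization.Encoding.PEM)


def issue_certificate(csr_pem: bytes, ca_key, ca_name: str) -> bytes:
    """Stand-in CA: issues a one-year certificate for whatever key the CSR carries."""
    csr = x509.load_pem_x509_csr(csr_pem)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_name)]))
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


def demo():
    """Returns (match_for_correct_cert, match_for_cert_on_some_other_key)."""
    hsm_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)    # stand-in for HSM key
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # an unrelated key
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)     # stand-in CA key
    csr = make_csr(hsm_key, "vs.example.com")
    good_cert = issue_certificate(csr, ca_key, "Example Issuing CA")
    wrong_cert = issue_certificate(make_csr(other_key, "vs.example.com"), ca_key, "Example Issuing CA")
    return certificate_matches_csr(good_cert, csr), certificate_matches_csr(wrong_cert, csr)


if __name__ == "__main__":
    print("correct certificate matches CSR:", demo()[0])
    print("certificate for another key matches CSR:", demo()[1])
```

Comparing the SubjectPublicKeyInfo rather than, say, the subject name is deliberate: subject names are easy to get right by accident, while a mismatched key is the failure that only shows up as broken handshakes in production.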

3 Troubleshooting

Refer to the sections below for some troubleshooting advice relating to common problems.

3.1 Connection Lost Between the LoadMaster and the HSM

A health check is performed every minute. If the connection to the HSM is lost for any reason, the error message ERROR: Connection to the HSM Lost is displayed on the home page of the LoadMaster WUI. Rectify the problem and then restart the HSM connection. Be aware that the LoadMaster does not automatically re-enable the HSM connection: to re-enable it, go to Certificates & Security > HSM Configuration and select the enable HSM check box. While the connection is down, Virtual Services whose certificates are backed by keys on the HSM cannot complete TLS handshakes, because the private-key operation in the handshake is performed on the HSM.

3.2 The LoadMaster Cannot Connect to the HSM

If the LoadMaster cannot connect to the HSM after all of the configuration steps in this document have been carried out, refer to the sections below for some troubleshooting steps.

3.2.1 Ping the HSM

To check if the LoadMaster can communicate with the HSM, try to ping the HSM from the LoadMaster. Note that ping only tests ICMP reachability; the HSM client connection uses a TCP port, which may be filtered even when ping succeeds, so a successful ping rules out routing problems but not a firewall in the path. To ping the HSM, follow the steps below in the LoadMaster WUI:

  1. Go to System Configuration > Logging Options > System Log Files.

Figure 3‑1: Debug Options

  2. Click Debug Options.

Figure 3‑2: Ping Host

  3. In the Ping Host text box, enter the IP address of the HSM.
  4. Select the relevant Interface.

The Automatic option selects the correct interface to ping an address on a particular network.

  5. Click Ping.

Figure 3‑3: Ping Results

The results of the ping will be displayed.
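A TCP-level check complements the ICMP ping above, and the same probe can model the behaviour described in Section 3.1 (a lost connection is not re-established until an operator re-enables it). The code below is an added example, not KEMP code: `tcp_reachable` attempts a real TCP handshake to the HSM's client port, and `HsmLink` applies the document's once-a-minute, no-auto-recovery semantics to it. Port 1792 is the SafeNet Luna NTLS default; the loopback listener used by `demo` is a constructed stand-in for the HSM.

```python
"""TCP reachability probe for the HSM client port, plus a model of the
LoadMaster's health-check semantics.  Added example, not product code."""
import socket
import threading

LUNA_NTLS_PORT = 1792   # SafeNet Luna NTLS default; Cavium uses its own port


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class HsmLink:
    """Mirrors Section 3.1: a failed periodic check disables the link and nothing
    re-enables it until an operator calls enable() again."""

    def __init__(self, host: str, port: int = LUNA_NTLS_PORT):
        self.host, self.port, self.enabled = host, port, False

    def enable(self) -> bool:
        """The 'Enable HSM' check box: succeeds only if the HSM is reachable now."""
        self.enabled = tcp_reachable(self.host, self.port)
        return self.enabled

    def check(self) -> bool:
        """The once-a-minute health check; a failure latches the link off."""
        if self.enabled and not tcp_reachable(self.host, self.port):
            self.enabled = False
        return self.enabled


def _local_listener() -> socket.socket:
    """Constructed stand-in for an HSM: accepts one connection on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Returns (enabled_while_up, state_after_loss, state_on_next_check)."""
    srv = _local_listener()
    link = HsmLink("127.0.0.1", srv.getsockname()[1])
    enabled = link.enable()       # stand-in HSM is listening: True
    srv.close()                   # "connection lost"
    after_loss = link.check()     # health check fails and latches the link off
    next_check = link.check()     # still off: no automatic re-enable
    return enabled, after_loss, next_check


if __name__ == "__main__":
    print(demo())
```

Run `tcp_reachable("<hsm-ip>", LUNA_NTLS_PORT)` from a host on the LoadMaster's segment when the WUI ping succeeds but the HSM still cannot be enabled; a False here with a working ping points at a filter between the two rather than at the HSM configuration.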

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

  • SSL Accelerated Services, Feature Description

Document History

Date      | Change                 | Reason for Change          | Version | Resp.
Jan 2015  | Initial draft          | First draft of document    | 1.0     | LB
Jan 2015  | Minor changes          | Enhancements made          | 1.1     | LB
Feb 2015  | Minor changes          | Screenshot updated         | 1.2     | LB
Apr 2015  | Release updates        | Updates for 7.1-26         | 1.3     | LB
May 2015  | Cavium HSM steps added | Support for another device | 1.4     | LB
June 2015 | Release updates        | Changes made               | 1.5     | LB
Oct 2015  | Release updates        | Updates for 7.1-30         | 3.0     | LB
Dec 2015  | Release updates        | Updates for 7.1-32         | 4.0     | LB
Jan 2016  | Minor changes          | Updated                    | 5.0     | LB
Mar 2016  | Release updates        | Updates for 7.1-34         | 6.0     | LB
July 2016 | Release updates        | Updates for 7.1.35         | 7.0     | LB
Jan 2017  | Minor changes          | Enhancements made          | 8.0     | LB
