HSM SafeNet 2.1.0 

What is an HSM, and how does it work?

What is an HSM (Hardware Security Module):

A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

Using an HSM you can:

  1. Address compliance requirements with solutions for blockchain, GDPR, IoT, paper-to-digital initiatives, PCI DSS, digital signatures, DNSSEC, hardware key storage, transactional acceleration, certificate signing, code or document signing, bulk key generation, data encryption, and more.
  2. Generate keys inside, and keep them inside, an intrusion-resistant, tamper-evident, FIPS-validated appliance with strong access controls.
  3. Create partitions with a dedicated Security Officer per partition, segmented by administrative key separation.

Why use an HSM (Hardware Security Module)

Enterprises buy hardware security modules to protect transactions, identities, and applications, as HSMs excel at securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications.

Basic Structure:

The HSM is controlled through three roles, each with its own responsibilities.

 1 – Admin:

Responsible for administration of the HSM. The Admin role is held by two stakeholders, each with their own unique key (a USB eToken supplied in the HSM box, used together with its PIN in place of a password).

1.1 – EFT Admin:

Responsible for creating partitions and their users, and for decommissioning the HSM.

After decommissioning, the HSM returns to its zeroized (factory-fresh) state.

hsm de 
This is the command that returns the HSM to an as-new, zeroized state.

2 – Partition Owner:

Responsible for all HSM configuration and updates:

  1. Configuration of keys
  2. Deletion and insertion of keys
  3. Applying HSM patches
  4. Generation of certificates
  5. Changing the date and time
  6. The Partition Owner role is also held by two stakeholders, each with their own unique key (a USB eToken supplied in the HSM box, working as a password)

3 – Auditor

A Luna HSM Audit role allows complete separation of Audit responsibilities from the Security Officer (SO or HSM Admin), the Partition User (or Owner), and other HSM roles. If the Audit role is initialized, the HSM and Partition administrators are prevented from working with the log files, and auditors are unable to perform administrative tasks on the HSM.

For Luna HSMs with Password Authentication, the auditor logs into the HSM to perform his/her activities using a password.

For Luna HSMs with PED Authentication, the auditor logs in to perform his/her activities using a white PED Key. The Audit feature works only with Luna PED version 2.5.0-1 or newer. Older versions of PED firmware are not aware of the Audit role and Audit Key.

Audit initialization – creating the Auditor role (and imprinting the white PED Key for PED authenticated HSMs) does not require the presence or cooperation of the HSM SO.

Basic HSM commands:

  • login
    • Select the role (user) whose commands you want to execute.
  • support
    • Key management (restore, backup, define and delete)
    • Restore all keys at once
    • Restore and backup can also be run remotely over a network connection
  • keyMgmt
    • Insertion, update and deletion of keys
  • sysconfig
    • System-level changes (date and time, network, certificates, partitions)

Configuring the HSM takes two steps:

  • Console configuration
  • Web (SSL) configuration

How to configure the SafeNet HSM

Console configuration of the SafeNet HSM

    1. Start PuTTY on Windows or minicom on Linux.
        1. PuTTY:
          1. Select Serial, enter the COM port the console cable appears as in the Serial line box, and use the same 115200 8N1 settings as for minicom below.
        2. Minicom:
          1. Become root (su) in a terminal.
          2. Run minicom -s.
          3. In the minicom configuration menu select Serial port setup.
          4. Press A and set the serial device to /dev/ttyUSB0.
          5. Press E and select 115200 8N1.
          6. Set Hardware Flow Control = Yes.
          7. Select Save setup as dfl.
          8. Select Exit.
          9. Press Enter.
    2. Log in with the admin account and its password.
          1. username: admin
          2. password: xxxxxx
    3. Set the date and time.
       Command: status date or status time (view the current date and time)
       Command: sysconfig timezone set GMT
       Command: sysconfig time 22:59 20170319 (HH:MM YYYYMMDD)
    4. Initialize the HSM. The command prompts for each token and its PIN in turn; insert the token named in the prompt before entering the PIN.
       Command: hsm eftinit
       Insert Purple Activation USB eToken
       Activation eToken PIN: xxxxxxx
       first EFT Administrator: xxxxxx
       Insert Blue eToken HSM Admin 1
       admin1 PIN: xxxxxx
       second EFT Administrator: xxxxxx
       Insert Blue eToken HSM Admin 2
       admin2 PIN: xxxxxx
       first EFT Auditor: xxxxxx
       Insert White eToken HSM Audit 1
       audit1 PIN: xxxxxx
       second EFT Auditor: xxxxxx
       Insert White eToken HSM Audit 2
       audit2 PIN: xxxxxx
    5. Activate the HSM.
       Command: hsm activate
  • Update the network configuration
    Command: sysconfig network interface show
    Command: login eftadmin
    Command: sysconfig network interface static -device eth0 -ip 10.33.31.119 -netmask 255.255.255.0 -gateway 10.33.31.254
  • Change the host name
    Command: sysconfig network hostname luna_eft2_pin1 (optional, not required in v2.1.0)
  • Activate the HSM
    Command: hsm activate
    1. Insert the purple activation eToken.
    2. Enter its PIN when prompted.
  • Generate the Luna EFT administration console certificate
    Command: login eftadmin
    1. View the current certificate mode
       Command: sysconfig SSLMgmt viewmode
    2. Set the certificate mode to self-signed
       Command: sysconfig SSLMgmt setmode -mode Self_Signed
    3. Generate a certificate
       Command: sysconfig certMgmt generate -modulus 2048 -subject "/CN=Luna EFT/O=HabibMetro/OU=Information Technology/C=PK/ST=Karachi/L=Karachi/emailAddress=rao.bilal@habibmetro.com"
    4. View the certificate
       Command: sysconfig certMgmt view
    5. Export the certificate
       Command: sysconfig certMgmt export -type server
    6. Note: to replace the certificate later, rerun the same generate command from step 3. Because the certificate is self-signed, browsers will warn when you open the web interface; compare the fingerprint of the exported certificate with the one the browser shows before accepting it.
  • Create a partition and its users
    1. Command: login eftadmin
    2. Command: sysconfig partition create -partition part1 -f -size 12000000
    3. Partition name: xxxxxx
    4. Partition user 1: xxxxxx
    5. password: xxxxxx
    6. Partition user 2: xxxxxx
    7. password: xxxxxx
    8. Note: the user names are free-form.
  • Delete a partition
    1. Command: sysconfig partition delete -partition part1
  • Smart card key restore: define the KTP
    1. Define the KTP on index 1
      1. Command: keyMgmt generate hsm ktp -index 1 -clearComp 2 -encryptedComp 0 -algo DES -keyLen 2
      2. Component 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (recorded when the backup was taken)
      3. Component 2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (recorded when the backup was taken)
      4. KCV: 40826A (must be the same KCV the HSM printed when the backup was taken; if it differs, a component was mistyped or is the wrong one, so stop and re-enter rather than restoring under a wrong KTP)
    2. Define the KTP on index 2
      1. Command: keyMgmt generate hsm ktp -index 2 -clearComp 2 -encryptedComp 0 -algo AES -keybit 256
      2. Component 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx… (recorded when the backup was taken)
      3. Component 2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx… (recorded when the backup was taken)
    3. Select the index used for the restore
      1. Command: keyMgmt activate ktp -index 2
    4. View the KTP
      1. Command: keyMgmt view hsm ktp -index 2
         Command: keyMgmt view hsm ktp -index 1 - 50
         
    5. Note: the DES KTP is defined on index 1 and the AES KTP on index 2. Each clear component should be entered by its own custodian, so that no single person sees the whole KTP.
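To check a pair of clear components before typing them at the keyMgmt generate prompt, here is an added example (written for this page, not code from the original notes or from SafeNet) that XORs the components into the AES-256 KTP of index 2 and derives its KCV. It assumes the legacy zero-block KCV (the first three bytes of the key encrypting sixteen zero bytes); whether the HSM prints that variant for AES or a CMAC-based one should be confirmed against the value recorded at backup time. The DES KTP on index 1 combines its components the same way, but its KCV needs a (3)DES zero-block encryption, which this block does not implement. The sample components at the bottom are constructed, not real key material.

```python
"""Combine clear key components and check the KCV before a KTP restore.

Added example for this page, not code from the original notes or from
SafeNet. Models the two-component AES-256 KTP on index 2: the KTP is the
XOR of the clear components and the KCV is the first three bytes of the
key encrypting one all-zero block (legacy zero-block KCV, an assumption
to confirm against the backup record). Pure-Python AES, encrypt only, so
it runs offline; for checking values, not for production use.
"""

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else (a << 1) & 0xFF
        b >>= 1
    return r

def _gf_inv(a):
    """Multiplicative inverse as a^254 in GF(2^8); 0 maps to 0."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a = _gf_mul(a, a)
        e >>= 1
    return r

def _sbox_entry(a):
    b = x = _gf_inv(a)                      # FIPS-197 S-box: affine map of the inverse
    for s in (1, 2, 3, 4):
        x ^= ((b << s) | (b >> (8 - s))) & 0xFF
    return x ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]

def _expand_key(key):
    """FIPS-197 key schedule; returns nr+1 round keys of 16 bytes each."""
    nk, rcon = len(key) // 4, 1
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                       # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:          # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def aes_encrypt_block(key, block):
    """AES-128/192/256 single-block encrypt; state is column-major like the input."""
    rks = _expand_key(key)
    nr = len(rks) - 1
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != nr:                                                       # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                      _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, rks[rnd])]                            # AddRoundKey
    return bytes(s)

def combine_components(components_hex):
    """XOR the clear components, as typed at the console, into the key."""
    comps = [bytes.fromhex(c.replace(" ", "")) for c in components_hex]
    if len({len(c) for c in comps}) != 1:
        raise ValueError("components must all be the same length")
    key = bytes(len(comps[0]))
    for c in comps:
        key = bytes(x ^ y for x, y in zip(key, c))
    return key

def aes_kcv(key):
    """Zero-block KCV: first 3 bytes of AES_key(0^16) as 6 upper-case hex digits."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return aes_encrypt_block(key, bytes(16))[:3].hex().upper()

def verify_ktp(components_hex, expected_kcv):
    """Return (kcv, matches); a mistyped component shows up here, before any restore."""
    kcv = aes_kcv(combine_components(components_hex))
    return kcv, kcv == expected_kcv.strip().upper()

if __name__ == "__main__":
    # Constructed sample components for illustration, not real key material.
    comp1 = "0123456789ABCDEF" * 4
    comp2 = "A5" * 32
    print("combined KTP KCV:", aes_kcv(combine_components([comp1, comp2])))
```

Run it with the recorded components in place of the samples and compare the printed KCV with the backup record before entering anything at the console; a mismatch means a component was mis-recorded or mistyped, and the restore should not proceed until the two agree.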

Web configuration of the SafeNet HSM

How to configure the HSM EFT web interface

  1. Open the URL /eftweb on the HSM (https://10.0.0.1/eftweb).
  2. Log in as the Partition Owner.
  3. Click Payment Configuration.
    1. Click Settings:
      1. Make sure the KL=KR check is disabled.
      2. Allow DES must be enabled.
      3. Click Save.
      Both settings weaken the key policy: DES is a deprecated algorithm, and the KL=KR check rejects double-length keys whose two halves are equal (such a key is effectively single DES). Enable them because the smart card restore needs them, and review whether they can be tightened again once the restore is complete.
    2. Click System Configuration:
      1. Click Host Configuration, add the IP addresses to whitelist (only these hosts can reach the HSM), and save.
      2. Click Host Services.
      3. Set the port to the value shown in the original screenshot and save.

How to restore smart card keys in the HSM

Restore smart card keys:

  1. Prerequisites
    1. Ensure the KL=KR check is disabled (check in EFTWeb, logged in as Partition Owner: https://10.0.0.1/eftweb).
    2. Allow DES must be enabled.
    3. Commands:
      1. Command: support restore smartcard -cardsetid uathsm -force 
         -- for version 2.0 and lower
      2. Command: support restore smartcard -cardsetid PAK2018 -force -data KEYS 
         -- for HSM 2.1.0, restores the keys
      3. Command: support restore smartcard -cardsetid "#EFT1X" -data KM -i 1 
         -- for HSM 2.1.0, restores the master key