Integrating FortiProxy with SafeNet Luna Network HSM
A hardware security module (HSM) is a dedicated device for managing digital keys and performing cryptographic operations. An HSM can be a plug-in card or an external device directly connected to a computer or network server. Purposefully designed to protect the crypto-key life cycle, HSMs have been used by some of the world's most security-conscious entities to protect their cryptographic infrastructure by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.
Because of their strengths in securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications, HSMs have been used by enterprises worldwide to safeguard their online transactions, identities, and applications.
Starting from version 2.0, FortiProxy integrates with SafeNet Luna Network HSM. The integration lets FortiProxy retrieve a per-connection SSL session key from the HSM server instead of loading the private key and certificate stored on the FortiProxy itself. The HSM integration supports active-passive and active-active HA modes, but not active-passive configuration synchronization (config-sync). You can synchronize a local certificate that uses the HSM to peer FortiProxy appliances, but that local certificate may NOT function properly on the peer appliances.
To integrate FortiProxy with SafeNet Luna Network HSM:

1. Check whether the FortiProxy has already been registered with the HSM. Connect to the HSM by running the following command:
       ssh admin@<hsm_ip>
   If the FortiProxy IP is listed under the HSM client list, clear the existing configuration by running the following commands:
       client revokePartition -client <fortiproxy_ip> -partition fortiproxy
       client delete -client <fortiproxy_ip> -force
2. Create and initialize a new HSM partition that uses password authentication, using the
       partition create
   command on the HSM. The HSM partition is a global configuration that can be used from individual VDOMs. This is the partition that FortiProxy uses on the HSM server. You can create more than one partition, but all partitions are assigned to the same client. For more information, see the SafeNet Luna Network HSM documentation.
3. Retrieve the server certificate file from the HSM server using the SCP utility and the following command:
       scp <hsm_username>@<hsm_ip>:server.pem /usr/lunasa/bin/server_<hsm_ip>.pem
4. Configure the HSM by running the
       config system nethsm
   command on the FortiProxy. You need to specify the HSM server certificate and the partition name and password (see config system nethsm). For example:
       config system nethsm
           set status enable
           set interface "port1"
           config servers
               edit "us_hsm"
                   set server "172.30.30.13"
                   set server-cert "<paste the HSM server certificate retrieved in step 3>"
                   set htl disable
               next
           end
           config slots
               edit "fortiproxy"
                   set id <partition name on the HSM server>
                   set password <partition password on the HSM server>
               next
           end
       end
   The HSM configuration also generates a default FortiProxy client certificate, which can be displayed by running the
       execute nethsm client-cert-show
   command. To regenerate the client certificate, run the
       execute nethsm client-cert-create
   command.
5. Export the FortiProxy client certificate to a local PC using the following command:
       execute nethsm client-cert-export
6. Send the FortiProxy client certificate to the HSM using the SCP utility and the following command:
       scp <fortiproxy_ip>.pem admin@<hsm_ip>:
7. Connect to the HSM server using an admin account via SSH and register a client for FortiProxy on the HSM server using the following command:
       lunash:> client register -c <client_name> -ip <fortiproxy_ip>
   where <client_name> is the name you specify to identify the client. You can verify the client registration using the
       exe nethsm diagnose
   command.
8. Assign the client you registered to the partition you created in step 2 using the following command:
       lunash:> client assignPartition -client <client_name> -partition <partition_name>
   You can verify the assignment using the following command:
       lunash:> client show -client <client_name>
9. Repeat the client assignment process for any additional partitions you have created for FortiProxy.
10. In FortiProxy, generate a certificate signing request (CSR) that includes the HSM configuration information.
    The CSR generation process creates a private key on both the HSM and FortiProxy. The private key on the HSM is the "real" key that secures communication when FortiProxy uses the signed certificate. The key on FortiProxy only carries the HSM server information for when you upload the certificate to FortiProxy.
11. Download the certificate request (.csr) file under System > Certificates > Local Certificates in FortiProxy.
12. Upload the certificate request (.csr) file to your certificate authority (CA) under System > Certificates > Create/Import > CA Certificate. See Import a CA certificate.
13. Upload the HSM server certificate (obtained in step 3) under System > Certificates > Create/Import > Certificate. See Import a local certificate.
14. You can then use the HSM server in a policy or server pool configuration by referencing the HSM certificate.
15. If the server or client changes, you must reconfigure the FortiProxy-HSM integration: delete the intermediate CA, delete the server and partitions, and then reset the configuration using the
        exe nethsm reset
    command on FortiProxy.

To configure FortiProxy HA with SafeNet Network HSM, follow the steps below:
- Enable HA with HSM by running the following command on the FortiProxy:
      config system nethsm
          set ha enable
      end
- Disable the Network Trust Links (NTLs) IP check (ntls ipcheck) on the HSM server.
- Configure multiple HSM servers with the same software version and multiple partitions with the same domain name and password. Refer to the steps above for instructions about creating a single HSM server or partition. Alternatively, use the
      config system nethsm
  command on the FortiProxy to set up the HA cluster with HSM:
      config system nethsm
          set ha enable
          config hagroups
              edit "hagroup1"
                  set member "partition_1" "partition_2"
              next
          end
          config slots
              edit "partition_1"
                  set id 0
                  set password <password>
              next
              edit "partition_2"
                  set id 1
                  set password <password>
              next
              edit "hagroup1"    # virtual slot created by a background process; it is used to create the CSR
                  set id 5
                  set password <password>
              next
          end
      end
- Register each client to all HSM servers. Refer to the steps above for instructions about registering a client to an HSM server.
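The HSM server certificate copied in step 3 is what FortiProxy trusts for every later key operation, so it is worth confirming, before it is pasted into set server-cert, that the file you copied over SCP is the one the HSM actually presents. The following Python script is an added example and is not part of the Fortinet documentation or of FortiProxy: it parses a PEM file, computes the SHA-256 fingerprint of the DER certificate (the same value that openssl x509 -noout -fingerprint -sha256 prints) and compares it, in constant time, with a fingerprint obtained from the HSM administrator out of band. The file name, the expected fingerprint and the sample PEM body are constructed placeholders; a truncated copy or a file carrying more than one certificate is reported instead of being accepted.

```python
import base64
import hashlib
import hmac
import re
import sys

# One complete BEGIN/END block; re.S lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return a list of DER byte strings, one per certificate in the PEM text.

    Raises ValueError if no complete BEGIN/END block is present (for example a
    copy that was cut short) or if a base64 body is malformed.
    """
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no complete CERTIFICATE block found in PEM input")
    ders = []
    for body in blocks:
        body = re.sub(r"\s+", "", body)
        try:
            # validate=True rejects stray characters; binascii.Error is a ValueError
            ders.append(base64.b64decode(body, validate=True))
        except ValueError as exc:
            raise ValueError("malformed base64 in certificate body") from exc
    return ders


def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint, in openssl's layout."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Accept 'AB:CD:...', 'abcd...' or 'SHA256 Fingerprint=AB:CD:...' forms."""
    fp = fp.split("=")[-1]
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def verify_pem_fingerprint(pem_text, expected_fp):
    """True only if the PEM holds exactly one certificate whose SHA-256
    fingerprint equals expected_fp.

    A file with several certificates is deliberately treated as a mismatch so
    that it is inspected rather than pasted into the configuration as-is.
    """
    ders = pem_to_der(pem_text)
    if len(ders) != 1:
        return False
    actual = normalize_fingerprint(sha256_fingerprint(ders[0]))
    return hmac.compare_digest(actual, normalize_fingerprint(expected_fp))


# Constructed sample: the base64 body "YWJj" decodes to b"abc" and stands in
# for a real DER certificate so that the expected hash is known in advance
# (SHA-256 of "abc" is ba7816bf...15ad). A real server.pem is much longer.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_EXPECTED = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def main(argv):
    # Usage: check_hsm_cert.py server_<hsm_ip>.pem <sha256-from-hsm-admin>
    if len(argv) != 3:
        print("usage: check_hsm_cert.py <server.pem> <expected-sha256-fingerprint>")
        return 2
    with open(argv[1], encoding="ascii") as fh:
        pem = fh.read()
    try:
        ok = verify_pem_fingerprint(pem, argv[2])
    except ValueError as exc:
        print("unusable PEM file: %s" % exc)
        return 1
    if ok:
        print("fingerprint matches; safe to use in set server-cert")
        return 0
    print("FINGERPRINT MISMATCH or multiple certificates; do not configure this file")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file produced by the scp step together with the fingerprint the HSM administrator reports, and only paste the certificate into the FortiProxy configuration when the script exits 0.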