system nethsm
Use this command to configure Securosys Primus HSM integration on FortiWeb. This step follows enabling HSM and specifying primus as the manufacturer in config server-policy setting.
Integrating with Securosys Primus HSM offloads cryptographic operations to a dedicated hardware security module, ensuring strong key protection and efficient processing. Once configured, FortiWeb utilizes the HSM for SSL/TLS key management, digital signatures, and secure encryption/decryption, leveraging hardware acceleration to enhance security and compliance with high-assurance standards.
Prerequisites
Before configuring Securosys Primus HSM on FortiWeb, ensure the following prerequisites are met. These credentials and files are required when setting up PKCS#11 PIN authentication on FortiWeb:
- Active account with HSM username, setup password, and PKCS#11 password.
- PKCS#11 API provider installed on the client machine.
- Primus HSM configuration file obtained and configured.
- Client registered to the HSM server and permanent secret retrieved.
After you save this configuration, FortiWeb validates the configuration file and partition parameters. If all values match the expected HSM settings, the Primus HSM integration is established. At this point, cryptographic operations can be performed securely using the configured partition.
Next steps:
- Generate a Local CSR on FortiWeb — Create a CSR on FortiWeb with the Primus HSM enabled, selecting the appropriate HSM partition.
- Obtain a Signed Certificate — Download the CSR, submit it to a Certificate Authority (CA) for signing, and retrieve the signed certificate.
- Import the Signed Certificate into FortiWeb — Upload the signed certificate to FortiWeb for use in SSL/TLS encryption.
- Apply the Certificate in Server Policy — Assign the imported certificate to the relevant server policy to secure traffic with HSM-backed encryption.
For the complete configuration workflow of Securosys Primus HSM on FortiWeb, refer to the FortiWeb Administration Guide.
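A check that fits between obtaining the signed certificate and importing it: because the CSR's key pair is held in the HSM partition, only a certificate carrying the CSR's public key is usable. The script below is an added example, not Fortinet or Securosys code; it assumes OpenSSL on the administrator's workstation and PEM files, and the file names are placeholders.

```shell
#!/bin/sh
# Added example: confirm a CA-signed certificate carries the same public key
# as the CSR generated on FortiWeb, before importing it.
# Assumption: both files are PEM and were downloaded to this workstation.

# Print the PEM public key embedded in a CSR ("csr") or certificate ("cert").
pubkey_pem() {
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Print the SHA-256 of the DER-encoded SubjectPublicKeyInfo; fail if unreadable.
spki_sha256() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_csr() {
    csr_fp=$(spki_sha256 csr "$1") || { echo "unreadable CSR: $1" >&2; return 2; }
    cert_fp=$(spki_sha256 cert "$2") || { echo "unreadable certificate: $2" >&2; return 2; }
    if [ "$csr_fp" = "$cert_fp" ]; then
        echo "match: public key SHA-256 $cert_fp"
    else
        echo "MISMATCH: csr=$csr_fp cert=$cert_fp" >&2
        return 1
    fi
}

# Usage: sh check_cert.sh fortiweb.csr signed.crt   (file names are placeholders)
if [ "$#" -eq 2 ]; then
    cert_matches_csr "$1" "$2"
fi
```

A mismatch usually means the CA returned a certificate for a different request, or the CSR was regenerated after submission.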
Syntax
config system nethsm
  set primus-cfg-version <version_number>
  config partitions
    edit <entry_index>
      set pkcs11-pin <pin>
    next
  end
end
| Variable | Description | Default |
|---|---|---|
| status {enable\|disable} | Enable to activate the Primus HSM integration. | disable |
| primus-cfg <cfg_content> | The content of the Primus configuration file. | No default. |
| primus-cfg-version <version_number> | The version tracker for the Primus HSM configuration file. | No default. |
| config partitions | | |
| <entry_index> | Enter the index number of the individual entry in the table. The valid range is from 1–9,999,999,999,999,999,999. | No default. |
| name <partition_name> | Define the partition name. This value must exactly match the For more information, see the Securosys documentation. | No default. |
| pkcs11-pin <pin> | Enter the PKCS#11 authentication PIN required to establish a secure session with the HSM. This PIN is used for cryptographic operations and must correspond to the PIN configured on the HSM. | No default. |
| | Provide the Permanent Secret associated with the partition. This secret serves as a cryptographic key to authenticate and encrypt communications between FortiWeb and the HSM. | No default. |
| | Specify the Slot ID corresponding to the HSM partition. This value must match the For more information, see the Securosys documentation. | 0 |