Fortinet Document Library

Cookbook 6.1.0
Configuring the NetHSM profile on FortiAuthenticator

To configure a new SafeNet Luna HSM server:
  1. In FortiAuthenticator, go to System > Administration > NetHSMs, and click Create New.
  2. In the Create New HSM Server window, configure the following:
    Name: Enter a name for the HSM server.
    Server IP/FQDN: Enter the IP address or FQDN of the HSM server to which the FortiAuthenticator will connect.
    Partition Password: Enter the key partition password from the HSM server.
    Client IP: Enter the address of the FortiAuthenticator interface that the HSM will see.
    Upload server certificate: Click Upload server certificate to select the certificate from your HSM.

  3. Click OK to complete the setup.

To authorize FortiAuthenticator as a SafeNet Luna HSM client:
  1. Make sure the FortiAuthenticator client certificate uses the <FAC IP>.pem naming convention. For example: 172.16.68.47.pem
  2. Upload the FortiAuthenticator client certificate to the SafeNet Luna HSM using SCP:

    scp [certificate filename] admin@[HSM address]:

  3. Use SSH to connect to the HSM, then register your FortiAuthenticator, and associate it with a partition.

    ssh -l admin [HSM address]

    client register -c [client name] -ip [client address]

    client assignpartition -c [client name] -p [partition name]

  4. Confirm the status of the NetHSM client. For example:

    client show -c my_fac

    ClientID: my_fac

    IPAddress: 172.16.68.47

    Partitions: my_partition
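Two pre-flight checks for the client-authorization steps above, added here as an example and not part of the Fortinet document: one confirms the client certificate file is named after the client IP as the `<FAC IP>.pem` convention requires, the other parses captured `client show` output to confirm the registration and partition assignment took effect. The function names and the sample `client show` output are constructed for this example.

```shell
#!/bin/sh
# Added example, not Fortinet's or SafeNet's own tooling.

# Return 0 if the certificate file follows the <FAC IP>.pem convention and is
# named after the exact client IP that will be passed to `client register`.
check_cert_name() {
    cert="$1"
    client_ip="$2"
    case "$cert" in
        *.pem) ;;
        *) echo "not a .pem file: $cert" >&2; return 1 ;;
    esac
    base="${cert##*/}"      # strip any directory part
    base="${base%.pem}"     # strip the extension
    # The HSM matches the client by this name, so it must equal the client IP.
    if [ "$base" != "$client_ip" ]; then
        echo "certificate name '$base' does not match client IP '$client_ip'" >&2
        return 1
    fi
    # Reject anything that is not a dotted-quad IPv4 address.
    printf '%s\n' "$base" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    return 0
}

# Parse the text printed by `client show -c <name>` and confirm the client is
# registered with the expected IP and assigned to the expected partition.
check_client_registration() {
    output="$1"; name="$2"; ip="$3"; partition="$4"
    got_id=$(printf '%s\n' "$output" | sed -n 's/^[[:space:]]*ClientID:[[:space:]]*//p')
    got_ip=$(printf '%s\n' "$output" | sed -n 's/^[[:space:]]*IPAddress:[[:space:]]*//p')
    got_parts=$(printf '%s\n' "$output" | sed -n 's/^[[:space:]]*Partitions:[[:space:]]*//p')
    [ "$got_id" = "$name" ] || return 1
    [ "$got_ip" = "$ip" ] || return 1
    # Partitions may be a comma-separated list; require exact membership.
    printf '%s\n' "$got_parts" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "$partition"
}

# Constructed sample, modelled on the `client show` output shown in step 4.
SAMPLE_SHOW='ClientID: my_fac
IPAddress: 172.16.68.47
Partitions: my_partition'
```

Run `check_cert_name 172.16.68.47.pem 172.16.68.47` before the SCP step, and paste the real `client show` output into `check_client_registration` after step 4.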
