
Cookbook

Configuring the NetHSM profile on FortiAuthenticator

To configure a new Safenet Luna HSM server:
  1. In FortiAuthenticator, go to System > Administration > NetHSMs, and click Create New.
  2. In the Create New HSM Server window, configure the following:
    Name: Enter a name for the HSM server.
    Server IP/FQDN: Enter the IP address or FQDN of the HSM server to which the FortiAuthenticator will connect.
    Partition Password: Enter the key partition password from the HSM server.
    Client IP: Enter the address of the FortiAuthenticator interface that the HSM will see.
    Upload server certificate: Click Upload server certificate to select the certificate from your HSM.
  3. Click OK to complete the setup.
To authorize FortiAuthenticator as a Safenet Luna HSM client:
  1. Make sure the FortiAuthenticator client certificate uses the <FAC IP>.pem naming convention. For example: 172.16.68.47.pem
  2. Upload the FortiAuthenticator client certificate to Safenet Luna HSM using SCP transfer.

    scp [certificate filename] admin@[HSM address]:

  3. Use SSH to connect to the HSM, then register your FortiAuthenticator, and associate it with a partition.

    ssh -l admin [HSM address]

    client register -c [client name] -ip [client address]

    client assignpartition -c [client name] -p [partition name]

  4. Confirm the status of the NetHSM client. For example:

    client show -c my_fac

    ClientID: my_fac

    IPAddress: 172.16.68.47

    Partitions: my_partition
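The two places this procedure most often goes wrong are the client certificate file name (step 1 of the authorization procedure) and a registration that silently ends up on the wrong IP or partition (step 4). The script below is an added example, not part of the Fortinet cookbook or of the Luna tooling: it checks that a certificate file name follows the <FAC IP>.pem convention (and, if the file is present, that it contains a PEM certificate block), and it parses the output of client show to confirm the client ID, IP address and partition assignment match what you intended. The function names, the sample file names and the SAMPLE_CLIENT_SHOW text are constructed; the parser assumes the Key: value layout shown in the example output above.

```shell
#!/bin/sh
# Added example (not Fortinet's or SafeNet's code): pre-flight and post-registration
# checks for the Luna HSM client enrolment described above. File names, IPs and the
# 'client show' text below are constructed sample values; the parser assumes the
# 'Key: value' layout shown on the page.

# 1. Pre-flight: does the client certificate file follow the <FAC IP>.pem convention,
#    and, if the file exists, does it actually contain a PEM certificate block?
check_client_cert_name() {
  file="$1"
  base=$(basename "$file")
  ip="${base%.pem}"
  [ "$ip" != "$base" ] || { echo "not a .pem file: $base" >&2; return 1; }
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "file name is not an IPv4 address: $ip" >&2; return 1; }
  oldifs=$IFS; IFS=.
  for octet in $ip; do
    if [ "$octet" -gt 255 ]; then
      IFS=$oldifs; echo "octet out of range in $ip" >&2; return 1
    fi
  done
  IFS=$oldifs
  if [ -f "$file" ]; then
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
      || { echo "no PEM certificate block in $file" >&2; return 1; }
  fi
  return 0
}

# Extract one 'Key: value' field (first match, trailing whitespace stripped).
field() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# 2. Post-registration: parse 'client show -c <name>' output and confirm the client ID,
#    IP address and partition assignment are the ones you expect.
verify_client_show() {
  output="$1"; want_client="$2"; want_ip="$3"; want_partition="$4"
  got_client=$(field ClientID "$output")
  got_ip=$(field IPAddress "$output")
  got_parts=$(field Partitions "$output" | tr ',' ' ')
  [ "$got_client" = "$want_client" ] || { echo "ClientID mismatch: '$got_client'" >&2; return 1; }
  [ "$got_ip" = "$want_ip" ] || { echo "IPAddress mismatch: '$got_ip'" >&2; return 1; }
  case " $got_parts " in
    *" $want_partition "*) return 0 ;;
  esac
  echo "partition '$want_partition' not assigned (got: '$got_parts')" >&2
  return 1
}

# Constructed sample of the 'client show' output from step 4 above.
SAMPLE_CLIENT_SHOW='ClientID: my_fac
IPAddress: 172.16.68.47
Partitions: my_partition'

# Stand-alone demonstration: both checks pass on the sample values.
check_client_cert_name 172.16.68.47.pem && echo "certificate file name OK"
verify_client_show "$SAMPLE_CLIENT_SHOW" my_fac 172.16.68.47 my_partition \
  && echo "HSM client registration OK"
```

Run check_client_cert_name on the file before the scp in step 2, and feed the text returned by client show to verify_client_show after step 3; a non-zero exit with the reason on stderr tells you which of the three values to correct before FortiAuthenticator attempts to use the partition.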