
Administration Guide

Integrating FortiProxy with SafeNet Luna Network HSM

A hardware security module (HSM) is a dedicated device for managing digital keys and performing cryptographic operations. An HSM can be a plug-in card or an external device directly connected to a computer or network server. Purposefully designed to protect the crypto-key life cycle, HSMs have been used by some of the world's most security-conscious entities to protect their cryptographic infrastructure by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

Because of their strengths in securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications, HSMs have been used by enterprises worldwide to safeguard their online transactions, identities, and applications.

Starting from version 2.0, FortiProxy integrates with SafeNet Luna Network HSM. This lets FortiProxy retrieve a per-connection SSL session key from the HSM server instead of loading the private key and certificate stored on FortiProxy. The HSM integration supports active-passive and active-active HA modes, but not active-passive configuration synchronization (config-sync). A local certificate that uses the HSM can be synchronized to peer FortiProxy appliances, but it may NOT function properly on those peers.

To integrate FortiProxy with SafeNet Luna Network HSM:
  1. Check whether the FortiProxy is already registered with the HSM by connecting to the HSM: ssh admin@<hsm_ip>.

    If the FortiProxy IP is listed under the HSM client list, clear the existing configuration by running the following commands:

    • client revokePartition -client <fortiproxy_ip> -partition fortiproxy
    • client delete -client <fortiproxy_ip> -force
  2. Create and initialize a new HSM partition that uses password authentication, using the partition create command on the HSM. An HSM partition is a global configuration that can be used from individual VDOMs.
    Note

    This is the partition FortiProxy uses on the HSM server. You can create more than one partition, but all the partitions are assigned to the same client. For more information, see the SafeNet Luna Network HSM documentation.

  3. Retrieve the server certificate file from the HSM server using the SCP utility and the following command:
    scp <hsm_username>@<hsm_ip>:server.pem /usr/lunasa/bin/server_<hsm_ip>.pem
  4. Configure the HSM by running the config system nethsm command on the FortiProxy. You need to specify the HSM server certificate and the partition name and password. See config

    config system nethsm
        set status enable
        set interface "port1"
        config servers
            edit "us_hsm"
                set server "172.30.30.13"
                set server-cert "copy over the HSM server certificate from previous step"
                set htl disable
            next
        end
        config slots
            edit "fortiproxy"
                set id <partition name on the HSM server>
                set password <partition password on the HSM server>
            next
        end
    end

    The HSM configuration also generates a default FortiProxy client certificate, which can be displayed by running the execute nethsm client-cert-show command. To re-generate the client certificate, run the execute nethsm client-cert-create command.

  5. Export the FortiProxy client certificate to a local PC using the following command: execute nethsm client-cert-export.
  6. Send the FortiProxy client certificate to the HSM using the SCP utility and the following command:
    scp <fortiproxy_ip>.pem admin@<hsm_ip>:
  7. Connect to the HSM server using an admin account via SSH and register a client for FortiProxy on the HSM server using the following command, where <client_name> is the name you specify to identify the client:
    lunash:> client register -c <client_name> -ip <fortiproxy_ip>

    You can verify the client registration using the exe nethsm diagnose command.

  8. Assign the client you registered to the partition you've created in step 2 above using the following command:

    lunash:> client assignPartition -client <client_name> -partition <partition_name>

    You can verify the assignment using the following command:
    lunash:> client show -client <client_name>
  9. Repeat the client assignment process for any additional partitions you've created for FortiProxy.
  10. In FortiProxy, generate a certificate signing request (CSR) that includes the HSM's configuration information.

    The CSR generation process creates a private key on both the HSM and FortiProxy. The private key on the HSM is the "real" key that secures communication when FortiProxy uses the signed certificate. The key on FortiProxy only carries the HSM server information that is used when you upload the signed certificate to FortiProxy.

  11. Download the certificate request (.csr) file under System > Certificates > Local Certificates in FortiProxy.
  12. Upload the certificate request (.csr) file to your certificate authority (CA) under System > Certificates > Create/Import > CA Certificate. See Import a CA certificate.
  13. Upload the HSM server certificate (obtained in step 3) under System > Certificates > Create/Import > Certificate. See Import a local certificate.
  14. You can then use the HSM server in a policy or server pool configuration by referencing the HSM certificate.
  15. If the server or client changes, you must reconfigure the FortiProxy-HSM integration: delete the intermediate CA, delete the server and partitions, and then reset the configuration using the exe nethsm reset command on FortiProxy.
  16. To configure FortiProxy HA with SafeNet Network HSM, follow the steps below:
    1. Enable HA with HSM by running the following command on the FortiProxy:

      config system nethsm
          set ha enable
      end

    2. Disable the Network Trust Link (NTL) IP check (ntls ipcheck) on the HSM server.
    3. Configure multiple HSM servers with the same software version and multiple partitions with the same domain name and password. Refer to the steps above for instructions about creating a single HSM server or partition. Alternatively, use the config system nethsm command on the FortiProxy to set up the HA cluster with HSM:

      config system nethsm
          set ha enable
          config hagroups
              edit "hagroup1"
                  set member "partition_1" "partition_2"
              next
          end
          config slots
              edit "partition_1"
                  set id 0
                  set password <password>
              next
              edit "partition_2"
                  set id 1
                  set password <password>
              next
              edit "hagroup1"
                  set id 5
                  set password <password>
              next
          end
      end

      The "hagroup1" slot is a virtual slot created by a background process; it is the slot used to create the CSR.

    4. Register each client to all HSM servers. Refer to the steps above for instructions about registering a client to an HSM server.
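The nethsm blocks in step 4 and step 16.3 are easy to get wrong by hand: an extra end pushes a nested table out of the block, a <password> placeholder gets pasted as-is, or an hagroup names a partition that no slot defines. The following Python script is an added example, not Fortinet code or part of this guide. It assumes only the config/edit/set/next/end structure shown above; the check names, the sample address, file name and password are constructed for the example, and FortiProxy does not ship such a linter.

```python
# Added example (not Fortinet code): lint a FortiProxy 'config system nethsm'
# block before pasting it into the CLI. Sample configs below are constructed.
import re
import shlex
from textwrap import dedent

PLACEHOLDER = re.compile(r"<[^>]*>")  # e.g. <password> left unfilled


def parse_fortios_config(text):
    """Return (tree, errors): 'config'/'edit' open a nested dict, 'set' stores
    its values as a list, 'next' closes an edit and 'end' closes a config."""
    root, errors = {}, []
    stack = [("root", root)]  # (block kind, node being filled)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if PLACEHOLDER.search(line):
            errors.append(f"line {lineno}: unresolved placeholder in '{line}'")
            continue
        kw, *args = shlex.split(line)
        kind, node = stack[-1]
        if kw in ("config", "edit"):
            stack.append((kw, node.setdefault(" ".join(args), {})))
        elif kw == "set" and args:
            node[args[0]] = args[1:]
        elif kw in ("next", "end"):
            expected = "edit" if kw == "next" else "config"
            if kind == expected:
                stack.pop()
            else:
                errors.append(f"line {lineno}: '{kw}' does not close an open '{expected}' block")
        else:
            errors.append(f"line {lineno}: unrecognised line '{line}'")
    errors += [f"unclosed '{kind}' block at end of input" for kind, _ in stack[1:]]
    return root, errors


def lint_nethsm(tree):
    """Semantic checks the parser alone cannot make."""
    nethsm = tree.get("system nethsm")
    if nethsm is None:
        return ["no 'config system nethsm' block found"]
    findings = []
    if nethsm.get("status") != ["enable"]:
        findings.append("status is not 'enable'")
    servers, slots = nethsm.get("servers", {}), nethsm.get("slots", {})
    findings += [f"server '{n}' has no server-cert" for n, s in servers.items() if not s.get("server-cert")]
    findings += [f"slot '{n}' has no partition password" for n, s in slots.items() if not s.get("password")]
    if nethsm.get("ha") == ["enable"]:
        hagroups = nethsm.get("hagroups", {})
        if not hagroups:
            findings.append("ha is enabled but no hagroups are defined")
        for gname, group in hagroups.items():
            findings += [f"hagroup '{gname}' references undefined slot '{m}'"
                         for m in group.get("member", []) if m not in slots]
    return findings


def check_nethsm_config(text):
    tree, errors = parse_fortios_config(text)
    return errors + lint_nethsm(tree)  # empty list: nothing found


# Constructed well-formed HA sample; the address, file name and password are fake.
GOOD_HA_CONFIG = dedent("""\
    config system nethsm
        set status enable
        set ha enable
        config servers
            edit "us_hsm"
                set server "172.30.30.13"
                set server-cert "server_172.30.30.13.pem"
            next
        end
        config hagroups
            edit "hagroup1"
                set member "partition_1" "partition_2"
            next
        end
        config slots
            edit "partition_1"
                set password "example-only"
            next
            edit "partition_2"
                set password "example-only"
            next
        end
    end
""")

# Constructed broken sample: a stray 'end' after hagroups closes the nethsm block
# early, so 'config slots' lands outside it, and one password is left as <password>.
BROKEN_CONFIG = GOOD_HA_CONFIG.replace(
    "    end\n    config slots", "    end\nend\n    config slots", 1
).replace('set password "example-only"', "set password <password>", 1)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_HA_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_nethsm_config(cfg) or "no findings")
```

Run it on the text you intend to paste; the broken sample reproduces the misplaced end that pushes the slots table out of the nethsm block, which shows up both as a parse error and as hagroup members that no slot defines.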
