Configure network Hardware Security Module (HSM) support

A network HSM device can be registered with the local management interface. WebSEAL can then be configured to use that HSM for secure storage of the private keys that back its SSL certificates, so the keys never leave the device.

The appliance supports the use of the following HSM devices:

  • nCipher nShield Connect
  • SafeNet Luna SA

The appliance can connect to a maximum of one nCipher nShield Connect device and to multiple SafeNet Luna SA devices.

Perform the following steps to configure WebSEAL for the network HSM device.

Steps

  1. Create a network key file with the local management interface.

    1. Select System > Secure Settings > SSL Certificates.

    2. From the menu bar, click New.

    3. On the Create SSL Certificate Database page, enter the name of the certificate database to create.

    4. Select Network as the type of the certificate database.

    5. Complete the Token Label and Passcode fields.

    6. Select the HSM type.

      • If we select nCipher nShield Connect as the HSM type, complete the HSM IP Address and RFS IP Address fields on the nCipher nShield Connect tab. The rest of the fields are optional.

      • If we select SafeNet Luna SA as the HSM type, complete the IP Address and Admin Password fields on the SafeNet tab. You can use the appliance to manage the certificates contained on the HSM device. However, some operations, such as certificate extract, are not supported.

    7. Click Save.

  2. Edit the WebSEAL configuration file directly or through the Edit panel in the local management interface to make the following changes.

    1. Set the value of the pkcs11-keyfile configuration entry in the [ssl] stanza to the name of the network certificate database that you created in step 1. That pkcs11 key file holds the connection details (token label, passcode, and HSM addresses) for the network HSM device.

    2. Set the webseal-cert-keyfile-label configuration entry in the [ssl] stanza, which defines the label of the WebSEAL server certificate, to the label of a certificate whose private key is stored on the HSM device. WebSEAL then uses that key for its SSL server certificate.

  3. Restart WebSEAL for the changes to take effect.
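As an added illustration of step 2 (not taken from the original page or from the product's own sample configuration), the resulting entries in the [ssl] stanza of the WebSEAL configuration file might look like this. The database name hsm_keys and the certificate label webseal-hsm-cert are assumed values; substitute the name and label you chose in step 1.

```ini
[ssl]
# Name of the network certificate database created in the LMI under
# System > Secure Settings > SSL Certificates (step 1). The value "hsm_keys"
# is an assumed name; use the name you entered on the Create SSL Certificate
# Database page.
pkcs11-keyfile = hsm_keys

# Label of the WebSEAL server certificate whose private key is held on the
# HSM. "webseal-hsm-cert" is an assumed label; it must match a certificate
# that exists in the network database above.
webseal-cert-keyfile-label = webseal-hsm-cert
```

Before restarting, confirm that the label matches a certificate listed for that database in the local management interface; if the label does not resolve to a certificate on the HSM, WebSEAL cannot load its server certificate. Note that on a SafeNet Luna SA the private key cannot be extracted through the appliance, so keep a separate, controlled backup procedure for the HSM itself.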

Parent topic: Cryptographic hardware for encryption and key storage