A Hardware Security Module (HSM) provides both logical and physical protection of sensitive data from non-authorized use and potential adversaries. In an HSM environment, the key file is stored on the HSM and retains an additional layer of access control to prevent its movement.
Complete the following tasks:
- Install the HSM in your environment.
- Create and configure the nCipher security world.
- See the information about SSL key operations.
To provide the best possible support for the HSM in use, the HSM has specific prerequisites that it must meet.
- The drivers that are provided with the card must be OpenSSL-aware.
- The card must be configured to provide non-apparent access at startup.
- Verify that the key installation works on system reboot.
For more information about meeting these prerequisites, see nCipher application interfaces in the nShield/payShield documentation provided with your nCipher product.
When the above mentioned requirements are met, Tealeaf can transparently access the true private keys by creating an alias. It can also reference keys that are generated by the SSL keys that are provided. Tealeaf creates reference keys to access the keys that are stored on the HSM. The keys used by the Tealeaf run time inherit the protective measures that are offered by the HSM.
The following topics describe a general method for integrating Tealeaf with SSL keys stored on a Hardware Security Module (HSM) for nCipher nShield products.
- This method must be customized for your HSM solution.
- This method applies to the nCipher nShield, payShield, and payShield Ultra modules.
Integrate with HSM
To integrate Tealeaf with the nCipher nShield key management system, apply these general instructions to your specific environment.
The nCipher generatekey utility creates equivalent reference PEM key files. These reference key files are used by Passive Capture for conversion to its encrypted PTL format by using the PEM2PTL script.
- Confirm that Linux™ and the Passive Capture software are installed and that the CX Passive Capture Application server boots up successfully.
- Verify that nCipher card and software is properly installed, including the smart card reader.
Note: For more information, see Testing the installation in the nShield/payShield documentation.
- Install the nCipher software on the PCA server.
- Add the nCipher CHIL library directory (/opt/nfast/toolkits/hwcrhk) to the load library path in the /etc/ld.so.conf file, if it is not present.
- Reboot the PCA server to confirm that it boots up successfully.
- Run the kernel module list command (lsmod) to confirm that the nCipher kernel module is loaded.
- On the HSM, create the security world for key import.
- Generate and/or import the PEM key files to the HSM.
Note: For more information, read Generating and importing keys in the nShield/payShield documentation.
- Verify that the keys are listed in KeySafe.
- On the PCA server, run the nCipher utility to list the keys in the nCipher security world:
/opt/nfast/bin/nfkminfo -l
- Confirm that Passive Capture is running and decrypting SSL traffic.
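The two host-side checks in this procedure (the /etc/ld.so.conf entry and the lsmod check) are easy to get wrong in a way that only shows up after a reboot: a duplicate ld.so.conf line, or a module that is present on disk but not loaded. The following POSIX shell helpers are an added example, not part of the Tealeaf or nCipher documentation. They make the ld.so.conf step idempotent and check lsmod-style output for a module name. The CHIL directory comes from the procedure above; the kernel module name nfp and the use of a file argument instead of /etc/ld.so.conf directly are assumptions so the functions can be exercised against a temporary file.

```shell
#!/bin/sh
# Added example (not from the Tealeaf or nCipher documentation).
# CHIL_DIR is the directory named in the procedure; "nfp" is an ASSUMED
# module name, substitute whatever your nCipher install loads.
CHIL_DIR="/opt/nfast/toolkits/hwcrhk"

# ensure_ldconf_entry FILE DIR
# Append DIR to FILE only if no existing line is exactly DIR, so running
# the step twice never produces a duplicate entry. Returns 0 when the
# entry is present afterwards.
ensure_ldconf_entry() {
    file="$1"
    dir="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF "$dir" "$file"; then
        return 0
    fi
    printf '%s\n' "$dir" >> "$file"
    grep -qxF "$dir" "$file"
}

# count_ldconf_entry FILE DIR
# Print how many lines of FILE equal DIR; 1 is the expected result.
count_ldconf_entry() {
    grep -cxF "$2" "$1"
}

# module_loaded MODULE
# Read lsmod-style output on stdin (header line, then "name size used by")
# and exit 0 only if MODULE appears in the first column of a data line.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Typical use on the PCA server (requires root for the real file):
#   ensure_ldconf_entry /etc/ld.so.conf "$CHIL_DIR" && ldconfig
#   lsmod | module_loaded nfp || echo "nCipher kernel module not loaded"
```

After the entry is in place, run ldconfig as root so the dynamic loader cache picks up the new directory; the reboot in the procedure also accomplishes this, but running ldconfig first lets you confirm the library resolves before rebooting.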
Disable HSM
To disable HSM integration from starting at Passive Capture boot time, complete the following steps. This procedure must be done before removal of the hardware to allow Passive Capture to boot without the Hardware Security Module (HSM).
- Create a DISABLED directory in /etc/init.d.
- Move the nCipher scripts from /etc/init.d to the DISABLED directory.
- Restart Passive Capture.