How To Configure SafeNet Network HSM and integrate it with Palo Alto Networks Firewall
Created On 10/22/19 10:04 AM - Last Modified 10/23/19 09:10 AM
Objective
The purpose of this article is to provide the steps required to configure a SafeNet Network HSM and integrate it with a Palo Alto Networks firewall.
Environment
Firewall running PAN-OS 8.0.x or above
SafeNet Network HSM running version 6.2.2-5
Firewall IP address 1.2.3.4
Linux Client IP address 192.168.1.100
Procedure
Step 1: SSH to the HSM and check its running software version. The firewall's HSM client version must be changed to match it in Step 4.
[local_host] lunash:>hsm show
   Appliance Details:
   ==================
   Software Version:               6.2.2-5
Step 2: Create a partition on the HSM if one is not already created
1) Log in to the HSM using the HSM Administrator's password (this password is configured when the HSM is initialized with the "hsm init" command)
[local_host] lunash:>hsm login
Please enter the HSM Administrators' password:
> *********
'hsm login' successful.
2) Create the partition using the below command and type 'proceed' when prompted
partition create -partition <name> [-password <password>] [-domain <domain>] [-size <size>]
[local_host] lunash:>partition create -partition EXAMPLE -password EXAMPLE -label EXAMPLE -domain EXAMPLE.LOCAL
On completion, you will have this number of partitions: 1
Type 'proceed' to create the initialized partition, or
'quit' to quit now.
> proceed
'partition create' successful.
Command Result : 0 (Success)
Step 3: Add the HSM IP address to the firewall and commit the change
Device ---> Setup ---> HSM ---> Hardware Security Module Provider
Step 4: Change the HSM client version on the firewall to match the HSM software version found in Step 1
1) Check the HSM client version currently running on the firewall
show hsm client-version
admin@EXAMPLE> show hsm client-version
Current HSM Luna-SA client version is 6.2.2:
2) Change the HSM client version to the x.y.z part of the HSM software version (this requires a reboot of the firewall)
request hsm client-version x.x.x
admin@EXAMPLE> request hsm client-version 6.2.2
Executing this command will reboot the device.. Do you want to continue? (y or n)
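The version check in Steps 1 and 4 done in a script, as an added example that is not part of this article: it parses the two CLI outputs shown above (constructed here in the same shape), drops the "-5" build suffix, and prints the "request hsm client-version" command only when the firewall's client does not already match the HSM.

```shell
#!/bin/sh
# Added example, not from the article: decide whether the firewall's Luna client
# version has to be changed (and the firewall rebooted) to match the HSM.

# Constructed sample outputs, in the shape "hsm show" and
# "show hsm client-version" produce in this article.
LUNASH_HSM_SHOW='[local_host] lunash:>hsm show
   Appliance Details:
   ==================
   Software Version:               6.2.2-5'
PANOS_CLIENT_VERSION='admin@EXAMPLE> show hsm client-version
Current HSM Luna-SA client version is 6.2.2:'

# x.y.z from "Software Version: x.y.z-b"; the -b build suffix is dropped because
# "request hsm client-version" takes only x.y.z.
hsm_software_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Software Version:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# x.y.z from "Current HSM Luna-SA client version is x.y.z:" on the firewall.
firewall_client_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*client version is[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Print the PAN-OS command to run, or nothing when the client already matches.
# Returns 2 if either output could not be parsed, so a caller never acts on a guess.
client_version_action() {
    hsm=$(hsm_software_version "$1")
    fw=$(firewall_client_version "$2")
    [ -n "$hsm" ] && [ -n "$fw" ] || { echo "could not parse versions" >&2; return 2; }
    [ "$hsm" = "$fw" ] && return 0
    printf 'request hsm client-version %s\n' "$hsm"
}
```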
Step 5: Authenticate the Firewall with the HSM
request hsm authenticate server <Name of the HSM server configured on the firewall> password
admin@EXAMPLE> request hsm authenticate server EXAMPLE password
Enter password :
HSM authentication server name EXAMPLE authentication success. Please register client on HSM server and login.
Step 6: Register the firewall with the HSM
client register -c <client-name> -ip <Firewall IP address that needs to communicate with HSM>
[local_host] lunash:>client register -c EXAMPLE -ip 1.2.3.4
'client register' successful.
Command Result : 0 (Success)
Step 7: Assign the newly created or an existing partition to the client
client assignpartition -c <client-name> -p <partition-name>
[local_host] lunash:>client assignpartition -c EXAMPLE -p EXAMPLE
'client assignPartition' successful.
Command Result : 0 (Success)
Step 8: Connect to the HSM partition using the partition password
request hsm login password
admin@EXAMPLE> request hsm login password
Enter password :
HSM Login succeeded.
Once all the above steps are complete, the HSM status shown in the GUI (Device ---> Setup ---> HSM) should be green
Step 9: Import the certificate (public key) to the firewall
1) Go to Device ---> Certificate Management ---> Certificates ---> Import
2) Use File Format PEM and select the certificate from your PC
3) Check the "Private key resides on Hardware Security Module" check box
4) Commit the changes
Step 10: Import the private key to the HSM partition
If the private key does not already exist in the HSM partition, one way to import it is to configure a second client that connects to the same partition and upload the key from there.
On a Linux machine with the Luna client installed, follow the steps below to import the private key into the HSM partition
1) Go to the folder containing Luna client
cd /usr/safenet/lunaclient/bin/
2) Transfer the HSM server certificate to the client
sudo scp admin@<HSM IP address>:server.pem /usr/safenet/lunaclient/cert/server/
3) Add HSM as a server
cd /usr/safenet/lunaclient/bin/
sudo ./vtl addServer -n <HSM IP address> -c /usr/safenet/lunaclient/cert/server/server.pem -htl
4) Generate client certificate to connect to HSM
sudo ./vtl createCert -n <Linux client source IP address that is used to reach HSM>
5) Copy the client certificate to the HSM
scp /usr/safenet/lunaclient/cert/client/192.168.1.100.pem admin@<HSM IP address>:
6) Register the client and assign it the same partition that is assigned for the firewall
client register -c Linux_client -ip 192.168.1.100
client assignPartition -c Linux_client -p EXAMPLE
7) Connect to the HSM partition and authenticate with the partition password
./salogin -o -s 0 -v -i 1:1 -p <Partition password>
8) Import the private key (PEM file, RSA) into the HSM partition
/usr/safenet/lunaclient/bin/cmu importkey -in keyout.key -keyalg RSA
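Pre-flight checks for Step 10, as an added example that is neither part of this article nor of the Luna client: before vtl addServer, vtl createCert, salogin and cmu importkey are run, it confirms the plaintext key file is owner-only and PEM, prints a SHA-256 of the fetched server.pem so it can be compared with the value obtained from the HSM administrator before it is trusted, and validates the client IP that both "vtl createCert -n" and "client register -ip" must agree on. Function and argument names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: checks to run on the Linux client before
# the Step 10 commands. The key file is the one later given to "cmu importkey -in".

# True when $1 is a dotted-quad IPv4 address; the HSM authorizes the client by this
# address, so it must be the one the HSM actually sees the client connect from.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# The plaintext key sits on disk until cmu importkey succeeds (and is removed), so
# refuse to continue if anyone but the owner can read it, or if it is not PEM.
# A PKCS#8 "BEGIN PRIVATE KEY" header does not by itself prove the key is RSA,
# which the article's "-keyalg RSA" requires; check the algorithm separately if in doubt.
check_private_key() {
    [ -f "$1" ] || { echo "missing key file: $1" >&2; return 1; }
    case $(stat -c '%a' "$1") in
        600|400) ;;
        *) echo "$1 is readable by group/others; chmod 600 it first" >&2; return 1 ;;
    esac
    grep -Eq -- '^-----BEGIN (RSA )?PRIVATE KEY-----' "$1" \
        || { echo "$1 is not a PEM private key" >&2; return 1; }
}

# SHA-256 of the server.pem fetched with scp, to compare out of band with the value
# the HSM administrator provides before "vtl addServer" trusts it.
server_cert_digest() {
    [ -f "$1" ] || { echo "missing server certificate: $1" >&2; return 1; }
    sha256sum "$1" | cut -d' ' -f1
}

# Run every check: key file, server certificate, client IP. Non-zero on any failure.
luna_import_preflight() {
    key=$1; cert=$2; client_ip=$3
    check_private_key "$key" || return 1
    digest=$(server_cert_digest "$cert") || return 1
    is_ipv4 "$client_ip" || { echo "bad client IP: $client_ip" >&2; return 1; }
    echo "server.pem sha256: $digest (confirm with the HSM administrator)"
}
```

Run it as luna_import_preflight keyout.key /usr/safenet/lunaclient/cert/server/server.pem 192.168.1.100 before step 3 of this list; note that the partition password given to salogin with -p is visible in the shell history and process list on the client.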
Additional Information
References
Set Up Connectivity with a SafeNet Network HSM
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certificate-management/secure-keys-with-a-hardware-security-module/set-up-connectivity-with-hsm/set-up-connectivity-with-a-safenet-network-hsm.html