U Configuring HSM Support
Introduction
A Hardware Security Module (HSM) is a device that can be attached to a server system to manage digital keys. It provides both logical and physical protection of these materials from non-authorized use.
HSM support within RUEI is based on OpenSSL. A detailed description of the OpenSSL project is available at http://www.openssl.org/. The monitoring support provided by RUEI has been verified against the nCipher product line. However, other OpenSSL-based implementations should also work.
Installing and Configuring the HSM Vendor Software
To install and configure the HSM Vendor software, do the following:
Configuring the Collector Systems
To configure the required Collector systems, do the following:
Note:
If the Collector running on the Reporter system (identified by localhost) is not used for HSM integration, or is disabled in your environment, you should still prepare this Collector for HSM integration, because SSL key verification is performed by the localhost Collector. Make sure this Collector is enabled while uploading the HSM key to RUEI. Once the key is uploaded, the localhost Collector may be disabled again.
Configuring HSM Keys
In order for RUEI to be able to decrypt any HSM-encrypted traffic, you will first need to import your existing HSM keys into RUEI. You need to ensure that they are in the embed format and are module protected. All keys must be stored within the HSM device as module protected. That is, a module key is used to protect user authentication tokens. Such keys have no passphrase, and can be accessed by any application that is connected to the HSM device within the appropriate security domain. Note that this description is specific to the nCipher product line.
If your existing keys do not meet the above requirements, you will need to retarget them before importing them into RUEI. Consult your HSM vendor documentation for information on the procedure to do this.
After generation or retargeting, a special PEM file is created by the HSM software. This file can be imported into RUEI (as described in Managing SSL Keys). Note that the public certificate must be included in the PEM file. If the generated PEM file does not contain the public certificate, you will need to manually append it to the PEM file. The special PEM file does not actually contain the SSL key, but references the key that is stored on the HSM.
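The following shell script is an added example, not part of the RUEI documentation or the HSM vendor software. It checks a generated PEM file before upload: it lists the PEM block labels, confirms that both a private-key block and a CERTIFICATE block are present, and, if the public certificate is missing, appends it from a separate certificate file. The sample file contents in demo are constructed placeholders (the key body is not a real HSM key reference, and the "RSA PRIVATE KEY" label is an assumption about the vendor's embed format); file names such as hsmkey.pem and server.crt are hypothetical.

```shell
#!/bin/sh
# Pre-upload check for an HSM key PEM file: the file must hold a
# private-key reference block and the matching public certificate.

# pem_labels FILE -> prints the label of every "-----BEGIN ...-----" line
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_has_label FILE LABEL -> exit 0 if the file contains a block with that label
pem_has_label() {
    pem_labels "$1" | grep -qx -- "$2"
}

# pem_check FILE -> prints "ok", "missing-key" or "missing-cert" (always exits 0)
pem_check() {
    if ! pem_labels "$1" | grep -q 'PRIVATE KEY$'; then
        echo missing-key
    elif ! pem_has_label "$1" CERTIFICATE; then
        echo missing-cert
    else
        echo ok
    fi
}

# pem_append_cert KEYFILE CERTFILE -> appends the CERTIFICATE block(s) from
# CERTFILE to KEYFILE when KEYFILE has none; a .bak copy is kept first
pem_append_cert() {
    pem_has_label "$1" CERTIFICATE && return 0
    pem_has_label "$2" CERTIFICATE || { echo "no certificate block in $2" >&2; return 1; }
    cp -- "$1" "$1.bak"
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$2" >> "$1"
}

# demo -> builds constructed sample files in a temp dir, runs the check before
# and after appending the certificate, and prints both results on one line
demo() {
    dir=$(mktemp -d)
    # Constructed placeholder: an HSM "embed" PEM references the key, it does not contain it
    cat > "$dir/hsmkey.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERHSMKEYREFERENCE
-----END RSA PRIVATE KEY-----
EOF
    # Constructed placeholder public certificate
    cat > "$dir/server.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
EOF
    before=$(pem_check "$dir/hsmkey.pem")
    pem_append_cert "$dir/hsmkey.pem" "$dir/server.crt"
    after=$(pem_check "$dir/hsmkey.pem")
    echo "$before $after"
    rm -rf "$dir"
}
```

Run pem_check against the PEM file produced by the HSM software; only a file that reports ok should be uploaded in Managing SSL Keys. The demo function prints "missing-cert ok", showing the file failing the check before the certificate is appended and passing afterwards.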
Verifying Correct Monitoring of HSM-Based Traffic
To verify that the keys stored on the HSM device are being successfully decrypted, review the information within the SSL encryption tab in the Collector Statistics window. The use of this facility is described in Viewing the Status of the Collectors.