Work With A SafeNet Java HSM - TechDocs - Broadcom Inc.


Work with a SafeNet Java HSM

Configure an SSL Visibility appliance to work with an HSM appliance.

A Hardware Security Module (HSM) provides security for storing cryptographic keys and certificates. The SSL Visibility appliance is able to use a network-attached HSM appliance to store resigning CA keys, and to perform digital signature operations.

The SSL Visibility appliance interacts with an HSM on its management interface, exchanging signing requests and responses with the attached HSM appliance over HTTPS. When mutually authenticated during the SSL handshake, the SSL Visibility appliance sends the resigning CA data to the HSM; the HSM signs the data and returns the signature to the SSL Visibility appliance.

An SSL Visibility appliance can work with multiple HSM appliances, and multiple SSL Visibility appliances can work with the same HSM.

SSL Visibility Appliance to HSM Resigning CA Options:
  • One CA per HSM: the appliance goes to each CA in turn, load balancing among CAs, and in effect, among HSMs
  • One CA, multiple HSMs: the appliance goes to each HSM in turn, balancing among the HSMs

System HSM Agent

The Symantec HSM Agent can be run on the following platforms:
  • Integrated Secure Gateway (ISG) application
  • VMware virtual appliance
  • Docker or Podman container
For configuration information, see the Symantec HSM Agent documentation.

HSM Failure Mechanism

The HSM failure action has been removed from the SSL Visibility WebUI and a new failure mechanism has been instituted. If an Inspection Service that uses an HSM to sign cannot proceed because the HSM does not respond, the attempt is logged and the flow is rejected. The following items describe the SSL Visibility policy evaluation when HSM CAs cannot be reached:
  • If a single HSM in a group fails to respond, the flow that is being resigned is rejected, and the HSM is put into a disabled state. At this point, the SSL Visibility appliance uses a heartbeat mechanism to check the HSM health and does not send any resigning requests to this HSM until it begins to respond. Once the health check is passed, SSL Visibility adds the HSM back into the available pool of HSMs for resigning.
  • For an HSM group with more than one HSM, if a single HSM fails, the HSM group remains active and the group continues to resign matching flows. Flows in-flight to the faulty HSM are impacted when the HSM is marked down. Once the flow is retried, it is sent to a healthy HSM within the group for resigning.
  • If all HSMs in a group fail to respond, SSL Visibility disables the top-level rule that calls the Inspection Service referencing the HSM group. Any flows in-flight to be resigned by an HSM in that group are rejected, as in a single HSM failure. All new flows are evaluated against the updated policy and skip the inactive Inspection Service. You can create a rule to apply the appropriate policy action when this condition occurs. For example, add a subsequent rule with a cut or reject policy. After the SSL Visibility heartbeat mechanism detects that an HSM has recovered, the original Inspection Service rule becomes active, and traffic will be decrypted again.
See Troubleshooting Inspection with HSM Resigning for more information on HSM failures.
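The resigning CA options above (round-robin across the HSMs of a group) and the failure mechanism described in this section can be modelled in a few dozen lines. The following Python model is an added illustration, not SSL Visibility or HSM Agent code; the class names, the callable used to stand in for an HSM appliance, the flow identifiers and the signature format are all constructed for the example. It shows a flow rejected when the selected HSM does not respond, that HSM being marked down, the retried flow landing on a healthy HSM, the rule being disabled when every HSM in the group is down, and the heartbeat re-enabling the rule once an HSM recovers.

```python
"""Model of the HSM group load balancing and failover behaviour described on this page.

Added illustration only. Nothing here is SSL Visibility or HSM Agent code; all
names and the signature format are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed: an HSM is modelled as a callable that returns a signature for
# the data to be signed, or None when the appliance does not respond.
SignFn = Callable[[bytes], Optional[bytes]]


@dataclass
class HsmGroup:
    """Round-robin pool of HSMs backing one resigning CA, with health tracking."""
    name: str
    hsms: Dict[str, SignFn]
    disabled: set = field(default_factory=set)
    rule_active: bool = True          # the top-level policy rule using this group
    log: List[str] = field(default_factory=list)
    _next: int = 0

    def healthy(self) -> List[str]:
        return [h for h in self.hsms if h not in self.disabled]

    def resign(self, flow_id: str, data: bytes) -> Optional[bytes]:
        """Sign `data` for one flow. Returns the signature, or None if the flow is rejected."""
        if not self.rule_active:
            # All HSMs were down: the rule is disabled, new flows skip this Inspection Service.
            self.log.append(f"{flow_id}: rule {self.name} inactive, flow skipped")
            return None
        pool = self.healthy()
        hsm = pool[self._next % len(pool)]        # round robin among healthy HSMs
        self._next += 1
        sig = self.hsms[hsm](data)
        if sig is not None:
            return sig
        # No response: reject this flow and take the HSM out of the pool.
        self.disabled.add(hsm)
        self.log.append(f"{flow_id}: HSM {hsm} did not respond, flow rejected")
        if not self.healthy():
            self.rule_active = False
            self.log.append(f"rule {self.name} disabled: all HSMs down")
        return None

    def heartbeat(self) -> None:
        """Health check: return recovered HSMs to the pool and re-enable the rule."""
        for hsm in list(self.disabled):
            if self.hsms[hsm](b"heartbeat") is not None:
                self.disabled.discard(hsm)
                self.log.append(f"HSM {hsm} recovered")
        if self.healthy() and not self.rule_active:
            self.rule_active = True
            self.log.append(f"rule {self.name} re-enabled")


class FakeHsm:
    """Constructed stand-in for an HSM appliance whose availability can be toggled."""
    def __init__(self, name: str) -> None:
        self.name, self.up = name, True

    def __call__(self, data: bytes) -> Optional[bytes]:
        return self.name.encode() + b":" + data if self.up else None


def demo() -> dict:
    """Walk one group of two HSMs through an outage and recovery; returns each step's result."""
    a, b = FakeHsm("hsm-a"), FakeHsm("hsm-b")
    group = HsmGroup("resign-ca-group", {"hsm-a": a, "hsm-b": b})
    tbs = b"cert-tbs"                              # constructed data to be signed
    out = {}
    out["flow-1"] = group.resign("flow-1", tbs)    # served by hsm-a
    out["flow-2"] = group.resign("flow-2", tbs)    # served by hsm-b
    a.up = False
    out["flow-3"] = group.resign("flow-3", tbs)    # hsm-a picked, no response: rejected
    out["flow-3-retry"] = group.resign("flow-3", tbs)  # retry goes to healthy hsm-b
    b.up = False
    out["flow-4"] = group.resign("flow-4", tbs)    # last HSM fails: rule disabled
    out["rule_active_after_outage"] = group.rule_active
    out["flow-5"] = group.resign("flow-5", tbs)    # skipped, rule inactive
    a.up = True
    group.heartbeat()                              # hsm-a recovers, rule re-enabled
    out["rule_active_after_recovery"] = group.rule_active
    out["flow-6"] = group.resign("flow-6", tbs)    # served by hsm-a again
    out["log"] = list(group.log)
    return out


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The point of the model is the policy consequence in the last bullet above: while the rule is inactive, flows are not rejected by the HSM path but fall through to whatever rule follows, so a deployment that wants those flows cut rather than passed through needs that subsequent rule to exist.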

SSL Visibility and HSM Configuration Steps

Broadcom provides an HSM Agent and CLI to install on the SafeNet Java HSM, which is used to interact with SSL Visibility appliances. An SSL Visibility and HSM configuration includes the following steps, assuming the HSM is properly configured:
  1. Add the HSM certificate to the SSL Visibility trusted certificates list. See Add a Trusted Certificate.
  2. Configure the client certificates used to authenticate the HSM. See Add a Client Certificate.
  3. Configure an External CA list to authenticate the HSM. See Configure External CA Lists.
  4. Add the HSM, using the client certificates and External CA list configured in the previous step. See Add an HSM.
  5. Configure HSM resigning CA using the HSM appliance configured in the previous step. See Add Resigning Certificates.
  6. Add the HSM resigning CA configured in the previous step to the HSM resigning CA load-balancing groups. See Load Balancing Groups.
  7. (Optional) Enhance security by configuring HSM Mode, to add an extra layer of encryption to the keys in the known-certificates-with-keys list within the PKI store on the SSL Visibility appliance. See HSM Mode with a Server Key Protection Group for information.
  8. Configure the resigning rules in the SSL Visibility policy with the HSM resigning CA load-balancing groups configured in the previous step. See Use HSM Configuration in Policy.
Failure to apply the changes might cause a manual HSM test to fail. For example, if you add an External CA to the External Certificate Authorities Lists but do not click Apply, the test might fail because the incorrect External CA is used.