SafeNet ProtectToolkit C


SafeNet ProtectToolkit C Administration Guide

ProtectToolkit C Administration Guide
© 2000-2016 Gemalto NV. All rights reserved.
Part Number 007-008393-008
Version 5.2

Trademarks

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of Gemalto.

Gemalto Rebranding

In early 2015, Gemalto NV completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the product portfolios between the two organizations, the HSM product portfolio has been streamlined under the SafeNet brand. As a result, the ProtectServer/ProtectToolkit product line has been rebranded as follows:

Old product name                            New product name
Protect Server External 2 (PSE2)            SafeNet ProtectServer Network HSM
Protect Server Internal Express 2 (PSI-E2)  SafeNet ProtectServer PCIe HSM
ProtectToolkit                              SafeNet ProtectToolkit

Disclaimer

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

- The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.
- This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products.

Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

© 2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

Technical Support

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or Gemalto support. Gemalto support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Gemalto and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Contact method             Contact
Address                    Gemalto NV
                           4690 Millennium Drive
                           Belcamp, Maryland 21017
                           USA
Phone                      Global          +1 410-931-7520
                           Australia       1800.020.183
                           China           (86) 10 8851 9191
                           France          0825 341000
                           Germany         01803 96
                           New Zealand     0800.564.849
                           United Kingdom  0800.056.3158
                           United States   (800) 545-6608
Web                        www.safenet-inc.com
Support and Downloads      www.safenet-inc.com/support
                           Provides access to the Gemalto Knowledge Base and quick downloads for various products.
Technical Support          Existing customers with a Technical Support Customer Portal account can log in to
Customer Portal            manage incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.

Revision History

Revision  Date           Reason
A         14 March 2016  Release 5.2

TABLE OF CONTENTS

TABLE OF CONTENTS ... v
Introduction ... 1
  Who Should Read This Manual? ... 1
  Chapter Overview ... 1
  Further Documentation ... 2
    SafeNet Manuals ... 2
      Software ... 2
      Hardware ... 2
    SafeNet Application Integration Guides ... 2
  Utility Normal Mode vs. Work Load Distribution and HA Mode ... 2
Configuration Items ... 3
  Overview ... 3
  Platform-specific Details ... 4
    Windows ... 4
      Example ... 4
    UNIX ... 4
      Example ... 4
Operating Mode Setup ... 5
  Operating Mode Setup Overview ... 5
  PCI and Network Operating Modes ... 5
  Software-only Mode ... 5
  Secure Messaging Overview ... 6
    Messaging Mode Configuration ... 6
    Configuring Session Key Rollover ... 6
    Configuring Session Protection ... 7
    HSM Stored Security Flags ... 7
    SMPR Security Flags ... 8
  Specifying the Network Server(s) ... 9
  Software-only Mode Configuration ... 10
    Storage Location Assignment ... 10
    Fixing Command Line Utility Low Performance ... 10
    Enabling Smart Card Access under UNIX ... 10
Cryptoki Configuration ... 11
  Introduction ... 11
  The ProtectToolkit C Model ... 11
  Slots and Tokens ... 12
    User Slots ... 12
    Smart Card Slots ... 12
    The Admin Slot ... 12
  PKCS #11 Objects ... 13
    Administration Objects ... 13
  User Roles ... 13
  PINs and Passwords ... 14
    PIN Retry Delay ... 14
  Initial Configuration ... 15
    Preparation ... 15
    Setting the Admin Token PINs ... 15
    Selecting and Setting a Security Policy ... 16
    Setting up Slots ... 16
    Multiple Adapter HSMs ... 17
    Token Initialization ... 17
  Trust Management ... 18
    Establishing Trust Relationships ... 20
  Token Replication ... 22
    Alternative 1 – Master Tokens Replicated to a Single Slot or List of Slots ... 22
    Alternative 2 – Token Replicated to Many Tokens ... 24
Work Load Distribution Model (WLD) and High Availability (HA) ... 25
  HSMs ... 25
  ProtectToolkit C ... 25
  WLD Slots ... 25
  Distribution Scheme ... 26
  Token Replication ... 26
  WLD Example ... 26
  Configuring WLD Slots ... 31
  Operation in WLD Mode ... 32
  Operation in HA Mode ... 33
    HA Mode Logging ... 34
External Key Storage ... 35
  Introduction ... 35
  Implementation ... 36
  Configuration ... 39
Real Time Clock ... 43
  Setting the Rule for RTC Adjustment Access Control ... 43
Security Policies and User Roles ... 45
  Overview ... 45
  PKCS #11 Compliance and Security ... 46
  Typical Security Policies ... 46
    Overview ... 46
    PKCS #11 Compatibility Mode ... 47
    SafeNet Default Mode ... 47
    FIPS Mode ... 47
    Entrust Compliant Modes ... 49
    Netscape Compliant Mode ... 49
    Restricted Mode ... 49
  Security Flags ... 49
    Overview ... 49
    Configuring Security Flags ... 50
    Security Flag Descriptions ... 51
    Security Policy Options ... 54
  User Roles ... 55
    Administration Security Officer (ASO) ... 55
    Administrator ... 56
    Security Officer (SO) ... 56
    Token Owner (User) ... 57
    Unauthenticated Users ... 57
Operational Tasks ... 58
  Changing a User or Security Officer PIN ... 58
  Secure Key Backup and Restoration ... 58
  Re-initializing a Token ... 63
  Adding and Removing Slots ... 64
  Connecting and Removing Smart Card Readers ... 64
  Using Transport Mode to Avoid a Board Removal Tamper ... 65
  Adjusting the HSM Clock ... 65
  Changing Secure Messaging Mode ... 66
  Managing Session Key Rollover ... 66
  Using the System Event Log ... 66
    Viewing and Interpreting the Event Log ... 66
    Purging the Event Log ... 66
  Updating Firmware ... 67
  Tampering the HSM ... 67
  Installing a Functionality Module ... 68
Command Line Utilities Reference ... 70
  CTCERT ... 70
    Synopsis ... 70
    Description ... 70
    Commands ... 71
    Options ... 73
    Certificate Attribute File ... 75
    Examples ... 79
  CTCHECK ... 79
    Synopsis ... 79
    Description ... 79
    Options ... 81
    Diagnostics ... 82
    Examples ... 82
    See Also ... 83
  CTCONF ... 83
    Synopsis ... 83
    Description ... 84
    Options ... 84
  CTFM ... 86
    Synopsis ... 86
    Description ... 87
    Commands ... 87
    Options ... 88
  CTIDENT ... 89
    Synopsis ... 89
    Description ... 89
    Commands ... 89
    Parameters ... 90
    Exit Status ... 91
  CTLIMITS ... 91
    Synopsis ... 91
    Description ... 91
    Options ... 91
    Commands.
