Entrust: Integration Guide

Entrust
Integration Guide
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under
any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
 The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in
all copies.
 This document shall not be posted on any publicly accessible network computer or broadcast in any media
and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In
no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential
damages or any damages whatsoever including but not limited to damages resulting from loss of use, data,
profits, revenues, or customers, arising out of or in connection with the use or performance of information
contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to
the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall
Gemalto be held liable for any third party actions and in particular in case of any successful attack against
systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security
for direct, indirect, incidental or consequential damages that result from any use of its products. It is further
stressed that independent testing and verification by the person using the product is particularly encouraged,
especially in any application in which defective, incorrect or insecure functioning could result in damage to
persons or property, denial of service or loss of privacy.
© 2016-2018 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks,
whether registered or not in specific countries, are the property of their respective owners.
Document Number: 007-013456-001, Rev. N

Release Date: November 2018
Entrust Integration Guide 2

Contents
Contents
Preface .................................................................................................................................. 4
Scope .............................................................................................................................................................. 4
Document Conventions .................................................................................................................................. 4
Command Syntax and Typeface Conventions ......................................................................................... 5
Support Contacts ...................................................................................................................................... 6
1 Introduction ...................................................................................................................... 7
Overview ......................................................................................................................................................... 7
3rd party Application Details ............................................................................................................................ 7
Supported Platforms ....................................................................................................................................... 7
Prerequisites ................................................................................................................................................... 8
Configuring SafeNet Luna HSM ............................................................................................................... 8
Provision your HSM on Demand service ............................................................................................... 10
Installation Overview ..................................................................................................................................... 12
2 Integrating Entrust Authority Security Manager with SafeNet HSM ................................ 13

Configuring EASM with SafeNet HSM on Windows ..................................................................................... 13
Configuring EASM with SafeNet HSM on RHEL .......................................................................................... 18

Preface
Preface
This document covers the necessary information to install, configure, and integrate Entrust Authority Security
Manager with SafeNet Luna HSM or HSM on Demand service.
Scope
This technical integration guide provides an overview of how to integrate Entrust Authority Security Manager
(EASM) with SafeNet Luna HSM or HSM on Demand service.
When using it in “hardware” mode, you can use SafeNet HSMs for cryptographic operations and key storage.
The operations performed on hardware devices are listed as below:
 Secure generation, storage, and protection of the CA signing private key.
 Signing of certificates and CRL’s using the CA signing private key.
Document Conventions
This section provides information on the conventions used in this template.
Notes
Notes are used to alert you to important or helpful information. These elements use the following format:
NOTE: Take note. Contains important or helpful information.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss.
These elements use the following format:
CAUTION: Exercise caution. Caution alerts contain important information that may
help prevent unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. These elements use
the following format:
WARNING: Be extremely careful and obey all safety and security measures. In
this situation you might do something that could result in catastrophic data loss or
personal injury.

Preface
Command Syntax and Typeface Conventions

Convention Description
bold The bold attribute is used to indicate the following:

 Command-line commands and options (Type dir /p.)
 Button names (Click Save As.)
 Check box and radio button names (Select the Print Duplex check box.)
 Window titles (On the Protect Document window, click Yes.)
 Field names (User Name: Enter the name of the user.)
 Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
 User input (In the Date box, type April 1.)
italic The italic attribute is used for emphasis or to indicate a related document. (See the
Installation Guide for more information.)
Consolas Denotes syntax, prompts, and code examples.

Preface
Support Contacts
Contact Method Contact Information
Address Gemalto
4690 Millennium Drive
Belcamp, Maryland 21017, USA
Phone US 1-800-545-6608
International 1-410-931-7520
Technical Support https://supportportal.gemalto.com

Customer Portal Existing customers with a Technical Support Customer Portal account can log in to
manage incidents, get the latest software upgrades, and access the Gemalto Knowledge
Base.

1 – Introduction
1
Introduction
Overview
The Entrust Authority Security Manager (EASM) serves as the Certification Authority (CA) in an Entrust
infrastructure. Although it can operate in "software" mode, it can optionally use hardware devices where
cryptographic operations and key storage are performed. By managing the full lifecycles of certificate-based
digital identities, EASM enables encryption, digital signature and authentication capabilities to be consistently,
transparently applied across a broad range of applications and platforms.
The benefits of securing the CA key with SafeNet HSM include:
 Secure generation, storage and protection of the signing private key on FIPS 140-2 level 3 validated
hardware*.
 Full life cycle management of the keys.
 Access to the HSM audit trail**.
 The advantage of cloud services with confidence.
*validation for HSMoD services in progress.
**HSMoD services do not have access to the secure audit trail
3rd party Application Details

 Entrust Authority Security Manager (EASM)
 Entrust Authority Security Manager PostgreSQL
 Directory Server (Critical Path Directory server/Open LDAP/OpenDJ/Atos DirX/Microsoft Active Directory
LDS).
Supported Platforms
SafeNet Luna HSM: SafeNet Luna HSM appliances are purposefully designed to provide a balance of security,
high performance, and usability that makes them an ideal choice for enterprise, financial, and government
organizations. SafeNet Luna HSMs physically and logically secure cryptographic keys and accelerate
cryptographic processing.
The SafeNet Luna HSM on premise offerings include the SafeNet Luna Network HSM, SafeNet PCIe HSM, and
SafeNet Luna USB HSMs. SafeNet Luna HSMs are also available for access as an offering from cloud service
providers such as IBM cloud HSM and AWS cloud HSM classic.

1 – Introduction
SafeNet HSM Entrust ASM
SafeNet Luna HSM 8.3 (Window Server 2016,Window Server 2012R2, RHEL)
8.2 (Window Server 2012R2, RHEL)
8.1 SP1 with Patch 192895 (Window Server 2012R2, RHEL)
NOTE: For support with earlier versions of SafeNet Luna HSM and Entrust
Authority Security Manager, you require a previous version of the SafeNet Luna
HSM Integration Guide. Refer Entrust_SafeNetLunaHSM_IntegrationGuide_RevL
for legacy support.
SafeNet DPoD: SafeNet Data Protection on Demand (DPoD) is a cloud-based platform that provides on-
demand HSM and Key Management services through a simple graphical user interface. With DPoD, security is
simple, cost effective and easy to manage because there is no hardware to buy, deploy and maintain. As an
Application Owner, you click and deploy services, generate usage reports and maintain just the services you
need.
SafeNet HSM Entrust ASM
SafeNet Data Protection on Demand 8.3 (Window Server 2016,Window Server 2012R2, RHEL)
8.2 (Window Server 2012R2, RHEL)
Prerequisites
Configuring SafeNet Luna HSM
Before you get started ensure the following:
1. Ensure the HSM is set up, initialized, provisioned and ready for deployment. Refer to the SafeNet Luna
HSM Product Documentation for help.
2. Create a partition on the HSM that will be later used by Entrust Authority Security Manager.
3. If using a SafeNet Luna Network HSM, register a client for the system and assign the client to the partition
to create an NTLS connection. Initialize Crypto Officer and Crypto User roles for the registered partition.
4. Ensure that the partition is successfully registered and configured. The command to see the registered
partitions is:
# /usr/safenet/lunaclient/bin/lunacm
lunacm.exe (32-bit) v7.2.0-219. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> Entrust
Serial Number -> 1213475834492
Model -> LunaSA 7.2.0
Firmware Version -> 7.2.0
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode

1 – Introduction
Slot Description -> Net Token Slot
Current Slot Id: 0
NOTE: Entrust Authority Security Manager 8.3 works with 64 bit SafeNet Luna
HSM library/client.
Entrust Authority Security Manager 8.2 or earlier version is 32 bit application, so
update chrystoki.ini file to point to the 32 bit SafeNet Luna HSM library. For
UNIX, install 32 bit SafeNet Luna HSM client.
Configuring PED Authenticated SafeNet Luna HSM

For a PED-based SafeNet Luna HSM, make sure ProtectedAuthenticationPathFlagStatus is set to ‘1’ in Misc
Section of Chrystoki.conf(Linux) or crystoki.ini(Windows) file.
For Linux:
Misc = {
ProtectedAuthenticationPathFlagStatus = 1;
}
For Windows:
[Misc]
ProtectedAuthenticationPathFlagStatus = 1
Controlling User Access to the HSM

By default, only the root user has access to the HSM. You can specify a set of non-root users that are permitted
to access the HSM by adding them to the hsmusers group. The client software installation automatically
creates the hsmusers group. The hsmusers group is retained when you uninstall the client software. This allows
you to upgrade your client software while retaining your hsmusers group configuration.
Adding users to hsmusers group

To allow non-root users or applications access to the HSM, assign the users to the hsmusers group. The users
you have assigned to the hsmusers group must exist on the client workstation. Only users that you have added
to the hsmusers group are able to access the HSM.
 To add a user to hsmusers group
a. Ensure that you have sudo privileges on the client workstation.
b. Add a user to the hsmusers group.
sudo gpasswd --add <username> hsmusers
where <username> is the name of the user you want to add to the hsmusers group.
Removing users from hsmusers group

To revoke a user's access to the HSM, you can remove them from the hsmusers group.
 To remove a user from hsmusers group
a. Ensure that you have sudo privileges on the client workstation.

1 – Introduction
b. Remove a user from the hsmusers group.

sudo gpasswd -d <username> hsmusers
where <username> is the name of the user you want to remove from the hsmusers group. You must log
in again to see the change.
NOTE: The user you delete will continue to have access to the HSM until you
reboot the client workstation.
SafeNet Luna HSM HA (High-Availability) Setup

Refer to the SafeNet Luna HSM documentation for HA steps and details regarding configuring and setting up
two or more HSMs on host systems. You must enable the HAOnly setting in HA for failover to work so that if the
primary is inaccessible all calls are automatically routed to secondary until the primary becomes accessible
again.
Provision your HSM on Demand service

This service provides your client machine with access to an HSM Application Partition for storing cryptographic
objects used by your applications. Application partitions can be assigned to a single client, or multiple clients
can be assigned to, and share, a single application partition.
You need to provision your application partition, starting by initializing the following roles:
 Security Officer (SO) - responsible for setting the partition policies and for creating the Crypto Officer.
 Crypto Officer (CO) - responsible for creating, modifying, and deleting crypto objects within the partition.
The CO can use the crypto objects and create an optional, limited-capability role called Crypto User that
can use the crypto objects but cannot modify them.
 Crypto User (CU) - optional role that can use crypto objects while performing cryptographic operations.
NOTE: Refer the “SafeNet Data Protection on Demand Application Owner Quick
Start Guide” for configuring the HSM on Demand service and creating a service
client.
The HSM service client package is a zip file which contains system information
needed to connect your client machine to an existing HSM on Demand service.
NOTE: Entrust Authority Security Manager 8.3 works with 64 bit SafeNet DPoD
service client.
Entrust Authority Security Manager 8.2 or earlier version is a 32 bit application, so
you require the 32-bit binaries of SafeNet DPoD for this integration. Please contact
technical support to obtain the binaries.

1 – Introduction
Constraints on HSM on Demand Services

HSM on Demand Service in FIPS mode
HSMoD services operate in a FIPS and non-FIPS mode. If your organization requires non-FIPS algorithms for
your operations, ensure you enable the Allow non-FIPS approved algorithms check box when configuring your
HSM on Demand service. The FIPS mode is enabled by default.
Refer to the Mechanism List in the SDK Reference Guide for more information about available FIPS and non-
FIPS algorithms.
Verify HSM on Demand <slot> value

LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If you are
completing an integration using HSMoD services, you need to verify which slot on the HSMoD service you send
commands to. If there is more than one slot, then use the slot set command to direct a command to a specified
slot. You can use LunaCM’s slot list command to determine which slot numbers are in use by which HSMoD
service.
Using SafeNet HSM in FIPS Mode

Under FIPS 186-3/4, the RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux
primes. This means that RSA PKCS and X9.31 key generation are no longer approved for operation in a FIPS-
compliant HSM. If you are using the SafeNet Luna HSM or HSM on Demand service in FIPS mode, you have to
make the following change in the configuration file:
For Linux in the Chrystoki.conf file:
Misc = {
RSAKeyGenMechRemap=1
}
For Windows in the crystoki.ini file:
[Misc]
RSAKeyGenMechRemap=1
The above setting redirects the older calling mechanism to a new approved mechanism when SafeNet Luna
HSM or HSMoD is in FIPS mode.

1 – Introduction
Installation Overview
This section describes how to integrate new installations of Entrust Authority Security Manager with SafeNet
HSMs. Note that in the following discussion, there will be Entrust Authority Security Manager Server, and
SafeNet HSM configured with Entrust Authority Security Manager Server machine. For the purpose of this
discussion, the Entrust Authority Security Manager system assumes the role of client to the SafeNet HSM.
Entrust Authority Security Manager with SafeNet HSM Client

Ensure the following third party software is installed on the machine before proceeding further.
 Entrust Authority Security Manager PostgreSQL
 Directory Server
 Entrust Authority Security Manager

2 – Integrating Entrust Authority Security Manager with SafeNet HSM
2
Integrating Entrust Authority Security
Manager with SafeNet HSM
Integrate Entrust Authority Security Manager (EASM) with a SafeNet Luna HSM or HSM on Demand Service to
secure the EASM CA keys. To set up Entrust Authority Security Manager to use the SafeNet Luna HSM or HSM
on Demand (HSMoD) service complete the following procedure set for your operating system:
 Configuring EASM with SafeNet HSM on Windows
 Configuring EASM with SafeNet HSM on RHEL
Configuring EASM with SafeNet HSM on Windows

Configure Entrust Authority Security Manager to use the SafeNet Luna HSM or HSMoD service on Microsoft
Windows.
To configure EASM with SafeNet HSM on Windows

1. Run the Entrust Authority Security Manager Configuration utility. At the point where you choose whether to
store keys in hardware or software, select hardware. Point to the Cryptoki library path.
2. On the Certification Authority Key Generation tab select the Use hardware radio button and click Next.

3. On the CA Key Type tab select the RSA radio button and select 2048 from the parameters drop-down
menu. Click Next.
4. On the CA Signing Algorithm tab select “RSA-SHA256”. Click Next.

5. On the Policy Certificate tab keep the default value in the Policy Certificate Lifetime field. Click Next.
6. The “No Hardware Device Found” dialog displays. Click OK.

7. Select the cryptoki.dll in the file menu. Click Open.
8. Select the Root CA radio button and click Next.

9. Accept the default CA Certificate Properties and click Next.
10. The configuration complete message displays. Click OK to complete the configuration process.

11. Click Start -> Programs -> Entrust -> Security Manager Control Command Shell.
12. Initialize Entrust Authority Security Manager via the “Entrust Authority Security Manager Control Command
Shell” following Entrust Authority Security Manager documentation.
13. Entrust Authority Security Manager detects the HSM slot or service and requests its password. Enter the
SafeNet Luna HSM or HSM on Demand service partition password.
Entrust Authority Security Manager generates the CA key on the SafeNet HSM.
Configuring EASM with SafeNet HSM on RHEL

Configure Entrust Authority Security Manager to use the SafeNet Luna HSM or HSMoD service on a Red Hat
Enterprise Linux (RHEL) operating system.
To configure EASM
1. Create the "Entrust Authority Security Manager" user which will own the Entrust Authority Security Manager
installation.
2. Install Entrust Authority Security Manager PostgreSQL and Entrust Authority Security Manager. Follow the
Entrust Authority Security Manager documentation for detailed procedure steps.
3. Run the Entrust Authority Security Manager Configuration utility. When the system prompts you asking if
you would like to use a hardware device for the CA keys, type Yes.
4. Point to the Cryptoki library path from <SafeNet HSM installation directory>/libCryptoki.so
5. The EASM Configuration utility presents the option to use a SafeNet HSM, with a given serial number.
Select the correct SafeNet HSM slot.
6. Complete the EASM configuration.
7. Initialize EASM for the first time using the Entrust Authority Security Manager Master Control Command
Shell. Add passwords for the Master1, Master2, Master3 and First Officer user.

8. Entrust Authority Security Manager detects slot and requests for the partition password. Enter the HSM
partition password. If you are using a SafeNet Network HSM with Secure Authentication & Access Control,
ensure that the black PED Key is inserted in the PED.
9. Entrust Authority Security Manager generates the root CA key on the SafeNet HSM in the partition.
10. Entrust Authority Security Manager performs a database backup.
11. Entrust Authority Security Manager is now running.
The Integration of SafeNet HSM is successful with Entrust Authority Security Manager.
Use the ca key show-cache command on the Entrust Authority Security Manager command line. This
command displays all the keys created during integration.
You can use partition showcontents command on the HSM to display the content of the partition used for
Entrust Authority Security Manager.

Entrust: Integration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Entrust: Integration Guide

Uploaded by

Copyright:

Available Formats

Entrust

Document Number: 007-013456-001, Rev. N

Entrust Integration Guide 2

2 Integrating Entrust Authority Security Manager with SafeNet HSM ................................ 13

Entrust Integration Guide 3

NOTE: Take note. Contains important or helpful information.

Entrust Integration Guide 4

Command Syntax and Typeface Conventions

bold The bold attribute is used to indicate the following:

Consolas Denotes syntax, prompts, and code examples.

Entrust Integration Guide 5

Contact Method Contact Information

Technical Support https://supportportal.gemalto.com

Entrust Integration Guide 6

3rd party Application Details

Entrust Integration Guide 7

SafeNet HSM Entrust ASM

SafeNet HSM Entrust ASM

Entrust Integration Guide 8

Slot Description -> Net Token Slot

Current Slot Id: 0

Configuring PED Authenticated SafeNet Luna HSM

Controlling User Access to the HSM

Adding users to hsmusers group

Removing users from hsmusers group

Entrust Integration Guide 9

b. Remove a user from the hsmusers group.

SafeNet Luna HSM HA (High-Availability) Setup

Provision your HSM on Demand service

Entrust Integration Guide 10

Constraints on HSM on Demand Services

Verify HSM on Demand <slot> value

Using SafeNet HSM in FIPS Mode

Entrust Integration Guide 11

Entrust Authority Security Manager with SafeNet HSM Client

Entrust Integration Guide 12

Configuring EASM with SafeNet HSM on Windows

To configure EASM with SafeNet HSM on Windows

Entrust Integration Guide 13

4. On the CA Signing Algorithm tab select “RSA-SHA256”. Click Next.

Entrust Integration Guide 14

6. The “No Hardware Device Found” dialog displays. Click OK.

Entrust Integration Guide 15

7. Select the cryptoki.dll in the file menu. Click Open.

8. Select the Root CA radio button and click Next.

Entrust Integration Guide 16

9. Accept the default CA Certificate Properties and click Next.

Entrust Integration Guide 17

Configuring EASM with SafeNet HSM on RHEL

Entrust Integration Guide 18

Entrust Integration Guide 19

You might also like