Set Up Connectivity with a Thales CipherTrust Manager HSM

Set up HSM connectivity to use Thales CipherTrust Manager.
To set up connectivity between the Palo Alto Networks firewall (HSM client) and a Thales CipherTrust Manager HSM server, you specify the IPv4 address of the server, import the CA certificate, client certificate, and client private key that authenticate the firewall to the server, and then register the firewall with the server using an HSM crypto user account. Before you begin configuring your HSM client, create a partition for the firewall on the HSM server and confirm that the Thales CipherTrust Manager client version on the firewall is compatible with your Thales CipherTrust Manager HSM server (see Set Up Connectivity with an HSM).
Before the hardware security module (HSM) and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address—not a dynamic address assigned through DHCP. Operations on the HSM stop working if the firewall IP address changes during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for a failover to function properly.
  1. Define connection settings for each Thales CipherTrust Manager HSM.
    1. Log in to the firewall web interface and select Device > Setup > HSM.
    2. Edit the hardware security module provider settings and set Provider Configured to Thales CipherTrust Manager.
    3. Add each HSM server as follows. An HA HSM configuration requires two servers.
      1. Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
      2. Enter an IPv4 address for the HSM Server Address.
    4. Click OK and Commit your changes.
  2. Set Up HSM Connectivity Account.
    1. Enter the Server Name. This must match the Module Name from the connection settings.
    2. Import the certificates and key you generated in Thales CipherTrust Manager.
      • HSM Server CA Certificate—Import a Base64 encoded certificate (PEM).
      • HSM Client Certificate—Import a Base64 encoded certificate (PEM).
      • HSM Client Private Key—Import the Base64 encoded private key (PEM) that matches the client certificate, and enter its Passphrase (fewer than 32 characters).
    3. Click OK.
  3. Restart HSM Connection to refresh the PAN-OS state. This removes the old certificates and adds the new certificates.
    1. Click OK.
    2. Wait for the module state to display as Reachable.
  4. Set Up HSM Crypto User Account to match the Thales CipherTrust Manager account you want to use.
    1. Enter a Username.
    2. Enter a Password.
    3. Click OK.
    The success dialog displays and the Status changes to green in the dashboard.
  5. Show Detailed Information to view the new fields.
  6. Confirm that your certificate is imported and valid.
    1. Select Device > Certificate Management > Certificates > Device Certificates.
    2. Confirm that the Key column displays a lock icon and the Status is valid.
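The values entered in steps 1 and 2 above have constraints that the web interface reports only after a failed commit or a failed connection: an ASCII Module Name of at most 31 characters, a literal IPv4 Server Address, a passphrase of fewer than 32 characters, and three PEM files in the right slots. The following pre-flight checker is an added example written for this page; it is not PAN-OS or Thales code, and the function names are hypothetical. It assumes CipherTrust Manager exports the CA and client certificates with a `CERTIFICATE` PEM label and the key with a standard `PRIVATE KEY`, `ENCRYPTED PRIVATE KEY`, `RSA PRIVATE KEY` or `EC PRIVATE KEY` label; the sample PEM bodies are constructed placeholders, not real certificates. It checks PEM structure only (matching labels, valid Base64, a DER SEQUENCE at the start) and deliberately does not parse or verify certificate contents, so it catches the common paste errors, such as a certificate dropped into the private key slot, without needing any third-party library.

```python
"""Pre-flight checks for the PAN-OS HSM fields used when registering a
Thales CipherTrust Manager HSM. Hypothetical helper, not PAN-OS code."""
from __future__ import annotations

import base64
import binascii
import ipaddress
import re

# Assumed PEM labels for each import slot (standard OpenSSL/PKCS labels).
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)


def validate_module_name(name: str) -> list[str]:
    """Module Name: non-empty, ASCII only, at most 31 characters."""
    problems = []
    if not name:
        problems.append("Module Name is empty")
    if len(name) > 31:
        problems.append(f"Module Name is {len(name)} chars; maximum is 31")
    if not name.isascii():
        problems.append("Module Name contains non-ASCII characters")
    return problems


def validate_server_address(addr: str) -> list[str]:
    """Server Address must be a literal IPv4 address (no hostname, no IPv6)."""
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return [f"Server Address {addr!r} is not an IPv4 address"]
    return []


def validate_passphrase(passphrase: str) -> list[str]:
    """Private key passphrase must be fewer than 32 characters."""
    if len(passphrase) >= 32:
        return [f"Passphrase is {len(passphrase)} chars; it must be fewer than 32"]
    return []


def classify_pem(text: str) -> tuple[str | None, list[str]]:
    """Return (label, problems) for one PEM block: labels must agree, the body
    must be valid Base64, and the DER must start with a SEQUENCE tag (0x30),
    as every X.509 certificate and PKCS#1/PKCS#8 key does. No content parsing."""
    m = _PEM_RE.search(text)
    if not m:
        return None, ["no PEM block found (expected -----BEGIN ...----- / -----END ...-----)"]
    label, end = m.group("begin"), m.group("end")
    problems = []
    if label != end:
        problems.append(f"BEGIN label {label!r} does not match END label {end!r}")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except (binascii.Error, ValueError):
        return label, problems + ["PEM body is not valid Base64"]
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE tag")
    return label, problems


def check_import_bundle(ca_pem: str, client_pem: str, key_pem: str, passphrase: str) -> list[str]:
    """Validate the three files and passphrase for the HSM Connectivity Account step."""
    problems = []
    for slot, pem, allowed in (
        ("HSM Server CA Certificate", ca_pem, CERT_LABELS),
        ("HSM Client Certificate", client_pem, CERT_LABELS),
        ("HSM Client Private Key", key_pem, KEY_LABELS),
    ):
        label, errs = classify_pem(pem)
        problems.extend(f"{slot}: {e}" for e in errs)
        if label is not None and label not in allowed:
            problems.append(f"{slot}: PEM label is {label!r}, expected one of {sorted(allowed)}")
    problems.extend(validate_passphrase(passphrase))
    return problems


# Constructed sample input: a placeholder DER SEQUENCE (not a real certificate
# or key) wrapped in the PEM labels the import slots expect.
_PLACEHOLDER_B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()


def _pem(label: str) -> str:
    return f"-----BEGIN {label}-----\n{_PLACEHOLDER_B64}\n-----END {label}-----\n"


SAMPLE_CA = _pem("CERTIFICATE")
SAMPLE_CLIENT = _pem("CERTIFICATE")
SAMPLE_KEY = _pem("ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    issues = (validate_module_name("ctm-hsm-1") + validate_server_address("192.0.2.10")
              + check_import_bundle(SAMPLE_CA, SAMPLE_CLIENT, SAMPLE_KEY, "correct horse battery"))
    print("OK" if not issues else "\n".join(issues))
    # A certificate pasted into the private key slot, plus an over-long passphrase:
    print("\n".join(check_import_bundle(SAMPLE_CA, SAMPLE_CLIENT, SAMPLE_CLIENT, "x" * 32)))
```

Run it against the files exported from CipherTrust Manager before opening the import dialog; an empty result means the inputs satisfy the documented limits, while any reported problem points at the specific field to fix. Because the checker never opens the key, it is safe to run on an encrypted key without exposing its passphrase.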