Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

HashiCorp Vault

Installing and Configuring the SafeNet ProtectApp PKCS#11 Provider

search

Installing and Configuring the SafeNet ProtectApp PKCS#11 Provider

This section covers the following:

Installing the SafeNet ProtectApp PKCS#11 Provider

Perform the following steps to install the SafeNet ProtectApp PKCS#11 Provider.

  1. Unzip the SafeNet ProtectApp PKCS#11 Provider.

    For example:

    tar -xzf <source_directory/tar_file_name> -C <destination_directory>

  2. Create the /opt/hashi/<ARCH>/hsm/safenet/<VERSION> directory. The HashiCorp Vault user must have appropriate access permissions on /opt/.

    <ARCH> is the system architecture (either 32 or 64), and <VERSION> is the software version number (for example, 8.3.2). This point onward, in this document, <ARCH> is used as 64 and <VERSION> as 8.3.2. If the system architecture and version are different, adjust these values accordingly.

  3. Copy the library file libIngPKCS11.so-8.3.2.000 from the extracted /root/Ingrian_pkcs11-8.3.2.000/lib directory to /opt/hashi/64/hsm/safenet/8.3.2.

    For example:

    cp libIngPKCS11.so-8.3.2.000 /opt/hashi/64/hsm/safenet/8.3.2

    The receiving directory is a fixed location. HashiCorp Vault searches for this directory. It cannot be changed. Changing the directory name results in a "cannot find PKCS11 library" error.

  4. Copy the IngrianNAE.properties file from extracted /root/Ingrian_pkcs11-8.3.2.000 directory to /opt/hashi/64/hsm/safenet/8.3.2.

    For example:

    cp IngrianNAE.properties /opt/hashi/64/hsm/safenet/8.3.2

  5. Rename libIngPKCS11.so-8.3.2.000 as libIngPKCS11.so.

    For example:

    mv libIngPKCS11.so-8.3.2.000 libIngPKCS11.so

  6. Export the following environment variables.

    export SFNT_HSMAPI_BASE=/opt/hashi/64/hsm/safenet/8.3.2
export NAE_Properties_Conf_Filename=$SFNT_HSMAPI_BASE/IngrianNAE.properties
export IngrianNAE_Properties_Conf_Slot_ID_Max=100
export IngrianNAE_Properties_Conf_SessionID_Max=100
export AES_GCM_TAG_LEN=6

Configuring the SafeNet ProtectApp PKCS#11 Provider

The basic configuration parameters that are required to be changed are:

  • NAE_IP‌: IP address of the CipherTrust Manager

  • NAE_Port: 9000 (default value)

  • Protocol: tcp/ssl

  • CA_File: The CA_File parameter refers to the CA certificate that was used to sign the server certificate presented by the NAE Server to the client. (for ssl only)

  • Cert_File: The Cert_File parameter stores the path and filename of the client certificate. This is only used when your SSL configuration requires clients to provide a client certificate to authenticate to the CipherTrust Manager appliances. (for ssl only)

  • Key_File: The Key_File parameter refers to the private key associated with the client certificate specified in the Cert_ File parameter. (for ssl only)

  • Log_Level: MEDIUM (default value, can be set to HIGH for troubleshooting)

  • Log_File: Full path and file name. The user must have write permissions on this path and file.

You can further configure the SafeNet ProtectApp PKCS#11 Provider to meet the requirements of your environment. Refer to Configuring the Properties File for more details.

On this page