Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How do I connect ZXTM software to external SSL hardware?

riverbed
Occasional Contributor
‎09-22-2011 08:40:AM
‎09-22-2011 08:40:AM

How do I connect ZXTM software to external SSL hardware?

(Originally posted July 11, 2007)

0 Kudos
1 REPLY 1
chrisboyle
New Contributor
‎10-03-2011 11:24:AM
‎10-03-2011 11:24:AM

Re: How do I connect ZXTM software to external SSL hardware?

[ZXTM 4.2 | http://knowledgehub.zeus.com/admin/b2edit.php?action=edit&post=325] or later can connect to external SSL hardware using the PKCS#11 standard (if you're using a ZXTM appliance, see

<a target="_blank" href="http://community.riverbed.com/t5/Answers/How-do-I-connect-a-ZXTM-Appliance-to-an-nCipher-NetHSM/td-p/16468">the appliance version of this article</a>

). This can improve the security of your SSL private keys, using a device such as an

<a target="_blank" href="http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules.aspx">nCipher NetHSM</a>

(which can generate keys and perform ZXTM's cryptographic operations such that the keys never leave the NetHSM). Alternatively, you could use this feature to connect to a locally attached SSL accelerator to improve performance. You will need an appropriate PKCS#11 library provided by your SSL hardware vendor, to translate between the PKCS#11 API and the specifics of that vendor's hardware. The nCipher Support Software includes such a library (libcknfast.so in the "pkcs11" bundle) which will connect to whatever nCipher hardware has been configured in the Support Software.

238i537BD49BE77302C1.png

To connect ZXTM to your hardware, go to the SSL Hardware Support section of the Global Settings page. For ssld!library, select "PKCS#11 (e.g. nCipher NetHSM)". If you have installed the nCipher Support Software in the default location /opt/nfast, you can leave ssld!driver!pkcs11_lib blank. Otherwise, enter the full path to your vendor's PKCS#11 library. Finally, set ssld!driver!pkcs11_user_pin to the User PIN for your hardware. Note that unless you have just entered a PIN, the field will show a constant number of stars for security reasons.

NetHSM users

You should now be able to use the key and certificate files from the NetHSM as you would any other key pair (including editing the certificate), as long as the NetHSM is working (ZXTM and the administration server will delegate all cryptographic operations that require the private key to the NetHSM). The administration server will mark such keys as stored on secure hardware, as in this example.

240iDE30D19035D0EBBD.png

Non-NetHSM users

By default, ZXTM will only use the SSL hardware if a key requires it. This is the normal mode of operation for a NetHSM: the private key file uploaded to ZXTM is not the real key, but tells the NetHSM which key to use. ZXTM can instead be configured to always use the SSL hardware (as long as it is available). To do this, set ssld!accel to Yes.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.