You can improve the security of your SSL private keys by connecting an appliance running ZXTM 4.2 or later to an
<a target="_blank" href="http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules.aspx">nCipher NetHSM</a>
using the PKCS#11 standard (if you're not using an appliance, see
<a target="_blank" href="http://community.riverbed.com/t5/Answers/How-do-I-connect-ZXTM-software-to-external-SSL-hardware/m-p/16466/highlight/true#M125">the software version of this article</a>
). Keys generated on the NetHSM need never leave it: ZXTM can use these keys and their associated certificates for SSL decryption in virtual servers just like standard keys, by delegating all cryptographic operations that require the private key to the NetHSM over a secure network connection.
This has the following requirements; see nCipher's
<a target="_blank" href="http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules.aspx">NetHSM documentation</a>
for how to obtain these:
- The IP addresses of:
- an nCipher NetHSM with a properly configured Security World.
- the Remote File System that the NetHSM is using.
- An nCipher Card Set, with a card inserted into the NetHSM, and its passphrase.
- One or more nCipher-created keys of type "PKCS#11", protected by this Card Set (not module-protected), that you wish to use with ZXTM, including the files produced by the nCipher software for use by external applications.
To connect ZXTM to your NetHSM, go to the SSL Hardware Support section of Global Settings.
You should set your PIN (the passphrase for your Card Set) and click Update. Note that unless you have just entered a PIN, the field will show a constant number of stars for security reasons. Once the PIN is set, click Add to launch the Connect to a NetHSM Wizard. This wizard has a number of stages:
- The license agreement required to use the nCipher Support Software on the appliance.
- Enter the IP addresses of your NetHSM and its Remote File System.
- Confirm the identity of the NetHSM, by checking the NetHSM's reported ESN and HKNETI against its front panel. This ensures that the ZXTM is really connected to the intended NetHSM, and not to a malicious third party. While visiting the front panel, you should also ensure that the appropriate IP address of the ZXTM appliance has been added to the NetHSM as an allowed client.
If the connection fails, you'll see something like this: Here are some common reasons this can happen:
PKCS#11 PIN incorrect The PIN on the Global Settings page is incorrect. Note that the field will show a constant number of stars even before a PIN has been set, for security reasons. PKCS#11 could not connect to hardware The nCipher PKCS#11 library failed to connect to the NetHSM and did not return any additional information to ZXTM. If you see this in the wizard, since the ESN and HKNETI were just retrieved successfully, the most likely explanation is that the NetHSM is not configured to allow this appliance to connect. If you later see this message in your logs, it is more likely that your NetHSM has become uncontactable. Failed to synchronise nCipher Remote File System: ... The nCipher tools could not retrieve a copy of the Remote File System data from the IP address entered. This can happen if the Remote File System was uncontactable, if it is not associated with the same NetHSM as the appliance, or if it has been configured not to allow the appliance to connect (or to require an nToken, which a ZXTM appliance cannot use).
When the wizard has finished, the "Connect to NetHSM" line of the Global Settings page should change to indicate that the connection has been made:
You should now be able to use the key and certificate files from the NetHSM as you would any other key pair (including editing the certificate), as long as the NetHSM is working (ZXTM and the administration server will delegate all cryptographic operations that require the private key to the NetHSM). The administration server will mark such keys as stored on secure hardware, as in this example.
