Product Documentation

When administering a hardware security module (HSM) within StrongKey Tellaro appliances, the HSM supports authenticating Administrators in multiple ways:

  • Using cryptographic credentials on smartcards with user-verifying PINs: These deliver the highest level of security, but require that sites have smartcard PIN-pad readers, as well as the user with their smartcard, present in front of the StrongKey Tellaro appliance to authenticate to the HSM;
  • Using cryptographic credentials in keystore files with user-verifying PINs: These deliver high levels of security and can be used for remote authentication - but they require the user’s keystore file be accessible on the StrongKey Tellaro appliance while performing administrative tasks. Some of the risk associated with having the keystore file on the appliance can be managed by having the user place their keystore file on the appliance only when they need to perform administrative tasks and deleting it when completing their tasks;
  • Using username and password: StrongKey does not recommend this method because of the risks of using this mechanism on highly sensitive devices.

 

Prerequisites

  • At least two HSM Administrators (to satisfy ‘M of N’ authentication security requirements) with smartcards, in front of the StrongKey Tellaro appliance with a PIN-pad smartcard reader.
  • As many USB flash-drives as new administrator credentials that need to be created. These are necessary to copy software keystore files to individual USB flash-drives to be assigned to specific individuals for custody and use

 

Create the new credentials on the first Tellaro appliance

  1. Connect the appropriate smartcard reader with a PIN-pad to the front USB port of the StrongKey Tellaro appliance. Depending on the server hardware, some models do not recognize the reader on the USB ports at the back of the machine without configuration changes in the machine’s BIOS.
  2. Login into the appliance as the ‘strongauth’ user. Login into the appliance’s console to operate the smartcard and PIN-pad reader with the HSM’s Cryptoserver Administration Tool (CAT) – SSH or Putty session cannot be used for this task.
  3. If the graphical user interface (GUI) of the appliance does not start automatically, at the command prompt, start X-Windows as follows:
    shell> startx
  4. Open the terminal. When the Terminal window has started up, create a directory to store the software keystore files:
    shell> mkdir /usr/local/strongauth/keystores
  5. Run the Cryptoserver Administration Tool (CAT) and put it in the background:
    shell> java -jar /usr/local/bin/cat.jar & 
  6. Click on the Devices button and connect to the HSM with /dev/cs2.0 as the device and click 'OK'.
  7. Authenticate to the tool by selecting the Login/Logoff button. A panel will display a list of existing credentials with additional information about the credentials
  8. Choose one of the Administrator credentials on the displayed User Management panel. The administrator must insert their smartcard into the reader and follow prompts on the PIN-pad reader’s screen to enter their secret PIN. A successful PIN authentication will enable the smartcard to authenticate the user to CAT
  9. When ‘M’ administrators have successfully authenticated to CAT, close the User Management panel
  10. Remove the smartcard reader with the PIN-pad from the front USB port (however, have it handy in case the work does not get completed and the session, inadvertently, expires)
  11. Select Authentication Token from the CAT menu and generate a keystore file for each administrator, one-at-a-time. Choose the location and name of the keystore file and input a password to protect access to the contents of this file. It is recommended to include the name of the administrator who will associated with the keystore file to identify which administrator is using which keystore file. For example, if administrator is expected to be administrator01, use a keystore filename such as softkey-administrator01.key

    NOTE: This password should be recorded on a 3x5 index card, sealed in a security envelope and locked away for security and disaster recovery purposes.

  12. Repeat the keystore file generation step for as many administrators that will be added
  13. After generating the requisite number of keystore files on the Tellaro appliance, create new administrative users and associate each keystore file with the individual administrator authorized to authenticate to the HSM. Do this by clicking on the Manage User button.
  14. Select Add User
    • Type in a unique name for the new administrator – it can be a generic role-based name or the username of the specific individual assigned to that role
    • Choose ADMIN Manager two-person rule for the User Profile
    • Select the type of algorithm that was chosen earlier for the keystore file and click OK
    • This will prompt for a keystore file to be associated with the new administrator; choose the appropriate keystore file assigned to this user and select ‘OK’
  15. Repeat the above two steps to add at least three (3) credentials for the HSM administrators who will use software keystore files for authentication.

Verify Authentication, Administrative privileges with the new credentials and take backup of the keystores and databases

  1. Without disconnecting from CAT, logoff all users from the session by selecting the Login/Logoff button and then selecting the Logoff All… button
  2. Select any one of the newly created administrator credentials using keystore files to authenticate, and select the Login.. button
  3. The Choose User Token for Login panel will prompt for either using a smartcard or Keyfile token. Choosing Keyfile Token, supply the password assigned to the specified administrator
  4. If correct, a Green check-mark shows up against the credential indicating that the administrator is authenticated. Verify all software keystore administrator credentials to confirm that the credential authenticates to the HSM correctly
  5. While authenticated with software keystore administrator credentials, select the Backup/Restore button
  6. In the CryptoServer Database Backup/Restore Wizard panel, select the ‘Backup databases from Source CryptoServer to Backup directory’ option
  7. Choose the /usr/local/strongauth/keystores folder for Backup directory
  8. If there are no errors, a Database Export panel will display the names of the databases that were exported – this will indicate that the software keystore administrators have the appropriate credentials

    NOTE:  If the CXIKEY.db and the user.db files already exist in the target directory (presumably, from a previous backup), there will be a warning prompt to overwrite a preexisting file by the same name. Cancel the operation and rename the preexisting files to preserve the prior backup (STRONGLY RECOMMENDED).

  9. Navigate to the /usr/local/keystores folder where the newly generated software keystores are located. For each software keystore, copy the keystores to the individual USB flash-drives
  10. Using a different USB flash-drive, copy the CXIKEY.db and the user.db files from /usr/local/keystores onto the flash-drive
  11. This concludes the process on the first StrongKey Tellaro appliance. It is now necessary to import the exported databases from the HSM to make sure that other appliances can authenticate the newly created software keystore administrators.

 

Import HSM Databases on StrongKey Tellaro Appliances

  1. Login into the appliance as the strongauth user. Login into the appliance’s console to operate the smartcard and PIN-pad reader with the HSM’s Cryptoserver Administration Tool (CAT) –  SSH or Putty session cannot be used for this task
  2. When the Terminal window has started up, create a directory to store the keystore files:
    shell> mkdir /usr/local/strongauth/keystores
  3. Insert the USB flash-drive containing the CXIKEY.db and user.db files into the front port of the StrongKey Tellaro appliance. Copy the databases to the newly created keystores folder.
  4. Run the Cryptoserver Administration Tool (CAT) and put it in the background:
    shell> java -jar /usr/local/bin/cat.jar & 
  5. Click on the Devices button and connect to the HSM with /dev/cs2.0 as the device and click 'OK'.
  6. Authenticate to the tool by selecting the Login/Logoff button. A panel will display a list of existing credentials with additional information about the credentials
  7. Choose one of the Administrator credentials on the displayed User Management panel. The administrator must insert their smartcard into the reader and follow prompts on the PIN-pad reader’s screen to enter their secret PIN. A successful PIN authentication will enable the smartcard to authenticate the user to CAT
  8. When ‘M’ administrators have successfully authenticated to CAT, close the User Management panel
  9. Select the Backup/Restore button
  10. In the CryptoServer Database Backup/Restore Wizard panel, select the Restore databases from Backup directory to Target CryptoServer option.
  11. Choose the /usr/local/strongauth/keystores folder for Backup directory and select all the available databases in the backup directory.
  12. Click on 'Add All' and Execute.
  13. If there are no errors, a Database Import panel will display the names of the databases that were imported

Verify Authentication, Administrative privileges with new credentials

  1. Without disconnecting from CAT, logoff all users from the session by selecting the Login/Logoff button and then selecting the Logoff All… button
  2. Select any one of the newly created administrator credentials using keystore files to authenticate, and select the Login.. button
  3. The Choose User Token for Login panel will prompt for either using a smartcard or Keyfile token. Choosing Keyfile Token, supply the password assigned to the specified administrator
  4. If correct, a Green check-mark shows up against the credential indicating that the administrator is authenticated. Verify all software keystore administrator credentials to confirm that the credential authenticates to the HSM correctly
  5. Continue importing the HSM databases on the remaining Tellaro appliances until all appliances have the same CXIKEY.db and user.db contents, and until all software keystore administrators can authenticate to CAT successfully.
  6. This concludes the process of generating software keystores for HSM administrators and verifying their access.