Configuring FortiGate
The HSM integration is done via the FortiGate nethsm module of the Command Line Interface (CLI).
1. HSM Registration
Enable HSM functionality with the following command:
config system nethsm
set status enable
2. Upload the HSM Configuration File
Option A: Upload the HSM configuration file via TFTP
It is recommended to upload the previously tested configuration file (primus.cfg) in raw mode via a tftp server
(e.g. http://tftpd32.jounin.net):
execute nethsm upload-primus-cfg-raw <configFileName> <tftp-server-ip>
e.g.:
execute nethsm upload-primus-cfg-raw primusorigext.cfg 192.168.159.1
This will apply the new primus.cfg without applying recommended settings. Do you want to continue? (y/n)y
primus.cfg has been updated.
Option B: Alternatively, transfer the configuration via CLI. Any quotes in the configuration file have to be escaped by a backslash!
config system nethsm
set status enable
set primus-cfg \"#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = \"1.0\";
/* This example configuration template contains 3 slots: */
/* hsm0: standalone hsm with one partition (slot id 0) */
/* hsm1,hsm2: redundant hsm cluster with each two partitions (slot id 1+2) */
/* e.g. for CloudsHSM service */
/* Comment/Uncomment the hsm or slot sections to adapt to your setup */
/* See PKCS#11 Provider User Guide for details */
# FORTIGATE Integration Test
/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
wait_delay = 250; /* in ms*/
…"
3. Prepare and Configure HSM Secrets
The permanent connection secret(s) and pkcs11-pin(s) have to be configured via CLI (or GUI).
The base-64 encoded .secrets.cfg file can be generated without local traces using the ppin tool console output (the base-64 block shown below), on the client machine:
The maximum secrets length supported by FortiGate is 3k bytes.
- Secrets-File fetching and encoding
Note: for interactive input, omit the optional parameters.
ppin --fortinet --user <username> [<setupPassword> <PKCS11Password>] [--proxyuser <proxyUserName> [--proxypassword <proxyPassword>]]
# Fortinet secret to be loaded:
dmVyc2lvbiA9ICIxLjAiOwpwcmltdXMgOiAKewogIHVzZXJzIDogCiAgewogICAgdXNlcjAgOiAKICAgIHsKICAgICAgbmFtZSA9ICJQUklNVVNERVYzNjgiOwogICAgICBdpY3MgPSAiMzcwYzJj
...
GUwY2Y4ZjNhNTkwMzE2ZjE4MGI4YWZlNDdiMzY1Nzg1ZWQ3NyI7CiAgICB9OwogIH07Cn07Cg==
The parameter pkcs11-pin corresponds to the HSM PKCS#11 password and should be available from the HSM administrator (or configured previously).
To configure the prepared connection secrets and pkcs11-pin(s) of the HSM partition(s) via CLI, use the following command sequence:
Syntax:
config system nethsm
set status enable
set primus-cfg "<content of primus.cfg escaped, if not already loaded via tftp>"
set secret-content <base-64 encoded .secrets.cfg file as output of ppin --fortinet>
config partitions
edit "<partition name 1>"
set slot-id <pkcs#11 slot index>
set pkcs11-pin <PKCS#11 PIN of this partition>
next
edit "<partition name 2>"
set slot-id <pkcs#11 slot index>
set pkcs11-pin <PKCS#11 PIN of this partition>
next
end
end
Example configuration (the configuration file primus.cfg was already uploaded via tftp):
config system nethsm
set status enable
set secret-content dmVyc2lvbiA9ICIxLjAiOwpwcmltdX...9OwogIH07Cn07Cg==
config partitions
edit "PRIMUSDEV368"
set slot-id 0
set pkcs11-pin PRIMUSDEV
next
edit "ALDUROZEP"
set slot-id 1
set pkcs11-pin dbZMEmqpMNU7PRIMUSDEV
next
end
end
FortiGate stores and outputs the above values in an encrypted format (see the FortiGate documentation for details). If previously configured, these values can also be entered in the FortiGate encrypted format (prefixing the value with ENC):
config system nethsm
set status enable
set secret-content ENC kFR3tNLNuU5y4Lr08RMxx//gGBQznk0vgBiILs/L....
config partitions
edit "PRIMUSDEV368"
set slot-id 0
set pkcs11-pin ENC Y6f4fDwBaF2GUcT21R8Q9KTbi9Kw8N...
next
edit "ALDUROZEP"
set slot-id 1
set pkcs11-pin ENC WQw9aQ2qKTyDeWtDgsvujjqBWCoV/E...
next
end
end
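As an added example (not part of the Securosys or Fortinet documentation), the following Python script renders the "config system nethsm" block above from a primus.cfg text, escaping the double quotes as step 2 requires, and rejects a secret-content value that is not valid base-64 or exceeds the 3k limit from step 3. The sample config fragment, the sample secret and PIN, and the assumption that the 3k limit applies to the base-64 text as typed on the CLI are constructed for this example.

```python
import base64

# Constructed fragment of a primus.cfg (not the full file from the page);
# it contains the double quotes that must be escaped for "set primus-cfg".
SAMPLE_PRIMUS_CFG = '''#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = "1.0";
primus:
{
wait_delay = 250; /* in ms*/
};
'''

# Constructed stand-in for the "ppin --fortinet" console output.
SAMPLE_SECRET_B64 = base64.b64encode(b'version = "1.0";\n').decode()

# Limit stated in step 3; applying it to the base-64 text as entered
# on the CLI (rather than the decoded bytes) is an assumption.
MAX_SECRET_LEN = 3 * 1024


def escape_primus_cfg(cfg_text: str) -> str:
    """Escape every double quote with a backslash, as 'set primus-cfg' requires."""
    return cfg_text.replace('"', '\\"')


def check_secret_content(secret_b64: str) -> bytes:
    """Reject oversized or malformed base-64 before it reaches the FortiGate."""
    if len(secret_b64) > MAX_SECRET_LEN:
        raise ValueError(f"secret-content is {len(secret_b64)} bytes, limit is {MAX_SECRET_LEN}")
    # validate=True rejects stray characters picked up when copying console output
    return base64.b64decode(secret_b64, validate=True)


def build_nethsm_config(cfg_text: str, secret_b64: str, partitions) -> str:
    """Render the CLI block; partitions is a list of (name, slot_id, pin) tuples."""
    check_secret_content(secret_b64)
    lines = [
        "config system nethsm",
        "set status enable",
        f'set primus-cfg "{escape_primus_cfg(cfg_text)}"',
        f"set secret-content {secret_b64}",
        "config partitions",
    ]
    for name, slot_id, pin in partitions:
        lines += [f'edit "{name}"', f"set slot-id {slot_id}", f"set pkcs11-pin {pin}", "next"]
    lines += ["end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # "example-pin" is a constructed placeholder, not a real PIN
    print(build_nethsm_config(SAMPLE_PRIMUS_CFG, SAMPLE_SECRET_B64, [("PRIMUSDEV368", 0, "example-pin")]))
```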
For detailed FortiGate command description, certificate generation and usage refer to the FortiGate documentation.