
Securosys PKCS#11 Provider Preparations

The Securosys PKCS#11 provider v2.2.2 or later is already integrated into FortiGate, so no installation is needed on the FortiGate itself. However, a valid configuration file and the secrets must be prepared and tested in advance before they are loaded onto the FortiGate via CLI or GUI. The PKCS#11 provider installation, configuration and connectivity setup, including retrieval of the permanent secret, therefore has to be carried out on a separate client machine (preferably Linux) before the configuration and secrets can be loaded onto the FortiGate.

warning

The FortiGate assumes that the configuration file primus.cfg and secrets are consistent and correct!

PKCS#11 Provider Installation on Client Machine

Install the PKCS#11 provider on a Linux machine according to https://docs.securosys.com/pkcs/Installation/pkcs11_provider_installation

  • For FortiGate with
    • FortiOS v7.2.8 Special Build 8993 install the Securosys PKCS#11 Provider v2.2.2
    • FortiOS v7.2.8 Special Build 9127 and newer install the Securosys PKCS#11 Provider v2.2.4 or newer

Prepare Provider Configuration

The FortiGate implementation currently has the following configuration restrictions:

  • FortiGate can address one single redundant (clustered) partition only; different partitions are not supported
  • Logging must be disabled (write_log_file = false; write_syslog = false;)
  • All connections must be established on initialization to optimize latency (connect_on_init = true;)
  • DNS names are currently not supported for host entries in the configuration file; use IP addresses instead (host = "a.b.c.d")

Configure the file /etc/primus.cfg with your HSM connectivity parameters.
For details consult https://docs.securosys.com/pkcs/Installation/pkcs11_provider_configuration.

Adjust the global and log configuration sections as shown below; connect_on_init, write_log_file and write_syslog are the settings the FortiGate restrictions require:


/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
  wait_delay = 250; /* in ms */
  wait_max_tries = 5;
  connect_on_init = true;

/*--- HSM CONFIGURATION SECTION -----------------------------------------*/

/*--- LOG CONFIGURATION SECTION -----------------------------------------*/
log:
{
  file = "/tmp/primus.log";
  write_log_file = false;
  write_syslog = false;
  trace_linenumber = false;
  trace_timestamp = true;
  trace_function = true;
  trace_inout = false;
  trace_pid = true;
  trace_filename = false;
  trace_mask = 0x00;
  trace_level = 0; /* 0-7 log level details */
}; /* end log */
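Because the FortiGate does not validate primus.cfg itself, it is worth running a pre-flight check against the restrictions listed above before loading the file. The following script is an added example, not part of the Securosys documentation or provider; it assumes the libconfig-style "key = value;" line syntax shown in the fragment above and uses a constructed sample configuration with deliberately wrong settings.

```python
import ipaddress
import re

# Constructed sample fragment (not a real deployment); the non-IP host,
# connect_on_init = false and write_log_file = true are planted defects.
SAMPLE_CFG = """\
primus:
{
  wait_delay = 250; /* in ms */
  connect_on_init = false;
  hsm0: { host = "hsm.example.internal"; port = 2410; };
  hsm1: { host = "192.0.2.11"; port = 2411; };
};
log:
{
  write_log_file = true;
  write_syslog = false;
};
"""

# Matches 'key = value;' or 'key = "value";' anywhere on a line.
KEY_RE = re.compile(r'(\w+)\s*=\s*("?)([^";]*)\2\s*;')

# Values the FortiGate integration requires (see restrictions above).
REQUIRED = {"connect_on_init": "true",
            "write_log_file": "false",
            "write_syslog": "false"}


def parse_settings(text):
    """Return {key: [values...]} for every assignment, ignoring /* */ comments."""
    settings = {}
    stripped = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    for key, _quote, value in KEY_RE.findall(stripped):
        settings.setdefault(key, []).append(value.strip())
    return settings


def check_fortigate_restrictions(text):
    """Return a list of findings; an empty list means the file passes."""
    settings = parse_settings(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} missing (must be {want})")
        elif any(v != want for v in got):
            findings.append(f"{key} = {got[0]} (must be {want})")
    for host in settings.get("host", []):  # every hsmN host entry
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f'host = "{host}" is not an IP address (DNS unsupported)')
    return findings
```

Run check_fortigate_restrictions() on the contents of your real /etc/primus.cfg and load the file onto the FortiGate only when it returns no findings.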

Retrieve the Permanent Secret

Retrieve the blinded permanent secret with the ppin tool (for details see https://docs.securosys.com/pkcs/Installation/permanent_secret_management):

ppin -ae <HSM_USERNAME> <setupPassword> <PKCS11Password>

In case of failure see the section Troubleshooting: https://docs.securosys.com/pkcs/Tutorials/troubleshooting

Cluster Connectivity Test

Test proper connectivity to all clustered devices with the ppin tool:

ppin -t
Load config file: '/etc/primus/primus.cfg'

hsm0: Connect to '82.197.162.10' on port 2410, firmware: RX-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK

hsm1: Connect to '82.197.162.10' on port 2411, firmware: RP-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK

Number of tested HSMs: 2 (number of partitions: 2)

Number of failures: 0