Configuring the PKCS#11 Provider

PKCS#11 Provider for FortiGate and FortiWeb

The Securosys PKCS#11 provider (v2.2.4 or later) is already integrated into Fortinet (no installation needed).

However, a valid configuration file and secrets have to be prepared and tested in advance, and are then loaded onto Fortinet via CLI or GUI.

Therefore, the PKCS#11 provider installation, configuration and connectivity setup (including permanent secret retrieval) have to be done on a separate machine (preferably Linux) before the configuration and secrets can be loaded onto Fortinet.

tip

Fortinet assumes that the configuration files primus.cfg and .secrets.cfg are consistent and correct; they are not validated on load.

PKCS#11 Provider Installation on Client Machine

Install the PKCS#11 provider on a Linux machine according to PKCS#11 Provider Installation Guide.

Prepare Provider Configuration

warning

Currently, the Fortinet integration has the following configuration restrictions:

  • Logging must be disabled (write_log_file = false; write_syslog = false;).
  • Establish all connections on initialization for latency optimization (connect_on_init = true;).
  • DNS is currently not supported in the configuration file. Use IP addresses instead (host = "a.b.c.d").

Configure the file /etc/primus.cfg with your HSM connectivity parameters. For details see the PKCS#11 Provider Configuration Guide.

In particular, adjust the global and log configuration sections as shown below; the settings that matter for Fortinet are connect_on_init, write_log_file and write_syslog:


/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
wait_delay = 250; /* in ms*/
wait_max_tries = 5;
connect_on_init = true;

/*--- HSM CONFIGURATION SECTION -----------------------------------------*/

/*--- LOG CONFIGURATION SECTION -----------------------------------------*/
log:
{
file = "/tmp/primus.log";
write_log_file = false;
write_syslog = false;
trace_linenumber = false;
trace_timestamp = true;
trace_function = true;
trace_inout = false;
trace_pid = true;
trace_filename = false;
trace_mask = 0x00;
trace_level = 0; /* 0-7 log level details */
}; /* end log */
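Before loading the file onto Fortinet, the three restrictions from the warning above can be checked mechanically. The following pre-flight script is an added example, not part of the Securosys or Fortinet documentation; it assumes the key = value; layout shown above, and the two sample configurations it writes are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check of a primus.cfg against the Fortinet restrictions
# (write_log_file = false, write_syslog = false, connect_on_init = true, IP hosts only).
# Comment stripping only handles single-line /* ... */ comments (assumption).

# Print the value of the first "key = value;" line for key $2 in file $1.
cfg_value() {
    sed -e 's#/\*.*\*/##' "$1" \
        | grep -E "^[[:space:]]*$2[[:space:]]*=" | head -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//; s/[[:space:]]*;.*$//"
}

# Return 0 when $1 satisfies every restriction, 1 otherwise; print each failure.
check_primus_cfg() {
    cfg="$1"; fail=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    for pair in write_log_file=false write_syslog=false connect_on_init=true; do
        key=${pair%=*}; want=${pair#*=}
        got=$(cfg_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key = '${got:-<unset>}' (Fortinet requires $want)"; fail=1
        fi
    done
    # DNS names are not supported: every host = "..." must be a dotted-quad IPv4 address.
    bad_hosts=$(sed -e 's#/\*.*\*/##' "$cfg" \
        | grep -E '(^|[^[:alnum:]_])host[[:space:]]*=' | sed -E 's/.*"([^"]*)".*/\1/' \
        | grep -Evc '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true)
    if [ "$bad_hosts" -gt 0 ]; then
        echo "FAIL: $bad_hosts host entries are not IP addresses"; fail=1
    fi
    return $fail
}

# Constructed samples: one compliant file, one that breaks all four rules.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
primus: {
  connect_on_init = true;          /* constructed sample */
  hsm0: {
    host = "10.0.0.11"; port = 2410;
  };
  log: {
    write_log_file = false;
    write_syslog = false;
  };
};
EOF
sed -e 's/= true;/= false;/' -e 's/write_syslog = false/write_syslog = true/' \
    -e 's/"10.0.0.11"/"hsm.example.internal"/' "$GOOD_CFG" > "$BAD_CFG"
check_primus_cfg "$GOOD_CFG" && echo "compliant sample: OK"
check_primus_cfg "$BAD_CFG" || echo "non-compliant sample: rejected as expected"
```

Run it against the real file with check_primus_cfg /etc/primus/primus.cfg; a non-zero exit means the file must be corrected before it is loaded via the Fortinet CLI or GUI.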

Retrieve the Permanent Secret

Retrieve the blinded permanent secret with the ppin tool:

ppin -ae <HSM_USERNAME> <setupPassword> <PKCS11Password>

For more details see Permanent Secret Management. In case of failure see the Troubleshooting section.

Testing the Cluster Connectivity

Test the connectivity to all devices in the cluster:

ppin -t
Load config file: '/etc/primus/primus.cfg'

hsm0: Connect to '82.197.162.10' on port 2410, firmware: RX-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK

hsm1: Connect to '82.197.162.10' on port 2411, firmware: RP-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK

Number of tested HSMs: 2 (number of partitions: 2)

Number of failures: 0