
Configuring the PKCS#11 Provider

PKCS#11 Provider for FortiGate and FortiWeb

The Securosys PKCS#11 provider (v2.2.4 or later) is already integrated into Fortinet (no installation needed).

However, a valid configuration file and secrets have to be prepared and tested in advance, and are then loaded to Fortinet via CLI or GUI.

Therefore, the PKCS#11 provider installation, configuration and connectivity setup, including retrieval of the permanent secret, have to be prepared on a separate client machine (preferably Linux) before the configuration and secrets can be loaded to Fortinet.

Tip: Fortinet assumes that the configuration file primus.cfg and the secrets are consistent and correct!

PKCS#11 Provider Installation on Client Machine

Install the PKCS#11 provider on a Linux machine according to the PKCS#11 Provider Installation Guide.

Prepare Provider Configuration

Warning: Currently, the Fortinet integration has the following configuration restrictions:

  • Logging must be disabled (write_log_file = false; write_syslog = false;)
  • All connections must be established on initialization, for latency optimization (connect_on_init = true;)
  • DNS names are currently not supported in the configuration file; use IP addresses instead (host = "a.b.c.d";)

Configure the file /etc/primus.cfg with your HSM connectivity parameters.
For details consult the PKCS#11 Provider Configuration Guide.

  1. Adjust the global and log configuration sections as shown below; the settings that must be changed for Fortinet are connect_on_init, write_log_file and write_syslog:

/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
  wait_delay = 250;          /* in ms */
  wait_max_tries = 5;
  connect_on_init = true;    /* required by Fortinet: connect to all HSMs on init */

  /*--- HSM CONFIGURATION SECTION -----------------------------------------*/
  /* hsm0, hsm1, ... blocks are not shown here; see the PKCS#11 Provider
     Configuration Guide. Use IP addresses, not DNS names, for host. */

  /*--- LOG CONFIGURATION SECTION -----------------------------------------*/
  log:
  {
    file = "/tmp/primus.log";
    write_log_file = false;  /* required by Fortinet: no log file */
    write_syslog = false;    /* required by Fortinet: no syslog */
    trace_linenumber = false;
    trace_timestamp = true;
    trace_function = true;
    trace_inout = false;
    trace_pid = true;
    trace_filename = false;
    trace_mask = 0x00;
    trace_level = 0;         /* 0-7 log level details */
  }; /* end log */
}; /* end primus */
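Because Fortinet does not validate the file, it is worth checking the restrictions above before loading it. The following added example (not Securosys or Fortinet code) assumes the libconfig-style syntax shown on this page and runs the check against a constructed sample configuration that breaks three of the rules:

```python
import ipaddress
import re

# Settings that the Fortinet integration requires (see the warning above).
REQUIRED = {
    "write_log_file": "false",
    "write_syslog": "false",
    "connect_on_init": "true",
}

# Constructed sample primus.cfg that violates three of the restrictions.
SAMPLE_CFG = """
primus:
{
  connect_on_init = false;           /* must be true for Fortinet */
  hsm0:
  {
    host = "hsm.example.test";       /* DNS name, must be an IP address */
    port = 2310;
  };
  log:
  {
    write_log_file = false;
    write_syslog = true;             /* logging must be disabled */
  };
};
"""

def strip_comments(text):
    """Drop /* ... */ comments so commented-out settings are not matched."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)

def find_violations(cfg_text):
    """Return a list of violations of the Fortinet restrictions; [] means OK."""
    text = strip_comments(cfg_text)
    # Collect every boolean `key = true|false;` setting, whatever section it is in.
    settings = dict(re.findall(r"\b(\w+)\s*=\s*(true|false)\s*;", text))
    problems = []
    for key, wanted in REQUIRED.items():
        got = settings.get(key)
        if got != wanted:
            problems.append(f"{key} must be {wanted}, found {got}")
    # Every host entry must be a literal IP address, not a DNS name.
    for host in re.findall(r'\bhost\s*=\s*"([^"]*)"\s*;', text):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"host {host!r} is not an IP address (DNS not supported)")
    return problems
```

Run find_violations on the contents of your own primus.cfg before running ppin -t; an empty list means the three Fortinet restrictions are satisfied.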

Retrieve the Permanent Secret

Retrieve the blinded permanent secret with the ppin tool:

ppin -ae <HSM_USERNAME> <setupPassword> <PKCS11Password>

For more details see Permanent Secret Management. In case of failure, see the Troubleshooting section.

Testing the Cluster Connectivity

  1. Test the connectivity to all clustered devices with the ppin tool:

ppin -t
Load config file: '/etc/primus/primus.cfg'

hsm0: Connect to '82.197.162.10' on port 2410, firmware: RX-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK

hsm1: Connect to '82.197.162.10' on port 2411, firmware: RP-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK

Number of tested HSMs: 2 (number of partitions: 2)

Number of failures: 0

Continue with: