Configuring the PKCS#11 Provider
PKCS#11 Provider for FortiGate and FortiWeb
The Securosys PKCS#11 provider (v2.2.4 or later) is already integrated into Fortinet (no installation needed).
However, a valid configuration file and secrets have to be prepared and tested in advance, and are then loaded onto Fortinet via CLI or GUI.
Therefore, the PKCS#11 provider installation, configuration and connectivity setup (including permanent secret retrieval) have to be done on a separate machine (preferably Linux) before the configuration and secrets can be loaded onto Fortinet.
Fortinet assumes that the configuration file primus.cfg and the secrets file .secrets.cfg are consistent and correct!
PKCS#11 Provider Installation on Client Machine
Install the PKCS#11 provider on a Linux machine according to the PKCS#11 Provider Installation Guide.
Prepare Provider Configuration
Currently, the Fortinet integration has the following configuration restrictions:
- Logging must be disabled (write_log_file = false; write_syslog = false;).
- Establish all connections on initialization for latency optimization (connect_on_init = true;).
- DNS is currently not supported in the configuration file. Use IP addresses instead (host = "a.b.c.d").
Configure the file /etc/primus.cfg
with your HSM connectivity parameters.
For details see the PKCS#11 Provider Configuration Guide.
In particular, adjust the global and log configuration sections as shown below (the settings that matter for Fortinet are connect_on_init, write_log_file and write_syslog):
…
/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
    wait_delay = 250; /* in ms */
    wait_max_tries = 5;
    connect_on_init = true;
    /*--- HSM CONFIGURATION SECTION -----------------------------------------*/
    …
/*--- LOG CONFIGURATION SECTION -----------------------------------------*/
log:
{
    file = "/tmp/primus.log";
    write_log_file = false;
    write_syslog = false;
    trace_linenumber = false;
    trace_timestamp = true;
    trace_function = true;
    trace_inout = false;
    trace_pid = true;
    trace_filename = false;
    trace_mask = 0x00;
    trace_level = 0; /* 0-7 log level details */
}; /* end log */
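Because Fortinet does not validate primus.cfg itself, a pre-flight check on the preparation machine is worthwhile. The following Python script is an added example, not part of this page or of the Securosys tooling: it reads a primus.cfg fragment with a simplified line-level reader (not a full libconfig parser) and reports any violation of the three Fortinet restrictions above (logging off, connect_on_init on, IP literals for host). The embedded sample configuration and the 192.0.2.10 address are constructed placeholders.

```python
import ipaddress
import re

# Constructed primus.cfg fragment in libconfig syntax; the host is a
# documentation-range placeholder, not a real HSM address.
SAMPLE_CFG = """\
primus:
{
  wait_delay = 250; /* in ms */
  connect_on_init = true;
  hsm0:
  {
    host = "192.0.2.10";
    port = 2410;
  };
};
log:
{
  file = "/tmp/primus.log";
  write_log_file = false;
  write_syslog = false;
};
"""

# Matches one `key = value;` line; the value may be quoted or bare.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*("?)([^";]*)\2\s*;', re.M)

def parse_assignments(text):
    """Return {key: [values...]} for every assignment, comments stripped.
    Nesting is ignored: every checked key is unique per file except host."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    found = {}
    for key, _quote, value in ASSIGN_RE.findall(text):
        found.setdefault(key, []).append(value.strip())
    return found

def check_fortinet_restrictions(cfg_text):
    """Return a list of violations; an empty list means the fragment passes."""
    vals = parse_assignments(cfg_text)
    problems = []
    for key, want in (("write_log_file", "false"), ("write_syslog", "false"),
                      ("connect_on_init", "true")):
        got = vals.get(key, [])
        if got != [want]:
            problems.append(f"{key} must be {want}, found {got or 'missing'}")
    for host in vals.get("host", []):
        try:
            ipaddress.ip_address(host)   # DNS names are rejected here
        except ValueError:
            problems.append(f"host must be an IP address, not a DNS name: {host!r}")
    if "host" not in vals:
        problems.append("no host entry found")
    return problems
```

Run it against the real /etc/primus.cfg before loading the file onto the appliance; a non-empty result means the file would be rejected or misbehave under the restrictions listed above.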
Retrieve the Permanent Secret
Retrieve the blinded permanent secret with the ppin tool:
ppin -ae <HSM_USERNAME> <setupPassword> <PKCS11Password>
For more details see Permanent Secret Management. In case of failure see the Troubleshooting section.
Testing the Cluster Connectivity
Test the connectivity to all devices in the cluster:
ppin -t
Load config file: '/etc/primus/primus.cfg'
hsm0: Connect to '82.197.162.10' on port 2410, firmware: RX-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK
hsm1: Connect to '82.197.162.10' on port 2411, firmware: RP-3.1.0-T
slot0 (id=0), user=PRIMUSDEV368: OK
Number of tested HSMs: 2 (number of partitions: 2)
Number of failures: 0