
Configure FortiGate

The HSM integration is done via the FortiGate nethsm module (Command Line Interface).

1. HSM Registration

Enable HSM functionality with the following command sequence (the closing end commits the setting):

config system nethsm
set status enable
end

2. Upload the HSM Configuration File

It is recommended to upload the previously tested configuration file (primus.cfg) in raw mode via a TFTP server (e.g. http://tftpd32.jounin.net):

execute nethsm upload-primus-cfg-raw <configFileName> <tftp-server-ip>

For example:

execute nethsm upload-primus-cfg-raw primusorigext.cfg 192.168.159.1
This will apply the new primus.cfg without applying recommended settings. Do you want to continue? (y/n)y

primus.cfg has been updated.

3. Prepare and Configure HSM Secrets

The permanent connection secret(s) and PKCS#11 PIN(s) have to be configured via CLI (or GUI).

The base64-encoded .secrets.cfg file can be generated without leaving local traces by using the console output of the ppin tool (the base64 block printed after the "# Fortinet secret to be loaded:" line). Do this on the client machine where you previously prepared the files.

Warning: The maximum secrets length supported by FortiGate is 3k bytes.

ppin --fortinet --user <username> [<setupPassword> <PKCS11Password>] [--proxyuser <proxyUserName> [--proxypassword <proxyPassword>]]   
# Fortinet secret to be loaded:
dmVyc2lvbiA9ICIxLjAiOwpwcmltdXMgOiAKewogIHVzZXJzIDogCiAgewogICAgdXNlcjAgOiAKICAgIHsKICAgICAgbmFtZSA9ICJQUklNVVNERVYzNjgiOwogICAgICBdpY3MgPSAiMzcwYzJj
...
GUwY2Y4ZjNhNTkwMzE2ZjE4MGI4YWZlNDdiMzY1Nzg1ZWQ3NyI7CiAgICB9OwogIH07Cn07Cg==

To configure the prepared connection secrets and PKCS#11 PIN(s) of the HSM partition(s) via CLI, use the following command sequence:

config system nethsm
set status enable
set primus-cfg "<content of primus.cfg escaped, if not already loaded via tftp>"
set secret-content <base64 encoded .secrets.cfg file as output of ppin --fortinet>
config partitions
edit "<partition name 1>"
set slot-id <pkcs#11 slot index>
set pkcs11-pin <PKCS#11 PIN of this partition>
next
edit "<partition name 2>"
set slot-id <pkcs#11 slot index>
set pkcs11-pin <PKCS#11 PIN of this partition>
next
end
end

The parameter pkcs11-pin corresponds to the HSM PKCS#11 password. The HSM administrator has previously configured this password and can provide it to you.

FortiGate stores and outputs the above values in an encrypted format (see the FortiGate documentation for details). If previously configured, these values can also be entered in the FortiGate encrypted format (prefix the value with ENC):

config system nethsm
set status enable
set secret-content ENC kFR3tNLNuU5y4Lr08RMxx//gGBQznk0vgBiILs/L....
config partitions
edit "PRIMUSDEV368"
set slot-id 0
set pkcs11-pin ENC Y6f4fDwBaF2GUcT21R8Q9KTbi9Kw8N...
next
edit "ALDUROZEP"
set slot-id 1
set pkcs11-pin ENC WQw9aQ2qKTyDeWtDgsvujjqBWCoV/E...
next
end
end

For detailed FortiGate command description, certificate generation and usage refer to the FortiGate documentation.
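To make the hand-over of step 3 less error-prone, the following added example (not part of the HSM vendor's or Fortinet's tooling) renders the config system nethsm sequence from a prepared secret and a partition list, after checking the values a FortiGate would reject: invalid or empty base64, the 3k-byte secret limit (assumed here to apply to the base64 string and read as 3000 bytes), duplicate or negative slot ids, and empty PINs. The partition names, PINs and the .secrets.cfg content are constructed placeholders.

```python
import base64
import binascii
# Assumption: the page's "3k bytes" limit, read as 3000, applied to the base64 secret-content value.
MAX_SECRET_CONTENT_BYTES = 3000

def encode_secrets_cfg(secrets_cfg: bytes) -> str:
    """Base64-encode a prepared .secrets.cfg, as `ppin --fortinet` prints it."""
    return base64.b64encode(secrets_cfg).decode("ascii")

def secret_content_problems(secret_content: str) -> list[str]:
    """Reasons the value would not load; an empty list means it looks loadable."""
    problems = []
    if len(secret_content) > MAX_SECRET_CONTENT_BYTES:
        problems.append(f"secret-content is {len(secret_content)} bytes, limit is {MAX_SECRET_CONTENT_BYTES}")
    try:
        if not base64.b64decode(secret_content, validate=True):
            problems.append("secret-content is empty")
    except (binascii.Error, ValueError):
        problems.append("secret-content is not valid base64")
    return problems

def partition_problems(partitions: list[tuple[str, int, str]]) -> list[str]:
    """Names and PINs must be non-empty; slot ids must be unique and non-negative."""
    problems, seen_slots = [], set()
    for name, slot_id, pin in partitions:
        if not name or '"' in name:
            problems.append(f"bad partition name {name!r}")
        if slot_id < 0 or slot_id in seen_slots:
            problems.append(f"slot-id {slot_id} of {name!r} is negative or duplicated")
        seen_slots.add(slot_id)
        if not pin:
            problems.append(f"empty pkcs11-pin for {name!r}")
    return problems

def render_nethsm_config(secret_content: str, partitions: list[tuple[str, int, str]]) -> str:
    """Emit the step-3 CLI sequence; refuse inputs that FortiGate would not load."""
    problems = secret_content_problems(secret_content) + partition_problems(partitions)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config system nethsm", "    set status enable",
             f"    set secret-content {secret_content}", "    config partitions"]
    for name, slot_id, pin in partitions:
        lines += [f'        edit "{name}"', f"            set slot-id {slot_id}",
                  f"            set pkcs11-pin {pin}", "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)

# Constructed sample input, not a real .secrets.cfg (real ones come from ppin).
SAMPLE_SECRETS_CFG = b'version = "1.0";\nprimus : { users : { user0 : { name = "EXAMPLE"; }; }; };\n'
SAMPLE_PARTITIONS = [("PARTITION-A", 0, "example-pin-a"), ("PARTITION-B", 1, "example-pin-b")]
```

Calling render_nethsm_config(encode_secrets_cfg(SAMPLE_SECRETS_CFG), SAMPLE_PARTITIONS) prints the same flat sequence shown in step 3, with placeholders filled in; values already stored by FortiGate in ENC form are not handled by this check.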
