Configuring FortiWeb
FortiWeb must be explicitly configured to use an HSM for cryptographic operations. This is done through the CLI by enabling HSM support and specifying the manufacturer. Without this step, FortiWeb will not recognize the HSM for certificate storage and cryptographic functions.
1. Specifying Primus HSM
Set the policy with the following command:
config server-policy setting
set hsm enable
set hsm-manufacturer primus
end
When HSM is successfully enabled, the Securosys Primus HSM page becomes accessible in the GUI, and the CLI command config system nethsm can be configured.
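To confirm that step 1 was actually applied, the check below scans an exported configuration for the two settings. It is an added example, not Fortinet or Securosys code; it assumes the export uses the same config/set/end syntax as the CLI commands above, and the function names and sample text are constructed for illustration.

```python
# Constructed sample of a CLI-format configuration export (assumption: exports
# use the same config/set/end syntax as the commands shown above).
SAMPLE_EXPORT = """\
config system global
  set hostname "fwb-lab"
end
config server-policy setting
  set hsm enable
  set hsm-manufacturer primus
end
"""

def parse_settings(text, section):
    """Return {key: value} for 'set' lines directly inside 'config <section>'."""
    settings, depth, inside = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if inside:
                depth += 1  # nested block inside the target section
            elif line[len("config "):].strip() == section:
                inside, depth = True, 0
            continue
        if not inside:
            continue
        if line == "end":
            if depth == 0:
                break       # end of the target section
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip('"')
    return settings

def hsm_findings(text):
    """List problems with the HSM settings; an empty list means step 1 is applied."""
    s = parse_settings(text, "server-policy setting")
    findings = []
    if s.get("hsm") != "enable":
        findings.append("hsm is not enabled in 'config server-policy setting'")
    if s.get("hsm-manufacturer") != "primus":
        findings.append("hsm-manufacturer is %r, expected 'primus'" % s.get("hsm-manufacturer"))
    return findings

if __name__ == "__main__":
    print(hsm_findings(SAMPLE_EXPORT) or "HSM enabled with manufacturer primus")
```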
2. Upload the HSM Configuration File
After a successful configuration of the PKCS#11 Provider, you should have your configuration and security files available. FortiWeb uses these credentials to authenticate with the HSM.
In FortiWeb, navigate to System > Config > Securosys Primus HSM. Upload the Primus HSM configuration file; FortiWeb reads the configuration and displays a breakdown of the partition. Then configure the partition settings according to the FortiWeb administration guide, Configure the HSM in FortiWeb.
Select Status Enable to activate the HSM integration. Select OK to apply the configuration.
FortiWeb validates the configuration before you can begin performing cryptographic operations using your partition.
3. Using the Primus HSM on FortiWeb
For a detailed breakdown of the uses of FortiWeb with Primus HSM, please visit:
- Generating Local CSR
- Obtaining Signed Certificates
- Importing the Signed Certificate into FortiWeb
- Applying the Certificate in Server Policy
4. Disabling Primus HSM Configuration
Before disabling the Primus HSM configuration, you must remove all associated HSM-dependent configurations, including local certificates and CSRs of the Primus HSM type. After clearing these dependencies, you can modify or delete the HSM partition.
For more information, including Monitoring and Troubleshooting FortiWeb, please visit the Fortinet documentation page.