Prerequisites
Please ensure the following requirements are met:
- FortiWeb with FortiOS v7.6.3 or newer (the Securosys PKCS#11 Provider v2.2.4 or newer is built in)
- FortiGate with FortiOS v7.2.8 Special Build 9127 (the Securosys PKCS#11 Provider v2.3.2 or newer is built in)
- An HSM:
  - A CloudHSM partition, or
  - A Primus HSM with firmware v2.8.21 or newer
Get an HSM
CloudHSM
CloudHSM is a hosted offering from Securosys: Securosys operates the HSMs for you in a geo-redundant cluster. For testing purposes, CloudHSM offers a free 90-day trial.
Sign up to CloudHSM
On-premise
Contact the Securosys Sales team to purchase a Primus HSM. There are various models available.
Configure the HSM
You can skip this step if you are using CloudHSM.
If you are using an on-premise HSM, start by installing the hardware. Run through the Initial Wizard, set up your Genesis and Security Officer (SO) roles, and define the network settings.
Once this basic HSM setup is done, proceed with the configuration needed to integrate Fortinet, as described below.
Create a Partition
Create a new Partition. The Fortinet appliance will use this Partition to store its keys.
- UI: Roles > User > Create
- Console: hsm_sec_create_user
Enable PKCS#11 API
The PKCS#11 API must be enabled at both the device level and the user (partition) level. In the XML, the state attribute of crypto_user decides which one applies to a partition: enabled means the user-level block is in effect, disabled means the device-level configuration is used.
UI
- Setup > Configuration > Security > Device Security > Crypto Policy > PKCS#11: enabled
- Setup > Configuration > Security > User Security > (user name) > PKCS#11: enabled
Console
```
hsm_sec_set_config pkcs11=true
hsm_sec_enter_user_config
hsm_user_set_config pkcs11=true
```
XML
```xml
...
<pkcs_process>
<active>enabled</active>
...
</pkcs_process>
...
<crypto_process>
...
<crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
<user_name>PART001</user_name> <!-- partition name -->
<pkcs_allowed>enabled</pkcs_allowed> <!-- enable PKCS#11, interface on partition -->
</crypto_user>
...
```
Set PKCS#11 Password
This assumes the user-level configuration is in effect (crypto_user state="enabled"). This password is the PKCS#11 credential the Fortinet appliance uses to log in to the partition; PRIMUSDEV in the XML below is only the example value, choose your own strong password.
UI
- Setup > Configuration > Security > User Security > (user name) > PKCS#11 password
Console
```
hsm_user_set_config pkcs11_pwd
```
XML
```xml
...
<crypto_process>
...
<crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
<user_name>PART001</user_name> <!-- partition name -->
<pkcs_password>PRIMUSDEV</pkcs_password> <!-- set partition pwd for PKCS#11 -->
...
</crypto_user>
...
```
Generate a New Setup Password
Generate a new setup password for the partition and note it down; it is needed on the Fortinet side of the configuration.
- UI: Roles > User > New Setup Pw
- Console: hsm_user_new_setup_pass
Disable Wrapped Key Export, Key Extract, and Key Import
Disabling key export and key extract makes the keys in this partition non-exportable. With key import disabled, no existing private key can be brought into the partition any more, so import anything you need to migrate before turning it off.
UI
- Setup > Configuration > Security > User Security > (user name) > Key export: disabled
- Setup > Configuration > Security > User Security > (user name) > Key extract: disabled
- Setup > Configuration > Security > User Security > (user name) > Key import: disabled
Console
```
hsm_user_set_config key_export=false
hsm_user_set_config key_extract=false
hsm_user_set_config key_import=false
```
XML
```xml
...
</pkcs_process>
<crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
<user_name>PART001</user_name> <!-- partition name -->
...
<import_keys>disabled</import_keys> <!-- disable key import on user -->
<export_keys>disabled</export_keys> <!-- disable key export on user -->
<extract_keys>disabled</extract_keys> <!-- disable wrapped key export on user -->
...
</crypto_user>
...
```
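As a check on the three configuration steps above (PKCS#11 enabled, PKCS#11 password set, key import/export/extract disabled), here is an added example script that is not part of this page or of Securosys' tooling. It parses an exported Primus configuration and reports every deviation for a named partition. The element names (pkcs_process/active, crypto_process/crypto_user with its state attribute, user_name, pkcs_allowed, pkcs_password, import_keys, export_keys, extract_keys) are the ones shown in the XML fragments above; the enclosing root element and the sample configuration are assumptions constructed for the example.

```python
"""Check an exported Primus HSM configuration for the partition hardening
described above: PKCS#11 enabled at device and user level, a PKCS#11
password that is not the documented example value, and key import, export
and extract disabled.

Element names come from the XML fragments on this page. The <primus> root
element and the sample configuration below are assumptions made for this
example; a real export contains many more elements, which are ignored.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one partition with two deliberate deviations
# (example password, export_keys still enabled) and one partition whose
# user-level block is switched off.
SAMPLE_CONFIG = """<primus>
  <pkcs_process>
    <active>enabled</active>
  </pkcs_process>
  <crypto_process>
    <crypto_user state="enabled">
      <user_name>PART001</user_name>
      <pkcs_allowed>enabled</pkcs_allowed>
      <pkcs_password>PRIMUSDEV</pkcs_password>
      <import_keys>disabled</import_keys>
      <export_keys>enabled</export_keys>
      <extract_keys>disabled</extract_keys>
    </crypto_user>
    <crypto_user state="disabled">
      <user_name>PART002</user_name>
    </crypto_user>
  </crypto_process>
</primus>
"""

EXAMPLE_PASSWORD = "PRIMUSDEV"  # the placeholder shown in the page's XML snippet


def _text(elem, tag):
    """Text of a child element, or None when the parent or child is absent."""
    child = elem.find(tag) if elem is not None else None
    return child.text.strip() if child is not None and child.text else None


def check_partition(config_xml: str, partition: str) -> list:
    """Return a list of findings for one partition; an empty list means all checks pass."""
    root = ET.fromstring(config_xml)
    findings = []

    # Device-level switch must be on regardless of the user-level block.
    if _text(root.find("pkcs_process"), "active") != "enabled":
        findings.append("device-level PKCS#11 (pkcs_process/active) is not enabled")

    user = None
    for cu in root.iterfind("crypto_process/crypto_user"):
        if _text(cu, "user_name") == partition:
            user = cu
            break
    if user is None:
        findings.append(f"partition {partition} not found in crypto_process")
        return findings

    # state="disabled" means the device-level configuration applies instead,
    # so nothing inside this block can be relied on; stop and report that.
    if user.get("state") != "enabled":
        findings.append(
            f"crypto_user {partition} has state={user.get('state')!r}; "
            "user-level config is not in effect"
        )
        return findings

    if _text(user, "pkcs_allowed") != "enabled":
        findings.append("pkcs_allowed is not enabled on the partition")

    pwd = _text(user, "pkcs_password")
    if not pwd:
        findings.append("no pkcs_password set on the partition")
    elif pwd == EXAMPLE_PASSWORD:
        findings.append("pkcs_password is the documentation example value")

    # An absent flag is reported as well: a missing element is not "disabled".
    for tag in ("import_keys", "export_keys", "extract_keys"):
        value = _text(user, tag)
        if value != "disabled":
            findings.append(f"{tag} is {value or 'not set'}; expected disabled")
    return findings


if __name__ == "__main__":
    for name in ("PART001", "PART002"):
        for line in check_partition(SAMPLE_CONFIG, name) or [f"{name}: all checks pass"]:
            print(line)
```

Run it against the XML exported from the HSM after the steps above; the expected result for the Fortinet partition is an empty finding list. The script deliberately stops at a crypto_user block whose state is not enabled, because in that case the user-level flags shown are not the ones the HSM enforces.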