Overview
A Hardware Security Module (HSM) is a secure, “trusted” PCI card, appliance, or cloud service (DPoD Cloud HSM) that is used to perform a variety of cryptographic operations such as secure key management and encryption. It is a network-attached HSM device designed to secure the cryptographic keys on board, with specialized tamper-proof hardware and hardened software.
The Barracuda Web Application Firewall is connected with Gemalto SafeNet Luna Network HSM for securing its private keys. New private keys can be created in the HSM by the Barracuda Web Application Firewall and existing keys can be uploaded to the HSM via Barracuda Web Application Firewall. In each case, the private key is stored securely in the Gemalto HSM.
When certificates are created, the private key associated with the certificate is generated and securely stored in the Gemalto HSM, while the certificate is generated and saved on the Barracuda Web Application Firewall. The certificates can be viewed using the BASIC > Certificates > Saved Certificates section. Private keys can also be imported to the Gemalto HSM when any certificate is uploaded to the Barracuda Web Application.
Prerequisites
- HSM Server certificate(Gemalto HSM)
HSM Client certificate (Barracuda Web Application Firewall)
Network HSM partition details
Enable the Connection with Gemalto HSM
To enable connection between the Barracuda Web Application Firewall and Gemalto HSM:
HSM Client certificate (Barracuda WAF )
On the Barracuda Web Application Firewall, you can generate a new HSM Client certificate. This certificate must be downloaded from the Barracuda Web Application Firewall and then uploaded to Gemalto HSM.
To generate a HSM Client certificate:
- Navigate to ADVANCED > System Configuration > Network HSM Settings.
Click the Generate Client Certificate button. The certificate generation success message is displayed. In case you encounter a failure message, refer to the troubleshooting section for resolution.
- Click the Download HSM Client Certificate button. The certificate is downloaded to your system.
Primary Network HSM Server
- Navigate to ADVANCED > System Configuration > Network HSM Settings section.
Click Browse and then select the certificate obtained from the HSM server administrator.
- In the Network HSM Host box, enter the host name/IP address of Network HSM provided by the Network HSM administrator.
- In the Partition Name box, enter the name of the partition allocated in Network HSM. The partition name is provided by the Network HSM administrator.
- In the Partition Password box, enter the password for the partition provided by the Network HSM administrator.
Upload the Primary Network HSM server certificate.
- Click Register to configure the Network HSM on the Barracuda Web Application Firewall.
- Click Connect to connect to a single Network HSM server. The connection between the Barracuda Web Application Firewall and the Network HSM server is established.
Backup Network HSM Server
Configure the Backup Network HSM server if you want to connect to the Network HSM HA. After obtaining all the details from Gemalto HSM, configure the Barracuda Web Application Firewall to establish connection with Gemalto HSM.
- Click ADVANCED > System Configuration and then navigate to the Network HSM Settings section.
- In the Network HSM Host box, enter the host name/IP address of Network HSM provided by the Network HSM administrator.
- In the Partition Name box, enter the name of the partition allocated in Network HSM. The partition name is provided by the Network HSM administrator.
- In the Partition Password box, enter the password for the partition provided by the Network HSM administrator.
- Click Register to configure the Network HSM on the Barracuda Web Application Firewall.
- Click Connect after registering both Primary and Network HSM servers. This will establish the connection between the Barracuda Web Application Firewall and the Network HSM HA.