A Hardware Security Module (HSM) is a secure “trusted” PCI card, appliance, or cloud service (DPoD Cloud HSM) that is used to perform a variety of cryptographic operations such as secure key management and encryption. It is a network-attached HSM device designed to secure the cryptographic keys on board, with specialized tamper-proof hardware and hardened software.
The Barracuda Web Application Firewall is connected with Gemalto SafeNet Luna Network HSM for securing its private keys. New private keys can be created in the HSM by the Barracuda Web Application Firewall, and existing keys can be uploaded to the HSM via the Barracuda Web Application Firewall. In each case, the private key is stored securely in the Gemalto HSM.
When certificates are created, the private key associated with the certificate is generated and securely stored in the Gemalto HSM, while the certificate is generated and saved on the Barracuda Web Application Firewall. The certificates can be viewed using the BASIC > Certificates > Saved Certificates section. Private keys can also be imported to the Gemalto HSM when any certificate is uploaded to the Barracuda Web Application Firewall.
What do you need?
- HSM Server certificate (Gemalto HSM)
- HSM Client certificate (Barracuda Web Application Firewall)
- Network HSM partition details
Enabling the Connection with Gemalto HSM
To enable connection between the Barracuda Web Application Firewall and Gemalto HSM:
HSM Client certificate (Barracuda WAF)
On the Barracuda Web Application Firewall, you can generate a new HSM Client certificate. This certificate must be downloaded from the Barracuda Web Application Firewall and then uploaded to Gemalto HSM.
To generate HSM Client certificate:
- Navigate to ADVANCED > System Configuration > Network HSM Settings.
- Click the Generate Client Certificate button. The certificate generation success message is displayed. In case you encounter a failure message, refer to the troubleshooting section for resolution.
- Click the Download HSM Client Certificate button. The certificate is downloaded to your system.
HSM Server Certificate (Network HSM)
On the Gemalto HSM, generate the HSM Server Certificate and download it. Upload the certificate to the Barracuda Web Application Firewall.
To upload the HSM Server certificate:
- Navigate to ADVANCED > System Configuration > Network HSM Settings section.
- Click Browse and then select the certificate obtained from the HSM Server administrator.
Network HSM Partition details
The Network HSM Server administrator allocates a partition for each HSM client on the Gemalto HSM Server and shares the following partition details.
- Network HSM Hostname / IP address
- Network HSM Partition Name
- Network HSM Partition Password
After obtaining all the details from Gemalto HSM, you can now configure the Barracuda Web Application Firewall to establish a connection with Gemalto HSM.
- Click ADVANCED > System Configuration and then navigate to the Network HSM Settings section.
- In the Network HSM Host box, enter the host name/IP address of Network HSM provided by the Network HSM administrator.
- In the Partition Name box, enter the name of the partition allocated in Network HSM. The partition name is provided by the Network HSM administrator.
- In the Partition Password box, enter the password for the partition provided by the Network HSM administrator.
- Click Connect. The connection to the HSM Server may take a few minutes. Please wait until you see the success message displayed. If the connection is not successful, a failure message is displayed. Refer to the troubleshooting document for more information about the failure message.
- Click Disconnect if you intend to disconnect the connection.