Barracuda Web Application Firewall

Network HSM Settings

Overview

A Hardware Security Module (HSM) is a secure, “trusted” PCI card, appliance, or cloud service (DPoD Cloud HSM) that is used to perform a variety of cryptographic operations such as secure key management and encryption. It is a network-attached HSM device designed to secure the cryptographic keys on board, with specialized tamper-proof hardware and hardened software.

The Barracuda Web Application Firewall connects to the Gemalto SafeNet Luna Network HSM to secure its private keys. New private keys can be created in the HSM by the Barracuda Web Application Firewall, and existing keys can be uploaded to the HSM via the Barracuda Web Application Firewall. In each case, the private key is stored securely in the Gemalto HSM.

When certificates are created, the private key associated with the certificate is generated and securely stored in the Gemalto HSM, while the certificate is generated and saved on the Barracuda Web Application Firewall. The certificates can be viewed in the BASIC > Certificates > Saved Certificates section. Private keys can also be imported to the Gemalto HSM when any certificate is uploaded to the Barracuda Web Application Firewall.

Support for the Gemalto SafeNet Luna Network HSM device is available only on the Barracuda Web Application Firewall models 660 and above for both hardware and virtual appliances.

Prerequisites

  • HSM Server certificate (Gemalto HSM)
  • HSM Client certificate (Barracuda Web Application Firewall)
  • Network HSM partition details

The configuration steps mentioned in this article have been verified to work with Gemalto SafeNet Luna 6 Network HSM. For more information on this integration, contact Barracuda Networks Technical Support.


Enable the Connection with Gemalto HSM

To enable the connection between the Barracuda Web Application Firewall and the Gemalto HSM:

HSM Client certificate (Barracuda WAF)

On the Barracuda Web Application Firewall, you can generate a new HSM Client certificate. This certificate must be downloaded from the Barracuda Web Application Firewall and then uploaded to Gemalto HSM.

To generate an HSM Client certificate:

  1. Navigate to ADVANCED > System Configuration > Network HSM Settings.
  2. Click the Generate Client Certificate button. The certificate generation success message is displayed. In case you encounter a failure message, refer to the troubleshooting section for resolution.

    If the certificate already exists on an HSM client, a message is displayed beside the Generate Client Certificate button. If you still attempt to create a new certificate, the new certificate overwrites the old certificate.

  3. Click the Download HSM Client Certificate button. The certificate is downloaded to your system.

Primary Network HSM Server

After obtaining all the details from the Primary Gemalto HSM, configure the Barracuda Web Application Firewall to register and establish a connection with the Gemalto HSM.

  1. Navigate to ADVANCED > System Configuration > Network HSM Settings section.
  2. Click Browse and then select the certificate obtained from the HSM server administrator.

  3. In the Network HSM Host box, enter the host name/IP address of Network HSM provided by the Network HSM administrator.
  4. In the Partition Name box, enter the name of the partition allocated in Network HSM. The partition name is provided by the Network HSM administrator.
  5. In the Partition Password box, enter the password for the partition provided by the Network HSM administrator.
  6. Upload the Primary Network HSM server certificate.

  7. Click Register to configure the Network HSM on the Barracuda Web Application Firewall.
  8. Click Connect to connect to a single Network HSM server. The connection between the Barracuda Web Application Firewall and the Network HSM server is established.

Backup Network HSM Server

Configure the Backup Network HSM server if you want to connect to the Network HSM HA. After obtaining all the details from the Gemalto HSM, configure the Barracuda Web Application Firewall to establish a connection with the Gemalto HSM.

  1. Click ADVANCED > System Configuration and then navigate to the Network HSM Settings section.
  2. In the Network HSM Host box, enter the host name/IP address of Network HSM provided by the Network HSM administrator.
  3. In the Partition Name box, enter the name of the partition allocated in Network HSM. The partition name is provided by the Network HSM administrator.
  4. In the Partition Password box, enter the password for the partition provided by the Network HSM administrator.
  5. Click Register to configure the Network HSM on the Barracuda Web Application Firewall.
  6. Click Connect after registering both the Primary and Backup Network HSM servers. This establishes the connection between the Barracuda Web Application Firewall and the Network HSM HA.