Installing a Thales ProtectServer hardware security module

You can choose between two options to set up a functionality module:

  • Unsigned functionality module. Copy the unsigned OneSpan Authentication Server Framework functionality module file (aal2sdk) to the machine on which HSM administration will take place. In this case, you need to generate your own self-signed certificate to sign the module before it is uploaded to the HSM.
  • Signed functionality module. Copy the signed OneSpan Authentication Server Framework functionality module file (aal2sdk.signed) to the machine on which HSM administration will take place. This module is already signed by OneSpan. The corresponding OneSpan code signing certificate (vascosigningcert.crt) is required to upload the module.

The functionality modules are located on the OneSpan Authentication Server product CD in the following folders (depending on the HSM model used):

  • Software/HSM-SAFENET/k7-ppc (used for Thales ProtectServer 3)
  • Software/HSM-SAFENET/k6-ppc (used for Thales ProtectServer 2)
  • Software/HSM-SAFENET/k5-arm (used for Thales ProtectServer)

Before you install a functionality module, install the hardware security module with the required drivers and libraries and restart the machine.

Sign and upload the OneSpan Authentication Server Framework functionality module (aal2sdk)

The following procedure applies only if you want to sign (and install) an unsigned OneSpan Authentication Server Framework functionality module with your own self-signed certificate.

To sign an unsigned OneSpan Authentication Server Framework functionality module with your own self-signed certificate, you need the mkfm tool.

The mkfm binary is part of the FM SDK included in the Thales ProtectServer PTK (Thales ProtectServer Toolkit) since version 5.0.0. Prior to PTK 5.0.0, the mkfm binary was part of the PPO SDK (Protect Processing Orange) delivered separately from the PTK.

To install an unsigned OneSpan Authentication Server Framework functionality module

  1. Open a terminal window.
  2. Run the following command to generate an SSL certificate in the user slot:

    ctcert c -sUserSlotID -k -zKeySize -lCertificateName

    where:

    • UserSlotID is the ID of the slot on which the certificate should be generated.
    • KeySize is the length of the private key required (minimum size is 1024).
    • CertificateName is the name of the certificate.
  3. Provide the requested information.

  4. Run the following commands to transfer the certificate to the admin slot:

    ctcert x -lCertificateName -sUserSlotID -fCertExportFileName

    ctcert i -fCertExportFileName -sAdminSlotID -lCertificateName

    where:

    • CertificateName is the name of the certificate that you entered when generating the certificate.
    • UserSlotID is the ID of the slot in which the certificate was generated.
    • CertExportFileName is the file name of the certificate.
    • AdminSlotID is the ID of the administration slot to which the certificate is being copied.
  5. Run the following command to mark the certificate as trusted:

    ctcert t -lCertificateName -sAdminSlotID

  6. Run the following command to sign the OneSpan Authentication Server Framework functionality module with the trusted certificate:

    mkfm -k"UserSlotLabel(PIN) CertificateName" -faal2sdk -oaal2sdk.fm

    where:

    • UserSlotLabel is the label for the user slot on which the certificate was generated.
    • PIN is the administrator PIN for the token.
    • CertificateName is the name of the certificate that you entered when generating the certificate.
  7. Run the following command to upload the functionality module to the HSM:

    ctconf -bCertificateName -jaal2sdk.fm

Storage and sensitive data keys cannot be created in the admin slot.
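The procedure above as a pre-flight planner that checks the inputs and prints the commands in order without running them. This is an added example, not OneSpan or Thales code: the function names, the argument order and the model keys ps3, ps2 and ps are hypothetical, and the slot-distinctness and name-character checks are assumptions of the example.

```sh
#!/bin/sh
# Added example (not OneSpan or Thales code). Function and argument names are
# hypothetical; the ctcert, mkfm and ctconf command lines follow steps 2-7 above.

# Product-CD folder for an HSM model, using the mapping listed on this page.
fm_folder() {
  case "$1" in
    ps3) echo "Software/HSM-SAFENET/k7-ppc" ;;  # Thales ProtectServer 3
    ps2) echo "Software/HSM-SAFENET/k6-ppc" ;;  # Thales ProtectServer 2
    ps)  echo "Software/HSM-SAFENET/k5-arm" ;;  # Thales ProtectServer
    *)   echo "unknown HSM model: $1" >&2; return 1 ;;
  esac
}

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

fail() { echo "plan_unsigned: $1" >&2; }

# plan_unsigned USER_SLOT ADMIN_SLOT KEY_SIZE CERT_NAME USER_SLOT_LABEL EXPORT_FILE
# Prints the six commands in order. The token PIN stays the literal word PIN so
# it never lands in a saved plan; type it in only when running the mkfm line.
plan_unsigned() {
  [ $# -eq 6 ] || { fail "expected 6 arguments"; return 2; }
  us=$1; as=$2; ks=$3; cn=$4; lbl=$5; ef=$6
  is_uint "$us" && is_uint "$as" && is_uint "$ks" ||
    { fail "slot IDs and key size must be numeric"; return 2; }
  # Assumption of this example: the user and admin slots are distinct.
  [ "$us" != "$as" ] || { fail "user and admin slot IDs are the same"; return 2; }
  [ "$ks" -ge 1024 ] || { fail "key size below the documented minimum of 1024"; return 2; }
  # Conservative assumption: keep names free of spaces, quotes and parentheses,
  # which would be ambiguous inside mkfm's -k"Label(PIN) Name" argument.
  case "$cn$lbl$ef" in
    *[!A-Za-z0-9_./-]*) fail "unsupported character in a name"; return 2 ;;
  esac
  cat <<EOF
ctcert c -s$us -k -z$ks -l$cn
ctcert x -l$cn -s$us -f$ef
ctcert i -f$ef -s$as -l$cn
ctcert t -l$cn -s$as
mkfm -k"${lbl}(PIN) $cn" -faal2sdk -oaal2sdk.fm
ctconf -b$cn -jaal2sdk.fm
EOF
}

# Print the plan when the script is called with all six values.
if [ $# -eq 6 ]; then plan_unsigned "$@"; fi
```

Compare the printed lines with your slot layout before running them on the HSM administration machine.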

Upload the signed OneSpan Authentication Server Framework functionality module (aal2sdk.signed)

The OneSpan Authentication Server product CD contains a signed version of the OneSpan Authentication Server Framework functionality module.

The following procedure applies only if you want to install a OneSpan Authentication Server Framework functionality module that is already signed by OneSpan.

To install a signed OneSpan Authentication Server Framework functionality module

  1. Import the OneSpan signing certificate into the admin slot.

    ctcert i -f CertExportFileName -s AdminSlotID -l CertificateName

    where:

    • CertExportFileName is the OneSpan code signing certificate (vascosigningcert.crt).
    • AdminSlotID is the ID of the administration slot to which the certificate is being copied.
    • CertificateName is the display name of the certificate to be imported.

  2. Type the SO-PIN.
  3. Mark the OneSpan signing certificate as trusted in the admin slot:

    ctcert t -l CertificateName -s AdminSlotID

  4. Type the SO-PIN.
  5. Upload the signed module to the HSM:

    ctconf -b CertificateName -j aal2sdk.signed

  6. Type the admin PIN.