Skip to main content

Configuring FortiGate

The HSM integration is done via the ForteGate nethsm module (Command Line Interface).

1. HSM Registration

Enable HSM functionality with following command:

config system nethsm
set status enable

2. Uploading the HSM Configuration File

It is recommended to upload the previously tested configuration file (primus.cfg) in raw mode via a tftp server
(e.g. http://tftpd32.jounin.net):

execute nethsm upload-primus-cfg-raw <configFileName> <tftp-server-ip> e.g.
execute nethsm upload-primus-cfg-raw primusorigext.cfg 192.168.159.1
This will apply the new primus.cfg without applying recommended settings. Do you want to continue? (y/n)y


primus.cfg has been updated.

Alternatively, the configuration could be transferred via command line interface (CLI).

quotes

Any quotes in the configuration file have to be escaped by a backslash!

config system nethsm
set status enable
set primus-cfg "#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = \"1.0\";

/* This example configuration template contains 3 slots:                   */
/* hsm0: standalone hsm with one partition (slot id 0)                     */ 
/* hsm1,hsm2: redundant hsm cluster with each two partitions (slot id 1+2) */
/*            e.g. for CloudsHSM service                                   */
/* Comment/Uncomment the hsm or slot sections to adapt to your setup       */
/* See PKCS#11 Provider User Guide for details                             */
# FORTIGATE Integration Test

/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
  wait_delay = 250; /* in ms*/

…"

3. Configuring the HSM Secrets

The pkcs11-pin and secret (permanent secret resp. coded secrets file) have to be configured via CLI (or GUI).

The pkcs11-pin corresponds to the HSM PKCS#11 password and should be available from the HSM administrator (or configured previously).

The format of the secret to be configured, depends on the PKCS#11 provider version that is integrated into FortiGate. The secret value to be configured is copied from the ppin tool console output (highlighted part) on the client machine.

ppin --fortinet --user <username> [<setupPassword> <PKCS11Password>] [--proxyuser <proxyUserName> [--proxypassword <proxyPassword>]]
# Fortinet secret to be loaded:
dmVyc2lvbiA9ICIxLjAiOwpwcmltdXMgOiAKewogIHVzZXJzIDogCiAgewogICAgdXNlcjAgOiAKICAgIHsKICAgICAgbmFtZSA9ICJQUklNVVNERVYzNjgiOwogICAgICBdpY3MgPSAiMzcwYzJj
... 
GUwY2Y4ZjNhNTkwMzE2ZjE4MGI4YWZlNDdiMzY1Nzg1ZWQ3NyI7CiAgICB9OwogIH07Cn07Cg==

To configure the pkcs11-pin and the prepared secret of the HSM partition via CLI, use the following command sequence:

config system nethsm
    set status enable
    config partitions
        edit "PRIMUSDEV368"
            set slot-id 0
            set pkcs11-pin PRIMUSDEV
            set secret b644224735bb748e23c02373882213eb5edf … 6c365785ed77
        next
    end
end

FortiGate stores and outputs above values in an encrypted format (see FortiGate documentation for details). If previously configured, these values can also be entered in the FortiGate encrypted format (using ENC in front of the value):

config system nethsm
    set status enable
    config partitions
        edit "PRIMUSDEV368"
            set slot-id 0
            set pkcs11-pin ENC Y6f4fDwBaF2GUcT21R8Q9KTbi9Kw8NfX2dYD0HBpLoeWBrmCuB0EM7qFFjXgBvTET3XVg7VCYKLbYxx8QQnSpLcXbtPHiRNtfJBXRWzGOpg+Xrpvmk7mb53uvNGGOcbM8FMkHXRkXFy/ltJcvPKhWQw9aQ2qKTyDeWtDgsvujjqBWCoV/EazjlfDiLpxv1EADM0a7A==
            set secret ENC kFR3tNLNuU5y4Lr08RMxx//gGBQznk0vgBiILs/LyznPg30f/cw0cfGY5rzKNKPHgo2XBhhS+kShm6zc3ZPoqygo1wE0jO9hkgSpaNQbnry6npuEGJtu+rPi1E0IOjeRLlrDDmQ4IC0ZSHUGkiE2Q288LpagJMcFclFWzIHyuNZNb4jdr7p8uU91/ADcaBZ8uubtLQ==
        next
    end
end