Configuring FortiGate
The HSM integration is done via the FortiGate nethsm module using the Command Line Interface (CLI).
1. HSM Registration
Enable the HSM functionality with the following commands:
config system nethsm
set status enable
2. Uploading the HSM Configuration File
It is recommended to upload the previously tested configuration file (primus.cfg) in raw mode via a TFTP server
(e.g. http://tftpd32.jounin.net):
execute nethsm upload-primus-cfg-raw <configFileName> <tftp-server-ip> e.g.
execute nethsm upload-primus-cfg-raw primusorigext.cfg 192.168.159.1
This will apply the new primus.cfg without applying recommended settings. Do you want to continue? (y/n)y
primus.cfg has been updated.
Alternatively, the configuration can be entered directly via the command line interface (CLI).
Any double quotes in the configuration file have to be escaped with a backslash!
config system nethsm
set status enable
set primus-cfg "#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = \"1.0\";
/* This example configuration template contains 3 slots: */
/* hsm0: standalone hsm with one partition (slot id 0) */
/* hsm1,hsm2: redundant hsm cluster with each two partitions (slot id 1+2) */
/* e.g. for CloudsHSM service */
/* Comment/Uncomment the hsm or slot sections to adapt to your setup */
/* See PKCS#11 Provider User Guide for details */
# FORTIGATE Integration Test
/*--- GLOBAL CONFIGURATION SECTION ----------------------------------------*/
primus:
{
wait_delay = 250; /* in ms*/
…"
3. Configuring the HSM Secrets
The pkcs11-pin and the secret (either the permanent secret or the coded secrets file, depending on the provider version) have to be configured via the CLI (or GUI).
The pkcs11-pin corresponds to the HSM PKCS#11 password and should be available from the HSM administrator (or was configured previously).
The format of the secret to be configured depends on the PKCS#11 provider version that is integrated into FortiGate. The secret value to be configured is copied from the ppin tool console output (highlighted part) on the client machine.
- FortiOS v7.2.8 Special Build 9127 and newer (PKCS#11 v2.2.4+):
ppin --fortinet --user <username> [<setupPassword> <PKCS11Password>] [--proxyuser <proxyUserName> [--proxypassword <proxyPassword>]]
# Fortinet secret to be loaded:
dmVyc2lvbiA9ICIxLjAiOwpwcmltdXMgOiAKewogIHVzZXJzIDogCiAgewogICAgdXNlcjAgOiAKICAgIHsKICAgICAgbmFtZSA9ICJQUklNVVNERVYzNjgiOwogICAgICBdpY3MgPSAiMzcwYzJj
...
GUwY2Y4ZjNhNTkwMzE2ZjE4MGI4YWZlNDdiMzY1Nzg1ZWQ3NyI7CiAgICB9OwogIH07Cn07Cg==
- FortiOS v7.2.8 Special Build 8993 (PKCS#11 v2.2.2):
ppin --printsecret --user <username> [<setupPassword> <PKCS11Password>]
Blinded Permanent Secret:
b644224735bb748e23c02373882213eb5edf…365785ed77
To configure the pkcs11-pin and the prepared secret of the HSM partition via the CLI, use the following command sequence:
config system nethsm
set status enable
config partitions
edit "PRIMUSDEV368"
set slot-id 0
set pkcs11-pin PRIMUSDEV
set secret b644224735bb748e23c02373882213eb5edf … 6c365785ed77
next
end
end
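Added example (not part of the Securosys or Fortinet documentation): a small Python helper that turns a primus.cfg file into the CLI sequence shown in steps 2 and 3, escaping every double quote as the guide requires and appending the partition block with pin and secret. The sample configuration text, the partition entry and its secret value are constructed placeholders; the two closing "end" keywords are assumed from standard FortiOS CLI syntax because the guide's excerpt of the primus-cfg block is elided. Backslashes in the file are refused, since the guide only documents the escaping of quotes.

```python
"""Render a Primus PKCS#11 configuration file into the FortiGate
'config system nethsm' CLI sequence described in the integration guide.

Added example, not part of the guide. All sample values are constructed.
"""

# Constructed sample in the style of the guide's primus.cfg excerpt; it is
# not the real configuration file and only exists to exercise the helpers.
SAMPLE_PRIMUS_CFG = """\
#-----------------------------
# Primus PKCS#11 configuration
#-----------------------------
version = "1.0";
/* Comment/Uncomment the hsm or slot sections to adapt to your setup */
primus:
{
    wait_delay = 250; /* in ms */
};
"""

# Constructed partition entry mirroring the shape of the guide's CLI block;
# the secret is a placeholder, not a value produced by the ppin tool.
SAMPLE_PARTITIONS = [
    {"name": "PRIMUSDEV368", "slot_id": 0,
     "pkcs11_pin": "PRIMUSDEV", "secret": "0123456789abcdef"},
]


def has_unescapable(cfg_text: str) -> bool:
    """True if the file contains a character the guide gives no escape rule for.

    The guide only states that double quotes must be escaped with a backslash.
    How FortiOS treats a literal backslash inside the quoted value is not
    documented there, so this helper flags it (assumption: fail closed).
    """
    return "\\" in cfg_text


def escape_for_cli(cfg_text: str) -> str:
    """Escape the file for use inside the double-quoted 'set primus-cfg' value."""
    if has_unescapable(cfg_text):
        raise ValueError("primus.cfg contains a backslash; upload it via TFTP "
                         "in raw mode instead of pasting it on the CLI")
    return cfg_text.replace('"', '\\"')


def unescape_from_cli(escaped: str) -> str:
    """Inverse of escape_for_cli; lets an operator verify the round trip."""
    return escaped.replace('\\"', '"')


def is_valid_secret(value: str) -> bool:
    """Accept either the plain hex form printed by the ppin tool or a value
    already in FortiGate's encrypted form (prefixed with 'ENC ')."""
    if value.startswith("ENC "):
        return len(value) > 4
    if not value or " " in value:
        return False
    try:
        bytes.fromhex(value)   # rejects non-hex characters and odd length
    except ValueError:
        return False
    return True


def render_nethsm_cli(cfg_text: str, partitions: list) -> str:
    """Build the full CLI sequence: enable the module, load the escaped
    configuration and configure each partition's pin and secret."""
    lines = [
        "config system nethsm",
        "set status enable",
        'set primus-cfg "' + escape_for_cli(cfg_text) + '"',
        "config partitions",
    ]
    for part in partitions:
        if not is_valid_secret(part["secret"]):
            raise ValueError(f"partition {part['name']}: secret is neither "
                             "hex nor in ENC form")
        lines += [
            'edit "' + part["name"] + '"',
            "set slot-id " + str(int(part["slot_id"])),
            "set pkcs11-pin " + part["pkcs11_pin"],
            "set secret " + part["secret"],
            "next",
        ]
    # First 'end' closes 'config partitions', second closes 'config system
    # nethsm' (closing keywords assumed from standard FortiOS CLI syntax).
    lines += ["end", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nethsm_cli(SAMPLE_PRIMUS_CFG, SAMPLE_PARTITIONS), end="")
```

Running the script prints the complete sequence ready to paste; unescape_from_cli lets you diff the pasted value against the original file before committing it, and is_valid_secret catches a secret that was copied incompletely from the ppin output.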
FortiGate stores and outputs the above values in an encrypted format (see the FortiGate documentation for details). If they were configured previously, these values can also be entered in the FortiGate encrypted format (with ENC in front of the value):
config system nethsm
set status enable
config partitions
edit "PRIMUSDEV368"
set slot-id 0
set pkcs11-pin ENC Y6f4fDwBaF2GUcT21R8Q9KTbi9Kw8NfX2dYD0HBpLoeWBrmCuB0EM7qFFjXgBvTET3XVg7VCYKLbYxx8QQnSpLcXbtPHiRNtfJBXRWzGOpg+Xrpvmk7mb53uvNGGOcbM8FMkHXRkXFy/ltJcvPKhWQw9aQ2qKTyDeWtDgsvujjqBWCoV/EazjlfDiLpxv1EADM0a7A==
set secret ENC kFR3tNLNuU5y4Lr08RMxx//gGBQznk0vgBiILs/LyznPg30f/cw0cfGY5rzKNKPHgo2XBhhS+kShm6zc3ZPoqygo1wE0jO9hkgSpaNQbnry6npuEGJtu+rPi1E0IOjeRLlrDDmQ4IC0ZSHUGkiE2Q288LpagJMcFclFWzIHyuNZNb4jdr7p8uU91/ADcaBZ8uubtLQ==
next
end
end