Important changes in Skyhigh Web Gateway 10.1 Hardware Security Module configuration
Last Modified: 2023-06-22 12:18:46 Etc/GMT
Technical Articles ID: KB94202
Environment
Skyhigh Web Gateway (SWG) 10.1 and later
Hardware Security Module (HSM)
Summary
Solution 1
Configure
Retargeting existing CHIL-based keys
Existing CHIL engine-based keys don't work directly with SWG 10.1. After you upgrade to SWG 10.1, you must retarget these keys to the pkcs11 application. Type the retarget command and answer the prompts; an example session follows:

    plainname: Key name? [] > new_rsa-mwg1
    key generation parameters:
     operation         Operation to perform       retarget
     application       Application                pkcs11
     slot              Slot to read cards from    0
     verify            Verify security of key     yes
     from-application  Source application         hwcrhk
     from-ident        Source key identifier      rsa-mwg1
     plainname         Key name                   new_rsa-mwg1
    Loading `mwgapp5500d':
     Module 1: 0 cards of 1 read
     Module 1 slot 0: `mwgapp5500d' #3
     Module 1 slot 0:- passphrase supplied - reading card
    Card reading complete.
    Key successfully retargetted.

IMPORTANT: See your HSM user guide documentation for full details about using the

Generating private keys
When you install a new
To generate a new key, type

    protect: Protected by? (token, module) [token] >
    recovery: Key recovery? (yes/no) [yes] >
    type: Key type? (DES3, DH, DHEx, DSA, HMACSHA1, HMACSHA256, HMACSHA384, HMACSHA512, RSA, DES2, AES, Rijndael, Ed25519, X25519) [RSA] >
    size: Key size? (bits, minimum 1024) [2048] >
    OPTIONAL: pubexp: Public exponent for RSA key (hex)? [] >
    plainname: Key name? [] > test_card_key1
    nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
    key generation parameters:
     operation    Operation to perform               generate
     application  Application                        pkcs11
     protect      Protected by                       token
     slot         Slot to read cards from            0
     recovery     Key recovery                       yes
     verify       Verify security of key             yes
     type         Key type                           RSA
     size         Key size                           2048
     pubexp       Public exponent for RSA key (hex)
     plainname    Key name                           test_card_key1
     nvram        Blob in NVRAM (needs ACS)          no
    Loading `mwgsolo':
     Module 1: 0 cards of 1 read
     Module 1 slot 0: `mwgsolo' #1
     Module 1 slot 0:- passphrase supplied - reading card
    Card reading complete.
    Key successfully generated.
    Path to key: /opt/nfast/kmdata/local/key_pkcs11_uc23c57899105f07825044cd406347da6009184fb9-6271a944ede6ce655dc39ca15ed7d7a7cea1b9ea

Importing private keys (optional)
If you already have a private key and want to import it into the HSM, type the import command and answer the prompts; an example session follows:

    type: Key type? (DES3, RSA, DES2) [RSA] >
    logkeyusage: Log key usage? (yes/no) [no] >
    nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
    key generation parameters:
     operation    Operation to perform          import
     application  Application                   pkcs11
     verify       Verify security of key        yes
     type         Key type                      RSA
     logkeyusage  Log key usage                 no
     pemreadfile  PEM file containing RSA key   /root/key.pem
     plainname    Key name                      imported_pkcs11
     nvram        Blob in NVRAM (needs ACS)     no
    Key successfully imported.
    Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua36b73b72e6af772916cca9385f665576f327684d

Fill in the appropriate fields for the import, taking note of the key identifier, because it is needed in later steps.

Create a Certificate Signing Request (CSR)
If you created a new private key within the HSM Security World and want to obtain a signed certificate, you must generate a CSR. To generate a CSR using one of the newly protected keys, use the OpenSSL engine and req commands. Replace KEYIDENTIFIER with the pkcs11 URI corresponding to the key, according to the PKCS#11 URI Scheme RFC (RFC 7512). See this RFC.

NOTE: Use OpenSSL 1.1.1 to perform all OpenSSL operations.

For example:

    OpenSSL> req -engine pkcs11 -keyform engine -key KEYIDENTIFIER -new -x509 -out FILENAME.crt

Example session and output:

    OpenSSL> engine -pre MODULE_PATH:/opt/nfast/toolkits/pkcs11/libcknfast.so pkcs11
    (pkcs11) pkcs11 engine
    [Success]: MODULE_PATH:/opt/nfast/toolkits/pkcs11/libcknfast.so
    OpenSSL> req -engine pkcs11 -keyform engine -key "pkcs11:object=new_rsa-mwg1" -new -x509 -out pkcs11cert.crt
    engine "pkcs11" set.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:IN
    State or Province Name (full name) []:KA
    Locality Name (eg, city) [Default City]:BLR
    Organization Name (eg, company) [Default Company Ltd]:MCAFEE
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    OpenSSL> exit
    [root@mwgappl bin]#

PKCS#11 URI examples:
NOTE: For keys protected by the module, use the pkcs11 URI:
For OCS protected keys, use the pkcs11 URI:
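The KEYIDENTIFIER passed to req, and any other pkcs11 URI built from a key name, must follow RFC 7512: a label containing a space or ';' has to be percent-encoded, and without type=private the engine may pick a public object that carries the same label. The helper below is an added example, not code from this article or from the Skyhigh product; it builds and parses such URIs and checks that a URI selects the private key whose generatekey plainname you noted, using the attribute names defined in RFC 7512 and the libcknfast.so path shown in the session above.

```python
from urllib.parse import quote, unquote

# RFC 7512: characters allowed unencoded in a path attribute value (unreserved
# plus pk11-res-avail). Anything else, notably space and ';', must be
# percent-encoded or the engine splits the label in the wrong place.
_PATH_SAFE = "-._~:[]@!$'()*+,=&"
# Query values may also contain '/' and '?', but '&' separates attributes.
_QUERY_SAFE = "-._~:[]@!$'()*+,=/?"

PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def build_pkcs11_uri(label, key_type="private", token=None, module_path=None):
    """URI for the key whose CKA_LABEL is `label` (the generatekey plainname)."""
    # type=private keeps a public object with the same label from being selected.
    path = [("object", label), ("type", key_type)]
    if token:
        path.insert(0, ("token", token))
    uri = "pkcs11:" + ";".join(f"{k}={quote(v, safe=_PATH_SAFE)}" for k, v in path)
    if module_path:
        uri += "?module-path=" + quote(module_path, safe=_QUERY_SAFE)
    return uri


def parse_pkcs11_uri(uri):
    """Parse a pkcs11: URI into a dict; ValueError on unknown or repeated attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    pairs = [(p, PATH_ATTRS) for p in path.split(";") if p]
    pairs += [(q, QUERY_ATTRS) for q in query.split("&") if q]
    attrs = {}
    for pair, allowed in pairs:
        name, sep, value = pair.partition("=")
        if not sep or name not in allowed or name in attrs:
            raise ValueError(f"bad attribute: {pair!r}")
        attrs[name] = unquote(value)
    return attrs


def uri_names_key(uri, plainname):
    """True if the URI selects the private key labelled `plainname`."""
    # A URI with no `type` is unrestricted by RFC 7512 and is accepted as well.
    attrs = parse_pkcs11_uri(uri)
    return attrs.get("object") == plainname and attrs.get("type", "private") == "private"
```

When you hand the resulting URI to req, note that -x509, as used in the session above, makes OpenSSL emit a self-signed certificate; leave it out to get a request that a CA can sign.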
NOTES:
For SWG to use the keys within the HSM's Security World, you must enumerate the available keys in the UI. Click Configuration, Hardware Security Module, and add all key identifiers in the Keys to be loaded section.
The format for adding the keys is
Here the engine-label is
For example, if
Other steps to perform for passphrase-protected or multicard-OCS-protected private keys after configuring the SWG manager:
The console then prompts the administrator, for each declared identifier, to enter the passphrases or to insert the required smart cards of the OCS into the HSM. Also, you can inspect the
Solution 2
Configure Gemalto/Luna/SafeNet Network HSM
The SafeNet HSM configuration steps remain the same in this release, except for the use of OpenSSL 1.1.1. For example, to generate a key-cert pair: