Using a Hardware Security Module

Several components are involved when a Hardware Security Module (HSM) is used on Web Gateway. These include the HSM Agent and other components that differ depending on the particular solution that is implemented.

HSM Agent

The HSM Agent runs as a daemon within the Web Gateway appliance system. It is the component through which Web Gateway handles the Hardware Security Module.

Depending on the solution that is implemented, the agent talks to the component that provides the module functions, for example a module card installed in the appliance or a remote server.

The agent provides a command line interface for performing activities on the module, such as generating, storing, or unlocking keys.

Module card

A module card can be installed as a hardware component on a Web Gateway appliance to provide the functions of a Hardware Security Module.

The module card that is available for use with Web Gateway is the nShield Solo HSM card. It is provided by a Skyhigh Security partner (Entrust).

When the module card is installed, you can access it by logging on to the appliance from a system console.

For more information, see the documentation of the Skyhigh Security partner (Entrust).

Appliance

The functions of a Hardware Security Module can be provided on a Web Gateway appliance using an additional appliance. The appliance that is used within this solution is the nShield Connect appliance. It is provided by a Skyhigh Security partner (Entrust).

When the nShield Connect appliance solution is implemented, we recommend configuring Web Gateway as an unprivileged client of nShield Connect. An unprivileged client can use the module functions, but remote administration of other clients cannot be performed from it, so a compromised Web Gateway appliance cannot be used to administer the other clients of the nShield Connect appliance.

For more information, see the documentation of the Skyhigh Security partner (Entrust).

Remote server

The functions of a Hardware Security Module can be provided on a Web Gateway appliance using a remote server. The remote server that is used within this solution is the Luna Network HSM server. It is provided by a Skyhigh Security partner (Thales).

When the remote server has been set up and connected to the appliance, you can access the module by logging on to the appliance from a system console.

For more information, see the documentation of the Skyhigh Security partner (Thales).

Emulation

Web Gateway can run an emulation that provides the functions of a Hardware Security Module in software, using OpenSSL.

As this solution does not include a module card, additional appliance, or remote server for storing private keys, the keys are held as files on the appliance: you must store them manually in a directory of the Web Gateway appliance system and protect that directory yourself.

Because the private keys reside on the appliance file system rather than in tamper-resistant hardware, this solution is not considered as secure as the module card solution. When implemented on a standalone Web Gateway appliance, however, it is considered comparable to the remote server solution with regard to security. An emulation is preferably used for demos, tests, and training.
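The following is an added example, not code from Skyhigh Security, Entrust, or Thales, that shows the key hygiene a practitioner would apply to the emulation's key directory: keys are generated with the OpenSSL CLI encrypted under a passphrase, the directory and files are restricted to the owning user, and an audit function verifies both properties. The directory path, file naming, and the use of the openssl CLI for generation are assumptions; the page does not state where the emulation looks for keys or how the HSM Agent imports them.

```shell
#!/bin/sh
# Added example (not Skyhigh/Entrust/Thales code): protecting private keys that
# the OpenSSL-based HSM emulation keeps as plain files on the appliance.
# The key directory location and the naming scheme are assumptions.

# Create the key directory with owner-only access (mode 0700).
make_keydir() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Generate an RSA private key encrypted under a passphrase (AES-256-CBC) with
# file mode 0600. Runs in a subshell so the restrictive umask does not leak.
# The passphrase is passed through the environment (-pass env:), not on the
# command line, so it does not show up in the process list.
gen_key() (
    dir="$1"; name="$2"; passphrase="$3"
    umask 077
    KEYPASS="$passphrase" openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:3072 \
        -aes-256-cbc -pass env:KEYPASS \
        -out "$dir/$name.key"
)

# Audit one key file. Returns 0 only if the file exists, is mode 0600 (no
# group/other bits) and is an encrypted PEM key (usable only with the
# passphrase). Any failure prints the reason and returns 1.
check_key() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perm" in
        600) ;;
        *) echo "bad mode $perm on $f (expected 600)"; return 1 ;;
    esac
    grep -q 'ENCRYPTED' "$f" || { echo "unencrypted private key: $f"; return 1; }
    return 0
}

# Audit every *.key file in a directory; returns 1 if any file fails.
check_keydir() {
    dir="$1"; rc=0
    dperm=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$dperm" = "700" ] || { echo "bad mode $dperm on $dir (expected 700)"; rc=1; }
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        check_key "$f" || rc=1
    done
    return $rc
}

# Usage (assumed path): create the directory, generate a key, then audit.
# Only runs when invoked directly with a directory argument.
if [ -n "$1" ] && command -v openssl >/dev/null 2>&1; then
    make_keydir "$1"
    gen_key "$1" webgateway "${KEYPASS:?set KEYPASS in the environment}"
    check_keydir "$1" && echo "key directory $1 passes audit"
fi
```

Run the audit after every manual key import; a file that was copied in with default permissions, or that was generated without a passphrase, is reported by name so it can be fixed before the HSM Agent picks it up.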

Client-server model for multiple appliances

When multiple Web Gateway appliances are part of an HSM solution, they can be configured to follow the client-server model.

This means, for example, that you need not install a module card on every Web Gateway appliance in your network to use the functions of a Hardware Security Module. Appliances that have no HSM solution of their own implemented can connect to an appliance with this solution to use its functions.

The appliance that has an HSM solution implemented then takes the server role towards the other appliances, which connect to it as clients.

NOTE: On the user interface of Web Gateway, an appliance that has an HSM solution of its own implemented is referred to as HSM server even if no other appliances are configured as its clients.

The client-server model can be configured for Web Gateway appliances regardless of the particular solution (module card, appliance, remote server, or emulation) that is implemented on one of them.

Web Gateway as client of a remote server (Thales)

When the HSM solution on a Web Gateway appliance uses the remote server that is provided by a Skyhigh Security partner (Thales), the client-server model also applies. The Web Gateway appliance then connects as a client to the remote server.

When a Web Gateway appliance implements the HSM solution that uses a remote server (Thales), and other appliances connect to it to use the functions of this solution, this Web Gateway appliance takes both roles, client and server, at the same time.

The appliance then acts as a client towards the remote server (Thales) and as a server towards the other appliances.