10-03-2011 11:24 AM
[ZXTM 4.2 | http://knowledgehub.zeus.com/admin/b2edit.php?action=edit&post=325] or later can connect to external SSL hardware using the PKCS#11 standard (if you're using a ZXTM appliance, see
<a target="_blank" href="http://community.riverbed.com/t5/Answers/How-do-I-connect-a-ZXTM-Appliance-to-an-nCipher-NetHSM/td-p/16468">the appliance version of this article</a>
). This can improve the security of your SSL private keys, using a device such as an
<a target="_blank" href="http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules.aspx">nCipher NetHSM</a>
(which can generate keys and perform ZXTM's cryptographic operations such that the keys never leave the NetHSM). Alternatively, you could use this feature to connect to a locally attached SSL accelerator to improve performance. You will need an appropriate PKCS#11 library provided by your SSL hardware vendor, to translate between the PKCS#11 API and the specifics of that vendor's hardware. The nCipher Support Software includes such a library (libcknfast.so in the "pkcs11" bundle) which will connect to whatever nCipher hardware has been configured in the Support Software.
To connect ZXTM to your hardware, go to the SSL Hardware Support section of the Global Settings page. For ssld!library, select "PKCS#11 (e.g. nCipher NetHSM)". If you have installed the nCipher Support Software in the default location /opt/nfast, you can leave ssld!driver!pkcs11_lib blank. Otherwise, enter the full path to your vendor's PKCS#11 library. Finally, set ssld!driver!pkcs11_user_pin to the User PIN for your hardware. Note that unless you have just entered a PIN, the field will show a constant number of stars for security reasons.
You should now be able to use the key and certificate files from the NetHSM as you would any other key pair (including editing the certificate), as long as the NetHSM is working (ZXTM and the administration server will delegate all cryptographic operations that require the private key to the NetHSM). The administration server will mark such keys as stored on secure hardware, as in this example.
By default, ZXTM will only use the SSL hardware if a key requires it. This is the normal mode of operation for a NetHSM: the private key file uploaded to ZXTM is not the real key, but tells the NetHSM which key to use. ZXTM can instead be configured to always use the SSL hardware (as long as it is available). To do this, set ssld!accel to Yes.