ProtectServer 3 PCIe hardware installation
The ProtectServer 3 PCIe is the third-generation intelligent ProtectServer cryptographic services PCIe adapter, replacing the ProtectServer PCIe 2 HSM.
ProtectServer can employ either generic processing or high-speed DES and RSA hardware acceleration. Key storage security is ensured by persistent, tamper-protected memory. Multiple adapters can be installed in a single host computer to improve throughput or provide redundancy.
This section provides instructions for installing a ProtectServer 3 PCIe cryptographic services hardware adapter. To ensure a successful installation, perform the following tasks in the order indicated:
- Ensure that you have all of the required components, as listed in ProtectServer 3 PCIe required items.
- Install and connect the hardware, as described in ProtectServer 3 PCIe installation.
Caution
This product uses semiconductors that can be damaged by electro-static discharge (ESD). When handling the device, avoid contact with exposed components, and always use an anti-static wrist strap connected to an earth ground. In rare cases, ESD can trigger a tamper or decommission event on the HSM. If this happens, all cryptographic materials, configuration, and user data are deleted.
Server compatibility
The ProtectServer 3 PCIe has been tested with a variety of representative systems/servers with compliant PCI express slots. When a compatibility problem with a current brand and model computer arises, that information is made available via the Thales Support Portal. To troubleshoot a ProtectServer 3 PCIe installation issue that you are experiencing, refer to ProtectServer 3 PCIe installation issues.
Compatibility issue with Intel Ice Lake CPUs
The ProtectServer 3 PCIe conforms to the PCIe 2.0 standard and requires a PCIe x4 or higher slot. When installed in a server using an Intel Ice Lake CPU, the ProtectServer 3 PCIe does not boot up after a hot restart of the server. This issue has been confirmed on Dell, HP, and Fujitsu servers. Please ensure that you install the ProtectServer 3 PCIe in a server with a newer (Rocket Lake, for example) or older (Cascade Lake, for example) CPU.
If you have the ProtectServer 3 PCIe installed in an Ice Lake server, no issues have been found using cold restarts (startup from shutdown). If you choose to use a remote server management system such as iDRAC, ensure that you have assessed the security risks associated with this deployment, and that the system is properly maintained (security patches applied).
Special RAM requirements for servers hosting two ProtectServer 3 PCIe HSMs
Two ProtectServer 3 PCIe HSMs can only be installed in a server with two, four, or eight sticks of RAM. If the server has six sticks of RAM installed, the ProtectServer 3 PCIe HSMs are not detected.
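The two host constraints above (Ice Lake CPU, RAM stick count with two HSMs) can be checked before the chassis is opened. The following is an added example, not Thales tooling: it assumes a Linux host, text in the format of /proc/cpuinfo and `dmidecode -t 17`, and the Intel family 6 model numbers used by the Linux kernel for Ice Lake; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: host pre-flight checks for the constraints stated on this page.

# Count populated DIMM slots in `dmidecode -t 17` text read from stdin.
# Empty slots report "Size: No Module Installed".
count_populated_dimms() {
    awk '/^[ \t]*Size:/ && !/No Module Installed/ { n++ } END { print n + 0 }'
}

# Succeed if /proc/cpuinfo text on stdin describes an Intel Ice Lake CPU.
# Family 6 models: 106 (Ice Lake-SP), 108 (Ice Lake-D), 125/126 (client).
is_ice_lake() {
    awk -F': *' '
        /^vendor_id/    { vendor = $2 }
        /^cpu family/   { family = $2 }
        /^model[ \t]*:/ { model = $2 }
        END { exit !(vendor == "GenuineIntel" && family == 6 &&
                     (model == 106 || model == 108 || model == 125 || model == 126)) }'
}

# preflight CPUINFO_TEXT DMI_TEXT HSM_COUNT: print one line per finding.
preflight() {
    if printf '%s\n' "$1" | is_ice_lake; then
        echo "WARN ice-lake: card does not boot up after a hot restart; cold restarts only"
    fi
    dimms=$(printf '%s\n' "$2" | count_populated_dimms)
    if [ "$3" -eq 2 ]; then
        case "$dimms" in
            2|4|8) ;;
            *) echo "FAIL dimms=$dimms: two HSMs need two, four, or eight sticks of RAM" ;;
        esac
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CPUINFO='vendor_id       : GenuineIntel
cpu family      : 6
model           : 106'
SAMPLE_DMI='        Size: 16 GB
        Volatile Size: 16 GB
        Size: 16 GB
        Size: 16 GB
        Size: 16 GB
        Size: 16 GB
        Size: 16 GB
        Size: No Module Installed
        Size: No Module Installed'

# Live host (dmidecode needs root): preflight "$(cat /proc/cpuinfo)" "$(dmidecode -t 17)" 2
preflight "$SAMPLE_CPUINFO" "$SAMPLE_DMI" 2
```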
ProtectServer 3 PCIe required items
This section lists the components received with your ProtectServer 3 PCIe HSM order.
Contents received
The following items are included in a ProtectServer 3 PCIe HSM order:
- ProtectServer 3 PCIe adapter card. Quantity supplied: 1
- Smart card reader. Quantity supplied: 1
- Smart cards. Quantity supplied: 5 (in a single media case). Each smart card contains a total of 64 kilobytes of storage space.
Optional items
Contact your Thales sales representative to order the following optional items:
- SafeNet 110 Time-Based OTP Token (part number: 955-000237-001). Enables multifactor authentication on ProtectServer 3 HSM tokens. Thales recommends ordering at least two (2) SafeNet 110 Time-Based OTP Tokens for each slot on the HSM (one each for the Security Officer and Token User).
- ProtectServer-compatible PIN pad (part number: 934-000121-001). Enables manual key component entry.
Note
For FIPS 140-2-compliant deployments
This item is only compatible with ProtectServer 3 HSMs running ProtectServer 3 HSM Firmware 7.02.04 or newer.
ProtectServer 3 PCIe installation
Install and commission a ProtectServer 3 PCIe card by completing the following steps:
- Install the ProtectServer 3 PCIe card into the host computer.
- Connect a chassis intrusion connector to the tamper header on the card (if necessary).
- Connect a smart card reader (if necessary).
Installing the ProtectServer 3 PCIe card into the host computer
Install the ProtectServer 3 PCIe card into an open PCIe slot on the host computer.
Caution
This product uses semiconductors that can be damaged by electro-static discharge (ESD). When handling the device, avoid contact with exposed components, and always use an anti-static wrist strap connected to an earth ground. In rare cases, ESD can trigger a tamper or decommission event on the HSM. If this happens, all cryptographic materials, configuration, and user data are deleted.
To install the ProtectServer 3 PCIe hardware
- Open your computer, and remove the slot-cover bracket from an available PCIe slot. If the bracket is secured by a screw, keep that screw.
- Use the provided anti-static wrist strap to ground yourself to an exposed metal part of the computer chassis.
- Remove the ProtectServer 3 PCIe from its anti-static packaging and prepare to insert the card into your computer.
  Your ProtectServer 3 PCIe comes fitted with a full-height mounting bracket, but if you have no full-height slots available, the card can fit into a half-height slot. A half-height mounting bracket is included for this purpose. To install the half-height bracket, remove the two screws connecting the full-height bracket to the card, and use them to mount the half-height bracket in its place.
- Align the ProtectServer 3 PCIe card with the vacant slot. You might need to introduce the tip of the card hold-down bracket first (the silver-metal part along the back edge of the card), in order to properly align the card with the connector.
  You can use a PCIe x4 or larger slot, as long as it is wired for at least four PCI express channels, and not reserved for a dedicated function. For example, we do not recommend that you use your ProtectServer 3 PCIe card in a designated PCI express video slot, because different models of computer and their BIOS firmware can differ in how faithfully they support the PCIe standard.
- Insert the ProtectServer 3 PCIe card into the connector. It should go straight in; angling the card might cause it to bend. The card is properly seated when no portion of the gold-colored contacts of the card protrudes above the connector socket.
- Secure the card hold-down bracket with a screw.
Connecting a chassis intrusion connector to the tamper header
The ProtectServer 3 PCIe is equipped with a two-pin tamper header which, when shorted, places the HSM in a tamper state with a status of Chassis Open. If your chassis is so equipped, you can connect the chassis intrusion connector to the tamper header so that the HSM is placed in a tamper state if the chassis is opened. Refer to the documentation provided by your chassis manufacturer for more information.
To connect a chassis intrusion connector to the tamper header
- Install the ProtectServer 3 PCIe card. For more information about installation, see Installing the ProtectServer 3 PCIe Card Into the Host Computer.
- Connect the chassis intrusion connector to the tamper input header on the card, shown below.
Note
If used, this pin pair would usually be wired to a chassis switch that is held open when the lid or panel is in place. Opening the lid or panel would close the switch and tamper the HSM. If you are constructing or ordering a cable for this purpose, the header has 2 mm pin pitch and mates with a Molex connector or equivalent.
Smart card reader installation
The ProtectServer 3 PCIe supports the use of smart cards with a Thales-supplied smart card reader. The ProtectServer 3 PCIe does not support smart card readers that are not supplied by Thales.
To install the USB card reader, simply plug the card reader into the HSM's USB port.
ProtectServer 3 PCIe storage capacity
The ProtectServer 3 PCIe has the following storage capacity:
- Functionality Module (FM) storage: 8 MB.
- Secure Memory File System (SMFS) storage for keys and cryptographic materials: 4 MB shared between the firmware and FMs.