ProtectServer 3 External overview
The ProtectServer 3 External is a self-contained, security-hardened server providing hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level SafeNet application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.
The ProtectServer 3 External is PC-based. The enclosure is a heavy-duty steel case with common PC ports and controls. Necessary software components come pre-installed on a Linux operating system. Network setting configuration is required, as described in this document.
The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the ProtectServer 3 External’s dedicated hardware cryptographic accelerator. These services include encryption, decryption, signature generation and verification, and key management with a tamper resistant and battery-backed key storage.
The ProtectServer 3 External must be used with one of SafeNet’s high-level cryptographic APIs. The following table shows the provider types and their corresponding SafeNet APIs:
API | SafeNet product required |
---|---|
PKCS#11 | ProtectToolkit-C |
JCA/JCE | ProtectToolkit-J |
Microsoft IIS and CA | ProtectToolkit-M |
These APIs interface directly with the product’s FIPS-validated core using high-speed hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.
A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.
Front panel view
The features on the front panel of the ProtectServer 3 External are illustrated below:
Ports
Port | Description |
---|---|
VGA | Not active. |
Console | Provides console access to the appliance. See First Login and System Test. |
USB | Not active. |
eth0 eth1 |
Autosensing 10/100/1000 Mb/s Ethernet RJ45 ports for connecting the appliance to the network. |
HSM USB | Connects a smart card reader to the appliance using the included USB-to-serial cable. |
LEDs
LED | Description |
---|---|
Power | Illuminates green to indicate that the unit is powered on. |
HDD | Flashes amber to indicate hard disk activity. |
Status | Flashes green on startup. |
Reset Button
The reset button is located between the USB and Ethernet ports. Pressing the reset button forces an immediate restart of the appliance. Although it does not power off the appliance, it does restart the software. Pressing the reset button is service-affecting and is not recommended under normal operating conditions.
Rear panel view
The features on the rear panel of the ProtectServer 3 External are illustrated below:
Tamper lock
The tamper lock is used during commissioning or decommissioning of the appliance to destroy any keys currently stored on the HSM.
With the key in the horizontal (Active) position, the HSM is in normal operating mode. Turning the key to the vertical (Tamper) position places the HSM in a tamper state, and any keys stored on the HSM are destroyed.
Caution
Turning the tamper key from the Active position to the Tamper position deletes any keys currently stored on the HSM. Deleted keys are not recoverable. Ensure that you always back up your keys. To avoid accidentally deleting the keys on an operational ProtectServer 3 External, remove the tamper key after commission and store it in a safe place.
Cryptographic architecture
A hardware-based cryptographic system consists of three general components:
-
One or more HSMs for key processing and storage.
-
High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide security services to applications.
-
Access provider software to allow communication between the API software and the HSMs.
Operating in network mode, a standalone ProtectServer 3 External can provide key processing and storage.
In network mode, access provider software is installed on the machine hosting the cryptographic API software. The access provider allows communication between the API and the ProtectServer 3 External over a TCP/IP connection. The HSM can therefore be located remotely, improving the security of cryptographic key data
The figure below depicts a cryptographic service provider using the ProtectServer 3 External in network mode.
Technical specifications
The ProtectServer 3 External specifications are as follows:
Hardware
-
One smart card reader secure USB port (requires the included USB-to-serial cable)
-
Protective, heavy duty steel, industrial PC case
-
Intel® Atom™ CPU E3827 1.74GHz
-
2 GB RAM
-
4 GB solid state flash memory hard disk (DOM)
-
10/100/1000 Mbps autosensing Network Interface with RJ45 LAN connector
Pre-installed software
-
Linux operating system
-
ProtectServer HSM Access Provider software
-
ProtectServer HSM Net Server software
Power supply
-
Nominal power consumption: 43 W
-
Input AC voltage range: 100-240 V
-
Input frequency range: 50-60 Hz
Physical properties
-
437 mm (W) x 270 mm (D) x 44 mm (H) (1U)
-
19” rack mounting brackets included
-
Weight 5 kg (11 lb)
Operating environment
-
Temperature: 0 to 40°C (32 to 104°F)
-
Relative Humidity: 5 to 85%