ProtectServer 3+ External overview
The ProtectServer 3+ External is a self-contained, security-hardened server providing hardware-based cryptographic functionality through a TCP/IP network connection. Together with high-level application programming interface (API) software, it provides cryptographic services for a wide range of secure applications.
The ProtectServer 3+ External is PC-based. The enclosure is a heavy-duty steel case with common PC ports and controls. Necessary software components come pre-installed on a Linux operating system. Network setting configuration is required, as described in this document.
The full range of cryptographic services required by Public Key Infrastructure (PKI) users is supported by the ProtectServer 3+ External’s dedicated hardware cryptographic accelerator. These services include encryption, decryption, signature generation and verification, and key management with tamper-resistant and battery-backed key storage.
The ProtectServer 3+ External must be used with one of SafeNet’s high-level cryptographic APIs. The following table shows the provider types and their corresponding SafeNet APIs:
| API | Product required |
|---|---|
| PKCS#11 | ProtectToolkit-C |
| JCA / JCE | ProtectToolkit-J |
| Microsoft IIS and CA | ProtectToolkit-M |
These APIs interface directly with the product’s FIPS-validated core using high-speed hardware-based cryptographic processing. Key storage is tamper-resistant and battery-backed.
A smart card reader, supplied with the HSM, allows for the secure loading and backup of keys.
Cryptographic architecture
A hardware-based cryptographic system consists of three general components:
- One or more hardware security modules (HSMs) for key processing and storage.
- High-level cryptographic API software. This software uses the HSM's cryptographic capabilities to provide security services to applications.
- Access provider software to allow communication between the API software and the HSMs.
Operating in network mode, a standalone ProtectServer 3+ External can provide key processing and storage.
In network mode, access provider software is installed on the machine hosting the cryptographic API software. The access provider allows communication between the API and the ProtectServer 3+ External over a TCP/IP connection. The HSM can therefore be located remotely, improving the security of cryptographic key data.
The figure below depicts a cryptographic service provider using the ProtectServer 3+ External in network mode.