Installing ProtectToolkit 7 on Windows
This section describes how to use the ProtectToolkit Windows Installer (PTKinstaller.exe) to install ProtectToolkit on a Windows client or modify an existing ProtectToolkit installation. Refer to the prerequisites below before proceeding.
Prerequisites
Complete the following steps before installing ProtectToolkit 7:
- Review the Operating modes as they apply to your HSM deployment.
- Review Supported platforms to ensure that your operating system is supported.
- Ensure that your ProtectServer 3 HSM is installed and configured for access over a network (if applicable):
  If you are setting up ProtectToolkit to run in Software Emulation Mode, HSM setup is unnecessary.
- Install the following components on the client machine:
  - Java Runtime Environment (JRE) (required for graphical user interface utilities only). The product has been tested using JRE version 7.x, 8.x, 9.x, 10.x, 11.x, 17.x, and 21.x.
    Note
    Warnings appear when compiling some of the provided Java samples with JRE 9, 10, or 11 installed. These warnings can be safely ignored.
  - Microsoft Visual C++ 2005, 2008, 2010, 2015, 2019 (Windows only). All required MSVC versions are available for download from Microsoft.
- Download the ProtectToolkit Windows Installer (PTKinstaller.exe) from the Thales Customer Portal.
  Note
  If you are deploying a ProtectServer 3 HSM with the 32-bit version of ProtectToolkit 7.2.0 or newer in PCI mode, while using a 64-bit Windows 10 PC as the HSM and application host, you must download the 64-bit Windows installation wizard and 32-bit Windows installation wizard.
ProtectToolkit Windows installation procedures
Install ProtectToolkit on Windows in one of the following two ways:
- Attended Installation
- Silent Installation (ProtectToolkit 7.2.0 and newer only)
Attended Windows Installation
You can use the installation wizard to guide you through an attended installation of ProtectToolkit 7.
Run the Windows Installer (PTKinstaller.exe) on your client and follow the wizard instructions to accept the licensing agreement, select your desired install location, and select your desired ProtectToolkit component(s). For more information about available components, refer to Available ProtectToolkit 7 components.
Note
If you are deploying a ProtectServer 3 HSM with the 32-bit version of ProtectToolkit 7.2.0 or newer in PCI mode, while using a 64-bit Windows 10 PC as the HSM and application host, refer to Package installation sequence for 32-bit ProtectToolkit in PCI mode.
If you installed the Network HSM Communication Interface, you are prompted to specify a space-separated list of IP addresses for ProtectServer 3 HSMs you will access from this client. If you set custom ports, specify them as well in the format <IP_address:port>.
If you installed any of the HSM Communication Interface components, specify whether you want to run the ProtectToolkit software in HSM or Emulator mode:
- ProtectServer HSM: cryptographic operations are performed on the ProtectServer 3 HSM and keys are stored on the HSM hardware.
- ProtectServer Emulator: operations are performed and keys are stored on the local client machine. This mode is intended for application and FM development and should not be used for production as keys are not stored securely on an HSM.
Silent Windows installation
The ProtectToolkit Windows Installer that is provided with ProtectToolkit 7.2.0 and newer can be set to run in silent mode. When it is set to run in silent mode, no further manual intervention is required after running the installer.
Note
If you are deploying a ProtectServer 3 HSM with the 32-bit version of ProtectToolkit 7.2.0 or newer in PCI mode, while using a 64-bit Windows 10 PC as the HSM and application host, refer to Package installation sequence for 32-bit ProtectToolkit in PCI mode.
To run the ProtectToolkit Windows installer in silent mode, run the following command:
PTKinstaller.exe {/SILENT | /VERYSILENT} [/components=<ptk_components>] [/hsmserverlist=<IP_address>]
- /SILENT
  If this parameter is set, the installation wizard and the background window are not displayed but the installation progress window is displayed during installation.
- /VERYSILENT
  If this parameter is set, no windows are displayed during installation.
- /components=<ptk_components>
  Used to specify the ProtectToolkit component to install. For more information about available components, refer to Available ProtectToolkit 7 components.
  The table below lists the parameter's valid values and corresponding ProtectToolkit component.

  | Value | ProtectToolkit component |
  |---|---|
  | cprt | ProtectToolkit Client |
  | cprt\cpsdk | ProtectToolkit SDK |
  | cprt\fmsdk | ProtectToolkit FM SDK |
  | jprov | ProtectToolkit Java Runtime |
  | jprov\jpsdk | ProtectToolkit Java SDK |
  | hsm | HSM Communication Interface |
  | hsm\net | Network HSM Communication Interface |
  | hsm\pci | PCI HSM Communication Interface |
  | hsm\pci\netsrv | HSM Net Server Communication Interface |
  | int | Microsoft Cryptographic Provider |
  | int\cng | CNG Provider |
  | int\ptkm | ProtectToolkit M Provider |

  Multiple components can be specified as a comma-separated list of values.
  Note
  If this parameter is not set, only the ProtectToolkit client (cprt) is installed.
- /hsmserverlist=<IP_address>
  Used to specify the IP address of the network HSM(s).
  Note
  If this parameter is not set, 127.0.0.1 is set as the network HSM IP address.
For example, to install the ProtectToolkit C SDK for operation in Network Mode with HSM IP 172.23.32.55, the following command is used:
PTKinstaller.exe /SILENT /components="cprt\cpsdk" /hsmserverlist=172.23.32.55
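A wrapper for the silent install described above, as an added example that is not Thales code: it checks the component values against the table on this page, rejects anything that is not a literal IP address, refuses to run an installer whose Authenticode signature does not validate, and then runs the documented command line. The script's parameter names and the installer path are hypothetical; it also assumes that the installer is Authenticode-signed and that a nonzero exit code means failure, neither of which this page states.

```powershell
# Added example (not vendor code): pre-flight checks around the documented silent install.
param(
    [string]   $Installer  = '.\PTKinstaller.exe',   # assumed download location
    [string[]] $Components = @('cprt\cpsdk'),
    [string]   $HsmServer  = '',                     # single network HSM IP address
    [switch]   $VerySilent
)

# Valid /components values, copied from the table on this page.
$valid = 'cprt','cprt\cpsdk','cprt\fmsdk','jprov','jprov\jpsdk','hsm','hsm\net',
         'hsm\pci','hsm\pci\netsrv','int','int\cng','int\ptkm'
$unknown = @($Components | Where-Object { $valid -notcontains $_ })
if ($unknown.Count -gt 0) { throw "Unknown component value(s): $($unknown -join ', ')" }

if ($HsmServer) {
    # Accept only a literal IP address in canonical form (rejects host names and shorthand like "1").
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($HsmServer, [ref]$ip) -or $ip.ToString() -ne $HsmServer) {
        throw "Not a literal IP address: $HsmServer"
    }
} elseif ($Components -contains 'hsm\net') {
    # Documented default: without /hsmserverlist the network HSM address becomes 127.0.0.1.
    Write-Warning 'hsm\net selected without -HsmServer; the installer will use 127.0.0.1.'
}

# Assumption: the downloaded installer carries an Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; not running it." }
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Build exactly the documented switches: {/SILENT | /VERYSILENT} /components= /hsmserverlist=
$mode = if ($VerySilent) { '/VERYSILENT' } else { '/SILENT' }
$argList = @($mode, "/components=`"$($Components -join ',')`"")
if ($HsmServer) { $argList += "/hsmserverlist=$HsmServer" }

# Run unattended and wait. Treating a nonzero exit code as failure is an assumption;
# this page does not document the installer's exit codes.
$proc = Start-Process -FilePath $Installer -ArgumentList $argList -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "PTKinstaller.exe exited with code $($proc.ExitCode)" }
Write-Host "Installed: $($Components -join ',')"
```

Review the printed signer subject before rolling the script out to more clients, since a valid signature only proves that some trusted publisher signed the file.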
Package installation sequence for 32-bit ProtectToolkit in PCI mode
- Run the 64-bit installation wizard and install the PCI HSM Communications Interface by selecting the required checkboxes, as shown below.
- Run the 32-bit installation wizard and install the ProtectToolkit component you require and PCI HSM Communications Interface by selecting the required checkboxes, as shown below.
Modifying the ProtectToolkit Windows installation
You can modify an existing ProtectToolkit installation/configuration on Windows by using the client installer. This includes adding new client components, modifying the list of accessible ProtectServer 3 HSM IPs, or switching between HSM and Software Emulation mode.
Note
With logging enabled, you can no longer use the Windows installer to switch between HSM and Software Emulator modes. See Activating logging for more information.
If you are using ProtectToolkit 7.2.0 or newer, run PTKinstaller.exe MODIFY /hsmserverlist=
To modify the ProtectToolkit installation
- From the Windows Start menu, select Start > Safenet > Modify ProtectToolkit Client.
  The Windows Installer opens to the Select Components dialog, displaying your installed ProtectToolkit components.
- Select or clear components as desired and select Next. For more information about available components, refer to Available ProtectToolkit 7 components.
  New components will be installed. If you cleared previously-installed components, they will not be uninstalled from the client, but their related configuration will change. For example, if you switch the HSM Communication Interface from PCI to Network, the PCIe driver will not be deleted, but you will be prompted to add valid IP addresses for network-connected ProtectServer 3 HSMs at the end of the modification procedure.
- If the Network HSM Communication Interface is installed, you can update the list of IP addresses for ProtectServer 3 HSMs this client will access.
- If any of the HSM Communication Interface components are installed, you can switch between HSM and Software Emulation mode.
Caution
Applications that were running before the modification, including cmd windows, must be restarted before changes are reflected. Be especially cautious about this when switching from Software Emulation to HSM mode.