Manage Keystore

The can use either of the following keystores:
gateway91
The
Layer7 API Gateway
can use either of the following keystores:
  • Software DB
    : This is a software keystore that is built into every
    Layer7 API Gateway
    database, as a PKCS#12 keystore. The software keystore is always available and will be used unless a hardware keystore is installed. Private keys stored in the software keystore may be exported as PKCS#12 files and then imported into the SafeNet Luna HSM if necessary.
  • Hardware, SafeNet Luna SA
    : This is an optional network-attached HSM that can be accessed by the
    Layer7 API Gateway
    .
The
Manage Keystore
task is used to enable, disable, or view the status of the SafeNet Luna HSM.
Prerequisite
: The SafeNet Luna HSM must be correctly installed and configured, including the JSP on all cluster nodes. Please refer to the setup instructions provided by SafeNet.
WARNING:
Switching from one keystore to another will cause the
Layer7 API Gateway
to lose access to any private keys stored in the previous keystore. This may cause policies or listen ports to fail. To ensure that you can start the Policy Manager, make sure there is at least one listen port that uses the "Default SSL key."
Fallback to System Default Keystore
If the SafeNet HSM is enabled but the
Layer7 API Gateway
is unable to connect to it on startup, the
Layer7 API Gateway
will fall back to the software keystore.
If fallback occurs, you may need to re-enter the Partition Client PIN with the Policy Manager.
To manage keystores
:
  1. In the Policy Manager, select
    [Tasks] > Certficates, Keys, and Secrets > Manage Private Keys
    from the Main Menu.
    The Manage Private Keys dialog appears.
    1. Click [
      Manage Keystore
      ] and then enter the
      Layer7 API Gateway
      partition password if prompted. The Manage Keystore dialog is displayed and will show different messages depending on your current configuration.
      This dialog provides details about the current status of your keystore:
      Label
      Description
      Current keystore type
      Displays the keystore currently being used:
      • SafeNet HSM
      • System default
      • Configured for system default, but using SafeNet HSM
        : The SafeNet HSM has been disabled but the current
        Layer7 API Gateway
        node has not yet restarted for the system default to take effect.
      • Configured for SafeNet HSM, but using system default
        : This can indicate one of two things:
        • The SafeNet HSM has been enabled but the current
          Layer7 API Gateway
          node has not yet restarted for the SafeNet HSM to take effect.
        • The
          Layer7 API Gateway
          is configured to use the SafeNet HSM but had to fall back to the system default keystore in order to start the node successfully.
      The system default is the software database.
      SafeNet HSM support
      Displays the current status of the SafeNet HSM:
      • Ready to use
        : The SafeNet HSM is correctly configured.
      • Client software and JSP not installed or not configured
        : The SafeNet HSM client software and Java Service Provider (JSP) is either not present or incorrectly configured. For information on configuring the SafeNet HSM for use with the
        Layer7 API Gateway
        .
      Disable SafeNet HSM
      Available only if a SafeNet HSM is configured and enabled.
      Disable the SafeNet HSM and revert to using the system default keystore upon
      Layer7 API Gateway
      restart.
      Enable SafeNet HSM
      Available only if a SafeNet HSM is configured but not enabled.
      Enable the SafeNet HSM upon
      Layer7 API Gateway
      restart. This button is available even when SafeNet HSM is configured and ready to use, but is not currently the active keystore. The Connect to SafeNet HSM dialog is displayed.
      Enter a
      Partition Label
      , the accompanying
      Partition Password
      , and then click
      [Connect]
      Finding the Partition Label
      On the Gateway server or your Luna client machine, navigate to the
      /usr/safenet/lunaclient/bin
      directory and enter the LunaCM
      slot list
      command. The response returned should list all the partitions assigned to the Luna HSM client.
      Optional
      : Select the
      Prefer to use this device for all cryptographic operations
      option to ensure that all cryptographic operations are performed on the Luna HSM appliance itself. Otherwise, if left unselected, the
      Layer7 API Gateway
      will be the preferred platform to perform cryptographic operations using keys retrieved from the Luna HSM.
      Restart all
      Layer7 API Gateway
      cluster nodes for the configuration changes to take effect.
  2. Click [
    Close
    ] when done.