The Layer7 API Gateway can use either of the following keystores:
- Software DB: This is a software keystore that is built into every Layer7 API Gateway database, as a PKCS#12 keystore. The software keystore is always available and will be used unless a hardware keystore is installed. Private keys stored in the software keystore may be exported as PKCS#12 files and then imported into the SafeNet Luna HSM if necessary.
- Hardware, SafeNet Luna SA: This is an optional network-attached HSM that can be accessed by the Layer7 API Gateway.
The Manage Keystore task is used to enable, disable, or view the status of the SafeNet Luna HSM.
Prerequisite: The SafeNet Luna HSM must be correctly installed and configured, including the JSP on all cluster nodes. Please refer to the setup instructions provided by SafeNet.
WARNING: Switching from one keystore to another will cause the Layer7 API Gateway to lose access to any private keys stored in the previous keystore. This may cause policies or listen ports to fail. To ensure that you can start the Policy Manager, make sure there is at least one listen port that uses the "Default SSL key."
Fallback to System Default Keystore
If the SafeNet HSM is enabled but the Layer7 API Gateway is unable to connect to it on startup, the Layer7 API Gateway will fall back to the software keystore. If fallback occurs, you may need to re-enter the Partition Client PIN with the Policy Manager.
To manage keystores:
- In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
- Click [Manage Keystore] and then enter the Layer7 API Gateway partition password if prompted. The Manage Keystore dialog is displayed and will show different messages depending on your current configuration. This dialog provides details about the current status of your keystore:

  Current keystore type: Displays the keystore currently being used:
  - SafeNet HSM
  - System default
  - Configured for system default, but using SafeNet HSM: The SafeNet HSM has been disabled but the current Layer7 API Gateway node has not yet restarted for the system default to take effect.
  - Configured for SafeNet HSM, but using system default: This can indicate one of two things:
    - The SafeNet HSM has been enabled but the current Layer7 API Gateway node has not yet restarted for the SafeNet HSM to take effect.
    - The Layer7 API Gateway is configured to use the SafeNet HSM but had to fall back to the system default keystore in order to start the node successfully.
  The system default is the software database.

  SafeNet HSM support: Displays the current status of the SafeNet HSM:
  - Ready to use: The SafeNet HSM is correctly configured.
  - Client software and JSP not installed or not configured: The SafeNet HSM client software and Java Service Provider (JSP) are either not present or incorrectly configured. For information on configuring the SafeNet HSM for use with the Layer7 API Gateway.

  Disable SafeNet HSM: Available only if a SafeNet HSM is configured and enabled. Disables the SafeNet HSM and reverts to using the system default keystore upon Layer7 API Gateway restart.

  Enable SafeNet HSM: Available only if a SafeNet HSM is configured but not enabled. Enables the SafeNet HSM upon Layer7 API Gateway restart. This button is available even when the SafeNet HSM is configured and ready to use, but is not currently the active keystore. Clicking it displays the Connect to SafeNet HSM dialog:
    - Enter a Partition Label and the accompanying Partition Password, and then click [Connect].
      Finding the Partition Label: On the Gateway server or your Luna client machine, navigate to the /usr/safenet/lunaclient/bin directory and enter the LunaCM slot list command. The response returned should list all the partitions assigned to the Luna HSM client.
    - Optional: Select the Prefer to use this device for all cryptographic operations option to ensure that all cryptographic operations are performed on the Luna HSM appliance itself. Otherwise, if left unselected, the Layer7 API Gateway will be the preferred platform to perform cryptographic operations using keys retrieved from the Luna HSM.
    - Restart all Layer7 API Gateway cluster nodes for the configuration changes to take effect.
- Click [Close] when done.