Before you start
Before you start, ensure your environment conforms to the following specifications:
- Vectera Plus, 6.7.x.x and above
- Guardian Series 3, 6.1.3.x and above
If you have not already set up the Guardian Series 3 (such as network configuration, setting major keys, etc.), refer to the relevant administrator's guide for instructions on setting up a new Guardian Series 3 device.
To connect client Futurex HSMs for management by the Guardian Series 3, make sure to meet the following preconditions for all involved HSMs.
Futurex certificates will be used for the connection between the Guardian Series 3 and the HSMs in the following sections. Futurex certificates are preloaded on every unit. There is a private key and associated signed certificate, which is signed under a Customer "X" Futurex TLS CA tree. In conjunction with a client certificate signed under the same CA, these certificates can be used for secure communications with a Futurex unit without the need for generating and managing certificates on a customer-managed CA.
- Ensure your HSM is network-attached with a configured IP address and an Ethernet cable plugged into a local area network.
- You must load a major key onto the HSM when using user certificates. This precondition does not apply when using Futurex certificates.
- If using Transport Layer Security (TLS) between the HSM and the Guardian Series 3, you must enable the proper TLS settings on the HSM. When establishing a mutually authenticated connection, ensure these settings match on the Guardian Series 3. If they do not match, selecting this connection type will result in a failure to add the device to the group.
- The HSM must be signed using the same root certificate as the Guardian Series 3. This happens automatically when using Futurex certificates.
- The HSM must have the same date and time settings as the Guardian Series 3 and other units in the device group. The date and time settings automatically sync when you sign in to the Device Group on the Guardian Series 3, so no user configuration is required for this.
- All HSMs in the device group must be the same model, firmware version, and feature set.
In order to add a client Futurex HSM to a device group, the Guardian Series 3 must first meet the following preconditions.
- The Guardian Series 3 must be network-attached with a configured IP address and plugged into a local area network via an Ethernet cable.
- You must load a major key onto the Guardian Series 3 when using user certificates. This precondition does not apply when using Futurex certificates.
- If using Transport Layer Security (TLS) between the Guardian Series 3 and HSM, you must enable the proper TLS settings on the Guardian Series 3. When establishing a mutually authenticated connection, ensure these settings match on all the client HSMs. If they do not match, selecting this connection type will result in a failure to add the device to the group.
- The Guardian Series 3 must be signed using the same root certificate as the client HSM devices. This happens automatically when using Futurex certificates.
- The Guardian Series 3 must have the same date and time settings as all HSMs in the device group. The date and time settings automatically sync when you sign in to the Device Group on the Guardian Series 3, so no user configuration is required for this.
- The Guardian-required Host API commands must be enabled.
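Both lists above come down to a few facts that must agree across units before a device group can be formed: every certificate must chain to the same root, clocks must be in step, and grouped HSMs must share model and firmware. The Go program below is an added illustration, not code from Futurex or from this guide, of how an administrator could pre-check those conditions on exported certificates and reported clock values before attempting to add devices. It builds a constructed root CA and device certificates in memory as stand-ins for the preloaded Futurex certificates, then lists which devices would fail. The device names, model and firmware strings, and the two-minute skew tolerance are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device holds the facts the checklist compares across units. Names, model and
// firmware strings used below are constructed for the demo, not real devices.
type Device struct {
	Name     string
	Cert     *x509.Certificate
	Clock    time.Time // the unit's reported date/time
	Model    string
	Firmware string
}

// PreflightIssues returns one message per precondition the set violates: a
// certificate that does not chain to the shared root, a clock more than maxSkew
// away from the first device's, or a model/firmware mismatch with it.
func PreflightIssues(root *x509.Certificate, maxSkew time.Duration, devices []Device) []string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	var issues []string
	ref := devices[0]
	for _, d := range devices {
		if _, err := d.Cert.Verify(opts); err != nil {
			issues = append(issues, fmt.Sprintf("%s: certificate does not chain to the shared root: %v", d.Name, err))
		}
		if skew := d.Clock.Sub(ref.Clock); skew > maxSkew || skew < -maxSkew {
			issues = append(issues, fmt.Sprintf("%s: clock differs from %s by %v", d.Name, ref.Name, skew))
		}
		if d.Model != ref.Model || d.Firmware != ref.Firmware {
			issues = append(issues, fmt.Sprintf("%s: %s/%s differs from %s's %s/%s",
				d.Name, d.Model, d.Firmware, ref.Name, ref.Model, ref.Firmware))
		}
	}
	return issues
}

// makeCert issues a certificate: a self-signed root when parent is nil,
// otherwise a mutual-TLS device leaf signed by parent (constructed test PKI).
func makeCert(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // root: CA flags, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo builds a constructed scenario: a shared root, two HSMs signed under it
// (the second with its clock 5 minutes ahead) and a third signed by a foreign CA.
func Demo() (*x509.Certificate, []Device, error) {
	root, rootKey, err := makeCert("constructed-shared-root", 1, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	foreign, foreignKey, err := makeCert("constructed-foreign-root", 1, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	var devices []Device
	add := func(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey, clock time.Time) {
		cert, _, e := makeCert(name, serial, ca, caKey)
		if e != nil {
			err = e
		}
		devices = append(devices, Device{name, cert, clock, "example-model", "x.y.z"})
	}
	add("hsm-1", 2, root, rootKey, now)
	add("hsm-2", 3, root, rootKey, now.Add(5*time.Minute)) // clock drift vs hsm-1
	add("hsm-3", 4, foreign, foreignKey, now)              // wrong root certificate
	return root, devices, err
}

func main() {
	root, devices, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, issue := range PreflightIssues(root, 2*time.Minute, devices) {
		fmt.Println(issue)
	}
}
```

Running the program reports two findings for the constructed set: hsm-2 for clock drift and hsm-3 for a certificate under a different root, while hsm-1 is clean. Against real units you would replace the in-memory certificates with the device certificates and the root they are expected to chain to, and the clock values with what each unit reports; a non-empty result is the reason an "add to group" attempt would fail.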