Before you start
Before you start, ensure your environment meets the following version requirements:
- , 7.2.x.x and later
- Guardian Series 3, 6.1.6.x and later
If you have not already set up the (such as configuring the network, loading major keys, and so on), refer to the relevant administrator guide for instructions on setting up a new Guardian device.
To connect client HSMs for management by the , meet the following preconditions on every HSM involved.
The following sections use the certificates preloaded on every unit to connect the to HSMs. Each unit ships with a private key and an associated certificate signed under a TLS CA tree. Together with a client certificate signed under the same CA, these preloaded certificates give you mutually authenticated, encrypted communication with one of our units without generating and managing certificates on a customer-managed CA.
Keep the following considerations in mind:
- Ensure your HSM is network-attached with a configured IP address and an Ethernet cable plugged into a local area network.
- You must load a major key onto the HSM when using user certificates. This precondition does not apply when using certificates.
- If using Transport Layer Security (TLS) between the HSM and the , you must enable the proper TLS settings on the HSM. When establishing a mutually authenticated connection, these settings must match those on the Guardian; if they do not, adding the device to the group with that connection type fails.
- The HSM's certificate must chain to the same root certificate as the . This is automatic when using certificates.
- The HSM must have the same date and time settings as the and the other units in the device group. The date and time settings sync automatically when you sign in to the Device Group on the Guardian, so no additional configuration is needed.
- All HSMs in the device group must be the same model, firmware version, and feature set.
To add a client HSM to a device group, meet the following preconditions:
- The must be network-attached, have a configured IP address, and be plugged into a local area network with an Ethernet cable.
- You must load a major key onto the when using user certificates. This precondition does not apply when using certificates.
- If using Transport Layer Security (TLS) between the and the HSMs, you must enable the proper TLS settings on the Guardian. When establishing a mutually authenticated connection, these settings must match on all client HSMs; if they do not, adding the device to the group with that connection type fails.
- The 's certificate must chain to the same root certificate as the client HSM devices. This is automatic when using certificates.
- The must have the same date and time settings as all HSMs in the device group. The date and time settings sync automatically when you sign in to the Device Group on the Guardian, so no additional configuration is needed.
- You must enable the Host API commands that the Guardian requires.
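The two precondition lists above are easy to verify by hand on one or two units and easy to get wrong on a dozen. The following preflight script is an added example, not vendor-supplied tooling: it models the checks that can be made offline (matching model, firmware and feature set across the HSMs; both sides chaining to the same root certificate; matching TLS and mutual-authentication settings; clock agreement with the Guardian) over an inventory you fill in by hand, plus one live mutually authenticated TLS probe. Every field name, the sample hosts and firmware strings, the clock-skew tolerance, the port argument and the placeholder certificates are assumptions constructed for the example.

```python
"""Preflight checks before adding client HSMs to a device group.

Added example, not vendor tooling. It evaluates the preconditions listed above
over a hand-filled inventory; all field names, tolerances and sample data are
assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import socket
import ssl

MAX_CLOCK_SKEW = timedelta(seconds=60)   # assumed tolerance; sign-in re-syncs clocks anyway


@dataclass(frozen=True)
class Device:
    name: str
    host: str
    model: str
    firmware: str
    features: frozenset            # enabled feature set
    root_ca_fingerprint: str       # sha256 over DER of the root that signed its cert
    tls_enabled: bool
    mutual_auth: bool
    clock: datetime                # as reported by the unit, timezone-aware


def root_fingerprint(pem: str) -> str:
    """SHA-256 over the DER form of a PEM certificate (same digest as
    `openssl x509 -fingerprint -sha256`, without the colons)."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def check_preconditions(guardian: Device, hsms: list) -> list:
    """Return human-readable problems; an empty list means the group is consistent."""
    if not hsms:
        return ["no client HSMs supplied"]
    problems = []
    ref = hsms[0]
    for h in hsms:
        # All HSMs in the group must share model, firmware and feature set.
        if (h.model, h.firmware, h.features) != (ref.model, ref.firmware, ref.features):
            problems.append(f"{h.name}: model/firmware/features differ from {ref.name}")
        # Certificates on both sides must chain to the same root.
        if h.root_ca_fingerprint != guardian.root_ca_fingerprint:
            problems.append(f"{h.name}: certificate root differs from Guardian")
        # TLS and mutual-authentication settings must match the Guardian.
        if (h.tls_enabled, h.mutual_auth) != (guardian.tls_enabled, guardian.mutual_auth):
            problems.append(f"{h.name}: TLS settings differ from Guardian")
        # Date and time must agree with the Guardian.
        if abs(h.clock - guardian.clock) > MAX_CLOCK_SKEW:
            problems.append(f"{h.name}: clock skew exceeds {MAX_CLOCK_SKEW}")
    return problems


def probe_mutual_tls(host, port, cafile, certfile, keyfile, timeout=5.0):
    """Live check: open a mutually authenticated TLS session to one HSM.
    Raises ssl.SSLError or OSError on failure and returns the peer certificate.
    The port is whatever your units expose for management (assumption)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)        # our client cert, signed under the same CA
    ctx.check_hostname = False                    # unit certs are per device, not per DNS name (assumption)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed placeholder "certificates": valid PEM framing around arbitrary
# base64, enough to exercise root_fingerprint; not real certificates.
ROOT_PEM_SAMPLE = """-----BEGIN CERTIFICATE-----
cm9vdC1jYS1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----"""
OTHER_PEM_SAMPLE = """-----BEGIN CERTIFICATE-----
b3RoZXItcm9vdA==
-----END CERTIFICATE-----"""


def sample_inventory():
    """Constructed data: two consistent HSMs and one (hsm-c) that fails on
    firmware, certificate root, mutual-auth setting and clock."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    good_root = root_fingerprint(ROOT_PEM_SAMPLE)
    bad_root = root_fingerprint(OTHER_PEM_SAMPLE)
    guardian = Device("guardian-1", "10.0.0.10", "Guardian Series 3", "6.1.6.0",
                      frozenset(), good_root, True, True, now)
    hsms = [
        Device("hsm-a", "10.0.0.11", "hsm-model-x", "7.2.0.0", frozenset({"pkcs11"}),
               good_root, True, True, now + timedelta(seconds=5)),
        Device("hsm-b", "10.0.0.12", "hsm-model-x", "7.2.0.0", frozenset({"pkcs11"}),
               good_root, True, True, now - timedelta(seconds=3)),
        Device("hsm-c", "10.0.0.13", "hsm-model-x", "7.2.1.0", frozenset({"pkcs11"}),
               bad_root, True, False, now + timedelta(minutes=10)),
    ]
    return guardian, hsms


if __name__ == "__main__":
    g, hs = sample_inventory()
    for line in check_preconditions(g, hs) or ["all preconditions satisfied"]:
        print(line)
```

Run the offline checks first; only once they pass is `probe_mutual_tls` worth calling against each unit, because a root or TLS-setting mismatch surfaces there as a generic handshake failure that is harder to diagnose than the inventory report.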