BP-Switch: Configuring message persistence
March 23, 2016BP-Sim: Running from command line/terminal
May 26, 2016BP-Switch: Configuring SafeNet HSM with HSM Load Balancer
Introduction
In this tutorial we’ll present how to add the SafeNet Luna Mk.II device to BP-Node’s HSM Load Balancer and its HSM pool.
Using Hardware Security Modules (HSMs) in the Payments industry is a compulsory for achieving reliable and safe payments service and also having your systems PCI:DSS compliant.
BP-Node supports SafeNet Luna integration for for achieving this and adding the HSM to its configuration is very easy.
Components used
In this scenario, following BP-Node components will be used:
- SafeNetClient
- HsmLoadBalancer
SafeNetClient configuration
The first thing we’ll need is to create the client connection to establish connectivity with the SafeNet Luna device. In our scenario a component called SafeNetClient class will be used, which manages the connectivity and also the messaging interface.
Open your BP-UI and navigate to Components. There click the green button which says “Add Component”. From the Class options available pick the bp::eftlab::node::ipc::SafeNetClient and name it: SafeNetLocal.
When clicking the Save button new options will appear, related to the class selected. Fill in the following values:
- Label: SafeNetLocal
- Description: Feel free to use this feel for your notes about this connection (purpose, contact details)
- Remote Address: 127.0.0.1
- Remote port: 1500
- Max Connections: 1
- SSL Enabled: False
Click the Save button.
BP-Node and SafeNet Luna integrates TLS communication support, which is now mandated starting with PCI:DSS 3.1. Setting the SSL Enabled checkbox will bring all the SSL/TLS configuration options needed.
HSM Load Balancer
Having a client configured, we can now add it the HSM Load Balancer component and its pool of HSMs.
Open the HSM Load Balancer component and click the add button in the Hsms form. Select the “bp::eftlab::node::hsm::plugins::safenet::SafeNetHsmPlugin” Class.
Save the component to get more configuration options related to the SafeNetHsmPlugin.
Fill the following:
- Client Name: SafeNetClient (Name of the SafeNetClient component configured above)
- Comment: Feel free to use this feel for your notes about this connection (purpose, contact details)
- Enabled: True
- Idle time: 1 (timeout in seconds for sending HSM probes)
- Label: SafeNet Luna on 1500
Click Save.
Well done!
Check proper configuration
Start your SafeNet Luna or BP-HSM SafeNet emulator and check the BP-Node event log for connection events like:
| 22928 | 2016-04-06 13:42:35 (+1000) | INFO | A connection was established between :0 and 127.0.0.1:1500 on node ‘SafeNetClient’. |
followed by:
| 22943 | 2016-04-06 13:43:20 (+1000) | INFO | HsmLoadBalancer became available for processing. |
Also the Health screen will start tracking HSM’s Health status:
Note that SafeNetLocal (Client) has already one subscriber as global Health of the HSM Load Balancer is based on watching all its child clients.
Finally, when using e.g. BP-HSM, you should see following messages coming, when BP-Node is asking SafeNet Luna for its health on its idle timeout.
[13:49:20.002050] - SafeNet Luna - Mark II message received
[None an 002 M] : 'Command Code' = [01]
binary data:
0000(0000) 01 01 00 25 00 01 01 ...%...
--------------------
[13:49:20.002220] - SafeNet Luna - Mark II message responded
[None hex 001 M] : 'Function Code' = [01]
[None hex 001 M] : 'Error Code' = [00]
[None hex 001 M] : 'RAM Status' = [00]
[None hex 001 M] : 'ROM Status' = [00]
[None hex 001 M] : 'DES Status' = [00]
[None hex 001 M] : 'Host Port Status' = [00]
[None hex 001 M] : 'Battery Status' = [00]
[None hex 001 M] : 'Hard Disk Status' = [00]
[None hex 001 M] : 'RSA Accelerator' = [00]
[None hex 001 M] : 'Performance Level' = [00]
[None hex 002 M] : 'Reset Count' = [4200]
[None hex 004 M] : 'Calls in last Minute' = [FF000000]
[None hex 004 M] : 'Calls in last 10 Mins'= [EE0E0000]
[None hex 001 M] : 'Software ID Length' = [08]
[None ans 008 M] : 'Software ID' = [EF0TL1AB]
binary data:
0000(0000) 01 01 00 25 00 1D 01 00 00 00 00 00 00 00 00 00 ...%............
0016(0010) 42 00 FF 00 00 00 EE 0E 00 00 08 45 46 30 54 4C B..........EF0TL
0032(0020) 31 41 42 1AB
Summary
Having this in place, same procedure applies for adding more HSMs into the HSM Load Balancer pool. BP-Node then iterates over the HSMs available based on their availability and response times.
