Configuring SafeNet HSM with HSM Load Balancer


In this tutorial we’ll present how to add the SafeNet Luna Mk.II device to BP-Node’s HSM Load Balancer and its HSM pool.

Using Hardware Security Modules (HSMs) in the payments industry is compulsory for delivering a reliable and safe payments service and for keeping your systems PCI:DSS compliant.

BP-Node supports SafeNet Luna integration for this purpose, and adding the HSM to its configuration is very easy.

Components used

In this scenario, the following BP-Node components will be used:

  • SafeNetClient
  • HsmLoadBalancer

SafeNetClient configuration

The first thing we need is a client connection that establishes connectivity with the SafeNet Luna device. In our scenario a component of the SafeNetClient class will be used, which manages the connectivity and also the messaging interface.

Open your BP-UI and navigate to Components. There, click the green “Add Component” button. From the Class options available pick bp::eftlab::node::ipc::SafeNetClient and name it SafeNetLocal.

After clicking the Save button, new options related to the selected class will appear. Fill in the following values:

  • Label: SafeNetLocal
  • Description: Feel free to use this field for your notes about this connection (purpose, contact details)
  • Remote Address:
  • Remote port: 1500
  • Max Connections: 1
  • SSL Enabled: False

Click the Save button.

BP-Node and SafeNet Luna integrate TLS communication support, which is mandated starting with PCI:DSS 3.1. Ticking the SSL Enabled checkbox will bring up all the SSL/TLS configuration options needed.

HSM Load Balancer

Having a client configured, we can now add it to the HSM Load Balancer component and its pool of HSMs.

Open the HSM Load Balancer component and click the add button in the Hsms form. Select the “bp::eftlab::node::hsm::plugins::safenet::SafeNetHsmPlugin” Class.

Save the component to get more configuration options related to the SafeNetHsmPlugin.

Fill in the following:

  • Client Name: SafeNetClient (Name of the SafeNetClient component configured above)
  • Comment: Feel free to use this field for your notes about this connection (purpose, contact details)
  • Enabled: True
  • Idle time: 1 (timeout in seconds for sending HSM probes)
  • Label: SafeNet Luna on 1500

Click Save.

Well done!

Check proper configuration

Start your SafeNet Luna or BP-HSM SafeNet emulator and check the BP-Node event log for connection events like:

22928  2016-04-06 13:42:35 (+1000)  INFO  A connection was established between :0 and on node ‘SafeNetClient’.

followed by:

22943  2016-04-06 13:43:20 (+1000)  INFO  HsmLoadBalancer became available for processing.

Also, the Health screen will start tracking the HSM’s health status:

Note that SafeNetLocal (Client) already has one subscriber, as the global health of the HSM Load Balancer is based on watching all its child clients.

Finally, when using e.g. BP-HSM, you should see the following messages when BP-Node asks SafeNet Luna for its health on each idle timeout.

[13:49:20.002050] - SafeNet Luna - Mark II message received
[None       an  002 M] : 'Command Code'        = [01]

binary data:
0000(0000)   01 01 00 25 00 01 01                              ...%...


[13:49:20.002220] - SafeNet Luna - Mark II message responded
[None      hex  001 M] : 'Function Code'    = [01]
[None      hex  001 M] : 'Error Code'        = [00]
[None      hex  001 M] : 'RAM Status'        = [00]
[None      hex  001 M] : 'ROM Status'        = [00]
[None      hex  001 M] : 'DES Status'        = [00]
[None      hex  001 M] : 'Host Port Status'    = [00]
[None      hex  001 M] : 'Battery Status'    = [00]
[None      hex  001 M] : 'Hard Disk Status'    = [00]
[None      hex  001 M] : 'RSA Accelerator'    = [00]
[None      hex  001 M] : 'Performance Level'    = [00]
[None      hex  002 M] : 'Reset Count'        = [4200]
[None      hex  004 M] : 'Calls in last Minute'    = [FF000000]
[None      hex  004 M] : 'Calls in last 10 Mins'= [EE0E0000]
[None      hex  001 M] : 'Software ID Length'    = [08]
[None      ans  008 M] : 'Software ID'        = [EF0TL1AB]

binary data:
0000(0000)   01 01 00 25 00 1D 01 00  00 00 00 00 00 00 00 00  ...%............
0016(0010)   42 00 FF 00 00 00 EE 0E  00 00 08 45 46 30 54 4C  B..........EF0TL
0032(0020)   31 41 42                                          1AB
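As an added example (not BP-Node's or SafeNet's code), the following Python decodes the health-check response captured above into the same fields the trace prints and derives the availability verdict the load balancer needs from it. The 4-byte prefix and the 2-byte big-endian payload length are assumptions read off the captured bytes; the sample frame is constructed from the dump on this page.

```python
import struct

# Constructed from the trace on this page: the 35-byte health-check response
# of the SafeNet Luna Mk.II (BP-HSM emulator). Field layout follows the decoded
# field list in the trace; the 4-byte prefix and the 2-byte big-endian length
# (0x001D = 29 payload bytes) are assumptions inferred from the captured bytes.
SAMPLE_RESPONSE = bytes.fromhex(
    "01 01 00 25 00 1D 01 00 00 00 00 00 00 00 00 00"
    "42 00 FF 00 00 00 EE 0E 00 00 08 45 46 30 54 4C"
    "31 41 42"
)

HEADER_LEN = 4
# (field name, length in bytes) in the order the trace prints them
FIXED_FIELDS = [
    ("Function Code", 1), ("Error Code", 1), ("RAM Status", 1),
    ("ROM Status", 1), ("DES Status", 1), ("Host Port Status", 1),
    ("Battery Status", 1), ("Hard Disk Status", 1), ("RSA Accelerator", 1),
    ("Performance Level", 1), ("Reset Count", 2), ("Calls in last Minute", 4),
    ("Calls in last 10 Mins", 4), ("Software ID Length", 1),
]
# Bytes that must all be 00 for the HSM to count as usable (assumption:
# Performance Level is treated as informational, not as a fault indicator).
STATUS_FIELDS = [name for name, _ in FIXED_FIELDS[1:9]]

def parse_health_response(frame: bytes) -> dict:
    """Decode a health response; hex fields are returned exactly as the
    trace shows them. Raises ValueError on a truncated or over-long frame
    so a malformed reply is never mistaken for a healthy HSM."""
    if len(frame) < HEADER_LEN + 2:
        raise ValueError("frame shorter than header plus length field")
    (length,) = struct.unpack(">H", frame[HEADER_LEN:HEADER_LEN + 2])
    payload = frame[HEADER_LEN + 2:]
    if len(payload) != length:
        raise ValueError(f"length field {length} != payload {len(payload)}")
    fields, pos = {}, 0
    for name, size in FIXED_FIELDS:
        if pos + size > len(payload):
            raise ValueError(f"payload truncated at {name}")
        fields[name] = payload[pos:pos + size].hex().upper()
        pos += size
    sw_len = int(fields["Software ID Length"], 16)
    if pos + sw_len != len(payload):
        raise ValueError("Software ID length does not match payload")
    fields["Software ID"] = payload[pos:pos + sw_len].decode("ascii")
    return fields

def is_healthy(fields: dict) -> bool:
    """True only if the error code and every hardware status byte are 00."""
    return all(fields[name] == "00" for name in STATUS_FIELDS)
```

Feeding the sample frame through `parse_health_response` reproduces the field values in the trace, and flipping any status byte or dropping a trailing byte makes the check fail instead of silently passing.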


With this in place, the same procedure applies for adding more HSMs into the HSM Load Balancer pool. BP-Node then iterates over the available HSMs based on their availability and response times.