Manage Keystore
The API Gateway can use either of the following keystores:

- Software DB: This is a software keystore that is built into every API Gateway database, as a PKCS#12 keystore. The software keystore is always available and will be used unless a hardware keystore is installed. Private keys stored in the software keystore may be exported as PKCS#12 files and then imported into the SafeNet Luna HSM if necessary.
- Hardware, SafeNet Luna SA: This is an optional network-attached HSM that can be accessed by the API Gateway.
The Manage Keystore task is used to enable, disable, or view the status of the SafeNet Luna HSM.

Prerequisite: The SafeNet Luna HSM must be correctly installed and configured, including the JSP on all cluster nodes. Please refer to the setup instructions provided by SafeNet.

WARNING: Switching from one keystore to another will cause the API Gateway to lose access to any private keys stored in the previous keystore. This may cause policies or listen ports to fail. To ensure that you can start the Policy Manager, make sure there is at least one listen port that uses the "Default SSL key."

Fallback to System Default Keystore
If the SafeNet HSM is enabled but the API Gateway is unable to connect to it on startup, the API Gateway will fall back to the software keystore. If fallback occurs, you may need to re-enter the Partition Client PIN with the Policy Manager.
To manage keystores:

- In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
- Click [Manage Keystore] and then enter the API Gateway partition password if prompted. The Manage Keystore dialog is displayed and will show different messages depending on your current configuration. This dialog provides details about the current status of your keystore:

  Current keystore type: Displays the keystore currently being used:
  - SafeNet HSM
  - System default
  - Configured for system default, but using SafeNet HSM: The SafeNet HSM has been disabled but the current API Gateway node has not yet restarted for the system default to take effect.
  - Configured for SafeNet HSM, but using system default: This can indicate one of two things:
    - The SafeNet HSM has been enabled but the current API Gateway node has not yet restarted for the SafeNet HSM to take effect.
    - The API Gateway is configured to use the SafeNet HSM but had to fall back to the system default keystore in order to start the node successfully.
  The system default is the software database.

  SafeNet HSM support: Displays the current status of the SafeNet HSM:
  - Ready to use: The SafeNet HSM is correctly configured.
  - Client software and JSP not installed or not configured: The SafeNet HSM client software and Java Service Provider (JSP) are either not present or incorrectly configured. For information on configuring the SafeNet HSM for use with the API Gateway.

  Disable SafeNet HSM: Available only if a SafeNet HSM is configured and enabled. Disable the SafeNet HSM and revert to using the system default keystore upon API Gateway restart.

  Enable SafeNet HSM: Available only if a SafeNet HSM is configured but not enabled. Enable the SafeNet HSM upon API Gateway restart. This button is also available when the SafeNet HSM is configured and ready to use but is not currently the active keystore. The Connect to SafeNet HSM dialog is displayed. Enter the following information and then click [Connect]:
  - Partition Client PIN: Enter the client PIN for the API Gateway's intended Luna partition. This is required.
  - Override slot number: Optionally select this check box to choose a specific slot number to connect to. This is normally not required, but it may be useful for a Software API Gateway that is running on a machine that has been configured with access to more than one Luna partition. Consult with your SafeNet Luna administrator for details; if unsure, leave the slot number unchanged.

  Restart all API Gateway cluster nodes for the configuration changes to take effect.
- Click [Close] when done.