Understanding the purpose of HSM
A third-party hardware security module (HSM) enables heightened security in cryptographic functions by protecting the cryptographic keys involved, offloading the cryptographic functions for improved performance and security, and assisting in the auditing of the access and use of these keys.
 
If you need to decrypt network traffic, OMS passes the encrypted premaster secret to the HSM. Using the stored private key, the HSM decrypts the premaster secret and passes it back to OMS, which forwards it to the requesting analyzer.
OMS operates with any HSM that supports PKCS #11, a public-key cryptography standard from RSA Laboratories. PKCS #11 uses a software API called Cryptoki (pronounced crypto-key) to facilitate many cryptographic functions in a secure and centralized manner. Complete information about RSA Security Inc. Public-Key Cryptography Standards (PKCS) #11 is available from OASIS.
Using an HSM with OMS also furthers your goal of centralized and secure management. Specifically, having your HSM decrypt premaster secrets ensures these benefits:
HSM-authorized systems managed by OMS are provided access to temporary decryption keys only at the time they are needed.
Users are never given direct access to SSL private keys, so the keys cannot be lost or stolen.
Use of HSM-delivered temporary decryption keys is tracked. Both OMS and Observer log HSM events by default.
Each HSM uses tokens to store and protect data from unwanted viewing. An token is a device that performs encryption and stores keys inside tokens. A key, sometimes called a PIN, provides access to a token so that you can view the encrypted conversations. As you might expect, a public key is available to anyone and can be used to encrypt data. Though the public key is used to encrypt the data, only the corresponding private key is able to decrypt it. Because of the extra access private keys provide, they must be guarded closely, including limiting who has access to OMS.
Assets managed by OMS do not directly use the private key. In fact, users and assets have no knowledge of where the key is or what the key contains. To decrypt an SSL conversation, a user provides the name of the key that is given to the user. In other words, the only thing a user knows about the key is its name and nothing else. The key name can be unique to OMS; it is not necessarily derived from the HSM itself.
OMS uses keys stored locally or in an HSM token. Keys stored locally are hashed. For more security, create the tokens on the HSM device and store the private keys locally on OMS. This, however, can be very expensive due to the cost of an HSM token, which can be quite high.
 
Figure 7: HSM and OMS
 
 
How to configure an HSM Cryptoki client
OMS can interact with a compatible hardware security module (HSM) to request temporary SSL private keys for network traffic decryption.
Prerequisite(s):  
Only HSM platforms that support PKCS #11 (version 2 or later), a public-key cryptography standard from RSA Laboratories, are supported.
OMS must be a client of your HSM platform; therefore, the HSM client DLL must be installed on the OMS system. Consult your HSM vendor's documentation for setup and configuration instructions before continuing. We recommend placing the DLL in C:\OMS\hsmStorage and securing that directory.
Tokens must first be created in the HSM and placed in the HSM client directory on OMS before they can be referenced.
 
By enabling HSM decryption options in OMS, OMS can request a temporary decryption key from your compatible hardware security module. The temporary decryption key can then be used by authorized probes and Observer for decrypting encrypted network traffic—but only on the specific conversation you want to decrypt. This process is currently the only way OMS uses HSM functionality.
To use a hardware security module (HSM) to provide decryption key access to authorized users or systems, complete the following steps:
1. Click Config > HSM.
2. Click the preferences icon .
3. Provide the path to the cryptoki DLL file and click Validate.
Example: C:\OMS\hsmStorage\Cryptoki64.dll
Typically, the DLL is in the installation directory of the HSM client. Only after the Cryptoki DLL is specified can OMS interface with the hardware security module.
This adds the HSM client information for OMS to use. The Configuration Storage section becomes visible.
4. Choose a location.
Disabled: HSM decryption is completely disabled. Assets are prohibited from using HSM facilitated SSL private key retrieval for traffic decryption. Local System: HSM configuration data is stored locally on the OMS appliance. This saves valuable storage space on the hardware security module (by not utilizing said storage) and can make administration of HSM tokens easier in the future. Although secured in hashed data, this option is less secure than storing the configuration directly in an HSM token. HSM Token: HSM configuration data is stored directly in the HSM configuration token. This consumes valuable storage space in the HSM and may make administration of HSM tokens more difficult in the future. If security is of the highest concern, then choose this option.
5. If you chose HSM Token, choose a token.
A list of tokens on the HSM is shown in this field. Select the token that the configuration data shall be stored in.
6. If you chose HSM Token, provide a PIN.
The PIN that allows access to the configuration token. Different HSM vendors have different requirements for the PIN such as length and characters. Consult your HSM documentation for additional information.
7. Click the accept icon .
 
OMS is configured to use the HSM client DLL to validate private keys.
 
 
Next, add an HSM token and private keys.
 
How to add an HSM token
HSM tokens perform encryption and stores keys.
Prerequisite(s):  
The HSM Cryptoki client configured
Tokens added in the HSM
 
1. Click Config > HSM.
2. Click the new icon .
3. Select an available token.
A list of tokens on the HSM is shown in this field. Select the token that the configuration data shall be stored in.
4. Type or paste a PIN.
The PIN that allows access to the configuration token. Different HSM vendors have different requirements for the PIN such as length and characters. Consult your HSM documentation for additional information.
5. Click Accept.
 
The token was added to the Tokens list showing the slot and its description, both of which are read from the token file you selected in step 3. This also enables you to add private keys. If you store your tokens locally, a hashed key was created. If you use an HSM token, the HSM client was updated.
 
 
Next, create a private key.
 
How to add an HSM private key
Private keys unlock a token so that you can view the encrypted conversation.
Prerequisite(s):  
You must have added at least one HSM token.
 
1. Click Config > HSM.
2. Click the new icon .
3. Type a unique name.
Name is an especially important field. Name is a text string that authorized probes and Observer managed by OMS must provide to the SSL decryption dialog to invoke a decryption session on a network conversation. In other words, a name represents the SSL private key associated with it, so it must be provided at the time of decryption.
4. Select an available token.
A list of tokens on the HSM is shown in this field. Select the token that the configuration data shall be stored in.
5. Choose a private key.
RSA private key to use for decryption
6. Adding users is an easy drag-and-drop operation from the Available groups list to the Restrict to groups list.
7. Click Accept.
 
Any user in any group that you add to the Restrict to groups list will be able to decrypt SSL conversations using the private key name from step 3.
 
 
Inform the users of the private key name they should use to decrypt SSL conversations.