SafeNet Data Protection On Demand 1.7

Application Owner Guide

Issue Date: 07 February 2019

Document Part Number: 007-000039-001

Release: 1.7

Product Description

SafeNet Data Protection On Demand is a cloud-based platform that provides on-demand HSM based encryption services through a simple online marketplace. With SafeNet Data Protection On Demand, security is simple, cost effective and easy to manage because there is no hardware to buy, deploy and maintain. Just click and deploy the services you need, provision clients, add devices and get usage reports.

HSM on Demand secures customers' sensitive data and critical applications by storing, protecting and managing cryptographic keys in a high-assurance, tamper-resistant hardware device that offers market-leading performance. End-user keys are protected with a strong encryption and authentication scheme outside the HSM, and are only able to be decrypted inside an authorized HSM. Tenants can be assured that their keys are never available to anyone else, including other tenants and the service provider.

Release Description

Release 1.x is the first GA release of SafeNet Data Protection On Demand, supporting an initial set of features described in the following section.

Features and Enhancements

Features and Enhancements introduced in release 1.7:

>Added the Key Migration Guide to the HSM Client Guides in the Help system. This migration guide now details the process for transferring key material from an Amazon Web Services (AWS) cloud HSM to a DPoD HSM on Demand service.

>Introduced a multi-factor authentication requirement using an authentication application on a mobile device for all users.

>Updated HSM on Demand Service software Integration Guides available in the user documentation.

>Updated the following HSM on Demand service tiles:

HSM on Demand - Set up and access an HSM on Demand service for your organization's cryptographic operations.

HSM on Demand for Digital Signing – Digitally sign software and firmware packages or electronic documents in order to ensure the integrity of the sender.

HSM on Demand for PKI Private Key Protection – Secure private keys belonging to Certificate Authorities responsible for establishing PKI trust hierarchy.

HSMoD for Oracle TDE Database – Ensure that data encryption keys are encrypted with a master key that resides within an HSM.

HSM on Demand for Hyperledger - Bringing trust to blockchain transactions to perform the required crypto operations across the distributed system.

>Added the following HSM on Demand services:

HSM on Demand for CyberArk Digital Vault - Secure CyberArk Digital Vault's top-level encryption key in an HSM.

HSM on Demand for Java Code Signer - Sign Java artifacts using an encryption key generated on an HSM.

HSM on Demand for Microsoft ADCS - Secure your Microsoft Root Certificate Authority (CA) signing key in an HSM.

HSM on Demand for Microsoft Authenticode - Generate and secure your Microsoft Authenticode certificates on an HSM.

HSM on Demand for Microsoft SQL Server - Off-load Microsoft SQL Server cryptographic operations to an HSM.

>For other enhancements, see Resolved Issues.

Features and Enhancements introduced in release 1.6:

>Introduced multi-tier hierarchy:

Service Provider Tenant Accounts can now distribute additional tiers of Service Provider Administrators (up to two). This allows certain Service Provider Tenant Accounts to take on a marketplace operator role.

Reports are now an aggregate of all service usage from all of the Service Provider's tenants and any sub-Service Provider tenants for a specified month.

>Application Owner HSM on Demand services can now support up to fifty 4096-bit RSA key pairs. Longer RSA keys increase the security of cryptographic operations.

>Updated HSM on Demand Service software Integration Guides available in the user documentation.

>Added HSM on Demand service support for Windows Server 2008.

Features and Enhancements introduced in release 1.5:

>Marketplace Management - gives the Tenant Administrator visibility of the available tiles and the ability to configure service availability. This allows the Tenant Admin to restrict the types of services which are available for provisioning by Application Owners in their tenant.

>Migrate keys into DPoD - users can clone from an on-premises Luna device or Luna cloud HSM into an HSM on Demand service. Cloning in HSM on Demand is not supported on services which existed prior to this release.

>API Credential Management - allows API access for Application Owner users. There are two types of API credentials available, platform credentials and service credentials.

Platform credentials scoped to an Application Owner user allow a client to perform tasks via the API that an Application Owner may complete in the GUI.

Service credentials scoped to a DPoD service allow a client to perform service-level tasks via the DPoD API.

>HSM on Demand Service - introduced the Hyperledger HSM on Demand Service tile.

>Application Owner HSM on Demand partitions can now support up to five 4096-bit RSA keys. Longer RSA keys increase the security of cryptographic operations.

>Updated HSM on Demand Service software Integration Guides available in the user documentation.

Features and Enhancements introduced in release 1.4:

>Added support for the DPoD Service Provider.

>Allowed Service Providers to re-skin the DPoD service and brand it for their tenants.

>Increased the manageability of sub-tenants.

>Improved reporting on sub-tenants.

Allowed Operators to include additional details about the tenant hierarchy within tenant usage reports.

Allowed Service Providers to generate a tenant usage report on a single instance or multi-tenancy configuration.

>GUI enhancements and usability improvements, including:

Added ability to view, sort, and edit the Tenants list.

Added ability to view and edit Users details.

>For other enhancements, see Resolved Issues.

Enhancements introduced in release 1.3:

>GUI enhancements and usability improvements, including:

Added ability to search and sort tables.

Added ability to view Tenant Subscriber Group details.

Added ability to edit Tenant Subscriber Group details.

Added HSM client support on additional Windows platforms; see Supported client platforms for HSM on Demand services.

Features introduced in release 1.2:

>Added the Salesforce Key Broker Service, the first Key Management On Demand Service available via DPoD. This feature enables you to create and manage tenant secrets for the Salesforce Shield bring your own key feature. The tenant secret management table enables you to:

View data encryption keys with active, archived, destroyed, and revoked statuses.

Generate new secret using entropy from HSM. DPoD-generated secrets use SafeNet HSMs as a root of trust.

Push HSM generated secret to Salesforce.

Revoke secret from Salesforce.

Upload (recover) Revoked secret.

NOTE   At this time, Data in Salesforce key types are supported. The Search Index type will be supported in a future release.

>Added tracking for service type in service list and usage reports.

>Added a strong password policy for user accounts, in accordance with the latest NIST standards.

>Added session expiry improvements such as decreased session expiry time and a redirect on expiry.

>Added improvements to the reporting feature, including a new report format and usage tracking per service type.

>Added improvements to the subscriber group selection and creation.

>Enhanced security, performance, and usability.

Features introduced in release 1.1.1:

>Implemented Service Creation optimizations to improve performance. Service creation time is now less than 10 seconds.

>Implemented improvements to client deployment so that the procedure is more robust.

>Expanded Cryptographic API support (shown in Compatibility Information).

>Added Certificate Management Utility (CMU) to client archive.

>Added Partition Serial Number display in the UI.

Features introduced in release 1.1:

>Added client OS support for Windows Servers; see section Supported client platforms for HSM on Demand services.

>Added "Monthly Usage Reports" feature for the Tenant Administrator.

Features introduced in release 1.0:

>User based authentication for Tenant Administrator and Application Owner

>Service tiles available:

PKI Private Key Protection – Secure private keys belonging to Certificate Authorities responsible for establishing PKI trust hierarchy.

Key Vault - Set up a certified key vault for applications or integration requirements.

Digital Signing – Verify the author of software and firmware packages or electronic documents in order to ensure the integrity of the sender.

Oracle TDE Database – Ensure that data encryption keys are encrypted with a master key that resides within the HSM for optimal performance and scalability.

>Delete service

>Tenant Admin - user management

>Tenant Admin - subscription group management

>Application Owner - Provision HSM services/clients

>Tenant CLI provisioning for Gemalto

>CLI device management for Gemalto

Advisory Notes

Please take the following into consideration when using this release of DPoD.

Limitations on previously existing HSMoD services.

You cannot download new service clients for a service which existed prior to release 1.5. If you attempt this operation, a message displays indicating that the service version is out of date.

TIP   We recommend downloading a new client following a release to fully benefit from any updates and features.

Compatibility Information

Note that each service has the capacity to store up to 100 symmetric keys or 50 asymmetric key pairs.

Supported client platforms for HSM on Demand services

Client connections for HSM on Demand services are supported on the following platforms:

>Red Hat Enterprise Linux 7 (64-bit).

>Other RHEL variants such as CentOS 7 (64-bit).

>Microsoft Windows Servers with the following prerequisites:

Microsoft Visual C++ 2015 Redistributable Update 3 (https://www.microsoft.com/en-us/download/details.aspx?id=53587)

Universal C Runtime (CRT) (https://support.microsoft.com/en-us/kb/2999226)

Microsoft Visual C++ 2015 Redistributable Update 3 requires Universal C Runtime (CRT) to be installed. Older Windows versions may not have this installed. If it is not installed, you will get a "Setup Failed" error. If this occurs, install the Universal C Runtime in Windows update (https://support.microsoft.com/en-us/kb/2999226) and its prerequisites.

Supported Microsoft Windows platforms:

Windows Server 2008

Windows Server 2012 R2 (64-bit)

Windows Server 2016

Windows 10 (64-bit)

Supported browsers

>Google Chrome

>Mozilla Firefox

>Microsoft Edge

Supported Cryptographic APIs 

>Java 7

>Java 8

>Microsoft CAPI

>Microsoft CNG

>PKCS#11 v. 2.20

Known Issues

This section lists the issues known to exist in the product at the time of release. The following table defines the severity of the issues listed.

Priority | Classification | Definition
C | Critical | No reasonable workaround exists.
H | High | Reasonable workaround exists.
M | Medium | Medium level priority problems.
L | Low | Lowest level priority problems.

List of Known Issues

Issue Severity Synopsis
DPS-2808 M

Problem: When the Service Provider deletes a Tenant, if the deletion fails the Tenant Details page is not accessible.

Workaround: This issue results from attempting to delete a Tenant with active services. To clear this state you must remove the blocking service from the Tenant's Application Owner users.

DPS-2159 M

Problem: When the Service Provider Admin edits a Tenant, the Tenant Admin field displays empty.

Workaround: Refresh the page to display the Admin.

DPS-1418 M

Problem: The trash can icon cannot delete tenants stuck in a pending state.

Workaround: Contact Gemalto Customer Support to remove failed objects from the database.

DPS-782 M

Problem: Creating a user with an invalid character, such as ?, in firstname or lastname returns an error.

Workaround: Do not include invalid characters in the firstname or lastname field when creating a user.

HOD-216 M

Problem: Sometimes when you attempt to delete a service, it remains in the list.

Workaround: Re-try the deletion.

DPS-2494 L

Problem: Non-functional tenants that appear in the "Pending" state in the user interface are included in reports.

Workaround: Ignore the ghost tenant.

DPS-2161 L

Problem: Services with extended ASCII characters in their name do not display properly in reports.

Workaround: Do not include extended ASCII characters in service names.

DPS-783 L

Problem: The DPoD UI allows the input of email addresses that the system email validator cannot verify.

Workaround: Limit user email addresses to 254 characters.

HOD-457 L

Problem: The cmu export command requires the -handle parameter when exporting certificates.

Workaround: Verify the key handle value by executing cmu list, and specify the key handle value when running cmu export. For example: cmu export -handle=<handle_value> -outfile=<output_file_name>

Resolved Issues

This section lists issues fixed in the product at the time of release. The following table defines the severity of the issues listed.

Priority | Classification | Definition
C | Critical | No reasonable workaround exists.
H | High | Reasonable workaround exists.
M | Medium | Medium level priority problems.
L | Low | Lowest level priority problems.

List of Resolved Issues

Issue Severity Synopsis
DPS-2501 H

Problem: The UI does not identify an invalid hostname when creating a tenant, resulting in the user having to repeat the tenant creation process.

Workaround: Resolved in 1.7. The UI now identifies and rejects invalid characters in the hostname.

DPS-2159 M

Problem: When the Service Provider Admin edits a Tenant, the Tenant Admin field displays empty.

Workaround: Resolved in 1.7. The Tenant Admin field no longer displays as empty after editing a Tenant.

DPS-2487 L

Problem: Editing the tenant account name does not update the heading on the login page.

Workaround: Resolved in 1.7.

DPS-2434 L

Problem: Deleting a tenant when the tenant account was accessed using the search box fails.

Workaround: Resolved in 1.7.

Support Contacts

Contact method Contact

Phone

Global +1 410-931-7520
Australia 1800.020.183
India 000.800.100.4290
Netherlands 0800.022.2996
New Zealand 0800.440.359
Portugal 800.863.499
Singapore 800.1302.029
Spain 900.938.717
Sweden 020.791.028
Switzerland 0800.564.849
United Kingdom 0800.056.3158
United States (800) 545-6608
Web https://safenet.gemalto.com
Technical Support Customer Portal https://supportportal.gemalto.com

Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Knowledge Base.