[Cryptech Tech] Firewalls

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jun 2 01:33:37 UTC 2017

Peter Stuge <peter at stuge.se> writes:

>SafeNet Luna SA 5.2.1 or later
>Thales Nshield Connect 11.62 or later"
>"HSM client" has nothing to do with PKCS#11.

Given that the native API for the Luna tokens is PKCS #11, it'd be hard to not
use PKCS #11 for them.  In addition unless the nCipher interface is using JCE
or CryptoAPI, it'll be using PKCS #11 as well.

So you could start with SoftHSM:


and then migrate the functionality into the hardware HSM.  If the PA gear is
hardcoded to only allow the Luna and nCipher devices then you'd have to fake
them via the SoftHSM layer, i.e. return a Luna or nCipher ID string or
whatever it is the PA expects to see.


More information about the Tech mailing list