Set up a Thales HSM record to allow us to use private keys stored in your HSM (Hardware Security Module) via the HSM API. Thales HSM is supported for Unix authenticated scanning. A Unix authentication record is also required.
Go to VM > Scans > Authentication and choose New > HSM. Then choose New > Thales. Provide details about where the private keys are stored in your Thales HSM.
QSAA Id - One or more QSAA appliances have been installed by Qualys in your environment. Choose the appliance you want to use for secure connections with this HSM.
Slot Type - Choose the appropriate slot type where the private keys reside: module, ocs, softcard.
Slot Name - Enter the slot name.
User PIN / Confirm User PIN - Enter the HSM user PIN (HSM token password) when required by the HSM slot that you've selected.
In your Unix authentication record, you'll need to select HSM as the private key mechanism and provide information about the target hosts you want to authenticate to.
What are the steps?
- Go to the Private Keys/Certificates tab in your Unix record and choose "Add Private Key/Certificate".
- Select HSM as the private key mechanism used to fetch the private key.
- Select the Thales HSM Record already created and enter the HSM label (the key name).
How does it work?
A Thales HSM record is where you provide us with the information needed to use private keys via the HSM API. All connections to and from your HSM will go through a Qualys QSAA appliance that has been installed in your environment. At scan time, when logging into a scan target the target may ask the scanner appliance to perform a private key operation as part of the login, e.g. an SSH private key signature. The scanner appliance then contacts the QSAA appliance using an encrypted and authenticated connection and forwards the signature request from the scan target to the QSAA appliance and from there to the HSM. The HSM then performs the private key signing operation on behalf of the scanner appliance and returns the signature result to the scanner appliance, which then forwards it to the scan target, thus completing the login.
Tell me about user permissions
Managers have permission to create/edit authentication records and vault records. Unit Managers must be granted the permission "Create/edit authentication records/vaults" in their user account.