Beyond Insight

General Information

This integration guide for BeyondTrust BeyondInsight was prepared using the software and firmware versions below:

  • Windows Server 2019
  • BeyondInsight 22.2.2.109/22.3.0.1270
  • HSM DINAMO with FW 4.0.28
  • DINAMO CLIENT in version 4.7.33.0

Requirements:

  1. Connectivity with the HSM (TCP port 4433).
  2. HSM client software installed on the BeyondInsight server (see Windows topic).
  3. HSM service started.
  4. Credentials of the HSM partition that will be used by BeyondInsight.

Integration with BeyondInsight using the PKCS#11 library

Configurations in the HSM Client DINAMO

Integration with the application is carried out using the PKCS#11 library (more information in PKCS#11).

  1. Configure the PKCS#11 parameters with the partition credentials on the DINAMO Console (DINAMOcon). On the start screen select: Environment settings.

    HSM console - Dinamocon

  2. On the next screen, select the option: PKCS#11 in the left sidebar, enter the credentials of the partition that will be used by BeyondInsight and click Apply.

    HSM console - Dinamocon

Settings in BeyondInsight

  1. Open the BeyondInsight Configuration tool:

    Start > Apps > eEye Digital Security > BeyondInsight Configuration.

  2. Click Configure HSM Credentials in the right-hand sidebar.

    BeyondInsight Configuration

  3. In the Configure HSM Credentials window, select:

    Edit > Add New HSM Credential.

    HSM Credentials

  4. Enter the HSM settings:

    • 32-bit Driver Path: Usually located in: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\32-bit\tacndp11.dll.

    • 64-bit Driver Path: Usually located in: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\c\tacndp11.dll.

    • Slot: On the DINAMO HSMs there is only one slot. Select: Dinamo HSM (0).

    • Key Name: Key label. Any name can be used as long as it is unique (e.g. keytest).

    • Description: Information about the key.

    • PIN: Password for the partition configured in the previous step.

  5. Click on Save.

Test

To test connectivity with the HSM, click Test Active Credential in the Configure HSM Credentials window. A success message will be displayed if the connection was successful.

HSM Connected

You can monitor the HSM session opened by the BeyondInsight service, as well as the use of the symmetric key, with the log monitoring tool in the remote console (hsmcon).

Dinamo - Remote Management Console v. 4.7.33.0 2018 (c) Dinamo Networks

HSM 10.61.53.64 e - Engine 5.0.28.0 (DST) - TCA0000000 - ID master

HSM - Logs - Follow

Press Control+C to exit...


2022/10/17 20:34:35 0000C42C 000B3E0D EDC1CCA3 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:35 0000C42D 000B3E10 CDEF55B7 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:35 0000C42D 000B3E11 000A3309 session thread down [4]|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:42 0000C42E 000B3E12 000A3309 session thread up [5]
2022/10/17 20:34:42 0000C42E 000B3E13 FAED60C4 10.61.53.205 auth try, c: 39, tls: y, 5|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:42 0000C42E 000B3E14 FAED60C4 beyondtrust auth init, c: 39|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:34:42 0000C42E 000B3E15 FAED60C4 beyondtrust auth ok, 10.61.53.205, 5|10.61.53.205 10.61.53.64:4433 -
                                               ^^^^^^^^^^^
2022/10/17 20:34:46 0000C42E 000B3E17 FAED60C4 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:35:10 0000C423 000B3E2F 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
                                                      ^^^^^^^^^^^ ^^^^^^^^^^^^^^
2022/10/17 20:35:10 0000C423 000B3E30 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:35:10 0000C423 000B3E31 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 02, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:36:49 0000C423 000B3E4B 02C2DA21 e-conn: 10.61.53.205|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:36:49 0000C423 000B3E4C 000A3309 session thread down [4]|10.61.53.205 10.61.53.64:4433 beyondtrust
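
The same check can be scripted over a saved copy of this log. The following is an added example, not part of the original guide or of the DINAMO tooling: it extracts successful logins and symmetric-key uses and flags any that come from a client outside an allow-list. The line layout is inferred from the excerpt above, and the names audit, allowed_clients and ROGUE are hypothetical.

```python
import re
from collections import Counter

# Layout inferred from the hsmcon sample on this page (an assumption, not a
# documented format): date time, three hex columns, message, then
# "|client_ip hsm_ip:port user", where user is "-" before authentication.
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?:[0-9A-F]{8} ){3}"
    r"(?P<msg>[^|]*?)(?:\|(?P<client>\S+) (?P<hsm>\S+) (?P<user>\S+))?\s*$")
AUTH_OK = re.compile(r"^(?P<user>\S+) auth ok, (?P<ip>[\d.]+)")
F_SYM = re.compile(r"^f-sym: (?P<user>[^/\s]+)/(?P<key>[^,\s]+),")

def audit(lines, allowed_clients):
    """Return (logins, key_uses, alerts) for an iterable of hsmcon log lines."""
    logins, key_uses, alerts = [], Counter(), []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner text, caret markers, blank lines
        msg, client = m["msg"], m["client"]
        if (a := AUTH_OK.match(msg)):
            logins.append((m["ts"], a["user"], a["ip"]))
            src = a["ip"]
        elif (k := F_SYM.match(msg)):
            key_uses[(k["user"], k["key"])] += 1
            src = client
        else:
            continue  # connection and thread events are not audited here
        if src not in allowed_clients:
            alerts.append((m["ts"], src, msg))
    return logins, key_uses, alerts

# Lines copied from the log excerpt on this page.
SAMPLE = """\
2022/10/17 20:34:42 0000C42E 000B3E12 000A3309 session thread up [5]
2022/10/17 20:34:42 0000C42E 000B3E15 FAED60C4 beyondtrust auth ok, 10.61.53.205, 5|10.61.53.205 10.61.53.64:4433 -
2022/10/17 20:35:10 0000C423 000B3E2F 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
2022/10/17 20:35:10 0000C423 000B3E31 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 02, 0010, 0160|10.61.53.205 10.61.53.64:4433 beyondtrust
""".splitlines()

# Constructed line (not from the page): same key used from another client IP.
ROGUE = "2022/10/17 21:00:00 0000C430 000B3E50 02C2DA21 f-sym: beyondtrust/518bf6106ecefb, 82, 0010, 0160|10.61.53.99 10.61.53.64:4433 beyondtrust"

if __name__ == "__main__":
    logins, key_uses, alerts = audit(SAMPLE + [ROGUE], {"10.61.53.205"})
    print(logins, dict(key_uses), alerts, sep="\n")
```
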

128-bit AES key generated by BeyondInsight in the HSM:

Dinamo - Remote Management Console v. 4.7.33.125 2018 (c) Dinamo Networks

HSM 10.61.53.64 e - Engine 5.0.28.0 (DST) - TCA0000000 - ID beyondtrust

Keys/Objects - List


Name Type T E Label
================================================================================
518bf6106ecefb aes128 n n keytest
^^^^^^^^^^^^^^

Total of objects: 1

Press ENTER key to continue...

For more details on integration with HSM, see the BeyondInsight website.