Configuring the TPM on SNS firewalls
This chapter explains the configuration of the TPM on an SNS firewall.
Initializing the TPM
This section includes procedures to initialize the TPM on an SNS firewall or TPMs in a high availability (HA) cluster.
NOTE
The initialization of the TPM does not automatically activate the protection of private keys in the firewall's certificates. To protect them, refer to the chapter Protecting private keys in SNS firewall certificates.
Initializing the TPM on SNS firewalls
From the web administration interface
This use case is exclusive to SNS 4.3 LTSB versions and SNS 4.7 and higher versions.
- Go to Configuration > Objects > Certificates and PKI.
- In the TPM initialization window, set a TPM administration password. The password must comply with the password policy set on the firewall. Keep the TPM password in a safe and protected location.
If the window does not appear, check whether the TPM has already been initialized. Initialize the TPM from the CLI console if required.
- Click on Apply.
If the firewall is part of a high availability cluster, the mechanism that derives the symmetric key will automatically be enabled.
From the CLI console
Run the following command:
SYSTEM TPM INIT tpmpassword=<password> derivekey=<on|off>
- Replace <password> with the desired TPM administration password. The password must comply with the password policy set on the firewall. Keep the TPM password in a safe and protected location.
- If the firewall is part of a high availability cluster:
  - Enter derivekey=on in the SYSTEM TPM INIT command,
  - Then initialize the TPM on the passive firewall by running the following command:
HA TPMSYNC tpmpassword=<password>
Initializing TPMs in a high availability (HA) cluster
If the cluster has already been created
Initialize the TPM on the active firewall and on the passive firewall by following the procedures above (SYSTEM TPM INIT with derivekey=on on the active firewall, then HA TPMSYNC on the passive firewall).
If the cluster has not yet been created
There are two possibilities, depending on whether the TPM has already been initialized on the firewalls in the cluster.
The TPM has not yet been initialized on the firewalls in the cluster
- Configure the cluster (create the cluster and integrate the second firewall).
- Initialize the TPM on the active firewall and on the passive firewall by following the procedures above (SYSTEM TPM INIT with derivekey=on on the active firewall, then HA TPMSYNC on the passive firewall).
The TPM is already initialized on the future active firewall in the cluster
- Configure the cluster (create the cluster and integrate the second firewall).
- Renew the symmetric key on the active firewall by running the following command in a CLI console:
SYSTEM TPM RENEW tpmpassword=<password> derivekey=on
  - Replace <password> with the TPM password,
  - As the firewall is part of a cluster, enter derivekey=on.
All TPM-protected private keys of certificates are decrypted then re-encrypted with the new symmetric key derived from the TPM password.
- Initialize the TPM on the passive firewall by running the following command:
HA TPMSYNC tpmpassword=<password>
Checking whether the TPM is initialized
From the web administration interface
This use case is exclusive to SNS 4.7 and higher versions.
- Go to Monitoring > Dashboard.
- In the Health indicators widget, check the status of the TPM:
  - A status shown in green indicates that the TPM is initialized and functioning,
  - A status shown in orange indicates that either the TPM has not been initialized or automatic backups of the firewall configuration are not protected by a password,
  - A status shown in red indicates that pings to the TPM do not function (for example, when the TPM no longer responds),
  - If the status of the TPM does not appear (icon not displayed), the firewall is not equipped with a TPM.
From the CLI console
Run the following command:
SYSTEM PROPERTY
In the output, TpmInit=1 indicates that the TPM is initialized.
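The two checks a practitioner wants to script around the procedures above are reading TpmInit from the SYSTEM PROPERTY output and choosing the right command sequence for a cluster member (INIT with derivekey=on when the TPM is fresh, RENEW when it was already initialized before the cluster was built, then HA TPMSYNC on the passive member). The POSIX shell functions below are an added example and are not Stormshield code: the SYSTEM PROPERTY sample is constructed and shows only the TpmInit line, the command output is assumed to have been captured to a variable (for example over an SSH session to the firewall), and the in-cluster flag is passed in by the operator rather than read from the firewall.

```shell
#!/bin/sh
# Added example, not Stormshield code. Assumes the text output of the SNS
# command SYSTEM PROPERTY has been captured into a variable (key=value,
# one per line). Only the TpmInit key is looked at.

# Constructed sample of SYSTEM PROPERTY output (other keys omitted).
SAMPLE_TPM_ON='TpmInit=1'
SAMPLE_TPM_OFF='TpmInit=0'

# tpm_initialized "<SYSTEM PROPERTY output>"
# Prints 1 when the output contains exactly TpmInit=1, otherwise 0.
# Anything other than an explicit TpmInit=1 is treated as not initialized.
tpm_initialized() {
    if printf '%s\n' "$1" | grep -q '^TpmInit=1$'; then
        echo 1
    else
        echo 0
    fi
}

# tpm_plan <in_cluster: yes|no> <tpm_initialized: 0|1>
# Prints the ordered commands to run, prefixed with the node they run on.
# The <password> placeholder is printed literally: the real TPM password
# is typed interactively, never stored in a script.
tpm_plan() {
    in_cluster=$1
    initialized=$2
    if [ "$in_cluster" = no ]; then
        # Standalone firewall: no derived key needed.
        echo 'local: SYSTEM TPM INIT tpmpassword=<password> derivekey=off'
        return 0
    fi
    if [ "$initialized" = 1 ]; then
        # TPM was initialized before the cluster existed: re-derive the
        # symmetric key from the password so the passive member can sync.
        echo 'active: SYSTEM TPM RENEW tpmpassword=<password> derivekey=on'
    else
        echo 'active: SYSTEM TPM INIT tpmpassword=<password> derivekey=on'
    fi
    # In both cluster cases the passive member is initialized by sync.
    echo 'passive: HA TPMSYNC tpmpassword=<password>'
}

# Stand-alone usage: decide the plan from the captured property output.
state=$(tpm_initialized "$SAMPLE_TPM_ON")
tpm_plan yes "$state"
```

The plan is printed rather than executed on purpose: each command must be run on the named node, and the TPM password is entered by hand at that point.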
Managing the TPM password
Changing the TPM password
Run the following command in a CLI console:
SYSTEM TPM CHANGE currentpassword=<current_password> newpassword=<new_password>
- Replace <current_password> with the current TPM password,
- Replace <new_password> with the new TPM password. The password must comply with the password policy set on the firewall. Keep the TPM password in a safe and protected location.
If you have forgotten the TPM password
The TPM password cannot be recovered or reset without the current password. If you cannot remember the TPM password, you can reset the TPM on the firewall as a last resort.
Do note that by resetting the TPM, you will not be able to recover the private keys of certificates encrypted by it. You will need to import the certificates in question again on the firewall and protect their private keys again.
To reset the TPM, refer to the instructions in the Stormshield knowledge base article "I've lost my TPM password, how can I reset it?".
Disabling the TPM
Run the following command in a CLI console:
SYSTEM TPM RESET tpmpassword=<password> force=<on|off>
- Replace <password> with the TPM password,
- Enter force=on if private keys in certificates are protected by the TPM and you wish to disable it anyway. The protected private keys will then be decrypted and are no longer protected by the TPM.