background image

CHAPTER 3

HSM Initialization

To initialize an HSM is to prepare it for operation, under the control of an HSM Admin.

Choose instructions for the type of HSM that you own:

"

About Initializing a Password Authenticated HSM

"

"

About Initializing a PED Authenticated HSM

"

Which kind do I have?

Luna SA HSMs are shipped from the factory as one or the other type. This is not a field-changeable setting. If you are
not sure which kind you have, verify the type of HSM with the

hsm displayLicenses

command. You can run that

command from the Luna shell (logged in as appliance admin). The hsm displayLicences command is one of several
non-sensitive HSM commands that does not require HSM authentication. The output lists the configuration packages
(additions to the basic build) that make up your Luna SA. Look for the term

FIPS3

appearing in that list to indicate that

your Luna SA is PED Authenticated (uses the Trusted Path) - otherwise, your HSM is Password Authenticated.

What if I make a mistake?

No harm. Offering the wrong kind of authentication is not harmful - the only result is a brief delay. However, offering the
wrong authentication of the correct type starts the counter for "bad login" attempts. The following paragraphs offer a
little more detail.

As a general rule, when you attempt to login to the HSM or to issue any command that requires authentication, the
lunash command-line prompts you for the needed authentication. If yours is a Password Authenticated HSM, you are
asked for the password, and the command eventually times out if the password is not given. (Of course, if you provide a
wrong password, that is applied against the count of bad login attempts. However, connecting a PED and offering a
PED Key to a Password Authenticated HSM has no effect; it is ignored.)

If yours is a PED Authenticated (Trusted Path) HSM, the prompt asks you to attend to the PED for further instructions.
If a PED is not connected and/or you don't supply the appropriate PED Keys and keypad actions, the command
eventually times out. (If you do have a PED connected and supply the wrong PED Key [of the type requested], then
that action is applied against the count of bad login attempts. However, if you mistakenly provide a password [at the
command-line] for a PED Authenticated Luna HSM, that password is ignored and the bad-login-attempt count is not
incremented.)

In either case, just wait for the timeout (a few minutes) to conclude, then begin again, using the correct authentication
method.

Note:

We recommend that you read through the pages in the Configuration section of this help

at least once in advance of starting the procedure, so that you can resolve any questions before
beginning any time-limited operations. For a Password Authenticated Luna HSM, you should
have passwords already determined according to your organization's security policies. For a
PED Authenticated Luna HSM, you should have a Luna PED connected, and an appropriate
set of PED Keys available.

Luna SA Configuration Guide

Release 5.4.1 007-011136-007Rev C July 2014 Copyright 2014 SafeNet, Inc.   All rights reserved.

42

Summary of Contents for Luna SA

Page 1: ...Luna SA Configuration Guide ...

Page 2: ...ims any implied warranties of merchantability or fitness for any particular purpose Furthermore SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes We have attempted to make these documents complete accurate and useful but we cannot...

Page 3: ...omain and the Red Domain PED Key 18 Partition Owner User and the black PED Key 18 Remote PED Orange PED Key RPK 19 Auditor 19 Secure Recovery Purple PED Key SRK 20 Other Considerations 20 Luna PED Planning 20 What each PED prompt means 21 HSM Initialization and the Blue SO PED Key 22 HSM Cloning Domain and the Red Domain PED Key 23 Partition Owner User and the black PED Key 23 Remote PED Orange PE...

Page 4: ...g a Partition on the HSM 72 Prepare to Create a Partition Password Authenticated 72 About HSM Partitions on the Initialized HSM 72 Create the Partition PW 73 Partition creation audit log entry 74 Next steps 74 Prepare to Create a Partition PED Authenticated 75 About HSM Partitions on the Initialized HSM 75 Create Initialize the Partition PED Authenticated 76 Partition creation audit log entry 84 R...

Page 5: ... Export a Client Cert to an HSM Appliance UNIX 104 Register the Client Certificate to an HSM Server 105 How Many Clients 106 Register VM Clients 106 What s the Next Step 106 CHAPTER 8 Assign a Client to an HSM Partition 107 Assign a Client to a Partition 107 Verify Your Setup 107 Client Connection Limits 108 Applications and Integrations 108 CHAPTER 9 Optional Configuration Tasks 109 Luna SA Confi...

Page 6: ...onventions on page 7 Support Contacts on page 8 For information regarding the document status and revision history see Document Information on page 2 Customer release notes The customer release notes CRN provide important information about this release that is not included in the customer documentation Read the CRN to fully understand the capabilities limitations and known issues for this release ...

Page 7: ... that may help prevent unexpected results or data loss Warnings Warnings are used to alert you to the potential for catastrophic data loss or personal injury They use the following format WARNING Be extremely careful and obey all safety and security measures In this situation you might do something that could result in catastrophic data loss or personal injury Command syntax and typeface conventio...

Page 8: ...sired Choices are separated by vertical OR bars Support Contacts If you encounter a problem while installing registering or operating this product please ensure that you have read the documentation If you cannot resolve the issue please contact your supplier or SafeNet support SafeNet support operates 24 hours a day 7 days a week Your level of access to this service is governed by the support plan...

Page 9: ...al Support Portal https serviceportal safenet inc com Existing customers with a Customer Connection Center account or a Service Portal account can log in to manage incidents get the latest software upgrades and access the SafeNet Knowledge Base Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 9 ...

Page 10: ...onitor disabled until you enable default password PASSWORD Those three built in accounts can be neither created nor destroyed but admin can enable or disable the other two as needed You can leave that arrangement as is or you can create additional users with names of your own choice and assign them any of the roles and the powers that go with those roles The default password of any created user is...

Page 11: ...p and Restore of User Profiles The commands sysconf config backup and sysconf config restore allow you to store a snapshot of the administrative user database the names and status of all named Luna Shell users that can later be restored if desired CAUTION Restoring from backup restores the database of user profiles that existed before the backup was made This includes the set of users that existed...

Page 12: ... HSM follows the standard Cryptoki model appliance admin This is the basic administrative access to the a Luna HSM appliance When you connect via ssh putty exe or other ssh utility the Luna HSM presents the login as prompt The only ID that is accepted is admin You must be logged in as the appliance admin before you can access further authentication layers such as HSM Admin Partition Owner Crypto O...

Page 13: ...cess the lunash command shell Note Therefore in both access control models a Client with the Password can connect and perform object generation and deletion and can use objects sign verify encrypt decrypt but they cannot perform Partition management operations unless they can also login to Luna Shell lunash as admin Client A Client is a working or production user of one or more Luna SA HSM Partiti...

Page 14: ...generate and manipulate cryptographic objects in the Partition Crypto User or restricted Client user Read only If the Partition has been readied for access by the black PED Key a Client can connect with a Client application authenticating with the Crypto User Password a challenge secret generated on command by the Luna PED similar to the Crypto Officer or Partition Owner Password that is generated...

Page 15: ...PED Key or it can be split by the MofN feature over several red keys which are then distributed among trusted personnel such that no single person is able to provide the cloning domain without oversight from other trusted personnel In scenarios where multiple HSM partitions are in use it can be useful to segregate those partitions according to department or business unit or according to function g...

Page 16: ...he Yes or do reuse option The decision is do you wish this HSM to be accessed by the same secret that accesses this function role on one or more other HSMs Or do you wish this HSM to have a new unique secret that is recognized by no previous HSM Sometimes it is advantageous to have a single secret for a group of HSMs managed by a single person Sometimes security or operational rules require that e...

Page 17: ...ies of that secret or if you need to make more The more you make the more you must track But you must have enough to satisfy your organization s operational and security protocols The above paragraphs explain the meanings of each of the prompts that you would see from Luna PED while performing an action like initialization that imprints PED Keys with secrets The following sections discuss some imp...

Page 18: ... below HSM Cloning Domain and the Red Domain PED Key All the points options decisions listed above for the SO key apply equally to the Cloning domain key with two exceptions First you MUST apply the same red key Cloning Domain secret to every HSM that is to clone objects to from each other participate in an HA group synchronization uses cloning backup restore By maintaining close control of the re...

Page 19: ...fundamental activity like initializing an HSM or creating a partition Instead if you don t expect to use the Remote PED option you never need to create an orange PED Key If you do have a Remote capable Luna PED and want to use it for remote authentication rather than always having the PED locally connected to the HSM then the HSM and the PED that is remotely hosted must share a Remote PED Vector R...

Page 20: ...ey or outdated secret to be overwritten by a unique new Secure Recovery Vector generated by the HSM Other Considerations In each case have your materials and notes about your previously made decisions on hand before you launch a command that invokes key creation or imprinting Predetermine which of your personnel will have access to which PED Keys how many people should be required to perform a giv...

Page 21: ...le the full secret and authenticate that role You invoke M of N by providing the M value and the N value using the PED Keypad when prompted You refuse M of N by setting the M value and the N value both to 1 M of N is the more secure choice when you require multiple persons to be present with their splits of the role secret in order to access that role and perform its functions No M of N is the mor...

Page 22: ...ture HSMs to be administered by that person or role job in your organization would accept that secret from a provided blue PED Key rather than creating their own unique SO PED Keys In that situation you would choose to Reuse an existing keyset when initializing every HSM after the first one Alternatively you might have a very compartmentalized organization where a separate individual must have adm...

Page 23: ...use or blank or outdated secret to be overwritten by a unique cloning domain secret generated by the HSM Partition Owner User and the black PED Key All the points listed above for the SO key apply equally to the black PED Key when an HSM partition is created The black PED Key Partition Owner User secret secures the HSM partition to which it is applied and all contents of the partition The black PE...

Page 24: ...ck PED keys with the same questions choices for you to make about reuse or a fresh new secret about M of N about duplicates etc Before you begin the PED vector init process have your orange PED Keys ready either with an existing RPV secret to reuse or blank or outdated secret to be overwritten by a unique new RPV secret generated by the HSM The first time you set an RPV for an HSM the PED must be ...

Page 25: ...sions on hand before you launch a command that invokes key creation or imprinting Predetermine which of your personnel will have access to which PED Keys how many people should be required to perform a given authentication action whether they will carry their PED Key s or will need to retrieve them from a secure lockup for each occasion that they are used how many backup sets you expect to maintai...

Page 26: ...ck panel closest to the power supply and is labeled 1 DNS Entries Ensure that you have configured your DNS Server s with the correct entries for the appliance and the client If you are using DHCP then all references to the Client and the HSM appliance as in Certificates should use hostnames Client Requirements If you are using a client workstation with Linux or UNIX then SSH secure shell and the s...

Page 27: ...na appliance See http www cisco com warp public 473 12 html bkg for some descriptions of Cisco switches If the switch is configured to run the Spanning Tree Protocol on the port which appears to be the default configuration at least for Cisco switches then there is a delay of about 30 seconds while it runs through a series of discovery commands and waits for responses The switches can be configure...

Page 28: ...he HSM appliance begins to power up If the appliance was deliberately powered down using the START STOP switch or the poweroff command then it should remain off until you press the START STOP switch However if power was removed while the system was on either a power failure or the power cable was disconnected not good practice then the system should restart without a button press This behavior all...

Page 29: ... test activity Power Off To power off the HSM appliance locally press and release the START STOP switch Do not hold it in The HSM appliance then performs an orderly shutdown that is it closes the file system and shuts down services in proper order for the next startup This takes approximately 30 seconds to complete In the unlikely event that the system freezes and does not respond to a momentary S...

Page 30: ...l or a PC for example a laptop that will serve as the administration computer Note A standard null modem serial cable with DB9 connectors is included with the HSM appliance as is a USB to serial adapter if needed For security reasons the USB port on the Luna SA appliance recognizes only SafeNet HSMs and peripheral devices therefore it is prohibited from supporting general USB operations and thus d...

Page 31: ...e Interface with the lunash prompt is independent of the platform Linux Windows Solaris HP UX or AIX that you used to connect however we assume that most lab server rooms have a Linux or Windows PC available Password defaults Admin appliance default password PASSWORD via local serial link or via SSH Operator appliance default password PASSWORD via local serial link or via SSH Monitor appliance def...

Page 32: ... appliance and its HSM from vulnerabilities due to weak passwords new passwords must be at least eight characters in length and must include characters from at least three of the following four groups lowercase alphabetic abcd xyz uppercase alphabetic ABCD XYZ numeric 0123456789 special non alphanumeric _ Note You must login within two minutes of opening an administration session or the connection...

Page 33: ... Date and Time Before proceeding with HSM and HSM Partition setup ensure that the HSM Server s system date time and timezone are appropriate for your network Setting correct system time is important because the next step is to generate your own server certificate The certificate becomes valid at the time of its creation which is recorded as part of the certificate as a GMT value If your local time...

Page 34: ...d by the minor name The code that you must apply from the list in the appendix may not look exactly like the code displayed by status date For example status date shows EDT i e Eastern Daylight Time but to set that you must type EST5EDT or Canada Eastern or America Montreal a number of values produce the same setting 3 Use sysconf time to set the system time and date HH MM YYYYMMDD in the format s...

Page 35: ...en you might wish to use the system s clock drift correction protocol See Correcting Time Drift on page 1 in the Appliance Administration Guide for further information Go to Configure IP and Network Parameters on page 35 Configure IP and Network Parameters The HSM appliance is pre configured with network settings left over from our manufacturing process and not recommended for your production netw...

Page 36: ...e of the network domain in which the HSM Server appliance is to operate lunash net domain safenet inc com 4 Use network dns add nameserver to set the Nameserver IP Address address for the local name server lunash net dns add nameserver 192 168 1 3 substitute an appropriate address for the example ask your Network Administrator Note Your network could have multiple DNS name servers Repeat this step...

Page 37: ...onfigure it specifically to a test network e g network interface device eth1 ip 192 168 1 254 netmask 255 255 255 0 so that it does not affect the behavior of other Luna features e g remote PED Note If either interface is configured to use DHCP then the DNS parameters are overwritten for the entire HSM appliance It is not possible to have manual settings preserved for one interface while DHCP deri...

Page 38: ...SM appliance by hostname and by IP address from the Client Repeat for each Client where the Client Software was installed OPTIONAL Once you know your network setup is correct you can invoke network time protocol To use NTP you must add one or more servers to the HSM appliance s NTP server list and then activate enable the servers Use the sysconf ntp command as follows Add servers lunash sysconf nt...

Page 39: ...em time which would be unwelcome in your system logging When your connection is working got to Generate a New HSM Server Certificate on page 39 Generate a New HSM Server Certificate Although your HSM appliance came with a server certificate good security practice dictates that you should generate a new one 1 Use sysconf regenCert to generate a new Server Certificate lunash sysconf regenCert WARNIN...

Page 40: ... the Network Trust Link Service From the factory the network trust link service NTLS is bound to the loopback device by default In order to use the appliance on your network you must bind the NTLS to one of the two Ethernet ports ETH0 or ETH1 or to a hostname or IP address You can use the ntls show command to see current status 2 Use ntls bind to bind the service luna23 lunash ntls bind eth0 Succe...

Page 41: ...s in these pages as part of setting up a new HSM appliance then the next step is to initialize the HSM on your Luna SA appliance Those instructions can be found in the HSM Configuration section Choose one of the following links according to the type of HSM appliance that you have Initializing a Password Authenticated HSM on page 44 Initializing a PED Authenticated HSM on page 48 Luna SA Configurat...

Page 42: ...sword Authenticated HSM you are asked for the password and the command eventually times out if the password is not given Of course if you provide a wrong password that is applied against the count of bad login attempts However connecting a PED and offering a PED Key to a Password Authenticated HSM has no effect it is ignored If yours is a PED Authenticated Trusted Path HSM the prompt asks you to a...

Page 43: ...hould have received a PED and PED Keys along with the HSM appliance If you have other PED Authenticated units at your location then you can use a PED from one of them Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 43 ...

Page 44: ...ference See hsm init on page 1 in the Lunash Command Reference For an HSM with Password Authentication you need to provide a label password and cloning domain The only one that you should type at the command line is the label The password and cloning domain can be typed at the command line but this makes them visible to anyone who can see the computer screen or to anyone who later scrolls back in ...

Page 45: ...ow proceed hsm init successful When activity is complete lunash displays a success message You have initialized the HSM and created an HSM Admin identity which is an additional capability set overlaid on the HSM appliance administrator identity Appliance admin alone can use lunash to perform some administrator operations on the HSM server such as network configuration but cannot access the HSM wit...

Page 46: ...u have not used Luna HSMs and PED Keys before please read the sub section Managing PED Keys in the Administration Guide before you start initializing Once you have initialized an HSM you would return to this section only to clear an entire HSM and all its contents and HSM Partitions by re initializing If you received your Luna HSM in Secure Transport Mode then a preliminary step is required before...

Page 47: ...lit enabled yes SRK resplit1 required no Hardware tampered no Transport mode yes Command Result No Error lunash Recover the srk with the command lunash hsm srk transportMode recover Refer to the Luna PED and follow the prompts to insert the purple PED Key enter responses on the PED keypad etc During the process a validation string is shown You should have received your HSM s validation string by s...

Page 48: ...M to Secure Transport Mode before placing it into storage or before shipping to your organization s remote location or before shipping to your customer offering them the same Secure Shipping option as is available from SafeNet If you have just received an HSM from SafeNet in Secure Transport Mode and recovered from STM your next step should be to initialize the HSM Go to Initializing a PED Authent...

Page 49: ...tory Reset mode ensuring that when you receive it it does not contain left over objects and settings from factory burn in and final test Depending on the options that you chose when ordering your Luna SA HSM might also arrive in Secure Transport Mode If the HSM is in Factory Reset mode only then it is ready to be initialized by you If the HSM is also in Secure Transport Mode then you must run the ...

Page 50: ...any of Factory reset by command The Decommission button being pressed The HSM detecting 3 bad login attempts on the SO account This renders any HSM contents unrecoverable At the factory we would have created only unimportant test objects on the HSM if you have previously had the HSM in service and then either decommissioned it or performed hsm factoryreset your valid objects and keys are similarly...

Page 51: ...tialize the HSM or quit to quit now Please attend to the PED Note Respond promptly to avoid PED timeout Error At this time the PED becomes active and begins prompting you for PED Keys and other responses For security reasons this sequence has a time out which is the maximum permitted duration after which an error is generated and the process stops If you allow the process to time out you must re i...

Page 52: ...r onto one that contains old unwanted authentication Luna PED asks you to set M of N values If you say YES you indicate that you have a PED Key or set of PED Keys from another HSM and you wish your current new HSM to share the authentication with that other HSM Authentication will be read from the PED Key that you present and imprinted onto the current HSM and Luna SA Configuration Guide Release 5...

Page 53: ...ccess control no single person can access the HSM without cooperation of other holders Luna PED now asks you to provide the appropriate PED Key a fresh blank key or a previously used key that you intend to overwrite or a previously used key that you intend to preserve and share with this HSM Insert a blue HSM Admin SO PED key of course the PED Key is generically black we suggest that you apply the...

Page 54: ...ED Key that contains authentication secret for another HSM then this PED Key will no longer be able to access the other HSM only the new HSM that you are currently initializing with a new unique authentication secret therefore YES means yes destroy the contents on the key and create new authentication information in its place be sure that this is what you wish to do This will be matched on the Lun...

Page 55: ... of a multi digit PIN code that must always be supplied along with the PED Key for all future HSM access attempts Type a numeric password on the PED keypad if you wish Otherwise just press Enter twice to indicate that no PED PIN is desired Luna PED imprints the PED Key or the HSM or both as appropriate and then prompts the final question for this key Luna SA Configuration Guide Release 5 4 1 007 0...

Page 56: ...should always have backups of your imprinted PED Keys to guard against loss or damage To begin imprinting a Cloning Domain red PED Key you must first log into the HSM so in this case you can simply leave the blue PED Key in place Luna PED passes the authentication along to the HSM and then asks the first question toward imprinting a cloning domain Luna SA Configuration Guide Release 5 4 1 007 0111...

Page 57: ...ed then answer NO Luna PED prompts for values of M and N If you have another HSM and wish that HSM and the current HSM to share their cloning Domain then you must answer YES In that case Luna PED does not prompt for M and N Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 57 ...

Page 58: ...ain PED Key Insert a red HSM Cloning Domain PED key of course the PED Key is generically black we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting and press Enter Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 58 ...

Page 59: ...PTER 3 HSM Initialization OR Just as with the blue SO PED Key the next message is Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 59 ...

Page 60: ...wish to overwrite whatever is or is not on the currently inserted key with a Cloning Domain generated by the PED the PED asks And finally Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 60 ...

Page 61: ...022 Firmware 6 2 1 Hardware Model Luna K6 Authentication Method PED keys HSM Admin login status Logged In HSM Admin login attempts left 3 before HSM zeroization RPV Initialized Yes Manually Zeroized No Partitions created on HSM FIPS 140 2 Operation The HSM is NOT in FIPS 140 2 approved operation mode HSM Storage Information Maximum HSM Storage Space Bytes 2097152 Space In Use Bytes 0 Free Space Le...

Page 62: ...ected Luna PED demands the first SO HSM Admin PED Key Insert the Blue PED Key This table below summarizes the steps involving Luna PED immediately after you invoke the command hsm init The first column is the simplest and most like what you would encounter the very first time you initialize using fresh from the carton iKey PED Keys The next two columns of the table show some differences if you are...

Page 63: ... the questions are more important since the keys to be overwritten already have material on them SLOT 01 SETTING SO PIN Insert a SO HSM Admin PED Key Press ENTER SLOT 01 SETTING SO PIN Insert a SO HSM Admin PED Key Press ENTER Slot 01 SETTING SO PIN Insert a SO HSM Admin PED Key Press ENTER This PED Key is blank Overwrite YES NO Warning This PED Key is for SO HSM Admin Overwrite YES NO Warning Thi...

Page 64: ...have just the one key with that secret don t lose it Same as in first column Same as in first column Login SO HSM Admin Insert a SO HSM Admin PED Key Press ENTER Login SO HSM Admin Insert a SO HSM Admin PED Key Press ENTER Login SO HSM Admin Insert a SO HSM Admin PED Key Press ENTER Having created imprinted the HSM Admin or SO secret the HSM now requires you to login in order to go further This is...

Page 65: ...it correctly In future every time you are required to present that PED Key you must also enter the PED PIN on the PED keypad if you created a PED PIN at initialization time then you must provide that exact PED PIN along with the PED Key in order to gain access to the HSM If you did not create a PED PIN when you initialized then just press Enter at the PED prompt when you insert the requested PED K...

Page 66: ... If the domain data on the key should be preserved as valid and recorded on the current HSM or token What to do This allows the PED Key to work with both the previous and the current HSM or token that is they will all share the same cloning backup domain Therefore to preserve the existing domain answer YES to reuse an existing keyset OR b If the domain data that was found on the red key must be ov...

Page 67: ...nment Refer to the instructions for your HSM authentication type Set HSM Policies Password Authentication on page 67 Set HSM Policies PED Trusted Path Authentication on page 69 Set HSM Policies Password Authentication Set any of the alterable policies that are to apply to the HSM Note Capability vs Policy Interaction Capabilities identify the purchased features of the product and are set at time o...

Page 68: ...will zeroize erase completely the entire HSM Description Value Code Destructive Allow masking On 6 Yes Allow cloning On 7 Yes Allow non FIPS algorithms On 12 Yes SO can reset partition PIN On 15 Yes Allow network replication On 16 No Allow Remote Authentication On 20 Yes Force user PIN change after set reset Off 21 No Allow off board storage On 22 Yes Allow acceleration On 29 Yes Allow unmasking O...

Page 69: ...IN turning it off Refer to the Reference section for a description of all and their meanings If you have been following the instructions on this page as part of setting up a new HSM system then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured Prepare to Create a Partition Password Authenticated on page 72 Set HSM Policies PED Trusted Path Authentication...

Page 70: ... describe the current configuration of this HSM and may by changed by the HSM Administrator Changing policies marked destructive will zeroize erase completely the entire HSM Description Value Code Destructive Allow masking On 6 Yes Allow cloning On 7 Yes Allow non FIPS algorithms On 12 Yes SO can reset partition PIN On 15 Yes Allow network replication On 16 No Allow Remote Authentication On 20 Yes...

Page 71: ...icyCode value policyValue As an example change code 15 from a value of 1 On to 0 Off Example Change of HSM Policy lunash hsm changePolicy policy 15 value 0 That command assigns a value of zero 0 to the HSM Admin can reset partition PIN policy turning it off WARNING The above example is a change to a destructive policy meaning that if you apply this policy the HSM is zeroized and all contents are l...

Page 72: ...itialized HSM At this point the Luna appliance should already have its network settings configured by Configure the Luna Appliance for your Network on page 26 have its HSM Administrator assigned by Initializing a Password Authenticated HSM on page 44 Within the HSM separate cryptographic work spaces must be initialized and designated for clients A workspace or Partition and all its contents are pr...

Page 73: ...tion names must be unique in the HSM You are not permitted to create two partitions with the same label on one HSM This will be the label seen by PKCS 11 applications A partition name can be from 1 to 64 characters in length and can include any of the following characters 0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZ _abcdefghijklmnopqrstuvwxyz No spaces When labeling HSMs or partitions never use a numera...

Page 74: ...llowing is generated when a partition is created on the HSM 5 12 12 17 16 14 14 S N 150718 session 1 Access 2147483651 2669 SO container operation LUNA_ CREATE_CONTAINER returned RC_OK 0x00000000 container 20 using PIN entry LUNA_ENTRY_DATA_ AREA It is not obvious from this entry what the serial number is for the created partition This information however can be derived from the log entry since th...

Page 75: ...c work spaces must be initialized and designated for clients A workspace or Partition and all its contents are protected by encryption derived in part from its authentication Only a Client that presents the proper authentication is allowed to see the Partition and to work with its contents In this section you will Create an HSM Partition First Establish a Connection to your HSM Appliance 1 If you ...

Page 76: ...at you are currently logged in as HSM Admin or SO perform an hsm logout then log in again Create Initialize the Partition PED Authenticated Having logged in you can now use the partition create command to create an HSM Partition You must supply a label or name for the new Partition when you issue the command lunash partition create partition name for new Partition The angle brackets and indicate t...

Page 77: ...tend to reuse a pre existing imprinted black PED Key Respond Yes if you have a key from another HSM partition with a partition Owner ID already imprinted on it that you wish to share reuse Respond No if you have a fresh never imprinted key or if you have a key previously imprinted with an ID that you do not wish to preserve 3 The PED requests values for Luna SA Configuration Guide Release 5 4 1 00...

Page 78: ...u wish to invoke M of N split secret multi person access control Using M of N on page 1 4 The PED then demands the black Owner PED key with the message Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 78 ...

Page 79: ...apply the appropriate color sticker either immediately before or immediately after imprinting and press Enter A unique Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition 5 The PED might continue with Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 79 ...

Page 80: ...ED PIN is not desired You must press Enter to inform the PED that you are finished entering PED PIN digits or that you have decided not to use a PED PIN no digits entered When you provide a PED PIN even if it is the null PIN by just pressing Enter with no digits the PED requests it a second time to ensure that you entered it correctly Press ENTER again 7 You are then prompted Luna SA Configuration...

Page 81: ...more black PED Keys until you have imprinted duplicated as many as you wish 8 At the command line session the next part of the sequence is displayed Luna PED operation required to generate cloning domain on the partition use Domain red PED key and control once again goes to the Luna PED 9 The PED inquires if you intend to reuse a previously imprinted red Domain PED Key Luna SA Configuration Guide ...

Page 82: ...nted key or if you have a key previously imprinted with an ID that you do not wish to preserve 10 As it did for the black key the PED now requests values for M and N Again enter 1 for each unless you wish to invoke M of N splitting 11 The PED then prompts for a red Domain PED key with the message Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc Al...

Page 83: ...after imprinting and press Enter A unique Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition 12 The PED goes through the same prompts as for the black PED Key Respond as appropriate 13 Luna PED presents the generated partition challenge secret password which you must record Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet...

Page 84: ...ored in a safe place in case of loss or damage to the primary keys Partition creation audit log entry Each time a partition is created an entry is added to the audit log Any subsequent actions logged against the partition are identified by the partition serial number that was generated when the partition was created Determining the serial number of a created partition from the audit log An audit l...

Page 85: ...e the partition serial number concatenate the two numbers as follows 150718020 Use this number to identify the partition in subsequent audit log entiries Record the Partition Client Password PED Auth HSMs The PED now generates and displays the Client Password login secret by which Clients will later authenticate themselves to this HSM Partition Record the Login Secret Value from the PED screen wri...

Page 86: ...cessful At the same time Luna PED goes back to Awaiting command Next you might need to adjust the Partition Policy settings for the new Partition Optional see Partition Policies on page 88 Otherwise see Prepare the Client for Network Trust Link on page 91 Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 86 ...

Page 87: ...Luna SA Configuration Guide Release 5 4 1 007 011136 007Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 87 ...

Page 88: ...llowed Enable private key wrapping Disallowed Enable private key unwrapping Allowed Enable private key masking Disallowed Enable secret key cloning Allowed Enable secret key wrapping Allowed Enable secret key unwrapping Allowed Enable secret key masking Disallowed Enable multipurpose keys Allowed Enable changing key attributes Allowed Enable PED use without challenge Allowed Allow failed challenge...

Page 89: ...logins allowed 10 20 Allow high availability recovery On 21 Allow activation Off 22 Allow auto activation Off 23 Minimum pin length inverted 255 min 248 25 Maximum pin length 255 26 Allow Key Management Functions On 28 Perform RSA signing without confirmation On 29 Allow Remote Authentication On 30 Allow private key unmasking On 31 Allow secret key unmasking On 32 Allow RSA PKCS mechanism On 33 Al...

Page 90: ... HSM whenever you finish operations that require HSM login lunash hsm logout lunash Policy setting example Luna HSM with PED Authentication This is just an example You do not need to change this particular policy or any other except to configure the HSM Partition more appropriately for your use 1 Login Before Changing Policies 2 Change a selected policy for a Partition labeled myPartition1 Type lu...

Page 91: ...r contact your Network Administrator for assistance This means Configure all the necessary IP settings hostname IP address DNS gateway etc as appropriate to your network and as applicable to your Client s operating system Install an ssh client the scp copy utility should already have been installed during the HSM software installation Start network services on your Client machine and verify that y...

Page 92: ...r operating system during the general installation refer to the Luna SA QuickStart Guide You will perform the actions in this section the first time you commission a Luna SA appliance and you require a client to exchange certificates with the HSM and to be assigned to an HSM Partition and whenever you have a new client that needs access to an HSM Partition Import a Server Cert Choose the version f...

Page 93: ...Program Files SafeNet LunaClient cert server You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed correctly then you might lack file permissions in the affected directories If you lack administrator privileges on your computer contac...

Page 94: ... Program Files SafeNet LunaClient pscp admin 192 168 0 123 server pem admin 192 168 0 123 s password server pem 100 928 00 00 Any time the IP or hostname of the HSM appliance has changed such as moving from a pre production environment the client s that have previously connected via SSH will detect a mismatch in the HSM appliance s server certification information and warn you of potential securit...

Page 95: ...er C Program Files SafeNet LunaClient vtl addServer n LunaSA hostname or IPaddress c serverCert file Example c Program Files SafeNet LunaClient vtl addServer n myLuna3 c server pem You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed...

Page 96: ... are working without DNS then give the server IP number rather than its name as in c Program Files SafeNet LunaClient vtl addServer n sa ip address c server pem When you have completed this step see Create a Client Certificate Windows on page 96 Create a Client Certificate Windows Begin by creating a certificate and private key for the client using the vtl command line interface Luna SA Configurat...

Page 97: ... the Reference section of this Help for full command syntax and description You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed correctly then you might lack file permissions in the affected directories If you lack administrator pri...

Page 98: ...rt sub directory and for the client and server sub directories Note If you are working without DNS then supply the client IP numerically instead c Program Files SafeNet LunaClient vtl createCert n clientIPaddress In this case the key and cert files are created with the filename being the IP address of the Client Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 201...

Page 99: ...ount on the HSM appliance or the client certificate will not register correctly You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed correctly then you might lack file permissions in the affected directories If you lack administrator...

Page 100: ...cert sub directory and for the client and server sub directories Note For networks without DNS use the HSM appliance s IP address instead of the hostname Example c cd Program Files SafeNet LunaClient cert client c Program Files SafeNet LunaClient cert client dir client ip address Key pem client ip address pem Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 S...

Page 101: ...scp does not recognize the supplied destination as a remote server The file arriving at the HSM is automatically placed in the appropriate directory Do not specify a directory for destination Next see Register the Client Certificate to an HSM Server on page 105 to continue the setup configuration is nearly done at this point Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 ...

Page 102: ... previously connected via SSH will detect a mismatch in the HSM appliance s server certification information and warn you of potential security breach In this case you will need to remove that server s certificate information from the client s known host file found in user home dir ssh known_hosts2 If this is happening in a production environment this could potentially be a security breach needing...

Page 103: ...e using a hostname parameter that is not an exact case match for the client s hostname you might be unable to create an NTLS link bash 2 05 vtl createCert n clientHostname Example bash 2 05 vtl createCert n myClient1 bash 2 05 ls lr total 816 rwxr xr x 1 root root 735720 Apr 19 14 08 vtl rw r r 1 root root 908 Apr 23 14 38 myClient1 pem rw r r 1 root root 887 Apr 23 14 38 myClient1Key pem rwxr xr ...

Page 104: ... 05 scp myClient1 pem admin myLuna3 You must scp to the admin account on the HSM appliance or the client certificate will not register correctly Note For networks without DNS use the HSM appliance s IP address instead of the hostname Example bash 2 05 cd cert client bash 2 05 ls client ip address Key pem client ip address pem bash 2 05 scp client ip address pem admin appliance ip address Note The ...

Page 105: ...his is a check that you are registering the client whose pem file you created in the previous steps and scp d to the appliance You can register several clients to the appliance Example lunash client registerClient Command lunash client register client MyClient hostname MyClient Client registration successful lunash client list registered client 1 MyClient lunash Note If you are working without DNS...

Page 106: ... server The Luna SA appliance is designed for such multi connection operation See Connections to the Appliance Limits on page 1 for a discussion of how total connections are determined Register VM Clients When the client is a virtual machine instance the possibility exists that the VM could be cloned or moved NTL is not aware of such an event For optimum security when registering VM clients with L...

Page 107: ... client to the HSM Partition The command is lunash client assignPartition client clientname partition partition name Example lunash client assignPartition Command lunash client assignPartition client myClient1 partition myPartition1 client assignpartition successful Note The parameter partition name is the name of the HSM Partition that was created earlier following configuration of the HSM To ver...

Page 108: ...DONE Yes That was the complete setup We suggest that you browse the Administration Maintenance manuals to develop a deeper understanding of the options and capabilities of your Luna SA appliance and of the housekeeping tasks and utilities that you might need The SDK section is provided for programmers developers Client Connection Limits See Connections to the Appliance Limits for a discussion of t...

Page 109: ...nce Administration Guide Configure multiple HSMs to operate in high availability HA mode High Availability HA mode allows you to automatically replicate the data on a HSM partition over two or more physical HSMs to provide redundancy and load balancing Applications using an HA HSM partition do not access it directly Instead the HA software creates a virtual slot for the partition and manages which...

Reviews: