CHAPTER 3
HSM Initialization
To initialize an HSM is to prepare it for operation, under the control of an HSM Admin.
Choose instructions for the type of HSM that you own:
• "About Initializing a Password Authenticated HSM"
• "About Initializing a PED Authenticated HSM"
Which kind do I have?
Luna SA HSMs are shipped from the factory as one or the other type. This is not a field-changeable setting. If you are not sure which kind you have, verify the type of HSM with the hsm displayLicenses command. You can run that command from the Luna shell (logged in as appliance admin). The hsm displayLicenses command is one of several non-sensitive HSM commands that do not require HSM authentication. The output lists the configuration packages (additions to the basic build) that make up your Luna SA. Look for the term FIPS3 appearing in that list to indicate that your Luna SA is PED Authenticated (uses the Trusted Path) - otherwise, your HSM is Password Authenticated.
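As an added example (not code from the SafeNet guide), a small POSIX shell helper that applies the FIPS3 rule above to the text of hsm displayLicenses, so the check can be scripted before any time-limited initialization step. The sample outputs are constructed, and running the command over ssh is an assumption about your appliance.

```shell
#!/bin/sh
# Added example, not from the Luna SA guide: classify a Luna SA as PED or
# Password Authenticated from the text of `hsm displayLicenses`.
# Assumption: the command lists configuration packages one per line; the
# wording below is constructed, only the FIPS3 token comes from the guide.

# luna_auth_type: read `hsm displayLicenses` output on stdin and print
# "PED", "Password" or "undetermined". Returns 1 only when undetermined.
luna_auth_type() {
    out=$(cat)
    # Empty output means we never saw a license list (not logged in to
    # lunash, wrong host, command timed out): refuse to guess.
    [ -n "$out" ] || { echo "undetermined"; return 1; }
    # The guide's rule: the FIPS3 package marks a PED Authenticated
    # (Trusted Path) HSM; its absence means Password Authenticated.
    if printf '%s\n' "$out" | grep -q 'FIPS3'; then
        echo "PED"
    else
        echo "Password"
    fi
    return 0
}

# Constructed sample outputs standing in for a real appliance's response.
SAMPLE_PED='Feature: FIPS3
Feature: CLONING
Feature: HA'
SAMPLE_PWD='Feature: CLONING
Feature: HA'

# Against a live appliance (assumption: lunash accepts the command over ssh):
#   ssh admin@luna-sa "hsm displayLicenses" | luna_auth_type
# Local demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_PED" | luna_auth_type
printf '%s\n' "$SAMPLE_PWD" | luna_auth_type
```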
What if I make a mistake?
No harm. Offering the wrong kind of authentication is not harmful - the only result is a brief delay. However, offering the
wrong authentication of the correct type starts the counter for "bad login" attempts. The following paragraphs offer a
little more detail.
As a general rule, when you attempt to login to the HSM or to issue any command that requires authentication, the
lunash command-line prompts you for the needed authentication. If yours is a Password Authenticated HSM, you are
asked for the password, and the command eventually times out if the password is not given. (Of course, if you provide a
wrong password, that is applied against the count of bad login attempts. However, connecting a PED and offering a
PED Key to a Password Authenticated HSM has no effect; it is ignored.)
If yours is a PED Authenticated (Trusted Path) HSM, the prompt asks you to attend to the PED for further instructions.
If a PED is not connected and/or you don't supply the appropriate PED Keys and keypad actions, the command
eventually times out. (If you do have a PED connected and supply the wrong PED Key [of the type requested], then
that action is applied against the count of bad login attempts. However, if you mistakenly provide a password [at the
command-line] for a PED Authenticated Luna HSM, that password is ignored and the bad-login-attempt count is not
incremented.)
In either case, just wait for the timeout (a few minutes) to conclude, then begin again, using the correct authentication
method.
Note:
We recommend that you read through the pages in the Configuration section of this help
at least once in advance of starting the procedure, so that you can resolve any questions before
beginning any time-limited operations. For a Password Authenticated Luna HSM, you should
have passwords already determined according to your organization's security policies. For a
PED Authenticated Luna HSM, you should have a Luna PED connected, and an appropriate
set of PED Keys available.
Luna SA Configuration Guide
Release 5.4.1 007-011136-007Rev C July 2014 Copyright 2014 SafeNet, Inc. All rights reserved.
42