
Configuring the HSM as Root of Trust

You can configure the HSM as Root of Trust using either the GUI or the CLI (KSCTL). This section uses the GUI. For instructions on using KSCTL to configure the HSM as Root of Trust, refer to the NextGen KeySecure Administrator Guide.

1. Browse to the KeySecure k570 Appliance GUI home page as you did in the "Activating the Appliance" on page 31 section above.

2. Click Admin Settings to open the Admin Settings application.

3. In the left pane, click System > HSMs. The HSM Settings page is displayed.

4. On the HSM Settings page, select:

5. Select the HSM type and select Next.

6. On the Configuring KeySecure Internal HSM - PCIe HSM page:

   a. Enter the HSM Partition Label and Password.

      The HSM Partition Label is the label that was assigned using the lunacm command "partition init -label <new partition label>" in the section "Initializing the SafeNet Luna PCIe HSM Card" on page 26.

      The Password is the partition password (also known as the Crypto Officer password) that was assigned in the section "Resetting the Crypto Officer Password" on page 29.

   b. Select Next. The following warning is displayed:

7. When ready to confirm, select:

   The appliance restarts and the HSM configuration settings are applied. KeySecure is unavailable during this period.

   When the HSM configuration is complete, you are returned to the Log In screen.

KeySecure k570 Appliance : Installation Guide

16 June 2020, Copyright © 2020 Thales Group. All rights reserved.

33
