manualshive.com logo in svg

Thales SafeNet Luna Network HSM 7.3, Administration Manual

Download the free Thales SafeNet Luna Network HSM 7.3 Administration Manual from our website. This comprehensive manual provides all the necessary instructions for effectively managing your Luna Network HSM, ensuring optimum security and performance. Upgrade your knowledge today and unlock the full potential of this exceptional product.

Share
Download
background image

Chapter 1:   Appliance Hardware Functions

One such event is removal of the lid (top cover). The lid is secured by anti-tamper screws, so any event that lifts
that lid is likely to be a serious intrusion.

Another event that is considered tampering is opening of the bay containing the ventilation fans.

You can use the thumbscrew to access the mesh air filter in front of the fans, without disturbing the system.
However, if you open the fan-retaining panel behind that, which requires a Torx #8 screwdriver, then the
system registers a tamper.

Therefore, cleaning of the filter is encouraged, especially if you work in a dusty environment, but fan module
removal and replacement are discouraged unless you have good reason to suspect that a fan module is faulty.
See

"Power Supply and Fan Maintenance" on page 21

for more information.

Decommission

The red "Decommission" button recessed behind the back panel is not a tamper switch. Its purpose is different.
See

"HSM Emergency Decommission Button" on page 27

for a description.

What Happens When You Tamper - Including Opening the Fan Bay

The following sequence illustrates how a tamper event affects the HSM and your use of it. You do not need to
perform all these steps. Many are included for illustrative purposes and to emphasize the state of the appliance
and of the enclosed HSM at each stage.

Action

Result/State

First, we place the HSM in its basic operational condition (we reset only to have a clean starting point for this
illustration).

hsm
factoryReset

Starting point

hsm initialize

Basic setup of HSM

Next, we illustrate a software "tamper" (destroying the MTK by setting the HSM into Transport Mode)

stm transport

Enable Secure Transport Mode.

hsm show

Basic HSM info remains undisturbed.

partition list

None have been created since initialization, above.

partition create

Attempt to create a partition - doesn't work; must be logged in as SO.

hsm login

No, can't do that either: LUNA_RET_MTK_ZEROIZED

stm recover

Log in to the HSM and HSM SO and recover from Secure Transport Mode.
Also, the PED presents the Transport Mode verification string.

SafeNet Luna Network HSM 7.3 Appliance Administration Guide

007-013576-005 Rev. A 13 December 2019 Copyright 2001-2019 Thales

16

Summary of Contents for SafeNet Luna Network HSM 7.3

Page 1: ...SafeNet Luna Network HSM 7 3 APPLIANCE ADMINISTRATION GUIDE ...

Page 2: ...The copyright notice the confidentiality and proprietary legend and this full warning notice appear in all copies This document shall not be posted on any publicly accessible network computer or broadcast in any media and no modification of any part of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The informati...

Page 3: ...n any application in which defective incorrect or insecure functioning could result in damage to persons or property denial of service or loss of privacy All intellectual property is protected by copyright All trademarks and product names used or referred to are the copyright of their respective owners No part of this document may be reproduced stored in a retrieval system or transmitted in any fo...

Page 4: ... Hard Reboot 20 Automatic Restart Following a Power Interruption 21 Power Supply and Fan Maintenance 21 Replacing a Power Supply 21 The Fans 23 Summary 26 HSM Emergency Decommission Button 27 What the Emergency Decommission Button Does 27 Disabling Decommissioning 28 When to Use the Emergency Decommission Button 28 Serial Connections 28 Serial Pinout 30 Troubleshooting 30 Front Locking Bezel 30 Re...

Page 5: ...er 43 Securing Your NTP Connection 44 References 45 Chapter 4 System Logging 46 About System Logging 46 Log Severity Levels 46 Hardware Monitoring and Logging 47 Configuring System Logging 47 Rotating System Logs 47 Customizing Severity Levels 48 Reading System Logs 49 Exporting System Logs 50 Deleting System Logs 51 Remote System Logging 51 Chapter 5 Backing Up the Appliance Configuration 54 Back...

Page 6: ...STC that allows the SafeNet Cryptographic Engine the HSM inside the appliance to be shared as a service to network applications Like traditional servers that provide e mail web pages and file download FTP services to authenticated clients the HSM appliance offers HSM services to clients on the network As an Ethernet attached device the HSM appliance can be shared among many applications on a netwo...

Page 7: ...ly perform the tasks assigned to them The information processes and procedures contained in this document are intended for use by trained and qualified personnel only It is assumed that the users of this document are proficient with security concepts Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes No...

Page 8: ...ommand line description Optionally enter the keyword or variable that is enclosed in square brackets if it is necessary or desirable to complete the task a b c a b c Represent required alternate keywords or variables in a command line description You must choose one command line argument enclosed within the braces Choices are separated by vertical OR bars a b c a b c Represent optional alternate k...

Page 9: ...elease notes listing known problems and workarounds a knowledge base FAQs product documentation technical notes and more You can also use the portal to create and manage support cases NOTE You require an account to access the Customer Support Portal To create a new account go to the portal and click on the REGISTER link Telephone The support portal also lists telephone numbers for voice contact Co...

Page 10: ...ff or Reboot the Appliance on page 19 Power Supply and Fan Maintenance on page 21 HSM Emergency Decommission Button on page 27 Serial Connections on page 28 Front Locking Bezel on page 30 Power Consumption on page 32 Physical Features The SafeNet Luna Network HSM is 1U high and fits into standard 19 inch equipment racks Front Panel The front panel is illustrated below with the secure locking bezel...

Page 11: ...er off or Reboot the Appliance on page 19 F Fan status LEDs The appliance has three 3 cooling fans If these lights are illuminated the fans are working correctly G Ventilation fan filter cover Removable cover allows cleaning of air filter See also Power Supply and Fan Maintenance on page 21 H Fan bay securing screw Torx screw secures the fan bay CAUTION Opening to swap fan modules triggers a tampe...

Page 12: ... cable see SafeNet Luna Network HSM Required Items on page 1 See also Installing the SafeNet Luna Network HSM Hardware on page 1 G Decommission button This button should only be pressed as part of decommissioning and zeroizing the appliance See also Declassify or Decommission the HSM Appliance on page 1 H Power supplies Connect the appliance to power For proper redundancy and best reliability the ...

Page 13: ...ion of the LCD displays the current appliance state and related status codes The state can be one of the following ISO In Service Operational The appliance is operating normally All services are running and the appliance is providing encryption signing services as expected IST In Service Trouble The appliance is operational but is experiencing a fault condition The required services are operationa...

Page 14: ...ut the status of the network interfaces 61 In Service Operational The eth1 interface is offline Use the LunaSH network show and service status network commands to display more information about the status of the network interfaces 62 In Service Operational The eth2 interface is offline Use the LunaSH network show and service status network commands to display more information about the status of t...

Page 15: ...oot the issue 90 In Service Trouble The SSH service is not running Use the LunaSH service status ssh command to display more information about the status of the syslog service and the syslog tail command to view the system logs to help troubleshoot the issue 110 In Service Trouble Hard disk utilization is too high Use the LunaSH syslog tarlogs command to create a tar archive of the logs and then u...

Page 16: ...cription What Happens When You Tamper Including Opening the Fan Bay The following sequence illustrates how a tamper event affects the HSM and your use of it You do not need to perform all these steps Many are included for illustrative purposes and to emphasize the state of the appliance and of the enclosed HSM at each stage Action Result State First we place the HSM in its basic operational condit...

Page 17: ...SM driver times out the command line prompt is still available until you issue a command that attempts to access the HSM at which point the driver goes into time out the entire system stops responding for approximately ten minutes you can wait it out or you can reboot the system has detected a tamper event system resumes run sysconf appliance reboot or press the restart Stop Start switch on the ba...

Page 18: ...073 logged the following internal event RESTART 0x0000002f 133103 13 01 28 14 47 35 S N 150073 HSM with S N 150073 logged the following internal event LOG resync 0x0000002e Command Result 0 Success hsm tamper show WARNING Tamper s Detected hsm login not permitted LUNA_RET_MTK_ZEROIZED hsm tamper clear Clear the HSM tamper The HSM SO must be logged in to issue this command hsm login This time it wo...

Page 19: ...M has both splits available and can immediately reconstitute the MTK and go on operating normally without further intervention from you Power on Power off or Reboot the Appliance This section describes how to power on power off or reboot the appliance It contains the following sections Power On below Power Off on the next page Reboot on the next page Hard Reboot on the next page Automatic Restart ...

Page 20: ... panel of the system or issue the sysconf appliance reboot command To switch off the system issue the sysconf appliance poweroff command or use the START STOP switch on the SafeNet Luna Network HSM front panel If you issue the poweroff command the system requests that you confirm by typing proceed After you type proceed the system returns a success message From that point the orderly shutdown take...

Page 21: ...Fan Maintenance The two power supplies in the SafeNet Luna Network HSM appliance are hot swap capable meaning that one is sufficient to power the appliance while the other is removed and replaced with no service interruption The indicator light LED on each power supply shows different behavior depending upon conditions Power Supply Condition Power Supply LED DC present only standby output on Flash...

Page 22: ...ply 3 Press the lever sideways to release the power supply retaining catch and simultaneously pull the handle out toward you Withdraw the power supply completely using your other hand to support the body of the power supply as it emerges SafeNet Luna Network HSM 7 3 Appliance Administration Guide 007 013576 005 Rev A 13 December 2019 Copyright 2001 2019 Thales 22 ...

Page 23: ...urled captive thumb screw and a Torx T8 screw The knurled screw can be fastened or released without tools It secures the lattice screen that in turn retains the mesh air filter While we recommend controlled atmosphere environments for greatest longevity and reliability of the equipment we recognize that some environments might include some dust in the air The mesh filter traps larger particulate m...

Page 24: ...or a blunt tool to tuck in the corners 5 Then replace the lattice in front of the mesh by inserting the tabs first then swinging the lattice closed like a door and securing with the knurled screw Replacing a Fan The three fan modules each containing two in line fans provide cooling redundancy If one fan or module fails it is detected by sensors View a summary of appliance sensor conditions by runn...

Page 25: ... either case you can examine the log for tamper events syslog tail search tamper entries 200 To replace a fan 1 To open the fan bay use a Torx number 8 screwdriver to remove the screw that secures the right side tab of the fan retainer 2 The fan retainer is anchored at its left by two tabs swing the retainer out like a door and remove it There is no need to separate the filter mesh and its retaine...

Page 26: ...used by opening the fan bay 8 You will also need to re Activate your HSM Partitions partition activate partition name_of_partition so that they once more become available to your registered clients Summary Removing cleaning and replacing the fan filter the black mesh behind the grille does not cause a tamper and can be done at any time without disrupting your Clients Opening the fan bay behind the...

Page 27: ...ze the HSM 2 Reinitialize the audit role and reconfigure auditing 3 Recreate the partitions 4 Reinitialize the partition roles Event Summary Here is what you would observe after the button is depressed The LCD on the appliance front panel freezes Communication to the HSM key card is blocked as is the software process that polls the HSM for status At this point you must power cycle the SafeNet appl...

Page 28: ...hin the HSM You might find other uses in your organization What to do after decommission if the SafeNet Luna Network HSM is being returned to Gemalto 1 Obtain a Return Material Authorization and shipping instructions from Gemalto if you have not already done so 2 Pack the appliance and ship it to Gemalto Serial Connections You can use a serial connection to connect a computer directly to the SafeN...

Page 29: ...d by the port associated with the adapter For example Prolific USB to Serial Comm Port COM4 Record the COM port COM4 in this example associated with the adapter You will need this port number when you open a serial connection 4 Use a terminal emulation package such as PuTTY to open a serial connection to the COM port associated with your Prolific USB to Serial adapter Set the serial connection par...

Page 30: ...shes when trying to detect a serial port This is a known issue with the Windows 10 PL2303 drivers If you experience trouble opening a serial connection using Windows 10 use another supported operating system Front Locking Bezel Your order may have included an optional front locking bezel pictured below The locking bezel fits over the HSM s faceplate for maximum physical access security Certain sec...

Page 31: ...zel over the posts with both keys in the horizontal position 2 Turn the keys to the vertical position to lock the bezel Remove the keys and store them in a secure location NOTE Leaving the keys in the bezel may interfere with closing the rack door and compromise security Replacement Keys To obtain replacement keys contact Technical Support see Support Contacts on page 1 Please have the lock serial...

Page 32: ...trical mains but not powered on 26W typical Power on Input Surge 15A typical 40A at 90 132VAC max 60A at 180 265VAC max Active under load from clients 84W typical 100W max The SafeNet appliance has two power supplies each rated at 350W either of which is capable of running the system alone SafeNet Luna Network HSM 7 3 Appliance Administration Guide 007 013576 005 Rev A 13 December 2019 Copyright 2...

Page 33: ...s set Maximum number of clients that can connect to one SafeNet Luna Network HSM appliance at the same time No hard limit is set but see below Maximum number of connections per registered client No hard limit is set but see below Maximum number of connections in total to a single SafeNet Luna Network HSM appliance For SafeNet Luna Network HSM 5 2 and newer no hard limit is set SafeNet Luna Network...

Page 34: ...put gains are intended The following conditions and recommendations apply to the port bonding feature Bonded interfaces must both be attached to the same network segment For example if a bonded interface of IP 192 168 9 126 is chosen both interfaces must be connected to devices that can access the 192 168 9 network Bonded interfaces must use static addressing Avoid executing bonding commands while...

Page 35: ... SafeNet appliance Administrator account userid admin uses standard password authentication userid password You can also choose to use Public Key based Authentication for SSH access The relevant commands to manage Public Key Authentication are described here Public Key Authentication to a SafeNet Appliance Using UNIX SSH Clients The following is an example exercise to illustrate the use of Public ...

Page 36: ...a lunash my public key add id_rsa pub Command Result 0 Success 7 Check the list again myLuna lunash my public key list SSH Public Keys for user admin Name Type Bits Fingerprint id_rsa pub ssh rsa 1024 6e 7a 7e e1 2a 54 8f 99 3e 6a 56 f8 38 22 fb a6 Command Result 0 Success Notice that the fingerprint reported is the same as was generated back on mypc 8 From mypc SSH into myLuna you should not be p...

Page 37: ...Authentication functions you could SSH in again from Windows and other UNIX clients and verify that you are still password prompted as normal for those clients Verify that the client list is always accurate Delete one or two of your public key clients Verify that those clients are password prompted again Clear all public key clients with the clear sub command Verify that all clients are password p...

Page 38: ...er methods of debugging should be attempted before restarting NTLS Examples are Confirming the fingerprint of the client certificate and the server certificate at both the client and the server the SafeNet appliance Verifying that the client is registered and has at least one Partition assigned to it Impact of the service restart ntls Command If you perform a service restart ntls on a live or prod...

Page 39: ...igh volume simultaneous launch of sessions from a single client is unavoidable then increase the receive timeout value at the client from the default 20 seconds to some larger value that eliminates the problem for you The obvious trade off is that the higher the receive timeout value is set on each client the longer it takes for failed connection attempts to be recognized and corrective measures t...

Page 40: ...alue of 20 seconds provides a worst case scenario over a larger WAN but may be inappropriate for some SafeNet Luna Network HSM deployments such as SafeNet Luna HSMs in an HA configuration where a quicker determination of the health of the SafeNet Luna Network HSM system is required This value can be set in the SafeNet Luna Network HSM configuration file as follows Windows crystoki ini LunaSA Clien...

Page 41: ...how is a localized abbreviation For example the following three commands set the time zone code to EST or EDT depending on whether Daylight Saving Time DST is currently in effect sysconf timezone set America Kentucky Louisville sysconf timezone set America Toronto sysconf timezone set EST5EDT If you choose a named time zone the system automatically adjusts for DST on the appropriate dates If you c...

Page 42: ...r several days and describe how to correct it using the appliance s sysconf drift local drift correction commands To establish time drift and set drift correction 1 Begin drift measurement This also sets the time In order to establish the drift and its correction accurate time must be used when beginning and ending drift measurement One method is to use NTP on a different computer that has no conn...

Page 43: ...le from a variety of public servers We recommend using a more secure NTP server that supports symmetric or public key authentication as described in Securing Your NTP Connection on the next page Alternatively your organization might have established its own NTP server s Contact your IT manager or security officer for details For more information about NTP authentication see References on page 45 N...

Page 44: ...list of trusted keys lunash sysconf ntp symmetricauth trustedkeys add keyID 4 Add the trusted NTP server using the key option to enter the key ID for that server lunash sysconf ntp addserver NTPserver key keyID 5 Check the NTP connection lunash sysconf ntp status Using Public Key AutoKey Authentication This method uses asymmetric keys held by the NTP server and client An identity scheme is used to...

Page 45: ...q NTP s config adv htm S CONFIG ADV AUTH 3 NTP Public Key Authentication http www ntp org ntpfaq NTP s config adv htm Q CONFIG ADV AUTH AUTOKEY 4 Autokey Identity Schemes http www eecis udel edu mills ident html 5 ntp keygen tool http doc ntp org 4 2 6 keygen html 6 NTP Server configuration options http doc ntp org 4 2 6 confopt html SafeNet Luna Network HSM 7 3 Appliance Administration Guide 007 ...

Page 46: ...1 where you set rotation and other parameters to suit your own monitoring and management schedule You can configure flexible logs to gather only information you consider relevant or send different logs to different remote hosts NOTE Syslog format is in accordance with RFC 5424 See Syslog Introduction on page 1 for information on reading and interpreting system log messages Log Severity Levels Even...

Page 47: ... the current logging configuration in LunaSH with syslog show This section contains the following system logging procedures Rotating System Logs below Customizing Severity Levels on the next page Reading System Logs on page 49 Exporting System Logs on page 50 Deleting System Logs on page 51 Rotating System Logs System logs are gathered in a current log file that is periodically rotated and saved o...

Page 48: ...he appliance maximum 100 logs rotated monthly lunash syslog rotations _of_rotations lunash syslog rotations 5 Log rotations set to 5 Command Result 0 Success To manually rotate the current log file Use syslog rotate see syslog rotate on page 1 This command ensures that the most recent logs are included when exporting them off the appliance lunash syslog rotate lunash syslog rotate Command Result 0...

Page 49: ...wish to customize lunalogs messages cron secure boot Reading System Logs You can search the current log rotation for recent events without exporting log files Rotated logs must be exported to a client workstation to be read For a detailed guide to reading and interpreting system log messages see About the Monitoring Guide on page 1 in the Syslog and SNMP Monitoring Guide Syslog format is in accord...

Page 50: ...ple this command will display all alarm messages from the last 200000 log entries lunash syslog tail logname messages entries 200000 search ALM 2017 Apr 17 11 00 45 local_host kern info kernel k7pf0 HSM ALM2006 HSM decommissioned by FW 2017 Apr 17 11 00 48 local_host kern info kernel k7pf0 HSM ALM2014 Auto activation data invalid HSM deactivated 2017 Apr 17 11 01 12 local_host kern info kernel k7p...

Page 51: ...rrent logs then deletes ALL THE LOG FILES If you are sure that you wish to proceed then type proceed otherwise type quit proceed Proceeding Creating tarlogs then deleting all log files The tar file containing logs is now available via scp as filename logs_cleanup_20170301_ 1443 tgz Please copy logs_cleanup_20170301_1443 tgz to a client machine with scp Deleting log files restart the rsyslogd servi...

Page 52: ...log OK Starting syslog OK 192 10 10 101 added successfully Make sure the rsyslog service on 192 10 10 101 is properly configured to receive the logs Command Result 0 Success By default the remote server will now receive lunalogs messages secure and boot logs at the info level and above and cron logs at the notice level and above See Customizing Remote Logging Severity Levels on the next page to sp...

Page 53: ...age 1 lunash syslog severity set logname logname loglevel loglevel host hostname IP lunash syslog severity set logname lunalogs loglevel critical host 192 10 10 101 This command sets the severity level of lunalogs remote log messages Only messages with the severity equal to or higher than the new log level critical will be sent to 192 10 10 101 Stopping syslog OK Starting syslog OK Command Result ...

Page 54: ... config backup command at any time to create a backup file that contains the current state of all service parameters configured on the appliance You can create multiple backup files and provide a description for each file allowing you to backup and restore multiple different configurations The backup files are stored on the file system by default You can export them to the internal HSM or an exter...

Page 55: ...conf config restore command with the file created after upgrade Managing your configuration backup files If you wish you can keep only the backup files that you find useful and individually delete any others using the sysconf config delete command You can also use the sysconf config clear command to delete all of your configuration files if desired Note that the configuration backup file area is a...

Page 56: ... factory reset of the chosen configuration parameter users Net_HSM lunash sysconf config factoryReset service users WARNING This command resets the configuration of the selected service s to factory defaults Resetting services to factory defaults can affect connectivity and the operation of the HSM If you are sure that you wish to proceed then type proceed otherwise type quit proceed Proceeding Re...

Page 57: ...fully Password change successful The reset to factory appliance settings for the users parameter seems to have worked Our admin password was reset to the default password PASSWORD and we had to apply a non default password 5 With that done we can verify if additional aspects of the users parameters were also reset to factory spec Net_HSM lunash user list Users Roles Status RADIUS admin admin enabl...

Page 58: ... you are sure that you wish to proceed then type proceed otherwise type quit proceed Proceeding hsm supportInfo successful Use scp from a client machine to get file named supportInfo txt Broadcast message from root pts 1 Wed Feb 22 08 00 41 2012 The system is going down for reboot NOW Reboot commencing Command Result 0 Success 7 After rebooting again we are able to log in with our original admin p...

Page 59: ...ives you two target options The internal HSM of your SafeNet Luna Network HSM appliance This could be useful if a component failed in the appliance you sent the appliance back to SafeNet for rework under the RMA procedure received it back repaired and then retrieved the file from your HSM to restore your appliance settings An external HSM such as a Backup HSM or token This could be useful if the c...

Reviews:

No comments

Related manuals for SafeNet Luna Network HSM 7.3

DW DWC-BL2651TIR Manual preview
DWC-BL2651TIR
Brand: DW Pages: 32
AccuBANKER D500 Quick Start Manual preview
D500
Brand: AccuBANKER Pages: 2
Panamalar F9 Quick Manual preview
F9
Brand: Panamalar Pages: 32
Yamaha YAS-306 Owner'S Manual preview
YAS-306
Brand: Yamaha Pages: 40
Yamaha YAS-109 Update Manual preview
YAS-109
Brand: Yamaha Pages: 8
Yamaha DVR-S60 Service Manual preview
DVR-S60
Brand: Yamaha Pages: 108
Yamaha NS-C150 Owner'S Manual preview
NS-C150
Brand: Yamaha Pages: 3
Niles Cynema Soundfield CSF48A Installation Manual preview
Cynema Soundfield CSF48A
Brand: Niles Pages: 37
StarVedia IC731z Quick Installation Manual preview
IC731z
Brand: StarVedia Pages: 2
Hama 00173143 Operating Instructions Manual preview
00173143
Brand: Hama Pages: 75
hyfire TAURUS TAU-TH-01-BL Quick Manual preview
TAURUS TAU-TH-01-BL
Brand: hyfire Pages: 2
König SAS-DUMMYCAM25 Manual preview
SAS-DUMMYCAM25
Brand: König Pages: 51
Youly Electric YL Powership MMA-250FI Operator'S Manual preview
YL Powership MMA-250FI
Brand: Youly Electric Pages: 16
GSD Wi-Corporate Controller Installation & User Manual preview
Wi-Corporate Controller
Brand: GSD Pages: 14
Soca ST-660 Operation And Installation Manual preview
ST-660
Brand: Soca Pages: 19
Eaton FHF DSLB 20 LED Technical Manual preview
FHF DSLB 20 LED
Brand: Eaton Pages: 28
System Sensor SpectrAlert S1224MCW Installation And Maintenance Instructions preview
SpectrAlert S1224MCW
Brand: System Sensor Pages: 4
4CR 6.5600.1000 Operation Manual preview
6.5600.1000
Brand: 4CR Pages: 7

Brands by name

Popular brands

Load more brands