manualshive.com logo in svg

SafeNet Luna SA, Руководство по настройке

Поделиться
Скачать
SafeNet Luna SA Скачать руководство пользователя страница 67

CHAPTER 4

HSM Capabilities and Policies

SafeNet Luna HSMs are built on one of our general-purpose HSM platforms (hardware plus firmware), and then are
loaded with what we call "personality", to make them into specific types of HSM with specific abilities and constraints,
to suit different markets and applications.

The built-in attributes are called "Capabilities" and describe what the HSM can do as it comes to you from the factory.

Some capabilities are unalterable, except by re-manufacturing the HSM.

Many HSM capabilities can be altered by means of HSM Policies, which coincide one-for-one with the capabilities that
they alter.

You can view the current HSM capabilities and policies with the

hsm showpolicies

command:

You can change a current HSM policy with the

hsm changepolicy

command.

This section describes how to modify HSM Policies, and suggests some examples of changes best made before the
HSM is further configured for use in your environment. Refer to the instructions for your HSM authentication type:

"Set HSM Policies (Password Authentication)" on page 67

"Set HSM Policies - PED (Trusted Path) Authentication" on page 69

Set HSM Policies (Password Authentication)

Set any of the alterable policies that are to apply to the HSM.

Note: Capability vs Policy Interaction

Capabilities identify the purchased features of the product and are set at time of manufacture.
Policies represent the HSM Admin’s enabling (or restriction) of those features.

1.

Type the

hsm showPolicies

command, to display the current policy set for the HSM.

[myluna] lunash:>hsm showPolicies

HSM Label:

myhsm

Serial #:

700022

Firmware:

6.21.0.

The following capabilities describe this HSM, and cannot be altered

except via firmware or capability updates.

Description

Value

============

=====

Enable PIN-based authentication  

Allowed   

Enable PED-based authentication  

Disallowed   

Performance level  

15

Enable domestic mechanisms & key sizes

Allowed   

Enable masking  

Allowed   

Enable cloning  

Allowed 

Enable special cloning certificate  

Disallowed   

Luna SA Configuration Guide

Release 5.4.1 007-011136-007Rev C July 2014 Copyright 2014 SafeNet, Inc.   All rights reserved.

67

Содержание Luna SA

Страница 1: ...Luna SA Configuration Guide ...

Страница 2: ...ims any implied warranties of merchantability or fitness for any particular purpose Furthermore SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes We have attempted to make these documents complete accurate and useful but we cannot...

Страница 3: ...omain and the Red Domain PED Key 18 Partition Owner User and the black PED Key 18 Remote PED Orange PED Key RPK 19 Auditor 19 Secure Recovery Purple PED Key SRK 20 Other Considerations 20 Luna PED Planning 20 What each PED prompt means 21 HSM Initialization and the Blue SO PED Key 22 HSM Cloning Domain and the Red Domain PED Key 23 Partition Owner User and the black PED Key 23 Remote PED Orange PE...

Страница 4: ...g a Partition on the HSM 72 Prepare to Create a Partition Password Authenticated 72 About HSM Partitions on the Initialized HSM 72 Create the Partition PW 73 Partition creation audit log entry 74 Next steps 74 Prepare to Create a Partition PED Authenticated 75 About HSM Partitions on the Initialized HSM 75 Create Initialize the Partition PED Authenticated 76 Partition creation audit log entry 84 R...

Страница 5: ... Export a Client Cert to an HSM Appliance UNIX 104 Register the Client Certificate to an HSM Server 105 How Many Clients 106 Register VM Clients 106 What s the Next Step 106 CHAPTER 8 Assign a Client to an HSM Partition 107 Assign a Client to a Partition 107 Verify Your Setup 107 Client Connection Limits 108 Applications and Integrations 108 CHAPTER 9 Optional Configuration Tasks 109 Luna SA Confi...

Страница 6: ...onventions on page 7 Support Contacts on page 8 For information regarding the document status and revision history see Document Information on page 2 Customer release notes The customer release notes CRN provide important information about this release that is not included in the customer documentation Read the CRN to fully understand the capabilities limitations and known issues for this release ...

Страница 7: ... that may help prevent unexpected results or data loss Warnings Warnings are used to alert you to the potential for catastrophic data loss or personal injury They use the following format WARNING Be extremely careful and obey all safety and security measures In this situation you might do something that could result in catastrophic data loss or personal injury Command syntax and typeface conventio...

Страница 8: ...sired Choices are separated by vertical OR bars Support Contacts If you encounter a problem while installing registering or operating this product please ensure that you have read the documentation If you cannot resolve the issue please contact your supplier or SafeNet support SafeNet support operates 24 hours a day 7 days a week Your level of access to this service is governed by the support plan...

Страница 9: ...al Support Portal https serviceportal safenet inc com Existing customers with a Customer Connection Center account or a Service Portal account can log in to manage incidents get the latest software upgrades and access the SafeNet Knowledge Base Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 9 ...

Страница 10: ...onitor disabled until you enable default password PASSWORD Those three built in accounts can be neither created nor destroyed but admin can enable or disable the other two as needed You can leave that arrangement as is or you can create additional users with names of your own choice and assign them any of the roles and the powers that go with those roles The default password of any created user is...

Страница 11: ...p and Restore of User Profiles The commands sysconf config backup and sysconf config restore allow you to store a snapshot of the administrative user database the names and status of all named Luna Shell users that can later be restored if desired CAUTION Restoring from backup restores the database of user profiles that existed before the backup was made This includes the set of users that existed...

Страница 12: ... HSM follows the standard Cryptoki model appliance admin This is the basic administrative access to the a Luna HSM appliance When you connect via ssh putty exe or other ssh utility the Luna HSM presents the login as prompt The only ID that is accepted is admin You must be logged in as the appliance admin before you can access further authentication layers such as HSM Admin Partition Owner Crypto O...

Страница 13: ...cess the lunash command shell Note Therefore in both access control models a Client with the Password can connect and perform object generation and deletion and can use objects sign verify encrypt decrypt but they cannot perform Partition management operations unless they can also login to Luna Shell lunash as admin Client A Client is a working or production user of one or more Luna SA HSM Partiti...

Страница 14: ...generate and manipulate cryptographic objects in the Partition Crypto User or restricted Client user Read only If the Partition has been readied for access by the black PED Key a Client can connect with a Client application authenticating with the Crypto User Password a challenge secret generated on command by the Luna PED similar to the Crypto Officer or Partition Owner Password that is generated...

Страница 15: ...PED Key or it can be split by the MofN feature over several red keys which are then distributed among trusted personnel such that no single person is able to provide the cloning domain without oversight from other trusted personnel In scenarios where multiple HSM partitions are in use it can be useful to segregate those partitions according to department or business unit or according to function g...

Страница 16: ...he Yes or do reuse option The decision is do you wish this HSM to be accessed by the same secret that accesses this function role on one or more other HSMs Or do you wish this HSM to have a new unique secret that is recognized by no previous HSM Sometimes it is advantageous to have a single secret for a group of HSMs managed by a single person Sometimes security or operational rules require that e...

Страница 17: ...ies of that secret or if you need to make more The more you make the more you must track But you must have enough to satisfy your organization s operational and security protocols The above paragraphs explain the meanings of each of the prompts that you would see from Luna PED while performing an action like initialization that imprints PED Keys with secrets The following sections discuss some imp...

Страница 18: ... below HSM Cloning Domain and the Red Domain PED Key All the points options decisions listed above for the SO key apply equally to the Cloning domain key with two exceptions First you MUST apply the same red key Cloning Domain secret to every HSM that is to clone objects to from each other participate in an HA group synchronization uses cloning backup restore By maintaining close control of the re...

Страница 19: ...fundamental activity like initializing an HSM or creating a partition Instead if you don t expect to use the Remote PED option you never need to create an orange PED Key If you do have a Remote capable Luna PED and want to use it for remote authentication rather than always having the PED locally connected to the HSM then the HSM and the PED that is remotely hosted must share a Remote PED Vector R...

Страница 20: ...ey or outdated secret to be overwritten by a unique new Secure Recovery Vector generated by the HSM Other Considerations In each case have your materials and notes about your previously made decisions on hand before you launch a command that invokes key creation or imprinting Predetermine which of your personnel will have access to which PED Keys how many people should be required to perform a giv...

Страница 21: ...le the full secret and authenticate that role You invoke M of N by providing the M value and the N value using the PED Keypad when prompted You refuse M of N by setting the M value and the N value both to 1 M of N is the more secure choice when you require multiple persons to be present with their splits of the role secret in order to access that role and perform its functions No M of N is the mor...

Страница 22: ...ture HSMs to be administered by that person or role job in your organization would accept that secret from a provided blue PED Key rather than creating their own unique SO PED Keys In that situation you would choose to Reuse an existing keyset when initializing every HSM after the first one Alternatively you might have a very compartmentalized organization where a separate individual must have adm...

Страница 23: ...use or blank or outdated secret to be overwritten by a unique cloning domain secret generated by the HSM Partition Owner User and the black PED Key All the points listed above for the SO key apply equally to the black PED Key when an HSM partition is created The black PED Key Partition Owner User secret secures the HSM partition to which it is applied and all contents of the partition The black PE...

Страница 24: ...ck PED keys with the same questions choices for you to make about reuse or a fresh new secret about M of N about duplicates etc Before you begin the PED vector init process have your orange PED Keys ready either with an existing RPV secret to reuse or blank or outdated secret to be overwritten by a unique new RPV secret generated by the HSM The first time you set an RPV for an HSM the PED must be ...

Страница 25: ...sions on hand before you launch a command that invokes key creation or imprinting Predetermine which of your personnel will have access to which PED Keys how many people should be required to perform a given authentication action whether they will carry their PED Key s or will need to retrieve them from a secure lockup for each occasion that they are used how many backup sets you expect to maintai...

Страница 26: ...ck panel closest to the power supply and is labeled 1 DNS Entries Ensure that you have configured your DNS Server s with the correct entries for the appliance and the client If you are using DHCP then all references to the Client and the HSM appliance as in Certificates should use hostnames Client Requirements If you are using a client workstation with Linux or UNIX then SSH secure shell and the s...

Страница 27: ...na appliance See http www cisco com warp public 473 12 html bkg for some descriptions of Cisco switches If the switch is configured to run the Spanning Tree Protocol on the port which appears to be the default configuration at least for Cisco switches then there is a delay of about 30 seconds while it runs through a series of discovery commands and waits for responses The switches can be configure...

Страница 28: ...he HSM appliance begins to power up If the appliance was deliberately powered down using the START STOP switch or the poweroff command then it should remain off until you press the START STOP switch However if power was removed while the system was on either a power failure or the power cable was disconnected not good practice then the system should restart without a button press This behavior all...

Страница 29: ... test activity Power Off To power off the HSM appliance locally press and release the START STOP switch Do not hold it in The HSM appliance then performs an orderly shutdown that is it closes the file system and shuts down services in proper order for the next startup This takes approximately 30 seconds to complete In the unlikely event that the system freezes and does not respond to a momentary S...

Страница 30: ...l or a PC for example a laptop that will serve as the administration computer Note A standard null modem serial cable with DB9 connectors is included with the HSM appliance as is a USB to serial adapter if needed For security reasons the USB port on the Luna SA appliance recognizes only SafeNet HSMs and peripheral devices therefore it is prohibited from supporting general USB operations and thus d...

Страница 31: ...e Interface with the lunash prompt is independent of the platform Linux Windows Solaris HP UX or AIX that you used to connect however we assume that most lab server rooms have a Linux or Windows PC available Password defaults Admin appliance default password PASSWORD via local serial link or via SSH Operator appliance default password PASSWORD via local serial link or via SSH Monitor appliance def...

Страница 32: ... appliance and its HSM from vulnerabilities due to weak passwords new passwords must be at least eight characters in length and must include characters from at least three of the following four groups lowercase alphabetic abcd xyz uppercase alphabetic ABCD XYZ numeric 0123456789 special non alphanumeric _ Note You must login within two minutes of opening an administration session or the connection...

Страница 33: ... Date and Time Before proceeding with HSM and HSM Partition setup ensure that the HSM Server s system date time and timezone are appropriate for your network Setting correct system time is important because the next step is to generate your own server certificate The certificate becomes valid at the time of its creation which is recorded as part of the certificate as a GMT value If your local time...

Страница 34: ...d by the minor name The code that you must apply from the list in the appendix may not look exactly like the code displayed by status date For example status date shows EDT i e Eastern Daylight Time but to set that you must type EST5EDT or Canada Eastern or America Montreal a number of values produce the same setting 3 Use sysconf time to set the system time and date HH MM YYYYMMDD in the format s...

Страница 35: ...en you might wish to use the system s clock drift correction protocol See Correcting Time Drift on page 1 in the Appliance Administration Guide for further information Go to Configure IP and Network Parameters on page 35 Configure IP and Network Parameters The HSM appliance is pre configured with network settings left over from our manufacturing process and not recommended for your production netw...

Страница 36: ...e of the network domain in which the HSM Server appliance is to operate lunash net domain safenet inc com 4 Use network dns add nameserver to set the Nameserver IP Address address for the local name server lunash net dns add nameserver 192 168 1 3 substitute an appropriate address for the example ask your Network Administrator Note Your network could have multiple DNS name servers Repeat this step...

Страница 37: ...onfigure it specifically to a test network e g network interface device eth1 ip 192 168 1 254 netmask 255 255 255 0 so that it does not affect the behavior of other Luna features e g remote PED Note If either interface is configured to use DHCP then the DNS parameters are overwritten for the entire HSM appliance It is not possible to have manual settings preserved for one interface while DHCP deri...

Страница 38: ...SM appliance by hostname and by IP address from the Client Repeat for each Client where the Client Software was installed OPTIONAL Once you know your network setup is correct you can invoke network time protocol To use NTP you must add one or more servers to the HSM appliance s NTP server list and then activate enable the servers Use the sysconf ntp command as follows Add servers lunash sysconf nt...

Страница 39: ...em time which would be unwelcome in your system logging When your connection is working got to Generate a New HSM Server Certificate on page 39 Generate a New HSM Server Certificate Although your HSM appliance came with a server certificate good security practice dictates that you should generate a new one 1 Use sysconf regenCert to generate a new Server Certificate lunash sysconf regenCert WARNIN...

Страница 40: ... the Network Trust Link Service From the factory the network trust link service NTLS is bound to the loopback device by default In order to use the appliance on your network you must bind the NTLS to one of the two Ethernet ports ETH0 or ETH1 or to a hostname or IP address You can use the ntls show command to see current status 2 Use ntls bind to bind the service luna23 lunash ntls bind eth0 Succe...

Страница 41: ...s in these pages as part of setting up a new HSM appliance then the next step is to initialize the HSM on your Luna SA appliance Those instructions can be found in the HSM Configuration section Choose one of the following links according to the type of HSM appliance that you have Initializing a Password Authenticated HSM on page 44 Initializing a PED Authenticated HSM on page 48 Luna SA Configurat...

Страница 42: ...sword Authenticated HSM you are asked for the password and the command eventually times out if the password is not given Of course if you provide a wrong password that is applied against the count of bad login attempts However connecting a PED and offering a PED Key to a Password Authenticated HSM has no effect it is ignored If yours is a PED Authenticated Trusted Path HSM the prompt asks you to a...

Страница 43: ...hould have received a PED and PED Keys along with the HSM appliance If you have other PED Authenticated units at your location then you can use a PED from one of them Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 43 ...

Страница 44: ...ference See hsm init on page 1 in the Lunash Command Reference For an HSM with Password Authentication you need to provide a label password and cloning domain The only one that you should type at the command line is the label The password and cloning domain can be typed at the command line but this makes them visible to anyone who can see the computer screen or to anyone who later scrolls back in ...

Страница 45: ...ow proceed hsm init successful When activity is complete lunash displays a success message You have initialized the HSM and created an HSM Admin identity which is an additional capability set overlaid on the HSM appliance administrator identity Appliance admin alone can use lunash to perform some administrator operations on the HSM server such as network configuration but cannot access the HSM wit...

Страница 46: ...u have not used Luna HSMs and PED Keys before please read the sub section Managing PED Keys in the Administration Guide before you start initializing Once you have initialized an HSM you would return to this section only to clear an entire HSM and all its contents and HSM Partitions by re initializing If you received your Luna HSM in Secure Transport Mode then a preliminary step is required before...

Страница 47: ...lit enabled yes SRK resplit1 required no Hardware tampered no Transport mode yes Command Result No Error lunash Recover the srk with the command lunash hsm srk transportMode recover Refer to the Luna PED and follow the prompts to insert the purple PED Key enter responses on the PED keypad etc During the process a validation string is shown You should have received your HSM s validation string by s...

Страница 48: ...M to Secure Transport Mode before placing it into storage or before shipping to your organization s remote location or before shipping to your customer offering them the same Secure Shipping option as is available from SafeNet If you have just received an HSM from SafeNet in Secure Transport Mode and recovered from STM your next step should be to initialize the HSM Go to Initializing a PED Authent...

Страница 49: ...tory Reset mode ensuring that when you receive it it does not contain left over objects and settings from factory burn in and final test Depending on the options that you chose when ordering your Luna SA HSM might also arrive in Secure Transport Mode If the HSM is in Factory Reset mode only then it is ready to be initialized by you If the HSM is also in Secure Transport Mode then you must run the ...

Страница 50: ...any of Factory reset by command The Decommission button being pressed The HSM detecting 3 bad login attempts on the SO account This renders any HSM contents unrecoverable At the factory we would have created only unimportant test objects on the HSM if you have previously had the HSM in service and then either decommissioned it or performed hsm factoryreset your valid objects and keys are similarly...

Страница 51: ...tialize the HSM or quit to quit now Please attend to the PED Note Respond promptly to avoid PED timeout Error At this time the PED becomes active and begins prompting you for PED Keys and other responses For security reasons this sequence has a time out which is the maximum permitted duration after which an error is generated and the process stops If you allow the process to time out you must re i...

Страница 52: ...r onto one that contains old unwanted authentication Luna PED asks you to set M of N values If you say YES you indicate that you have a PED Key or set of PED Keys from another HSM and you wish your current new HSM to share the authentication with that other HSM Authentication will be read from the PED Key that you present and imprinted onto the current HSM and Luna SA Configuration Guide Release 5...

Страница 53: ...ccess control no single person can access the HSM without cooperation of other holders Luna PED now asks you to provide the appropriate PED Key a fresh blank key or a previously used key that you intend to overwrite or a previously used key that you intend to preserve and share with this HSM Insert a blue HSM Admin SO PED key of course the PED Key is generically black we suggest that you apply the...

Страница 54: ...ED Key that contains authentication secret for another HSM then this PED Key will no longer be able to access the other HSM only the new HSM that you are currently initializing with a new unique authentication secret therefore YES means yes destroy the contents on the key and create new authentication information in its place be sure that this is what you wish to do This will be matched on the Lun...

Страница 55: ... of a multi digit PIN code that must always be supplied along with the PED Key for all future HSM access attempts Type a numeric password on the PED keypad if you wish Otherwise just press Enter twice to indicate that no PED PIN is desired Luna PED imprints the PED Key or the HSM or both as appropriate and then prompts the final question for this key Luna SA Configuration Guide Release 5 4 1 007 0...

Страница 56: ...should always have backups of your imprinted PED Keys to guard against loss or damage To begin imprinting a Cloning Domain red PED Key you must first log into the HSM so in this case you can simply leave the blue PED Key in place Luna PED passes the authentication along to the HSM and then asks the first question toward imprinting a cloning domain Luna SA Configuration Guide Release 5 4 1 007 0111...

Страница 57: ...ed then answer NO Luna PED prompts for values of M and N If you have another HSM and wish that HSM and the current HSM to share their cloning Domain then you must answer YES In that case Luna PED does not prompt for M and N Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 57 ...

Страница 58: ...ain PED Key Insert a red HSM Cloning Domain PED key of course the PED Key is generically black we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting and press Enter Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 58 ...

Страница 59: ...PTER 3 HSM Initialization OR Just as with the blue SO PED Key the next message is Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 59 ...

Страница 60: ...wish to overwrite whatever is or is not on the currently inserted key with a Cloning Domain generated by the PED the PED asks And finally Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 60 ...

Страница 61: ...022 Firmware 6 2 1 Hardware Model Luna K6 Authentication Method PED keys HSM Admin login status Logged In HSM Admin login attempts left 3 before HSM zeroization RPV Initialized Yes Manually Zeroized No Partitions created on HSM FIPS 140 2 Operation The HSM is NOT in FIPS 140 2 approved operation mode HSM Storage Information Maximum HSM Storage Space Bytes 2097152 Space In Use Bytes 0 Free Space Le...

Страница 62: ...ected Luna PED demands the first SO HSM Admin PED Key Insert the Blue PED Key This table below summarizes the steps involving Luna PED immediately after you invoke the command hsm init The first column is the simplest and most like what you would encounter the very first time you initialize using fresh from the carton iKey PED Keys The next two columns of the table show some differences if you are...

Страница 63: ... the questions are more important since the keys to be overwritten already have material on them SLOT 01 SETTING SO PIN Insert a SO HSM Admin PED Key Press ENTER SLOT 01 SETTING SO PIN Insert a SO HSM Admin PED Key Press ENTER Slot 01 SETTING SO PIN Insert a SO HSM Admin PED Key Press ENTER This PED Key is blank Overwrite YES NO Warning This PED Key is for SO HSM Admin Overwrite YES NO Warning Thi...

Страница 64: ...have just the one key with that secret don t lose it Same as in first column Same as in first column Login SO HSM Admin Insert a SO HSM Admin PED Key Press ENTER Login SO HSM Admin Insert a SO HSM Admin PED Key Press ENTER Login SO HSM Admin Insert a SO HSM Admin PED Key Press ENTER Having created imprinted the HSM Admin or SO secret the HSM now requires you to login in order to go further This is...

Страница 65: ...it correctly In future every time you are required to present that PED Key you must also enter the PED PIN on the PED keypad if you created a PED PIN at initialization time then you must provide that exact PED PIN along with the PED Key in order to gain access to the HSM If you did not create a PED PIN when you initialized then just press Enter at the PED prompt when you insert the requested PED K...

Страница 66: ... If the domain data on the key should be preserved as valid and recorded on the current HSM or token What to do This allows the PED Key to work with both the previous and the current HSM or token that is they will all share the same cloning backup domain Therefore to preserve the existing domain answer YES to reuse an existing keyset OR b If the domain data that was found on the red key must be ov...

Страница 67: ...nment Refer to the instructions for your HSM authentication type Set HSM Policies Password Authentication on page 67 Set HSM Policies PED Trusted Path Authentication on page 69 Set HSM Policies Password Authentication Set any of the alterable policies that are to apply to the HSM Note Capability vs Policy Interaction Capabilities identify the purchased features of the product and are set at time o...

Страница 68: ...will zeroize erase completely the entire HSM Description Value Code Destructive Allow masking On 6 Yes Allow cloning On 7 Yes Allow non FIPS algorithms On 12 Yes SO can reset partition PIN On 15 Yes Allow network replication On 16 No Allow Remote Authentication On 20 Yes Force user PIN change after set reset Off 21 No Allow off board storage On 22 Yes Allow acceleration On 29 Yes Allow unmasking O...

Страница 69: ...IN turning it off Refer to the Reference section for a description of all and their meanings If you have been following the instructions on this page as part of setting up a new HSM system then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured Prepare to Create a Partition Password Authenticated on page 72 Set HSM Policies PED Trusted Path Authentication...

Страница 70: ... describe the current configuration of this HSM and may by changed by the HSM Administrator Changing policies marked destructive will zeroize erase completely the entire HSM Description Value Code Destructive Allow masking On 6 Yes Allow cloning On 7 Yes Allow non FIPS algorithms On 12 Yes SO can reset partition PIN On 15 Yes Allow network replication On 16 No Allow Remote Authentication On 20 Yes...

Страница 71: ...icyCode value policyValue As an example change code 15 from a value of 1 On to 0 Off Example Change of HSM Policy lunash hsm changePolicy policy 15 value 0 That command assigns a value of zero 0 to the HSM Admin can reset partition PIN policy turning it off WARNING The above example is a change to a destructive policy meaning that if you apply this policy the HSM is zeroized and all contents are l...

Страница 72: ...itialized HSM At this point the Luna appliance should already have its network settings configured by Configure the Luna Appliance for your Network on page 26 have its HSM Administrator assigned by Initializing a Password Authenticated HSM on page 44 Within the HSM separate cryptographic work spaces must be initialized and designated for clients A workspace or Partition and all its contents are pr...

Страница 73: ...tion names must be unique in the HSM You are not permitted to create two partitions with the same label on one HSM This will be the label seen by PKCS 11 applications A partition name can be from 1 to 64 characters in length and can include any of the following characters 0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZ _abcdefghijklmnopqrstuvwxyz No spaces When labeling HSMs or partitions never use a numera...

Страница 74: ...llowing is generated when a partition is created on the HSM 5 12 12 17 16 14 14 S N 150718 session 1 Access 2147483651 2669 SO container operation LUNA_ CREATE_CONTAINER returned RC_OK 0x00000000 container 20 using PIN entry LUNA_ENTRY_DATA_ AREA It is not obvious from this entry what the serial number is for the created partition This information however can be derived from the log entry since th...

Страница 75: ...c work spaces must be initialized and designated for clients A workspace or Partition and all its contents are protected by encryption derived in part from its authentication Only a Client that presents the proper authentication is allowed to see the Partition and to work with its contents In this section you will Create an HSM Partition First Establish a Connection to your HSM Appliance 1 If you ...

Страница 76: ...at you are currently logged in as HSM Admin or SO perform an hsm logout then log in again Create Initialize the Partition PED Authenticated Having logged in you can now use the partition create command to create an HSM Partition You must supply a label or name for the new Partition when you issue the command lunash partition create partition name for new Partition The angle brackets and indicate t...

Страница 77: ...tend to reuse a pre existing imprinted black PED Key Respond Yes if you have a key from another HSM partition with a partition Owner ID already imprinted on it that you wish to share reuse Respond No if you have a fresh never imprinted key or if you have a key previously imprinted with an ID that you do not wish to preserve 3 The PED requests values for Luna SA Configuration Guide Release 5 4 1 00...

Страница 78: ...u wish to invoke M of N split secret multi person access control Using M of N on page 1 4 The PED then demands the black Owner PED key with the message Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 78 ...

Страница 79: ...apply the appropriate color sticker either immediately before or immediately after imprinting and press Enter A unique Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition 5 The PED might continue with Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 79 ...

Страница 80: ...ED PIN is not desired You must press Enter to inform the PED that you are finished entering PED PIN digits or that you have decided not to use a PED PIN no digits entered When you provide a PED PIN even if it is the null PIN by just pressing Enter with no digits the PED requests it a second time to ensure that you entered it correctly Press ENTER again 7 You are then prompted Luna SA Configuration...

Страница 81: ...more black PED Keys until you have imprinted duplicated as many as you wish 8 At the command line session the next part of the sequence is displayed Luna PED operation required to generate cloning domain on the partition use Domain red PED key and control once again goes to the Luna PED 9 The PED inquires if you intend to reuse a previously imprinted red Domain PED Key Luna SA Configuration Guide ...

Страница 82: ...nted key or if you have a key previously imprinted with an ID that you do not wish to preserve 10 As it did for the black key the PED now requests values for M and N Again enter 1 for each unless you wish to invoke M of N splitting 11 The PED then prompts for a red Domain PED key with the message Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc Al...

Страница 83: ...after imprinting and press Enter A unique Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition 12 The PED goes through the same prompts as for the black PED Key Respond as appropriate 13 Luna PED presents the generated partition challenge secret password which you must record Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet...

Страница 84: ...ored in a safe place in case of loss or damage to the primary keys Partition creation audit log entry Each time a partition is created an entry is added to the audit log Any subsequent actions logged against the partition are identified by the partition serial number that was generated when the partition was created Determining the serial number of a created partition from the audit log An audit l...

Страница 85: ...e the partition serial number concatenate the two numbers as follows 150718020 Use this number to identify the partition in subsequent audit log entiries Record the Partition Client Password PED Auth HSMs The PED now generates and displays the Client Password login secret by which Clients will later authenticate themselves to this HSM Partition Record the Login Secret Value from the PED screen wri...

Страница 86: ...cessful At the same time Luna PED goes back to Awaiting command Next you might need to adjust the Partition Policy settings for the new Partition Optional see Partition Policies on page 88 Otherwise see Prepare the Client for Network Trust Link on page 91 Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 86 ...

Страница 87: ...Luna SA Configuration Guide Release 5 4 1 007 011136 007Rev C July 2014 Copyright 2014 SafeNet Inc All rights reserved 87 ...

Страница 88: ...llowed Enable private key wrapping Disallowed Enable private key unwrapping Allowed Enable private key masking Disallowed Enable secret key cloning Allowed Enable secret key wrapping Allowed Enable secret key unwrapping Allowed Enable secret key masking Disallowed Enable multipurpose keys Allowed Enable changing key attributes Allowed Enable PED use without challenge Allowed Allow failed challenge...

Страница 89: ...logins allowed 10 20 Allow high availability recovery On 21 Allow activation Off 22 Allow auto activation Off 23 Minimum pin length inverted 255 min 248 25 Maximum pin length 255 26 Allow Key Management Functions On 28 Perform RSA signing without confirmation On 29 Allow Remote Authentication On 30 Allow private key unmasking On 31 Allow secret key unmasking On 32 Allow RSA PKCS mechanism On 33 Al...

Страница 90: ... HSM whenever you finish operations that require HSM login lunash hsm logout lunash Policy setting example Luna HSM with PED Authentication This is just an example You do not need to change this particular policy or any other except to configure the HSM Partition more appropriately for your use 1 Login Before Changing Policies 2 Change a selected policy for a Partition labeled myPartition1 Type lu...

Страница 91: ...r contact your Network Administrator for assistance This means Configure all the necessary IP settings hostname IP address DNS gateway etc as appropriate to your network and as applicable to your Client s operating system Install an ssh client the scp copy utility should already have been installed during the HSM software installation Start network services on your Client machine and verify that y...

Страница 92: ...r operating system during the general installation refer to the Luna SA QuickStart Guide You will perform the actions in this section the first time you commission a Luna SA appliance and you require a client to exchange certificates with the HSM and to be assigned to an HSM Partition and whenever you have a new client that needs access to an HSM Partition Import a Server Cert Choose the version f...

Страница 93: ...Program Files SafeNet LunaClient cert server You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed correctly then you might lack file permissions in the affected directories If you lack administrator privileges on your computer contac...

Страница 94: ... Program Files SafeNet LunaClient pscp admin 192 168 0 123 server pem admin 192 168 0 123 s password server pem 100 928 00 00 Any time the IP or hostname of the HSM appliance has changed such as moving from a pre production environment the client s that have previously connected via SSH will detect a mismatch in the HSM appliance s server certification information and warn you of potential securit...

Страница 95: ...er C Program Files SafeNet LunaClient vtl addServer n LunaSA hostname or IPaddress c serverCert file Example c Program Files SafeNet LunaClient vtl addServer n myLuna3 c server pem You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed...

Страница 96: ... are working without DNS then give the server IP number rather than its name as in c Program Files SafeNet LunaClient vtl addServer n sa ip address c server pem When you have completed this step see Create a Client Certificate Windows on page 96 Create a Client Certificate Windows Begin by creating a certificate and private key for the client using the vtl command line interface Luna SA Configurat...

Страница 97: ... the Reference section of this Help for full command syntax and description You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed correctly then you might lack file permissions in the affected directories If you lack administrator pri...

Страница 98: ...rt sub directory and for the client and server sub directories Note If you are working without DNS then supply the client IP numerically instead c Program Files SafeNet LunaClient vtl createCert n clientIPaddress In this case the key and cert files are created with the filename being the IP address of the Client Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 201...

Страница 99: ...ount on the HSM appliance or the client certificate will not register correctly You might need to surround the entire filespec path and filename within quotation marks if Windows stumbles at the space between Program and Files If the operations fail and you have verified that the commands are typed correctly then you might lack file permissions in the affected directories If you lack administrator...

Страница 100: ...cert sub directory and for the client and server sub directories Note For networks without DNS use the HSM appliance s IP address instead of the hostname Example c cd Program Files SafeNet LunaClient cert client c Program Files SafeNet LunaClient cert client dir client ip address Key pem client ip address pem Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 Copyright 2014 S...

Страница 101: ...scp does not recognize the supplied destination as a remote server The file arriving at the HSM is automatically placed in the appropriate directory Do not specify a directory for destination Next see Register the Client Certificate to an HSM Server on page 105 to continue the setup configuration is nearly done at this point Luna SA Configuration Guide Release 5 4 1 007 011136 007 Rev C July 2014 ...

Страница 102: ... previously connected via SSH will detect a mismatch in the HSM appliance s server certification information and warn you of potential security breach In this case you will need to remove that server s certificate information from the client s known host file found in user home dir ssh known_hosts2 If this is happening in a production environment this could potentially be a security breach needing...

Страница 103: ...e using a hostname parameter that is not an exact case match for the client s hostname you might be unable to create an NTLS link bash 2 05 vtl createCert n clientHostname Example bash 2 05 vtl createCert n myClient1 bash 2 05 ls lr total 816 rwxr xr x 1 root root 735720 Apr 19 14 08 vtl rw r r 1 root root 908 Apr 23 14 38 myClient1 pem rw r r 1 root root 887 Apr 23 14 38 myClient1Key pem rwxr xr ...

Страница 104: ... 05 scp myClient1 pem admin myLuna3 You must scp to the admin account on the HSM appliance or the client certificate will not register correctly Note For networks without DNS use the HSM appliance s IP address instead of the hostname Example bash 2 05 cd cert client bash 2 05 ls client ip address Key pem client ip address pem bash 2 05 scp client ip address pem admin appliance ip address Note The ...

Страница 105: ...his is a check that you are registering the client whose pem file you created in the previous steps and scp d to the appliance You can register several clients to the appliance Example lunash client registerClient Command lunash client register client MyClient hostname MyClient Client registration successful lunash client list registered client 1 MyClient lunash Note If you are working without DNS...

Страница 106: ... server The Luna SA appliance is designed for such multi connection operation See Connections to the Appliance Limits on page 1 for a discussion of how total connections are determined Register VM Clients When the client is a virtual machine instance the possibility exists that the VM could be cloned or moved NTL is not aware of such an event For optimum security when registering VM clients with L...

Страница 107: ... client to the HSM Partition The command is lunash client assignPartition client clientname partition partition name Example lunash client assignPartition Command lunash client assignPartition client myClient1 partition myPartition1 client assignpartition successful Note The parameter partition name is the name of the HSM Partition that was created earlier following configuration of the HSM To ver...

Страница 108: ...DONE Yes That was the complete setup We suggest that you browse the Administration Maintenance manuals to develop a deeper understanding of the options and capabilities of your Luna SA appliance and of the housekeeping tasks and utilities that you might need The SDK section is provided for programmers developers Client Connection Limits See Connections to the Appliance Limits for a discussion of t...

Страница 109: ...nce Administration Guide Configure multiple HSMs to operate in high availability HA mode High Availability HA mode allows you to automatically replicate the data on a HSM partition over two or more physical HSMs to provide redundancy and load balancing Applications using an HA HSM partition do not access it directly Instead the HA software creates a virtual slot for the partition and manages which...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды