Respond to PED prompts to create the Crypto Officer token.
“co” is the short form for “Crypto Officer”.
lunacm:> role createChallenge -name Crypto Officer
A partition password is created.
Required if using the Activation\Auto-Activation partition policies.
lunacm:> role logout
Logs out the Partition SO.
NOTE
The sequence of commands above activates the newly created partition and enables the HSM auto-activation policy. This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key.
8. (Mandatory) Change the Crypto Officer password set by the Partition SO. Go to Officer Password" on the next page.
Initializing the HSM Card in a Password-authenticated appliance
1. As the System Administrator (ksadmin), SSH in to the appliance (or connect via serial port using your password) and execute the "/usr/safenet/lunaclient/bin/lunacm" utility.
The utility displays information on the detected HSM card and allows you to execute various HSM management commands.
NOTE
Refer to the Gemalto Luna PCIe HSM documentation for more details on these HSM commands.
2. Make sure an HSM admin slot is selected.
Optional: To see the available slots, enter:
lunacm:> slot list
Look for a slot with the description "Admin Token Slot". To select the active slot, enter:
lunacm:> slot set -slot <number>
3. Re-initialize the HSM Card:
lunacm:> hsm factoryReset
KeySecure k570 Appliance : Installation Guide
16 June 2020, Copyright © 2020 Thales Group. All rights reserved.
28