Thales KeySecure k570 Скачать руководство пользователя страница 29 | Manualshive

Страница: 29 / 37

background image

NOTE

Although the k570 appliance is shipped with the HSM Card already reset to

factory defaults, this step is still recommended as a precaution. In addition, you may re-
execute the steps in this section in the future if you wish to re-initialize the SafeNet HSM
Card.

4.

Initialize the SO role.

lunacm:> hsm init -label <admin token slot label>

Optional:

lunacm:> slot list

Notice that the slot with description "Admin Token Slot" now has a label.

lunacm:> role login -n so

lunacm:> partition create

Optional:

lunacm:> slot list

Notice the slot with the slot description "User Token Slot". Remember the ID of this slot as this will be
used later.

lunacm:> role logout

5.

Initialize the partition and the partition SO role.

lunacm:> slot set -slot <slot number of user token slot created above>

lunacm:> partition init -label <new partition label>

6.

Initialize the Crypto Officer role.

lunacm:> role login –name Partition SO

You must be logged in as Partition SO to initialize the Crypto Officer role.

lunacm:> role init –name Crypto Officer

Enter the Crypto Officer password.
Does not prompt for cloning domain.
“co” is the short form for “Crypto Officer”.

lunacm:> role logout

Logs out the Partition SO.

7.

(Mandatory) Change the Crypto Officer password set by the Partition SO. Go to

"Resetting the Crypto

Officer Password" below

Resetting the Crypto Officer Password

The Crypto Officer password set by the Partition SO must be changed. If it is not changed, lunacm will generate
a CKR_PIN_EXPIRED error when accessing the partition.

KeySecure k570 Appliance : Installation Guide

16 June 2020, Copyright © 2020 Thales Group. All rights reserved.

29

«
...
27
28
29
30
31
...
»

Содержание KeySecure k570

Страница 1: ...SafeNet KeySecure k570 Appliance INSTALLATION GUIDE ...

Страница 2: ...vice 21 Connecting to the GUI 22 Installing the Locking Bezel 25 Deploying the Appliance 26 Initializing the SafeNet Luna PCIe HSM Card 26 Resetting the Crypto Officer Password 29 Activating the Appliance 31 Configuring the HSM as Root of Trust 33 Licensing 34 Lock Codes 34 Connector Client Licensing 35 Support Contacts 36 Customer Support Portal 36 Telephone Support 36 Email Support 36 Troublesho...

Страница 3: ... listed in Received Items on page 5 3 If you plan to mount the hardware in an equipment rack follow the instructions in Rack Mounting on page 13 4 Connect the appliance to your network and log in as described in Connecting to the Appliance on page 20 5 For maximum physical access security install the Locking Bezel as described in Installing the Locking Bezel on page 25 6 Deploy your appliance as d...

Страница 4: ...contact Thales support 3 Are all of the tamper evident bag serial numbers and tamper evident label serial numbers listed in the advanced shipping notification present and do they match the actual tamper evident bag label serial numbers received If yes go to the next step If no contact Thales support 4 Did you receive any tamper evident bag label serial numbers that are not listed on the advance sh...

Страница 5: ...e k570 Appliance are listed the following table Qty Item 1 KeySecure k570 Appliance Your order should include one password authenticated or PED authenticated KeySecure k570 Appliance Both models appear physically identical NOTE You can verify whether your appliance is password authenticated or PED authenticated using the part number on the product label 2 Power Supply Cord One for each power suppl...

Страница 6: ...8C modular connector Used to connect a console terminal to the appliance during initial configuration 1 Front Ear Bracket Set Set includes 2 front ear brackets 4 bracket screws KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 6 ...

Страница 7: ...tting the appliance into racks of varying depth it must not be used to extend the appliance out of the rack Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance while attached to the rack is required for maintenance See Optional Items on page 11 1 Friction Rail Rack Mounting Screws Cage Nuts Set includes 8 M5 cage nuts 8 M5x14 rack scre...

Страница 8: ...you should have received some combination of the following items in addition to the basic order items above Qty Item 1 PED device Your order should include at least one PED device If you intend to back up your KeySecure k570 Appliance Appliance to a SafeNet Luna Backup HSM then you require a Luna PED to connect to that Backup HSM If you intend to combine remote operation and backup you might prefe...

Страница 9: ...Kit If you ordered a Luna PED your order should also include a Luna PED power supply kit with the appropriate power connection for your region The power supply is auto sensing and includes replaceable mains plug modules for international use KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 9 ...

Страница 10: ...1 Set of PED Keys and Labels Your order should include a set of iKey PED keys and peel and stick labels KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 10 ...

Страница 11: ... instructions The set includes 2 sliding rail mounts with removable side rails 2 transformer brackets 6 rail screws 1 Sliding Rail Rack Mounting Screws Set includes 8 M5x8 flat headed screws If you did not receive this set you can request one from Thales Group part number 216 000034 001 or obtain your own suitable screws If you do not use the screws included in this kit ensure that the screw heads...

Страница 12: ... to back up remotely located HSMs in conjunction with a Remote PED The authentication method for a Backup HSM must match the authentication method password or PED for any HSM with which it is used 2 SFP 10 Gbps Optical Ethernet transceiver modules If you ordered the k570 model with 2X10Gbps ports and 2X1Gbps ports you should have received two SFP 10 Gbps Optical Ethernet transceiver modules packed...

Страница 13: ... CAUTION The included mounting hardware is meant for static positioning of the appliance The long tab that slides into the bracket applied to each side of the appliance is adjustable for fitting the appliance into racks of varying depth it must not be used to extend the appliance out of the rack Optional gliding rails with rolling bearings are available for situations where rolling excursion of th...

Страница 14: ...wdriver Note how the sliding rear brackets fit into the side rails 4 Install the two sliding rear brackets in your equipment rack using four rack mounting screws NOTE While any standard equipment rack screws should fit the brackets certain large headed screws may interfere with the operation of the secure locking bezel KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales ...

Страница 15: ...er rack pull the appliance back towards you until the sliding rear brackets fit into the side rails Pull the appliance back onto the rear brackets until the front ear brackets meet the equipment rack CAUTION Support the weight of the appliance with the hydraulic lift until all four brackets are secured 7 Secure the front ear brackets using rack mounting screws KeySecure k570 Appliance Installation...

Страница 16: ...tandard 19 equipment rack Ensure you have all the necessary components before proceeding In addition to the supplied components you will need a 2 Philips screwdriver To mount the appliance 1 Install the two front ear mounting brackets on the appliance using the included screws and a 2 Phillips screwdriver 2 Fit the front end of each mount into either side of the rack and pull the spring loaded lat...

Страница 17: ...o the rack with two wide flat headed screws 4 Fasten the transformer bracket to each sliding mount with two wide flat headed screws KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 17 ...

Страница 18: ...s onto the rack mounts until they lock into place 7 The appliance now moves smoothly and securely on the rails Push the appliance all the way back and secure it to the transformer bracket with four rack screws NOTE Screws with heads that are too large can prevent the locking bezel from fitting to the faceplate Use the screws included with the appliance or other screws with suitable heads KeySecure...

Страница 19: ...See Connecting to the Appliance on the next page to continue the installation process KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 19 ...

Страница 20: ...orts Eth0 Eth1 Eth2 and Eth3 are dependent on the appliance model Correct locations for your model are printed on the rear panel For proper redundancy and best reliability the power cables should connect to two completely independent power sources 2 If you have a password authenticated appliance skip to the next step If you have a PED authenticated appliance connect the PED directly to the applian...

Страница 21: ...fic Technology Inc USB to RJ45 with 8P8C connector adapter 2 If the driver for the Prolific Technology Inc USB to RJ45 with 8P8C connector adapter did not download and install automatically go to http www prolific com to download and install the PL2303 USB to Serial Windows driver 3 Open Device Manager Control Panel Hardware Device Manager and expand the Ports COM and LPT folder If the driver inst...

Страница 22: ...n issue with the Windows 10 PL2303 drivers If you experience trouble opening a serial connection using Windows 10 use another supported operating system 6 As the System Administrator enter ksadmin to log in and follow the prompts to create a secure password CAUTION Be sure to retain this password it will be required to access the system in case of network connectivity problems The system starts up...

Страница 23: ...he Error displayed is normal and simply requires the default SSH Public Key to be replaced 2 As the System Administrator ksadmin paste in your SSH Public Key in the box provided and then select Add NOTE The SSH Public Key must be a PEM formatted RSA key You can generate this key using PuTTYgen or similar utility Save this SSH Public Key at a safe location You will need this key for future SSH acce...

Страница 24: ...H to the appliance from this point on The initial Application Administrator can now log in This is part of appliance activation which is covered in the following section Deploying the Appliance on page 26 KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 24 ...

Страница 25: ...ts highlighted below Turn the keys to the vertical position to lock the bezel The keys cannot be removed if the bezel is unlocked The two locks are keyed differently so the keys can be issued to different security personnel and kept in secure separate locations NOTE Leaving the keys in the bezel could interfere with closing the rack door and compromise security KeySecure k570 Appliance Installatio...

Страница 26: ...appliance on page 28 Initializing the HSM Card in a PED authenticated appliance 1 As the System Administrator ksadmin SSH in to the appliance or connect via serial port using your password and execute the usr safenet lunaclient bin lunacm utility The utility displays information on the detected HSM card and allows you to execute various HSM management commands NOTE Refer to the Gemalto Luna PCIe H...

Страница 27: ...5 Initialize the partition and the Partition SO role lunacm slot set slot slot number of user token slot created above lunacm partition init label new partition label Respond to PED prompts to create the partition SO token Blue Partition Cloning Domain token Red 6 Activate the partition lunacm role login name Partition SO You must be logged in as Partition SO to change partition policies lunacm pa...

Страница 28: ... case instruct the k570 appliance to re authenticate with the HSM using the black PED key 8 Mandatory Change the Crypto Officer password set by the Partition SO Go to Resetting the Crypto Officer Password on the next page Initializing the HSM Card in a Password authenticated appliance 1 As the System Administrator ksadmin SSH in to the appliance or connect via serial port using your password and e...

Страница 29: ...ole lunacm slot set slot slot number of user token slot created above lunacm partition init label new partition label 6 Initialize the Crypto Officer role lunacm role login name Partition SO You must be logged in as Partition SO to initialize the Crypto Officer role lunacm role init name Crypto Officer Enter the Crypto Officer password Does not prompt for cloning domain co is the short form for Cr...

Страница 30: ...key This step is required to reset the CO PED key created by the Partition SO lunacm role changePw name Crypto Officer Respond to PED Prompts 4 Activate cache the new Crypto Officer credentials by logging in lunacm role login name Crypto Officer 5 Exit the lunacm utility For a Password authenticated appliance 1 Login as Crypto Officer lunacm role login name Crypto Officer 2 Change Password lunacm ...

Страница 31: ... 1 Browse to the KeySecure IP address as you did earlier in the section Connecting to the GUI on page 22 The Log In screen is displayed 2 Log in using the initial default credentials for the initial Application Admin user Username admin Password admin The following Password Change screen is displayed 3 Enter a new password using this default Password Policy KeySecure k570 Appliance Installation Gu...

Страница 32: ... 4 Using your new password log in again The KeySecure k570 Appliance GUI home page appears The KeySecure k570 Appliance has been activated When you are ready you can continue with the following section to configure the PCIe HSM Card as Root of Trust KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 32 ...

Страница 33: ... KeySecure Internal HSM PCIe HSM page a Enter the HSM Partition Label and Password The HSM Partition Label is the label that was assigned using the lunacm command partition init label new partition label in the section Initializing the SafeNet Luna PCIe HSM Card on page 26 The Password is the partition password also known as the Crypto Officer password that was assigned in the section Resetting th...

Страница 34: ...on 30 days prior to license expiration the NextGen KeySecure Server will notify you in the top banner in red that your license is expiring soon Before the expiration a new purchased license must be installed Contact Gemalto Sales representative for assistance in obtaining a license Lock Codes Licensing requires a lock code Each NextGen KeySecure server comes with two lock codes the Key Manager Loc...

Страница 35: ...t by entering the License String ksctl licensing licenses add l license string Connector Client Licensing A separate and unique Connector Lock Code is provided by each NextGen KeySecure Server This lock code is used to license supported SafeNet Connectors Clients e g SafeNet ProtectFile as well to activate the KMIP interface NOTE Unlike the Key Manager Lock Code the Connector Lock Code is cluster ...

Страница 36: ...re downloads Latest product documentation Latest release notes listing known problems and workarounds A knowledge base FAQs Technical notes and more You can also use the portal to create and manage support cases NOTE You require an account to access the Customer Support Portal To create a new account go to the portal and click on the REGISTER link Telephone Support If you have an urgent problem or...

Страница 37: ...ny ssl connection related error message can be filtered from the log file based on ERR and tls tags KeySecure k570 Appliance Installation Guide 16 June 2020 Copyright 2020 Thales Group All rights reserved 37 ...

Отзывы:

Нет отзывов

Похожие инструкции для KeySecure k570

Internet Backup

Бренд: Swisscom Страницы: 2

NetDefend DFL-1600

Бренд: D-Link Страницы: 9

Бренд: Honeywell Страницы: 2

Бренд: IBASE Technology Страницы: 33

Бренд: Palo Alto Страницы: 44

Cisco ASA 5500 Series

Бренд: Cisco Страницы: 20

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды