Thales SafeNet Luna Network HSM 7.3 Скачать руководство пользователя страница 39 | Manualshive

Страница: 39 / 59

background image

Chapter 2: Client Connections

NTLS (SSL) Performance Issue

For modern HSM appliances, NTLS uses 2048-bit client/server certificates for client connections, rather than
the 1024-bit certs that were considered secure in the past.

This larger certificate size requires more overhead/system resources than before. For a single connection or
just a few simultaneous connection setups, the increased overhead is insignificant.

However, in a stress environment where (say) hundreds of concurrent connections are launched at once, you
might see connections fail. The appliance attempts to get to all the incoming requests, but inevitably
experiences delay on some. It eventually does get to all the session-open requests, but in a very intense flurry
of session-opening, it might be returning responses to a given client after that client has timed out some of its
own requests.

Once connections are set up, they can remain open and working with no problem up to the limit allowed by the
appliance - 800 concurrent connections.

Workaround

Ensure that your application does not attempt to open hundreds of client connections all at the same time
(space the setups over time - the problem is not how many sessions are open, but how many are in the startup
process at the same time).

Or if high-volume simultaneous launch of sessions from a single client is unavoidable, then increase the
receive timeout value (at the client) from the default 20 seconds to some larger value that eliminates the
problem for you.

The obvious trade-off is that the higher the receive timeout value is set on each client, the longer it takes for
failed connection attempts to be recognized and corrective measures to be taken.

Timeouts

Your network connections will timeout after a period of inactivity, as described below.

SSH Timeout

SSH connections to the appliance are cleaned up and torn down when no network activity has been detected
for 15 seconds. This timeout is not configurable. If your session times out, you must open a new SSH session.

NTLS Timeout

As a general rule, do not adjust timeout settings (either via the interface or in config files) unless instructed to
do so by Thales Group Technical Support.

Changing some settings can appear to improve performance until a situation is encountered where a process
does not have time to complete due to a shortened timeout value.

Making timeouts too long will usually not cause errors, but can cause apparent performance degradation in
some situations (HA).

Default settings have been chosen with some care, and should not be modified without good reason and full
knowledge of the consequences.

SafeNet Luna Network HSM 7.3 Appliance Administration Guide

007-013576-005 Rev. A 13 December 2019 Copyright 2001-2019 Thales

39

«
...
37
38
39
40
41
...
»

Содержание SafeNet Luna Network HSM 7.3

Страница 1: ...SafeNet Luna Network HSM 7 3 APPLIANCE ADMINISTRATION GUIDE ...

Страница 2: ...The copyright notice the confidentiality and proprietary legend and this full warning notice appear in all copies This document shall not be posted on any publicly accessible network computer or broadcast in any media and no modification of any part of this document shall be made Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities The informati...

Страница 3: ...n any application in which defective incorrect or insecure functioning could result in damage to persons or property denial of service or loss of privacy All intellectual property is protected by copyright All trademarks and product names used or referred to are the copyright of their respective owners No part of this document may be reproduced stored in a retrieval system or transmitted in any fo...

Страница 4: ... Hard Reboot 20 Automatic Restart Following a Power Interruption 21 Power Supply and Fan Maintenance 21 Replacing a Power Supply 21 The Fans 23 Summary 26 HSM Emergency Decommission Button 27 What the Emergency Decommission Button Does 27 Disabling Decommissioning 28 When to Use the Emergency Decommission Button 28 Serial Connections 28 Serial Pinout 30 Troubleshooting 30 Front Locking Bezel 30 Re...

Страница 5: ...er 43 Securing Your NTP Connection 44 References 45 Chapter 4 System Logging 46 About System Logging 46 Log Severity Levels 46 Hardware Monitoring and Logging 47 Configuring System Logging 47 Rotating System Logs 47 Customizing Severity Levels 48 Reading System Logs 49 Exporting System Logs 50 Deleting System Logs 51 Remote System Logging 51 Chapter 5 Backing Up the Appliance Configuration 54 Back...

Страница 6: ...STC that allows the SafeNet Cryptographic Engine the HSM inside the appliance to be shared as a service to network applications Like traditional servers that provide e mail web pages and file download FTP services to authenticated clients the HSM appliance offers HSM services to clients on the network As an Ethernet attached device the HSM appliance can be shared among many applications on a netwo...

Страница 7: ...ly perform the tasks assigned to them The information processes and procedures contained in this document are intended for use by trained and qualified personnel only It is assumed that the users of this document are proficient with security concepts Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information Notes No...

Страница 8: ...ommand line description Optionally enter the keyword or variable that is enclosed in square brackets if it is necessary or desirable to complete the task a b c a b c Represent required alternate keywords or variables in a command line description You must choose one command line argument enclosed within the braces Choices are separated by vertical OR bars a b c a b c Represent optional alternate k...

Страница 9: ...elease notes listing known problems and workarounds a knowledge base FAQs product documentation technical notes and more You can also use the portal to create and manage support cases NOTE You require an account to access the Customer Support Portal To create a new account go to the portal and click on the REGISTER link Telephone The support portal also lists telephone numbers for voice contact Co...

Страница 10: ...ff or Reboot the Appliance on page 19 Power Supply and Fan Maintenance on page 21 HSM Emergency Decommission Button on page 27 Serial Connections on page 28 Front Locking Bezel on page 30 Power Consumption on page 32 Physical Features The SafeNet Luna Network HSM is 1U high and fits into standard 19 inch equipment racks Front Panel The front panel is illustrated below with the secure locking bezel...

Страница 11: ...er off or Reboot the Appliance on page 19 F Fan status LEDs The appliance has three 3 cooling fans If these lights are illuminated the fans are working correctly G Ventilation fan filter cover Removable cover allows cleaning of air filter See also Power Supply and Fan Maintenance on page 21 H Fan bay securing screw Torx screw secures the fan bay CAUTION Opening to swap fan modules triggers a tampe...

Страница 12: ... cable see SafeNet Luna Network HSM Required Items on page 1 See also Installing the SafeNet Luna Network HSM Hardware on page 1 G Decommission button This button should only be pressed as part of decommissioning and zeroizing the appliance See also Declassify or Decommission the HSM Appliance on page 1 H Power supplies Connect the appliance to power For proper redundancy and best reliability the ...

Страница 13: ...ion of the LCD displays the current appliance state and related status codes The state can be one of the following ISO In Service Operational The appliance is operating normally All services are running and the appliance is providing encryption signing services as expected IST In Service Trouble The appliance is operational but is experiencing a fault condition The required services are operationa...

Страница 14: ...ut the status of the network interfaces 61 In Service Operational The eth1 interface is offline Use the LunaSH network show and service status network commands to display more information about the status of the network interfaces 62 In Service Operational The eth2 interface is offline Use the LunaSH network show and service status network commands to display more information about the status of t...

Страница 15: ...oot the issue 90 In Service Trouble The SSH service is not running Use the LunaSH service status ssh command to display more information about the status of the syslog service and the syslog tail command to view the system logs to help troubleshoot the issue 110 In Service Trouble Hard disk utilization is too high Use the LunaSH syslog tarlogs command to create a tar archive of the logs and then u...

Страница 16: ...cription What Happens When You Tamper Including Opening the Fan Bay The following sequence illustrates how a tamper event affects the HSM and your use of it You do not need to perform all these steps Many are included for illustrative purposes and to emphasize the state of the appliance and of the enclosed HSM at each stage Action Result State First we place the HSM in its basic operational condit...

Страница 17: ...SM driver times out the command line prompt is still available until you issue a command that attempts to access the HSM at which point the driver goes into time out the entire system stops responding for approximately ten minutes you can wait it out or you can reboot the system has detected a tamper event system resumes run sysconf appliance reboot or press the restart Stop Start switch on the ba...

Страница 18: ...073 logged the following internal event RESTART 0x0000002f 133103 13 01 28 14 47 35 S N 150073 HSM with S N 150073 logged the following internal event LOG resync 0x0000002e Command Result 0 Success hsm tamper show WARNING Tamper s Detected hsm login not permitted LUNA_RET_MTK_ZEROIZED hsm tamper clear Clear the HSM tamper The HSM SO must be logged in to issue this command hsm login This time it wo...

Страница 19: ...M has both splits available and can immediately reconstitute the MTK and go on operating normally without further intervention from you Power on Power off or Reboot the Appliance This section describes how to power on power off or reboot the appliance It contains the following sections Power On below Power Off on the next page Reboot on the next page Hard Reboot on the next page Automatic Restart ...

Страница 20: ... panel of the system or issue the sysconf appliance reboot command To switch off the system issue the sysconf appliance poweroff command or use the START STOP switch on the SafeNet Luna Network HSM front panel If you issue the poweroff command the system requests that you confirm by typing proceed After you type proceed the system returns a success message From that point the orderly shutdown take...

Страница 21: ...Fan Maintenance The two power supplies in the SafeNet Luna Network HSM appliance are hot swap capable meaning that one is sufficient to power the appliance while the other is removed and replaced with no service interruption The indicator light LED on each power supply shows different behavior depending upon conditions Power Supply Condition Power Supply LED DC present only standby output on Flash...

Страница 22: ...ply 3 Press the lever sideways to release the power supply retaining catch and simultaneously pull the handle out toward you Withdraw the power supply completely using your other hand to support the body of the power supply as it emerges SafeNet Luna Network HSM 7 3 Appliance Administration Guide 007 013576 005 Rev A 13 December 2019 Copyright 2001 2019 Thales 22 ...

Страница 23: ...urled captive thumb screw and a Torx T8 screw The knurled screw can be fastened or released without tools It secures the lattice screen that in turn retains the mesh air filter While we recommend controlled atmosphere environments for greatest longevity and reliability of the equipment we recognize that some environments might include some dust in the air The mesh filter traps larger particulate m...

Страница 24: ...or a blunt tool to tuck in the corners 5 Then replace the lattice in front of the mesh by inserting the tabs first then swinging the lattice closed like a door and securing with the knurled screw Replacing a Fan The three fan modules each containing two in line fans provide cooling redundancy If one fan or module fails it is detected by sensors View a summary of appliance sensor conditions by runn...

Страница 25: ... either case you can examine the log for tamper events syslog tail search tamper entries 200 To replace a fan 1 To open the fan bay use a Torx number 8 screwdriver to remove the screw that secures the right side tab of the fan retainer 2 The fan retainer is anchored at its left by two tabs swing the retainer out like a door and remove it There is no need to separate the filter mesh and its retaine...

Страница 26: ...used by opening the fan bay 8 You will also need to re Activate your HSM Partitions partition activate partition name_of_partition so that they once more become available to your registered clients Summary Removing cleaning and replacing the fan filter the black mesh behind the grille does not cause a tamper and can be done at any time without disrupting your Clients Opening the fan bay behind the...

Страница 27: ...ze the HSM 2 Reinitialize the audit role and reconfigure auditing 3 Recreate the partitions 4 Reinitialize the partition roles Event Summary Here is what you would observe after the button is depressed The LCD on the appliance front panel freezes Communication to the HSM key card is blocked as is the software process that polls the HSM for status At this point you must power cycle the SafeNet appl...

Страница 28: ...hin the HSM You might find other uses in your organization What to do after decommission if the SafeNet Luna Network HSM is being returned to Gemalto 1 Obtain a Return Material Authorization and shipping instructions from Gemalto if you have not already done so 2 Pack the appliance and ship it to Gemalto Serial Connections You can use a serial connection to connect a computer directly to the SafeN...

Страница 29: ...d by the port associated with the adapter For example Prolific USB to Serial Comm Port COM4 Record the COM port COM4 in this example associated with the adapter You will need this port number when you open a serial connection 4 Use a terminal emulation package such as PuTTY to open a serial connection to the COM port associated with your Prolific USB to Serial adapter Set the serial connection par...

Страница 30: ...shes when trying to detect a serial port This is a known issue with the Windows 10 PL2303 drivers If you experience trouble opening a serial connection using Windows 10 use another supported operating system Front Locking Bezel Your order may have included an optional front locking bezel pictured below The locking bezel fits over the HSM s faceplate for maximum physical access security Certain sec...

Страница 31: ...zel over the posts with both keys in the horizontal position 2 Turn the keys to the vertical position to lock the bezel Remove the keys and store them in a secure location NOTE Leaving the keys in the bezel may interfere with closing the rack door and compromise security Replacement Keys To obtain replacement keys contact Technical Support see Support Contacts on page 1 Please have the lock serial...

Страница 32: ...trical mains but not powered on 26W typical Power on Input Surge 15A typical 40A at 90 132VAC max 60A at 180 265VAC max Active under load from clients 84W typical 100W max The SafeNet appliance has two power supplies each rated at 350W either of which is capable of running the system alone SafeNet Luna Network HSM 7 3 Appliance Administration Guide 007 013576 005 Rev A 13 December 2019 Copyright 2...

Страница 33: ...s set Maximum number of clients that can connect to one SafeNet Luna Network HSM appliance at the same time No hard limit is set but see below Maximum number of connections per registered client No hard limit is set but see below Maximum number of connections in total to a single SafeNet Luna Network HSM appliance For SafeNet Luna Network HSM 5 2 and newer no hard limit is set SafeNet Luna Network...

Страница 34: ...put gains are intended The following conditions and recommendations apply to the port bonding feature Bonded interfaces must both be attached to the same network segment For example if a bonded interface of IP 192 168 9 126 is chosen both interfaces must be connected to devices that can access the 192 168 9 network Bonded interfaces must use static addressing Avoid executing bonding commands while...

Страница 35: ... SafeNet appliance Administrator account userid admin uses standard password authentication userid password You can also choose to use Public Key based Authentication for SSH access The relevant commands to manage Public Key Authentication are described here Public Key Authentication to a SafeNet Appliance Using UNIX SSH Clients The following is an example exercise to illustrate the use of Public ...

Страница 36: ...a lunash my public key add id_rsa pub Command Result 0 Success 7 Check the list again myLuna lunash my public key list SSH Public Keys for user admin Name Type Bits Fingerprint id_rsa pub ssh rsa 1024 6e 7a 7e e1 2a 54 8f 99 3e 6a 56 f8 38 22 fb a6 Command Result 0 Success Notice that the fingerprint reported is the same as was generated back on mypc 8 From mypc SSH into myLuna you should not be p...

Страница 37: ...Authentication functions you could SSH in again from Windows and other UNIX clients and verify that you are still password prompted as normal for those clients Verify that the client list is always accurate Delete one or two of your public key clients Verify that those clients are password prompted again Clear all public key clients with the clear sub command Verify that all clients are password p...

Страница 38: ...er methods of debugging should be attempted before restarting NTLS Examples are Confirming the fingerprint of the client certificate and the server certificate at both the client and the server the SafeNet appliance Verifying that the client is registered and has at least one Partition assigned to it Impact of the service restart ntls Command If you perform a service restart ntls on a live or prod...

Страница 39: ...igh volume simultaneous launch of sessions from a single client is unavoidable then increase the receive timeout value at the client from the default 20 seconds to some larger value that eliminates the problem for you The obvious trade off is that the higher the receive timeout value is set on each client the longer it takes for failed connection attempts to be recognized and corrective measures t...

Страница 40: ...alue of 20 seconds provides a worst case scenario over a larger WAN but may be inappropriate for some SafeNet Luna Network HSM deployments such as SafeNet Luna HSMs in an HA configuration where a quicker determination of the health of the SafeNet Luna Network HSM system is required This value can be set in the SafeNet Luna Network HSM configuration file as follows Windows crystoki ini LunaSA Clien...

Страница 41: ...how is a localized abbreviation For example the following three commands set the time zone code to EST or EDT depending on whether Daylight Saving Time DST is currently in effect sysconf timezone set America Kentucky Louisville sysconf timezone set America Toronto sysconf timezone set EST5EDT If you choose a named time zone the system automatically adjusts for DST on the appropriate dates If you c...

Страница 42: ...r several days and describe how to correct it using the appliance s sysconf drift local drift correction commands To establish time drift and set drift correction 1 Begin drift measurement This also sets the time In order to establish the drift and its correction accurate time must be used when beginning and ending drift measurement One method is to use NTP on a different computer that has no conn...

Страница 43: ...le from a variety of public servers We recommend using a more secure NTP server that supports symmetric or public key authentication as described in Securing Your NTP Connection on the next page Alternatively your organization might have established its own NTP server s Contact your IT manager or security officer for details For more information about NTP authentication see References on page 45 N...

Страница 44: ...list of trusted keys lunash sysconf ntp symmetricauth trustedkeys add keyID 4 Add the trusted NTP server using the key option to enter the key ID for that server lunash sysconf ntp addserver NTPserver key keyID 5 Check the NTP connection lunash sysconf ntp status Using Public Key AutoKey Authentication This method uses asymmetric keys held by the NTP server and client An identity scheme is used to...

Страница 45: ...q NTP s config adv htm S CONFIG ADV AUTH 3 NTP Public Key Authentication http www ntp org ntpfaq NTP s config adv htm Q CONFIG ADV AUTH AUTOKEY 4 Autokey Identity Schemes http www eecis udel edu mills ident html 5 ntp keygen tool http doc ntp org 4 2 6 keygen html 6 NTP Server configuration options http doc ntp org 4 2 6 confopt html SafeNet Luna Network HSM 7 3 Appliance Administration Guide 007 ...

Страница 46: ...1 where you set rotation and other parameters to suit your own monitoring and management schedule You can configure flexible logs to gather only information you consider relevant or send different logs to different remote hosts NOTE Syslog format is in accordance with RFC 5424 See Syslog Introduction on page 1 for information on reading and interpreting system log messages Log Severity Levels Even...

Страница 47: ... the current logging configuration in LunaSH with syslog show This section contains the following system logging procedures Rotating System Logs below Customizing Severity Levels on the next page Reading System Logs on page 49 Exporting System Logs on page 50 Deleting System Logs on page 51 Rotating System Logs System logs are gathered in a current log file that is periodically rotated and saved o...

Страница 48: ...he appliance maximum 100 logs rotated monthly lunash syslog rotations _of_rotations lunash syslog rotations 5 Log rotations set to 5 Command Result 0 Success To manually rotate the current log file Use syslog rotate see syslog rotate on page 1 This command ensures that the most recent logs are included when exporting them off the appliance lunash syslog rotate lunash syslog rotate Command Result 0...

Страница 49: ...wish to customize lunalogs messages cron secure boot Reading System Logs You can search the current log rotation for recent events without exporting log files Rotated logs must be exported to a client workstation to be read For a detailed guide to reading and interpreting system log messages see About the Monitoring Guide on page 1 in the Syslog and SNMP Monitoring Guide Syslog format is in accord...

Страница 50: ...ple this command will display all alarm messages from the last 200000 log entries lunash syslog tail logname messages entries 200000 search ALM 2017 Apr 17 11 00 45 local_host kern info kernel k7pf0 HSM ALM2006 HSM decommissioned by FW 2017 Apr 17 11 00 48 local_host kern info kernel k7pf0 HSM ALM2014 Auto activation data invalid HSM deactivated 2017 Apr 17 11 01 12 local_host kern info kernel k7p...

Страница 51: ...rrent logs then deletes ALL THE LOG FILES If you are sure that you wish to proceed then type proceed otherwise type quit proceed Proceeding Creating tarlogs then deleting all log files The tar file containing logs is now available via scp as filename logs_cleanup_20170301_ 1443 tgz Please copy logs_cleanup_20170301_1443 tgz to a client machine with scp Deleting log files restart the rsyslogd servi...

Страница 52: ...log OK Starting syslog OK 192 10 10 101 added successfully Make sure the rsyslog service on 192 10 10 101 is properly configured to receive the logs Command Result 0 Success By default the remote server will now receive lunalogs messages secure and boot logs at the info level and above and cron logs at the notice level and above See Customizing Remote Logging Severity Levels on the next page to sp...

Страница 53: ...age 1 lunash syslog severity set logname logname loglevel loglevel host hostname IP lunash syslog severity set logname lunalogs loglevel critical host 192 10 10 101 This command sets the severity level of lunalogs remote log messages Only messages with the severity equal to or higher than the new log level critical will be sent to 192 10 10 101 Stopping syslog OK Starting syslog OK Command Result ...

Страница 54: ... config backup command at any time to create a backup file that contains the current state of all service parameters configured on the appliance You can create multiple backup files and provide a description for each file allowing you to backup and restore multiple different configurations The backup files are stored on the file system by default You can export them to the internal HSM or an exter...

Страница 55: ...conf config restore command with the file created after upgrade Managing your configuration backup files If you wish you can keep only the backup files that you find useful and individually delete any others using the sysconf config delete command You can also use the sysconf config clear command to delete all of your configuration files if desired Note that the configuration backup file area is a...

Страница 56: ... factory reset of the chosen configuration parameter users Net_HSM lunash sysconf config factoryReset service users WARNING This command resets the configuration of the selected service s to factory defaults Resetting services to factory defaults can affect connectivity and the operation of the HSM If you are sure that you wish to proceed then type proceed otherwise type quit proceed Proceeding Re...

Страница 57: ...fully Password change successful The reset to factory appliance settings for the users parameter seems to have worked Our admin password was reset to the default password PASSWORD and we had to apply a non default password 5 With that done we can verify if additional aspects of the users parameters were also reset to factory spec Net_HSM lunash user list Users Roles Status RADIUS admin admin enabl...

Страница 58: ... you are sure that you wish to proceed then type proceed otherwise type quit proceed Proceeding hsm supportInfo successful Use scp from a client machine to get file named supportInfo txt Broadcast message from root pts 1 Wed Feb 22 08 00 41 2012 The system is going down for reboot NOW Reboot commencing Command Result 0 Success 7 After rebooting again we are able to log in with our original admin p...

Страница 59: ...ives you two target options The internal HSM of your SafeNet Luna Network HSM appliance This could be useful if a component failed in the appliance you sent the appliance back to SafeNet for rework under the RMA procedure received it back repaired and then retrieved the file from your HSM to restore your appliance settings An external HSM such as a Backup HSM or token This could be useful if the c...

Отзывы:

Нет отзывов

Похожие инструкции для SafeNet Luna Network HSM 7.3

Бренд: GE Страницы: 2

Spacemaker 7-5400

Бренд: GE Страницы: 12

Split Vision VSLR3

Бренд: Federal Signal Corporation Страницы: 4

Бренд: Japan' Gold Страницы: 5

Бренд: bester Страницы: 68

Бренд: Sylvania Страницы: 12

Бренд: Insignia Страницы: 28

Бренд: CEA Страницы: 92

Бренд: Speco Страницы: 104

Бренд: GE Страницы: 28

EZH2O LZWS-LRPBM28K

Бренд: Elkay Страницы: 4

Бренд: Q-See Страницы: 10

Бренд: Fbt Страницы: 52

Бренд: WAGO Страницы: 46

Бренд: Parweld Страницы: 16

Бренд: Parweld Страницы: 16

Бренд: Black Страницы: 27

Бренд: XtendLan Страницы: 26

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды