Remote PED-Authenticated k570 Initialization
If you wish to centralize PED (PIN entry Device) key access for k570 appliances from a headquarters, you can have your data center technicians initialize k570s with temporary PED keys. You can then establish a remote PED connection, and re-set the PED keys from a remote location.
Planning Number of PED keys
You will need to ship duplicate HSM SO (blue), HSM domain (red), and remote PED vector (orange) PED keys to the data center to establish the initial remote connection.
You can then reset the HSM SO blue key, and remote PED vector orange keys remotely for more long-term k570 HSM access. You can create new versions of these PED keys for each k570 appliance or reuse the same set of keys for multiple appliances.
For each HSM, you remotely create a partition to act as a root of trust. This partition requires a Partition SO (blue) PED key, a partition cloning domain (red) PED key and a Crypto Officer (black) PED key. You can create new versions of the blue and red partition PED keys for each k570 appliance or reuse the same set of keys for multiple HSMs.
All PED key roles have options for MofN quorum controls, so you may split the key secret across multiple PED keys if desired.
Prepare keys and a remote PED server setup at a central location
Fully install a k570 appliance in a central location, including HSM initialization and PED key imprinting. The PED prompts give options to duplicate blue HSM Security Officer and red Cloning Domain PED keys during initialization.
If you haven't already, duplicate the blue HSM Security Officer PED key and red Cloning Domain PED key. Create one blue key and one red key for each data center location. The PED need only be connected to outlet power. It does not need to be connected to the k570 appliance.
Note
More options for key duplication are described in Luna HSM documentation.
On the Luna PED, insert the desired key and press < to navigate to the main menu. Then, press 4 to enter Admin mode.
Press 7 on the PED keypad to duplicate
When prompted, insert a blank target PED key, or a non-blank whose data is no longer needed. Press Enter and respond to the prompts.
Remove the newly imprinted PED key and press Enter. The PED goes back to PED key mode awaiting further commands.
Repeat the above steps to duplicate the other PED key role.
Identify the new PED keys with tags or other markers, and record a PED PIN (if any) in secure fashion, according to your security policies.
Create an orange Remote PED key and duplicate it. This is required for a remote connection between the central PED and the remote data center. Create one orange key duplicate for each data center location.
Connect the PED to the k570 USB port. If the PED screen doesn't respond, connect the A/C adapter to the PED and to a power outlet as well.
As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.Login as SO with the command
role login -name SO
.Have an orange PED key ready. Create and imprint the RPV (Remote PED Vector):
hsm ped vector init
Respond to the PED prompts, and choose to make duplicate(s). Provide an orange PED key along with additional blanks to make duplicates.
Prepare a workstation to act as a remote PED server.
Note
More details for remote PED server set up are available in Luna HSM Documentation.
Install Luna Client version 7.0.1 or above, with remote PED as an option. This software is available on the Customer Support Portal.
Connect the remote PED to the workstation via USB. If the PED screen doesn't respond, connect the A/C adapter to the PED and to a power outlet as well.
Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt). Locate and run PedServer.exe. Set PedServer.exe to its "listening" mode.
c: > PedServer -m start Ped Server Version 1.0.6 (10006) Ped Server launched in startup mode. Starting background process Background process started Ped Server Process created, exiting this process. c:\PED\ >
Verify that the service has started with
pedserver -mode show
.Look for mention of the default port "1503" (or other, if you specified a different listening port). In addition, "Ped2 Connection Status:" should say "Connected.” This indicates that the Luna PED that you connected was found by PED Server.
Take note of the workstation's IP address. This is required for the k570 in the data center to initiate a connection to the workstation.
Ship the duplicate PED keys to their data center destinations.
Perform initial setup at the data center
As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.The utility displays information on the detected HSM card and allows you to execute various HSM management commands.
Make sure an HSM admin slot is selected.
To see the available slots, enter:
lunacm:> slot list
Look for a slot with description "Admin Token Slot".
To select the active slot, enter:
lunacm:> slot set -slot <number>
Re-initialize the HSM.
lunacm:> hsm factoryReset lunacm:> hsm init -label <admin token slot label>
Note
At this point, you can use
slot list
to see that the slot with description "Admin Token Slot" now has a label.You are asked to present a red HSM domain key to the PED. Following PED prompts, re-use the shipped red key.
Initialize the HSM Security Officer (SO) role:
lunacm:> role login -n so
You are asked to present a blue HSM SO key to the PED. Following PED prompts, re-use the shipped blue key.
Initialize the remote PED vector, to allow a remote connection from headquarters.
ped vector init
You are asked to present an orange remote PED key to the PED. Following PED prompts, present the shipped orange key.
Initialize the partition and re-set the PED keys
These steps are performed from the central headquarters location, using the Remote PED.
SSH to the remote HSM and open lunacm.
ssh –I <key> ksadmin@<IP> /usr/safenet/lunaclient/bin/lunacm
Establish remote PED connection from the k570 to the remote PED workstation at headquarters.
Note
Other approaches for establishing a PED connection are described in Luna Documentation.
ped connect -ip
-port 1503 Re-imprint blue and orange PED keys to change the passwords.
Overwrite the HSM remote PED vector key. Present the orange key to the remote PED.
role login -name so ped vector init role logout
Overwrite the HSM SO (blue) key to change the password. Present the blue key to the remote PED.
role login -name so role changepw -name so role logout
Exit and relaunch LunaCM to test the new set of orange and blue keys.
Re-establish the remote PED connection.
ped connect -ip <remote_PED_workstation_IP> -port 1503
Authenticate with the newly issued blue and orange keys.
role login -name so
Create the partition for the CipherTrust Manager root of trust and logout.
partition create role logout
Use
slot list
to view the slot number for the new partition and switch to that slot.slot list slot set -slot <slot number of user token slot created above>
Connect again.
ped connect -ip <remote_PED_workstation_IP> -port 1503
Initialize partition and the partition SO role.
partition init -label <new_partition_label> role login -name Partition SO
You are asked to create a new blue Partition SO key, or re-use an old one. Follow the PED prompts.
As the Partition SO, activate the partition.
Note
This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key.
lunacm:> partition changepolicy -policy 22 -value 1 lunacm:> partition changepolicy -policy 23 -value 1
As the Partition SO, initialize the Crypto officer role:
Enter the command to initialize.
lunacm:> role init -name Crypto Officer
Respond to prompts on the terminal and PED to create the initial Crypto Officer credential.
Caution
The Crypto Officer PED key is valid for the initial login only. The Crypto Officer must change this initial credential using the command
role changepw
immediately. Failing to change the credential results in a CKR_PIN_EXPIRED error when accessing the partition.If using PED authentication, create an initial Crypto Officer challenge secret. As with the PED key, it is valid for the first Crypto Officer login only and must be changed immediately.
lunacm:>role createchallenge -name co
Reset the Crypto Officer's credentials.
Log in the Crypto Officer. When prompted for the password, provide the initial challenge secret (PED authentication).
lunacm:> role login –name Crypto Officer
Run the following command, which will reset the Crypto Officer PED key secret. Respond to the PED and terminal prompts.
lunacm:> role changePw –name Crypto Officer
Change the initial challenge password. The passwords are not masked.
lunacm:> role changePw –name Crypto Officer –old <existing challenge secret> -newpw <new challenge secret>
Log in again to activate/cache the new Crypto Officer credentials.
lunacm:> role login –name Crypto Officer
Exit the
lunacm
utility.Repeat the initial data center set up and remote partition initialization for every k570 device in the data center.