Install Physical CipherTrust Manager Appliance
This section describes all the tasks you perform in your data center to:
Unpack and physically install a CipherTrust Manager appliance into a rack.
Change default passwords for the System Administrator (ksadmin) and the initial Admin user using a local serial connection and the initial DHCP assigned IP address.
For PED authenticated k570 models, initialize the embedded Luna PCIe HSM and PED key roles.
Prerequisites
The following items are required to install the CipherTrust Manager appliance in a rack, and deploy the CipherTrust Manager firmware.
Supported Appliances: CipherTrust Manager k470 or k570
#2 Philips screwdriver
hydraulic equipment lift
Terminal server, dumb terminal, PC, or laptop to establish an install serial connection to the appliance using the supplied USB to RJ45 adapter.
Firmware: CipherTrust Manager release 2.0 or later. (Contact Technical Support)
For PED authenticated k570 model only:
PIN Entry Device (PED)
Three PED keys (blue, red and black)
Verify the Integrity of Your Shipment
Caution
Thales employs a number of security measures to allow you to verify that your new hardware was not intercepted in transit or otherwise tampered with before you received it. To verify the authenticity and handling history of your received items, review the following checklist before you unpack your new hardware, and then follow the checklist as you unpack each received item.
Do the items received (individual items, part numbers) match those listed in the enclosed packing list? If yes, go to the next step. If no, contact Thales support.
Before you received the product, did you receive an advanced shipping notification providing details regarding the shipment (part numbers and serial numbers for the product and tamper-evident bags)? If yes, go to the next step. If no, contact Thales support.
Are all of the tamper-evident bag serial numbers and tamper-evident label serial numbers listed in the advanced shipping notification present, and do they match the actual tamper-evident bag/label serial numbers received? If yes, go to the next step. If no, contact Thales support.
Did you receive any tamper-evident bag/label serial numbers that are not listed on the advance shipping notification? If yes, contact Thales support. If no, go to the next step.
Are there any signs of physical tampering? If tamper-evident labels are affixed to the received product, have any of these labels been damaged? Have the tamper evident bags been damaged in any way? The tamper seals on the sides indicate tampering if they show the ALERT markings as illustrated below. If yes, contact Thales support. If no, go to the next step.
Check Received Items
This section provides a list of the components you should have received with your CipherTrust Manager order. If you ordered a PED-authenticated k570 model, some additional components are included as described in PED related order items.
Basic Order Items
1 CipherTrust Manager Appliance: Fits any standard 19-inch server rack.
Note
You can use the part number on the product label to verify the if the appliance's model is k470 or k570. The part number for k570 models also indicates whether the appliance is password-authenticated or PED authenticated.
2 power supply cords: One for each power supply, with connectors appropriate to your region of operation.
1 Adapter Cable: RJ45 to USB with a standard eight-pin, eight connector (8P8C) modular connector: Used to connect a console terminal to the appliance during initial configuration.
1 Front Ear Bracket Set: Set includes 2 front ear brackets and 4 bracket screws
1 Friction Rail Mounting Bracket Set: See Using the Supplied Mounting Brackets for installation instructions. Set includes: 2 side rails, 8 side rail screws, 2 sliding rear brackets (fit into the rails for rear support adjustable positioning)
Caution
The included mounting hardware is meant for static positioning of the appliance. The long tab that slides into the bracket, applied to each side of the appliance, is adjustable for fitting the appliance into racks of varying depth - it must not be used to extend the appliance out of the rack.
Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance, while attached to the rack, is required for maintenance. See Optional Items.1 Friction Rail Rack Mounting Screws/Cage Nuts: Set includes 8 M5 cage nuts and 8 M5x14 rack screws. If you did not receive this set, you can request one from Thales Group (part number: 216-000035-001) or obtain your own suitable screws/nuts.
1 Secure Locking Bezel: For maximum physical security, this faceplate bezel can restrict access to the CipherTrust Manager front-facing inputs. Some security standards require the use of this bezel. Leaving the appliance uncovered for ease of access might compromise physical security. Includes set of three (3) keys for each lock (locks are keyed differently).
Optional Items
You may have also ordered one or more of these optional items:
1 Sliding Rail Mounting Bracket Set: The CipherTrust Manager will fit into any standard 19-inch server rack. The optional sliding rail mounts allow for easy removal and access to the rear face of the appliance. See Using the Optional Sliding Rail System for installation instructions. The set includes 2 sliding rail mounts with removable side rails, 2 transformer brackets, 6 rail screws.
1 Sliding Rail Rack Mounting Screws Set: Set includes 8 M5x8 flat-headed screws. If you did not receive this set, you can request one from Thales Group (part number: 216-000034-001) or obtain your own suitable screws. If you do not use the screws included in this kit, ensure that the screw heads are flat enough so as not to interfere with the locking bezel.
SFP 10 Gbps Optical Ethernet transceiver modules: If you ordered the model with 2X10Gbps ports and 2X1Gbps ports, you should have received two SFP 10 Gbps Optical Ethernet transceiver modules, packed separately. To install:
Locate the two 2X10Gbps ports on the appliance rear panel. These ports are protected by plastic dust covers during shipment.
Remove these dust covers and insert a transceiver module in each port.
PED related order items for k570 models
If you ordered a PED-authenticated k570 model, you should have received some combination of the following items in addition to the basic order items.
1 PED device: This device is needed for authentication to the on-board PCIe HSM.
1 PED cable: This is a Type A to Mini B USB cable used to connect the PED device to your CipherTrust Manager.
Luna PED Power Supply Kit: If you ordered a Luna PED, your order should also include a Luna PED power supply kit with the appropriate power connection for your region. The power supply is auto-sensing and includes replaceable mains plug modules for international use.
Set of PED Keys and Labels: Your order should include a set of iKey PED keys and peel-and-stick labels.
Rack Mounting
If you intend to mount the CipherTrust Manager in a standard equipment rack, front ear brackets, side rails, rear slider brackets, and the necessary screws are packed separately in the carton. You may also have ordered the optional sliding rail mounting system. See Received Items for details. Instructions for installing both systems are provided below:
If you intend to use the supplied mounting brackets, see Using the Supplied Mounting Brackets.
If your order included the optional sliding rail mounting system, see Using the Optional Sliding Rail System. The sliding rails are recommended for ease of installation and maintenance.
Caution
Do not attempt to mount the appliance using only the front brackets – damage can occur.
Using the Supplied Mounting Brackets
Install and adjust the rails and brackets to suit your equipment rack. The standard mounting bracket set is designed for use in racks with a maximum depth of 27 inches (686 mm). For racks larger than 27 inches, a mounting tray or shelf is recommended.
Caution
The included mounting hardware is meant for static positioning of the appliance. The long tab that slides into the bracket, applied to each side of the appliance, is adjustable for fitting the appliance into racks of varying depth - it must not be used to extend the appliance out of the rack.
Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance, while attached to the rack, is required for maintenance. See Using the Optional Sliding Rail System.
Ensure you have all the necessary components before proceeding. In addition to the supplied components, you will need:
#2 Philips screwdriver
hydraulic equipment lift
Caution
If you are installing the appliance in a rack without a mounting tray or shelf, ensure that the appliance is supported at all times or damage may occur. Use of a hydraulic equipment lift is strongly recommended. If you do not have access to a lift, you will need at least one assistant to mount the appliance.
To mount the appliance
Install the two front ear mounting brackets on the appliance using the included screws and a #2 Phillips screwdriver.
Fit eight cage nuts into the rack space where you want to install the appliance. Ensure that they are spaced correctly.
Install the two side rails on either side of the appliance, using the included screws and a Phillips screwdriver. Note how the sliding rear brackets fit into the side rails.
Install the two sliding rear brackets in your equipment rack using four rack mounting screws.
Note
While any standard equipment rack screws should fit the brackets, certain large-headed screws may interfere with the operation of the secure locking bezel.
Using a hydraulic lift, raise the appliance to the level of the brackets and extend the lift into the rack.
Caution
Perform the next step from the rear of the server rack. Do not push the appliance off the lift without supporting its rear end.
From the rear of the server rack, pull the appliance back towards you until the sliding rear brackets fit into the side rails. Pull the appliance back onto the rear brackets until the front ear brackets meet the equipment rack.
Caution
Support the weight of the appliance with the hydraulic lift until all four brackets are secured.
Secure the front ear brackets using rack mounting screws.
Continue to Establish a Connection and Change Default Passwords.
Using the Optional Sliding Rail System
The optional sliding rail system allows for the appliance to be extended out in front of the equipment rack, possibly easing access to other racked appliances. This is rarely necessary.
The sliding rail mounts fit into any standard 19" equipment rack.
Ensure you have all the necessary components before proceeding. In addition to the supplied components, you will need a #2 Philips screwdriver.
To mount the appliance
Install the two front ear mounting brackets on the appliance using the included screws and a #2 Phillips screwdriver.
Fit the front end of each mount into either side of the rack and pull the spring-loaded latch at the rear to snap it in place.
Secure the rear end of each mount to the rack with two wide flat-headed screws.
Fasten the transformer bracket to each sliding mount with two wide flat-headed screws.
Loosely thread two small flat-headed screws into each side of the appliance. Fit each sliding rail over the screw heads and slide it forward into place before tightening the screws. Fasten each sliding rail with a third screw where it lines up with the hole on the appliance.
Fit the sliding rails onto the rack mounts until they lock into place.
The appliance now moves smoothly and securely on the rails.
Push the appliance all the way back and secure it to the transformer bracket with four rack screws.
Note
Screws with heads that are too large can prevent the locking bezel from fitting to the faceplate. Use the screws included with the appliance, or other screws with suitable heads.
Continue to Establish a Connection and Change Default Passwords.
Establish a Connection and Change Default Passwords
After you have rack-mounted the appliance, you must log in to the console to create a secure password for the ksadmin user, and then log in to the GUI to change the default SSH key and admin user password. Changing these defaults ensures the security of CipherTrust Manager and is required before beginning to create keys or engage in any other cryptographic usecases.
Connecting network cables
Insert the power (a) and network cables (b) at the rear panel.
Note
The physical location of the network ports (Eth0, Eth1, Eth2 and Eth3) are dependent on the appliance model. Correct locations for your model are printed on the rear panel.
For proper redundancy and best reliability, the power cables should connect to two completely independent power sources.
If you have a PED-authenticated k570 appliance, connect the PED directly to the appliance's USB port (on the rear panel's left side), using the included USB-to-MiniUSB PED cable.
Press and release the Start/Stop switch on the front panel to power up the appliance.
Connecting the Appliance to a Console Device
From the console you log in a the System Administrator ('ksadmin' user), create a secure password, start-up the system and access the IP address of the Graphical User Interface (GUI). You can connect a computer directly to the console port of the CipherTrust Manager Appliance using a serial connection.
Direct administration connection to the console via serial terminal is required for these reasons:
During initial configuration, you do not yet know the IP address dynamically allocated by your DHCP server.
After deployment, if you re-configure network settings (change the IP address) via SSH, you will lose the old IP address connection.
To open a serial connection:
Connect the serial port on the appliance's rear panel to a terminal server, dumb terminal, PC, or laptop, using the supplied Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter.
If the driver for the Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter did not download and install automatically, go to the Prolific Technology Inc website to download and install the PL2303 USB-to-Serial Windows driver.
Open Device Manager (Control Panel > Hardware > Device Manager) and expand the Ports (COM and LPT) folder. If the driver installed successfully, an entry is displayed for the Prolific USB-to-Serial Comm Port, followed by the port associated with the adapter. For example:
Prolific USB-to-Serial Comm Port (COM4)
Record the COM port (COM4 in this example) associated with the adapter. You will need this port number when you open a serial connection.
Use a terminal emulation package, such as PuTTY, to open a serial connection to the COM port associated with your Prolific USB-to-Serial adapter. Set the serial connection parameters as follows:
Baud rate: 19200
Data bits: 8
Parity: None
Stop bits: 1
Serial Port Pinout
The serial port uses a configuration equivalent to the Cisco Terminal Console. The Prolific Technologies Inc. RJ45-to-USB serial adapter cable uses a standard RJ45 pinout configuration:
When the connection is made, IP address information appears together with the appliance log in prompt: ciphertrust login:
Note
You may need to press ENTER several times to initiate the session.
Note
Windows 10 occasionally crashes when trying to detect a serial port. This is a known issue with the Windows 10 PL2303 drivers. If you experience trouble opening a serial connection using Windows 10, use another supported operating system.
As the System Administrator, enter "ksadmin" to log in and follow the prompts to create a secure password.
Caution
Be sure to retain this password - it will be required to access the system in case of network connectivity problems.
The system starts up, which can take several minutes.
Connecting to the GUI for the First Time
After the system starts up, in the Console Window, choose the KeySecure IP address for your network. Use this address to browse to the CipherTrust Manager GUI.
Note
The initial IP address is set via DHCP, which is displayed in the Console Window. If you need to set a static IP address, you can set it from the console using the
nmcli
tool after initializing the appliance. For details, refer to the Network Interface Configuration.The initial CipherTrust Manager GUI screen is displayed:
The error displayed is normal and simply requires the default SSH Public Key to be replaced.
As the System Administrator (ksadmin), paste in your SSH Public Key in the box provided and then select Add.
Note
The SSH Public Key must be a 'PEM-formatted RSA key'. You can generate this key using 'PuTTYgen' or similar utility. Save this SSH Public Key at a safe location. You will need this key for future SSH access.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment
Warning
Be sure to store and securely protect the associated private SSH key, as this key will be required to SSH to the appliance from this point on.
The initial Application Administrator can now log in.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
Note
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.
Enter a new password using this default Password Policy:
Min length: 8 Max length: 30 Min number of upper cases: 1 Min number of lower cases: 1 Min number of digits: 1 Min number of other characters: 1
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
Installing the Locking Bezel
For maximum physical access security, after you have powered on the appliance, fit the locking bezel over the appliance's faceplate. Certain security standards require the use of these physical access measures. The locks fit over the posts highlighted below.
Turn the keys to the vertical position to lock the bezel. The keys cannot be removed if the bezel is unlocked. The two locks are keyed differently, so the keys can be issued to different security personnel and kept in secure, separate locations.
Note
Leaving the keys in the bezel could interfere with closing the rack door, and compromise security.
Local HSM Configuration for k570
HSM configuration must be performed for k570 devices before beginning to create keys or engage in any other cryptographic usecases.
For PED-authenticated HSMs, you can also configure the HSM remotely. That configuration requires remote PED access from another site.
As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.The utility displays information on the detected HSM card and allows you to execute various HSM management commands.
Refer to the Luna PCIe HSM documentation for more details on these HSM commands.
Make sure an HSM admin slot is selected.
To see the available slots, enter:
lunacm:> slot list
Look for a slot with description "Admin Token Slot".
To select the active slot, enter:
lunacm:> slot set -slot <number>
Re-initialize the HSM.
lunacm:> hsm factoryReset lunacm:> hsm init -label <admin token slot label>
Note
At this point, you can use
slot list
to see that the slot with description "Admin Token Slot" now has a label.Initialize the Security Officer (SO) role:
lunacm:> role login -n so
For PED-authenticated devices, you are asked to present a blue HSM SO key to the PED for the SO
role login
. You can re-use an existing key or imprint a new key. Prompts on the PED screen guide you through these options.Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.
If you don't need this mode, skip to the next step.
If you do need this mode, change the HSM policy 12 to off. Refer to Luna PCI-e documentation or contact customer support for more details.
lunacm:> hsm changehsmpolicy -policy 12 -value 0
Warning
This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.
Create the first partition:
lunacm:> partition create lunacm:> slot list
Notice the slot with the slot description "User Token Slot". Remember the slot ID of this slot as this will be used in the next step.
lunacm:> role logout
Initialize partition and the partition SO role:
lunacm:> slot set -slot <slot number of user token slot created above> lunacm:> partition init -label <new partition label>
If your k570 is password authenticated, skip this step. If your k570 is PED-authenticated:
Respond to PED prompts to create the partition. You create PED keys for the partition SO token (blue) and the partition cloning domain token (red).
As the Partition SO, activate the partition.
Note
This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key. You can also configure remote PED access.
lunacm:> role login -name Partition SO lunacm:> partition changepolicy -policy 22 -value 1 lunacm:> partition changepolicy -policy 23 -value 1
As the Partition SO, initialize the Crypto officer role:
Enter the command to initialize.
lunacm:> role init -name Crypto Officer
Respond to prompts on the terminal and PED to create the initial Crypto Officer credential.
Caution
The Crypto Officer PED key or password is valid for the initial login only. The Crypto Officer must change this initial credential using the command
role changepw
immediately. Failing to change the credential results in a CKR_PIN_EXPIRED error when accessing the partition.If using PED authentication, create an initial Crypto Officer challenge secret. As with the PED key, it is valid for the first Crypto Officer login only and must be changed immediately.
lunacm:>role createchallenge -name Crypto Officer
Reset the Crypto Officer's credentials.
Log in the Crypto Officer. When prompted for the password, provide the initial password (password authentication) or challenge secret (PED authentication).
lunacm:> role login –name Crypto Officer
Run the following command, which will reset the Crypto Officer PED key secret or initial password. Respond to the PED and terminal prompts.
lunacm:> role changePw –name Crypto Officer
For PED authenticated HSM, change the initial challenge password. The passwords are not masked.
lunacm:> role changePw –name Crypto Officer –old <existing challenge secret> -newpw <new challenge secret>
Log in again to activate/cache the new Crypto Officer credentials.
lunacm:> role login –name Crypto Officer
Exit the
lunacm
utility.
HSM Root of Trust Configuration
Configure the k570 appliance to use the Luna PCIe HSM card using these steps:
Access the 'partition-label' and the 'partition challenge' created during the HSM initialization procedure. These are needed to use the CipherTrust Manager HSM API or CLI
hsm setup
command.You are now ready to configure the HSM as Root of Trust. Refer to CipherTrust Manager HSM Setup API or the CLI
hsm setup
command to configure the appliance to use your newly initialized Luna PCIe HSM. Root of Trust Configuration provides more details.
Remote PED Configuration
After initial configuration, you can set up remote PED access for the k570. In that way, you do not have to visit the data center to perform lunaCM and PED operations in the future. You might have to perform PED operations after setup to recover from power outages, or for rare, advanced troubleshooting scenarios.
As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "
/usr/safenet/lunaclient/bin/lunacm
" utility.View the available slots with
slot list
.Select the slot with the label "Admin Token Slot".
lunacm:>slot set -slot <slot_id_number>
Login with the Partition Security Officer role. On the PED, you are prompted to present the Blue Partition Security Officer key and enter its PIN.
lunacm:>role login -name so
Initialize the orange remote PED vector key. You are prompted to insert a PED key and follow PED prompts. You may create a new key or re-use an existing orange key.
lunacm:>ped vector -init
Prepare a workstation to act as a remote PED server to access the k570 in the data center.
Note
More details for remote PED server set up are available in Luna HSM Documentation.
Install Luna Client version 7.0.1 or above, with remote PED as an option.
Connect the remote PED to the workstation via USB, and to the power source via the power adapter.
Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt). Locate and run PedServer.exe. Set PedServer.exe to its "listening" mode.
c: > PedServer -m start Ped Server Version 1.0.6 (10006) Ped Server launched in startup mode. Starting background process Background process started Ped Server Process created, exiting this process. c:\PED\ >
Verify that the service has started with
pedserver -mode show
.Look for mention of the default Server Port "1503" (or other, if you specified a different listening port). In addition, "Ped2 Connection Status:" should say "Connected.” This indicates that the Luna PED that you connected was found by PED Server.
Example Output
PedServer.exe -m show Ped Server Version 1.0.6 (10006) Ped Server launched in status mode. Server Information: Hostname: host IP: 0.0.0.0 Firmware Version: 2.9.0-2 PedII Protocol Version: 1.0.1-0 Software Version: 1.0.6 (10006) Ped2 Connection Status: Connected Ped2 RPK Count 0 Ped2 RPK Serial Numbers (none) Client Information: Not Available Operating Information: Server Port: 1503 External Server Interface: Yes Admin Port: 1502 External Admin Interface: No PED Write Delay: 0 (microsecs) Server Up Time: 223 (secs) Server Idle Time: 158 (secs) (70%) Idle Timeout Value: 1800 (secs) Current Connection Time: 0 (secs) Current Connection Idle Time: 0 (secs) Current Connection Total Idle Time: 0 (secs) (100%) Total Connection Time: 122 (secs) Total Connection Idle Time: 62 (secs) (50%) Show command passed.
SSH to the k570 and open LunaCM.
ssh –I <key> ksadmin@<IP> /usr/safenet/lunaclient/bin/lunacm
Start the PED client on the k570.
ped connect -ip <remote_PED_workstation_IP> -port 1503