Install Physical CipherTrust Manager Appliance
This section describes the installation tasks you perform in your data center to set up a k470 or k570 CipherTrust Manager appliance.
Note
k160 set up instructions are available here.
Setup tasks include:
Unpacking and physically installing the appliance into a rack.
Changing default passwords for the System Administrator (ksadmin) and the initial admin user using a local serial connection and the initial DHCP-assigned IP address.
For PED authenticated k570 models, initializing the embedded Luna PCIe HSM and PED key roles.
The basic workflow for deploying a physical appliance is shown in the diagram below.
k470 and k570 Prerequisites
The following items are required to install the CipherTrust Manager appliance in a rack, and deploy the CipherTrust Manager firmware.
Supported Appliances: CipherTrust Manager k470 or k570
#2 Phillips screwdriver
hydraulic equipment lift
Terminal server, dumb terminal, PC, or laptop to establish an install serial connection to the appliance using the supplied USB to RJ45 adapter.
Firmware: CipherTrust Manager release 2.0 or later. (Contact Technical Support)
For PED authenticated k570 model only:
PIN Entry Device (PED)
Three PED keys (blue, red and black)
Verify the Integrity of Your k470 or k570 Shipment
Caution
Thales employs a number of security measures to allow you to verify that your new hardware was not intercepted in transit or otherwise tampered with before you received it. To verify the authenticity and handling history of your received items, review the following checklist before you unpack your new hardware, and then follow the checklist as you unpack each received item.
Do the items received (individual items, part numbers) match those listed in the enclosed packing list? If yes, go to the next step. If no, contact Thales support.
Before you received the product, did you receive an advanced shipping notification providing details regarding the shipment (part numbers and serial numbers for the product and tamper-evident bags)? If yes, go to the next step. If no, contact Thales support.
Are all of the tamper-evident bag serial numbers and tamper-evident label serial numbers listed in the advanced shipping notification present, and do they match the actual tamper-evident bag/label serial numbers received? If yes, go to the next step. If no, contact Thales support.
Did you receive any tamper-evident bag/label serial numbers that are not listed on the advance shipping notification? If yes, contact Thales support. If no, go to the next step.
Are there any signs of physical tampering? If tamper-evident labels are affixed to the received product, have any of these labels been damaged? Have the tamper evident bags been damaged in any way? The tamper seals on the sides indicate tampering if they show the ALERT markings as illustrated below. If yes, contact Thales support. If no, go to the next step.
Check Received k470 or k570 Items
This section provides a list of the components you should have received with your CipherTrust Manager k470 or k570 order. If you ordered a PED-authenticated k570 model, some additional components are included as described in PED related order items.
Basic Order Items
1 CipherTrust Manager Appliance: Fits any standard 19-inch server rack.
Note
You can use the part number on the product label to verify whether the appliance's model is k470 or k570. The part number for k570 models also indicates whether the appliance is password-authenticated or PED-authenticated.
2 power supply cords: One for each power supply, with connectors appropriate to your region of operation.
1 Adapter Cable: RJ45 to USB with a standard eight-pin, eight connector (8P8C) modular connector: Used to connect a console terminal to the appliance during initial configuration.
1 Front Ear Bracket Set: Set includes 2 front ear brackets and 4 bracket screws
1 Friction Rail Mounting Bracket Set: See Using the Supplied Mounting Brackets for installation instructions. Set includes: 2 side rails, 8 side rail screws, 2 sliding rear brackets (fit into the rails for rear support adjustable positioning)
Caution
The included mounting hardware is meant for static positioning of the appliance. The long tab that slides into the bracket, applied to each side of the appliance, is adjustable for fitting the appliance into racks of varying depth - it must not be used to extend the appliance out of the rack.
Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance, while attached to the rack, is required for maintenance. See Optional Items.
1 Friction Rail Rack Mounting Screws/Cage Nuts: Set includes 8 M5 cage nuts and 8 M5x14 rack screws. If you did not receive this set, you can request one from Thales Group (part number: 216-000035-001) or obtain your own suitable screws/nuts.
1 Secure Locking Bezel: For maximum physical security, this faceplate bezel can restrict access to the CipherTrust Manager front-facing inputs. Some security standards require the use of this bezel. Leaving the appliance uncovered for ease of access might compromise physical security. Includes set of three (3) keys for each lock (locks are keyed differently).
Optional Items
You may have also ordered one or more of these optional items:
1 Sliding Rail Mounting Bracket Set: The CipherTrust Manager will fit into any standard 19-inch server rack. The optional sliding rail mounts allow for easy removal and access to the rear face of the appliance. See Using the Optional Sliding Rail System for installation instructions. The set includes 2 sliding rail mounts with removable side rails, 2 transformer brackets, 6 rail screws.
1 Sliding Rail Rack Mounting Screws Set: Set includes 8 M5x8 flat-headed screws. If you did not receive this set, you can request one from Thales Group (part number: 216-000034-001) or obtain your own suitable screws. If you do not use the screws included in this kit, ensure that the screw heads are flat enough so as not to interfere with the locking bezel.
SFP 10 Gbps Optical Ethernet transceiver modules: If you ordered the model with 2X10Gbps ports and 2X1Gbps ports, you should have received two SFP 10 Gbps Optical Ethernet transceiver modules, packed separately. To install:
Locate the two 2X10Gbps ports on the appliance rear panel. These ports are protected by plastic dust covers during shipment.
Remove these dust covers and insert a transceiver module in each port.
PED related order items for k570 models
If you ordered a PED-authenticated k570 model, you should have received some combination of the following items in addition to the basic order items.
1 PED device: This device is needed for authentication to the on-board PCIe HSM.
1 PED cable: This is a Type A to Mini B USB cable used to connect the PED device to your CipherTrust Manager.
Luna PED Power Supply Kit: If you ordered a Luna PED, your order should also include a Luna PED power supply kit with the appropriate power connection for your region. The power supply is auto-sensing and includes replaceable mains plug modules for international use.
Set of PED Keys and Labels: Your order should include a set of iKey PED keys and peel-and-stick labels.
Rack Mounting k470 or k570
If you intend to mount the CipherTrust Manager in a standard equipment rack, front ear brackets, side rails, rear slider brackets, and the necessary screws are packed separately in the carton. You may also have ordered the optional sliding rail mounting system. See Received Items for details. Instructions for installing both systems are provided below:
If you intend to use the supplied mounting brackets, see Using the Supplied Mounting Brackets.
If your order included the optional sliding rail mounting system, see Using the Optional Sliding Rail System. The sliding rails are recommended for ease of installation and maintenance.
Caution
Do not attempt to mount the appliance using only the front brackets – damage can occur.
Using the Supplied Mounting Brackets
Install and adjust the rails and brackets to suit your equipment rack. The standard mounting bracket set is designed for use in racks with a maximum depth of 27 inches (686 mm). For racks larger than 27 inches, a mounting tray or shelf is recommended.
Caution
The included mounting hardware is meant for static positioning of the appliance. The long tab that slides into the bracket, applied to each side of the appliance, is adjustable for fitting the appliance into racks of varying depth - it must not be used to extend the appliance out of the rack.
Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance, while attached to the rack, is required for maintenance. See Using the Optional Sliding Rail System.
Ensure you have all the necessary components before proceeding. In addition to the supplied components, you will need:
#2 Phillips screwdriver
hydraulic equipment lift
Caution
If you are installing the appliance in a rack without a mounting tray or shelf, ensure that the appliance is supported at all times or damage may occur. Use of a hydraulic equipment lift is strongly recommended. If you do not have access to a lift, you will need at least one assistant to mount the appliance.
To mount the appliance
Install the two front ear mounting brackets on the appliance using the included screws and a #2 Phillips screwdriver.
Fit eight cage nuts into the rack space where you want to install the appliance. Ensure that they are spaced correctly.
Install the two side rails on either side of the appliance, using the included screws and a Phillips screwdriver. Note how the sliding rear brackets fit into the side rails.
Install the two sliding rear brackets in your equipment rack using four rack mounting screws.
Note
While any standard equipment rack screws should fit the brackets, certain large-headed screws may interfere with the operation of the secure locking bezel.
Using a hydraulic lift, raise the appliance to the level of the brackets and extend the lift into the rack.
Caution
Perform the next step from the rear of the server rack. Do not push the appliance off the lift without supporting its rear end.
From the rear of the server rack, pull the appliance back towards you until the sliding rear brackets fit into the side rails. Pull the appliance back onto the rear brackets until the front ear brackets meet the equipment rack.
Caution
Support the weight of the appliance with the hydraulic lift until all four brackets are secured.
Secure the front ear brackets using rack mounting screws.
Continue to Establish a Connection and Change Default Passwords.
Using the Optional Sliding Rail System
The optional sliding rail system allows for the appliance to be extended out in front of the equipment rack, possibly easing access to other racked appliances. This is rarely necessary.
The sliding rail mounts fit into any standard 19" equipment rack.
Ensure you have all the necessary components before proceeding. In addition to the supplied components, you will need a #2 Phillips screwdriver.
To mount the appliance
Install the two front ear mounting brackets on the appliance using the included screws and a #2 Phillips screwdriver.
Fit the front end of each mount into either side of the rack and pull the spring-loaded latch at the rear to snap it in place.
Secure the rear end of each mount to the rack with two wide flat-headed screws.
Fasten the transformer bracket to each sliding mount with two wide flat-headed screws.
Loosely thread two small flat-headed screws into each side of the appliance. Fit each sliding rail over the screw heads and slide it forward into place before tightening the screws. Fasten each sliding rail with a third screw where it lines up with the hole on the appliance.
Fit the sliding rails onto the rack mounts until they lock into place.
The appliance now moves smoothly and securely on the rails.
Push the appliance all the way back and secure it to the transformer bracket with four rack screws.
Note
Screws with heads that are too large can prevent the locking bezel from fitting to the faceplate. Use the screws included with the appliance, or other screws with suitable heads.
Continue to Establish a Connection and Change Default Passwords.
Establish a Connection and Change Default Passwords for k470 or k570
After you have rack-mounted the appliance, you must log in to the console to create a secure password for the ksadmin user, and then log in to the GUI to change the default SSH key and admin user password. Changing these defaults ensures the security of CipherTrust Manager and is required before beginning to create keys or engage in any other cryptographic use cases.
Connecting network cables
Insert the power (a) and network cables (b) at the rear panel.
Note
The physical location of the network ports (Eth0, Eth1, Eth2 and Eth3) depends on the appliance model. Correct locations for your model are printed on the rear panel.
For proper redundancy and best reliability, the power cables should connect to two completely independent power sources.
If you have a PED-authenticated k570 appliance, connect the PED directly to the appliance's USB port (on the rear panel's left side), using the included USB-to-MiniUSB PED cable.
Press and release the Start/Stop switch on the front panel to power up the appliance.
Connecting the Appliance to a Console Device for k470 or k570
From the console you log in as the System Administrator ('ksadmin' user), create a secure password, start up the system, and obtain the IP address of the Graphical User Interface (GUI). You can connect a computer directly to the console port of the CipherTrust Manager Appliance using a serial connection.
Direct administration connection to the console via serial terminal is required for these reasons:
During initial configuration, you do not yet know the IP address dynamically allocated by your DHCP server.
After deployment, if you re-configure network settings (change the IP address) via SSH, you will lose the old IP address connection.
To open a serial connection
Connect the serial port on the appliance's rear panel to a terminal server, dumb terminal, PC, or laptop, using the supplied Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter.
If the driver for the Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter did not download and install automatically, go to the Prolific Technology Inc website to download and install the PL2303 USB-to-Serial Windows driver.
Open Device Manager (Control Panel > Hardware > Device Manager) and expand the Ports (COM and LPT) folder. If the driver installed successfully, an entry is displayed for the Prolific USB-to-Serial Comm Port, followed by the port associated with the adapter. For example:
Prolific USB-to-Serial Comm Port (COM4)
Record the COM port (COM4 in this example) associated with the adapter. You will need this port number when you open a serial connection.
Use a terminal emulation package, such as PuTTY, to open a serial connection to the COM port associated with your Prolific USB-to-Serial adapter. Set the serial connection parameters as follows:
Baud rate: 19200
Data bits: 8
Parity: None
Stop bits: 1
Serial Port Pinout
The serial port uses a configuration equivalent to the Cisco Terminal Console. The Prolific Technologies Inc. RJ45-to-USB serial adapter cable uses a standard RJ45 pinout configuration:
When the connection is made, the appliance login prompt is displayed: ciphertrust login:
Note
You may need to press ENTER several times to initiate the session.
Note
Windows 10 occasionally crashes when trying to detect a serial port. This is a known issue with the Windows 10 PL2303 drivers. If you experience trouble opening a serial connection using Windows 10, use another supported operating system.
Press Ctrl+C to display the IP address. Retain this value to connect to the GUI for the first time.
As the System Administrator, enter "ksadmin" to log in and follow the prompts to create a secure password.
Caution
Be sure to retain this password - it will be required to access the system in case of network connectivity problems.
The system starts up, which can take several minutes.
Connecting to the GUI for the First Time
After the system starts up, in the Console Window, choose the KeySecure IP address for your network. Use this address to browse to the CipherTrust Manager GUI.
Note
The initial IP address is set via DHCP, and is accessible through the Console Window. If you need to set a static IP address, you can set it from the console using the nmcli tool. For details, refer to the Network Configuration Tutorial. nmcli can also be used to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.
The initial CipherTrust Manager GUI screen is displayed:
The error displayed is normal and simply requires the default SSH Public Key to be replaced.
As the System Administrator (ksadmin), paste in your SSH Public Key in the box provided and then select Add.
Note
The SSH Public Key must be a 'PEM-formatted RSA key'. You can generate this key using 'PuTTYgen' or similar utility. Save this SSH Public Key at a safe location. You will need this key for future SSH access.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.
Warning
Be sure to store and securely protect the associated private SSH key, as this key will be required to SSH to the appliance from this point on.
The initial Application Administrator can now log in.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
Note
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.
Enter a new password using this default Password Policy:
Min length: 8
Max length: 30
Min number of upper case characters: 1
Min number of lower case characters: 1
Min number of digits: 1
Min number of other characters: 1
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Installing the Locking Bezel for k570 or k470
For maximum physical access security, after you have powered on the appliance, fit the locking bezel over the appliance's faceplate. Certain security standards require the use of these physical access measures. The locks fit over the posts highlighted below.
Turn the keys to the vertical position to lock the bezel. The keys cannot be removed if the bezel is unlocked. The two locks are keyed differently, so the keys can be issued to different security personnel and kept in secure, separate locations.
Note
Leaving the keys in the bezel could interfere with closing the rack door, and compromise security.
Local HSM Configuration for k570
HSM configuration must be performed for k570 devices before beginning to create keys or engage in any other cryptographic use cases.
For PED-authenticated HSMs, you can also configure the HSM remotely. That configuration requires remote PED access from another site.
Thales k570 Configuration
The Thales CipherTrust Manager k570 differs from the Thales Cyber Technologies (TCT) CipherTrust Manager k570 in the HSM initialization steps. To confirm that you have a Thales CipherTrust Manager k570, you may check the front bezel label, view the order summary, or examine the terminal response for the initial LunaCM command.
Tip
Retain the 'partition-label' and the 'partition challenge' created during the HSM initialization procedure for later root-of-trust configuration.
Note
If you are using PED authentication, and using the multifactor quorum feature (previously known as M of N) to split secrets across multiple PED keys, the default PED timeout value might not be long enough to imprint all PED keys. If you notice the error CKR_Timeout, contact client services to increase the PED timeout values through the Support CLI.
As the System Administrator (ksadmin), SSH in to the appliance (or connect via serial port using your password) and execute the /usr/safenet/lunaclient/bin/lunacm utility. The displayed Model should be Luna K7. If the Model value is Luna T7, follow the configuration for the Trusted Cyber Technologies k570 appliance. The utility displays information on the detected HSM card and allows you to execute various HSM management commands.
Refer to the Luna PCIe HSM documentation for more details on these HSM commands.
Make sure an HSM admin slot is selected.
To see the available slots, enter:
lunacm:> slot list
Look for a slot with description "Admin Token Slot".
To select the active slot, enter:
lunacm:> slot set -slot <number>
Re-initialize the HSM.
lunacm:> hsm factoryReset
lunacm:> hsm init -label <admin token slot label>
Note
At this point, you can use slot list to see that the slot with description "Admin Token Slot" now has a label.
Initialize the Security Officer (SO) role:
lunacm:> role login -n so
For PED-authenticated devices, you are asked to present a blue HSM SO key to the PED for the SO role login. You can re-use an existing key or imprint a new key. Prompts on the PED screen guide you through these options.
Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.
If you don't need this mode, skip to the next step.
If you do need this mode, change the HSM policy 12 to off. Refer to Luna PCIe documentation or contact customer support for more details.
lunacm:> hsm changehsmpolicy -policy 12 -value 0
Warning
This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.
Create the first partition:
lunacm:> partition create
lunacm:> slot list
Notice the slot with the slot description "User Token Slot". Remember the slot ID of this slot as this will be used in the next step.
lunacm:> role logout
Initialize partition and the partition SO role:
lunacm:> slot set -slot <slot number of user token slot created above>
lunacm:> partition init -label <new partition label>
If your k570 is password authenticated, skip this step. If your k570 is PED-authenticated:
Respond to PED prompts to create the partition. You create PED keys for the partition SO token (blue) and the partition cloning domain token (red).
As the Partition SO, activate the partition.
Note
This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, reboot the CipherTrust Manager, disconnect and reconnect the PED USB cable, and re-authenticate with the HSM using the black PED key when prompted. With auto-activation enabled, the HSM re-caches the PED credentials. You can also configure remote PED access.
lunacm:> role login -name Partition SO
lunacm:> partition changepolicy -policy 22 -value 1
lunacm:> partition changepolicy -policy 23 -value 1
As the Partition SO, initialize the Crypto officer role:
Enter the command to initialize.
lunacm:> role init -name Crypto Officer
Respond to prompts on the terminal and PED to create the initial Crypto Officer credential.
Caution
The Crypto Officer PED key or password is valid for the initial login only. The Crypto Officer must change this initial credential using the command role changepw immediately. Failing to change the credential results in a CKR_PIN_EXPIRED error when accessing the partition.
If using PED authentication, create an initial Crypto Officer challenge secret. As with the PED key, it is valid for the first Crypto Officer login only and must be changed immediately.
lunacm:> role createchallenge -name Crypto Officer
Reset the Crypto Officer's credentials.
Log in the Crypto Officer. When prompted for the password, provide the initial password (password authentication) or challenge secret (PED authentication).
lunacm:> role login -name Crypto Officer
Run the following command, which will reset the Crypto Officer PED key secret or initial password. Respond to the PED and terminal prompts.
lunacm:> role changePw -name Crypto Officer
For PED authenticated HSM, change the initial challenge password. The passwords are not masked.
lunacm:> role changePw -name Crypto Officer -old <existing challenge secret> -newpw <new challenge secret>
Log in again to activate/cache the new Crypto Officer credentials.
lunacm:> role login -name Crypto Officer
Exit the lunacm utility.
Proceed to HSM root of trust configuration.
Trusted Cyber Technologies k570 Local HSM Configuration
The Trusted Cyber Technologies CipherTrust Manager k570's HSM has different steps to initialize than the Thales CipherTrust Manager k570 appliance's HSM.
This appliance has the label "Trusted Cyber Technologies CipherTrust k570" on the front bezel and on the order summary. In addition, the initial LunaCM response contains the SafeNet Assured Technologies, LLC heading and indicates an HSM Model of Luna-T7.
You can configure the HSM to use password authentication or PED authentication.
Configure for Password Authentication
As the System Administrator (ksadmin), SSH in to the appliance (or connect via serial port using your password) and execute the /usr/safenet/lunaclient/bin/lunacm utility. The initial response looks like the following for TCT k570s, including the SafeNet Assured Technologies, LLC heading and the Luna-T7 model:
lunacm (64-bit) v7.11.1-5 (7.11.1-5-ga24a9e8). Copyright (c) 2020 SafeNet Assured Technologies, LLC. All rights reserved.
Available HSMs:
Slot Id -> 0
HSM Label -> no label
HSM Serial Number -> XXXXXX
HSM Model -> Luna-T7
HSM Firmware Version -> 7.11.0
HSM Configuration -> Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status -> Zeroized
Current Slot Id: 0
If the LunaCM response does not include these elements, you likely have a Thales CipherTrust Manager k570 device.
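As an added example (not part of the Thales documentation or the lunacm tool), the script below parses a lunacm start-up banner like the one above and reports which k570 variant it indicates, so it serves both this step and the earlier Thales k570 step that compares the Model value. The TCT banner sample is modelled on the page's quoted output; the Thales banner sample is constructed, with only the vendor line and the HSM Model value taken from the page.

```python
"""Classify a k570's embedded HSM from the banner that lunacm prints at start-up.

The banner's vendor line and "HSM Model" field are the discriminators the page
names: "SafeNet Assured Technologies, LLC" plus "Luna-T7" means a Trusted Cyber
Technologies (TCT) k570; "Luna K7" means a Thales k570.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the TCT banner quoted in the instructions above.
# The serial number is a placeholder; nothing here is from a real appliance.
TCT_BANNER = """\
lunacm (64-bit) v7.11.1-5 (7.11.1-5-ga24a9e8). Copyright (c) 2020 SafeNet Assured Technologies, LLC. All rights reserved.

Available HSMs:

Slot Id ->              0
HSM Label ->            no label
HSM Serial Number ->    XXXXXX
HSM Model ->            Luna-T7
HSM Firmware Version -> 7.11.0
HSM Configuration ->    Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status ->           Zeroized

Current Slot Id: 0
"""

# Constructed sample for a Thales k570. The field layout is assumed to match the
# TCT banner; version strings are placeholders. Only the vendor line and model matter.
THALES_BANNER = """\
lunacm (64-bit) v<version>. Copyright (c) SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              0
HSM Label ->            no label
HSM Serial Number ->    XXXXXX
HSM Model ->            Luna K7
HSM Firmware Version -> <firmware>
HSM Configuration ->    Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status ->           Zeroized

Current Slot Id: 0
"""

TCT_VENDOR = "SafeNet Assured Technologies, LLC"

# The per-slot fields lunacm lists. Matching on the known keys (rather than on line
# boundaries) lets the parser cope with a banner that has been pasted as one line.
KEYS = ("Slot Id", "HSM Label", "HSM Serial Number", "HSM Model",
        "HSM Firmware Version", "HSM Configuration", "HSM Status")
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
FIELD_RE = re.compile(
    rf"(?P<key>{_KEY_ALT})\s*->\s*(?P<value>.*?)"
    rf"(?=\s*(?:{_KEY_ALT})\s*->|\s*Current Slot Id|\s*$)",
    re.DOTALL,
)


def parse_slots(banner: str) -> List[Dict[str, str]]:
    """Return one {field: value} dict per slot in the 'Available HSMs' section."""
    slots: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for m in FIELD_RE.finditer(banner):
        key, value = m.group("key"), m.group("value").strip()
        if key == "Slot Id":            # every slot block starts with its id
            current = {}
            slots.append(current)
        if current is not None:
            current[key] = value
    return slots


def classify_k570(banner: str) -> Dict[str, object]:
    """Decide which local HSM configuration section applies to this appliance."""
    slots = parse_slots(banner)
    # Normalise "Luna-T7" / "Luna T7" / "Luna K7" to one spelling before comparing.
    models = sorted({s.get("HSM Model", "").replace("-", " ").upper() for s in slots})
    tct_vendor = TCT_VENDOR in banner
    if tct_vendor and "LUNA T7" in models:
        variant = "tct"
        follow = "Trusted Cyber Technologies k570 Local HSM Configuration"
    elif "LUNA K7" in models and not tct_vendor:
        variant = "thales"
        follow = "Thales k570 Configuration"
    else:
        # Vendor line and model disagree, or nothing parsed: fall back to the
        # other checks the page gives (front bezel label, order summary).
        variant = "unknown"
        follow = "confirm the model from the front bezel label or the order summary"
    return {
        "variant": variant,
        "follow": follow,
        "models": models,
        "slots": len(slots),
        # A freshly shipped HSM reports "Zeroized" until hsm init has been run.
        "zeroized": any(s.get("HSM Status") == "Zeroized" for s in slots),
    }


if __name__ == "__main__":
    for name, banner in (("TCT", TCT_BANNER), ("Thales", THALES_BANNER)):
        result = classify_k570(banner)
        print(f"{name}: variant={result['variant']} -> {result['follow']}")
```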
The utility displays information on the detected HSM card and allows you to execute various HSM management commands.
Refer to the latest Luna T-Series Documentation for more details on these HSM commands. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.
Re-initialize the HSM. You must set an HSM label, a password for the HSM Security Officer, and a string for the Security Officer domain.
The Security Officer password is needed for the initial HSM configuration.
Retain the HSM label value. This value is needed later to set the HSM as root of trust.
lunacm:> hsm init -initwithpwd -label <HSM label> -password <Security Officer password> -domain <Security Officer domain name>
Login to the HSM with the security officer password.
lunacm:> hsm login -password <Security Officer password>
Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.
If you don't need this mode, skip to the next step.
If you do need this mode, change the HSM policy 12 to off. Refer to the latest Luna T-Series HSM documentation for more details. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.
lunacm:> hsm changehsmpolicy -policy 12 -value 0
Warning
This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.
Log back into the HSM as the security officer.
lunacm:> hsm login -password <security officer password>
Create the partition. Set a partition password and domain name. Retain the partition password. This password is needed later for HSM root of trust setup.
lunacm:> partition create -password <partition password> -domain <domain name>
Exit the lunacm utility.
Proceed to HSM root of trust configuration.
Configure for PED Authentication
As the System Administrator (ksadmin), SSH in to the appliance (or connect via serial port using your password) and execute the /usr/safenet/lunaclient/bin/lunacm utility. The initial response looks like the following for TCT k570s, including the SafeNet Assured Technologies, LLC heading and the Luna-T7 model:
lunacm (64-bit) v7.11.1-5 (7.11.1-5-ga24a9e8). Copyright (c) 2020 SafeNet Assured Technologies, LLC. All rights reserved.
Available HSMs:
Slot Id -> 0
HSM Label -> no label
HSM Serial Number -> XXXXXX
HSM Model -> Luna-T7
HSM Firmware Version -> 7.11.0
HSM Configuration -> Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status -> Zeroized
Current Slot Id: 0
If the LunaCM response does not include these elements, you likely have a Thales k570 device.
The utility displays information on the detected HSM card and allows you to execute various HSM management commands.
Refer to the latest Luna T-Series Documentation for more details on these HSM commands. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.
Initialize the HSM to allow for PED authentication. Provide an HSM label, which is used for root of trust setup.
These values are temporary and needed for the initial setup.
lunacm:> hsm init -initwithped -label <HSM label>
You are prompted to create a Security Officer (blue) iKey on the PED.
Respond to PED prompts to create the Domain (red) iKey.
Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.
If you don't need this mode, skip to the next step.
If you do need this mode, change the HSM policy 12 to off.
Refer to the latest Luna T-Series Documentation for more details. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.
lunacm:> hsm changehsmpolicy -policy 12 -value 0
Warning
This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.
Login to the HSM as the SO using the Security Officer (blue) Key.
lunacm:> hsm login
Create a partition.
lunacm:> partition create
Respond to the PED prompts to insert USER/Partition Owner (black) iKey and set a PIN.
Respond to the PED prompts to insert Domain (red) iKey and set its PIN.
Login to the new partition.
lunacm:> partition login
You are prompted to re-insert the USER (black) iKey.
Request the challenge password from the PED.
lunacm:> partition createChallenge
The Login Secret Value is displayed on the PED. Take note of this value. This is the partition password which is needed for root of trust setup.
Activate the partition.
lunacm:>partition changepolicy -policy 22 -value 1
Note
This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM.
Changing policies causes the Security Officer to be logged out. To log back in:
lunacm:>hsm login
Present the Security Officer (blue) iKey when prompted.
Change the partition policy to allow auto-activation.
lunacm:>partition changepolicy -policy 23 -value 1
Note
This instructs the HSM to cache PED credentials for up to two hours after loss of power. After two hours, the HSM cached PED credentials expires and the k570 appliance fails to run its services. In this case, reboot the CipherTrust Manager, disconnect and reconnect the PED USB cable, and re-authenticate with the HSM using the black PED key when prompted. With auto-activation enabled, the HSM re-caches the PED credentials. You can also configure remote PED access.
Changing policies causes the Security Officer to be logged out. To log back in:
lunacm:>hsm login
Present the Security Officer (blue) iKey when prompted.
Exit the lunaCM utility.
Proceed to HSM root of trust configuration.
HSM Root of Trust Configuration
Caution
If you intend to restore root of trust keys from a Backup HSM, restore the keys before performing root of trust configuration.
Configuring root of trust and then restoring root of trust keys can result in the CipherTrust Manager application becoming unavailable after reboot, requiring customer support to recover.
Configure the k570 appliance to use the Luna PCIe HSM card using these steps:
Retrieve the partition label and the partition challenge (the Login Secret Value) created during the HSM initialization procedure. These are needed by the CipherTrust Manager HSM API and by the CLI "hsm setup" command.
You are now ready to configure the HSM as Root of Trust. Refer to the CipherTrust Manager HSM Setup API or the CLI "hsm setup" command to configure the appliance to use your newly initialized Luna PCIe HSM. Root of Trust Configuration provides more details.
Remote PED Configuration
After initial configuration, you can set up remote PED access for the k570. In that way, you do not have to visit the data center to perform lunaCM and PED operations in the future. You might have to perform PED operations after setup to recover from power outages, or for rare, advanced troubleshooting scenarios.
Determine whether you have a Thales k570 appliance or a Trusted Cyber Technologies k570 appliance.
The Trusted Cyber Technologies k570 appliance has the label "Trusted Cyber Technologies CipherTrust k570" on the front bezel and on the order summary. In addition, the initial LunaCM response contains "SafeNet Assured Technologies, LLC" and indicates an HSM Model of "Luna-T7".
As the System Administrator (ksadmin), SSH in to the appliance (or connect via the serial port using your password) and run the "/usr/safenet/lunaclient/bin/lunacm" utility. The displayed Model should be "Luna K7" for a Thales k570 appliance and "Luna T7" for a Trusted Cyber Technologies k570 appliance.
For a Thales k570 appliance:
View the available slots and select the slot with the label "Admin Token Slot".
lunacm:> slot list
lunacm:> slot set -slot <slot_id_number>
Log in with the Partition Security Officer role. On the PED, you are prompted to present the blue Partition Security Officer key and enter its PIN.
lunacm:> role login -name so
For a Trusted Cyber Technologies k570 appliance, log in with the HSM Security Officer role instead. On the PED, you are prompted to present the blue Security Officer key and enter its PIN.
lunacm:> hsm login
Initialize the orange Remote PED Vector (RPV) key. You are prompted to insert a PED key and follow the PED prompts. You may create a new key or re-use an existing orange key.
lunacm:>ped vector -init
Prepare a workstation to act as a remote PED server to access the k570 in the data center.
Note
More details for remote PED server set up are available in Luna HSM Documentation.
Install Luna Client with the remote PED option selected. Luna Client version 7.0.1 or above is required for the Thales k570 appliance. Thales TCT Luna Client version 7.1.1 or above is required for the Trusted Cyber Technologies k570 appliance.
Connect the remote PED to the workstation via USB, and to the power source via the power adapter.
Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt). Locate and run PedServer.exe, and set it to its "listening" mode.
c:\PED\> PedServer -m start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
c:\PED\>
Verify that the service has started with "pedserver -mode show". Look for the default Server Port "1503" (or the port you specified when starting the server). In addition, "Ped2 Connection Status:" should say "Connected", which indicates that PED Server found the Luna PED you connected.
Example Output
PedServer.exe -m show
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
Hostname: host
IP: 0.0.0.0
Firmware Version: 2.9.0-2
PedII Protocol Version: 1.0.1-0
Software Version: 1.0.6 (10006)
Ped2 Connection Status: Connected
Ped2 RPK Count 0
Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
Server Port: 1503
External Server Interface: Yes
Admin Port: 1502
External Admin Interface: No
PED Write Delay: 0 (microsecs)
Server Up Time: 223 (secs)
Server Idle Time: 158 (secs) (70%)
Idle Timeout Value: 1800 (secs)
Current Connection Time: 0 (secs)
Current Connection Idle Time: 0 (secs)
Current Connection Total Idle Time: 0 (secs) (100%)
Total Connection Time: 122 (secs)
Total Connection Idle Time: 62 (secs) (50%)
Show command passed.
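The readiness check above can be scripted so it is not missed under time pressure in the data center. The following is an added example and not Thales code: a POSIX shell function that parses the text of "pedserver -mode show" and reports whether the PED server is ready for the k570 to connect to. It assumes the field layout shown in the example output (one "Name: value" per line) and that 1503 is the intended listening port; the sample output embedded in the script is constructed from the example above. Treating an externally reachable Admin Port as a failure is this example's own hardening choice, not a requirement stated by the product documentation.

```shell
#!/bin/sh
# Added example (not Thales code): validate "pedserver -mode show" output before
# pointing a k570 at the remote PED server. Assumes one "Name: value" field per
# line, as in the example output above.

# Constructed sample, copied from the example output on this page.
SAMPLE_SHOW_OUTPUT='Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
Hostname: host
IP: 0.0.0.0
Firmware Version: 2.9.0-2
PedII Protocol Version: 1.0.1-0
Software Version: 1.0.6 (10006)
Ped2 Connection Status: Connected
Ped2 RPK Count 0
Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
Server Port: 1503
External Server Interface: Yes
Admin Port: 1502
External Admin Interface: No
PED Write Delay: 0 (microsecs)
Server Up Time: 223 (secs)
Idle Timeout Value: 1800 (secs)
Show command passed.'

# ped_field NAME: read show output on stdin, print the value of the "NAME: value" line
ped_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# pedserver_ready OUTPUT [PORT]: return 0 when the PED server is usable by the
# k570, 1 otherwise; every failed check is reported on stderr.
pedserver_ready() {
    out=$1
    want_port=${2:-1503}
    failed=0

    status=$(printf '%s\n' "$out" | ped_field 'Ped2 Connection Status')
    port=$(printf '%s\n' "$out" | ped_field 'Server Port')
    ext_server=$(printf '%s\n' "$out" | ped_field 'External Server Interface')
    ext_admin=$(printf '%s\n' "$out" | ped_field 'External Admin Interface')

    # PedServer must have found the USB-attached PED, or "ped connect" has nothing to reach.
    if [ "$status" != "Connected" ]; then
        echo "FAIL: Ped2 Connection Status is '${status:-missing}', expected Connected" >&2
        failed=1
    fi
    # The listening port must match what "ped connect -port" will use on the k570.
    if [ "$port" != "$want_port" ]; then
        echo "FAIL: Server Port is '${port:-missing}', expected $want_port" >&2
        failed=1
    fi
    # The server port must be reachable from outside the workstation.
    if [ "$ext_server" != "Yes" ]; then
        echo "FAIL: External Server Interface is '${ext_server:-missing}', expected Yes" >&2
        failed=1
    fi
    # Hardening choice of this example: keep the admin port local to the workstation.
    if [ "$ext_admin" != "No" ]; then
        echo "FAIL: External Admin Interface is '${ext_admin:-missing}', expected No" >&2
        failed=1
    fi
    return "$failed"
}

# Usage on the constructed sample. On the workstation, save the real
# "pedserver -mode show" output to a file and pass "$(cat show.txt)" instead.
if pedserver_ready "$SAMPLE_SHOW_OUTPUT" 1503; then
    echo "PED server ready: connect from the k570 with 'ped connect -ip <IP> -port 1503'"
fi
```

Run the check from a shell that can read the saved PedServer output; it only confirms what PedServer reports about itself, so a firewall between the workstation and the k570 still has to allow the server port.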
SSH to the k570 as ksadmin and open LunaCM.
ssh -i <key> ksadmin@<IP>
/usr/safenet/lunaclient/bin/lunacm
Start the PED client on the k570, pointing it at the workstation running PedServer.
lunacm:> ped connect -ip <remote_PED_workstation_IP> -port 1503