Return Material Authorization (RMA) Guidance
Thales ensures that all of its products are designed, manufactured, and tested to the highest level of quality. On occasion, a product may fail in the field after use by the customer. Products that fail in the field, when covered by a maintenance agreement or during the warranty period, may be eligible for an RMA (Return Material Authorization).
KeySecure and CipherTrust physical appliances may contain sensitive customer key material. Thales recognizes this and assures customers that our appliances are hardened. KeySecure k450 and k460 appliances are designed to be tamper evident. Visible protections are applied to the chassis to prevent physical attack, thereby negating the chance of the sensitive key material being stolen under any circumstances.
This section covers the following appliance models:
- Thales CipherTrust Manager k570
- Thales CipherTrust Manager k470
- KeySecure k460 upgraded to CipherTrust Firmware
- KeySecure k450 upgraded to CipherTrust Firmware
To Prepare an Appliance for RMA
1. Ensure that all sensitive information, such as keys, backup keys, certificates, NAE users, and authorization policies, is backed up at all times.
2. Log in to the CipherTrust Manager as ksadmin via serial console or SSH.
3. Do one of the following:
   - Perform a factory reset of the CipherTrust Manager using the system configuration utility. This command erases all configuration information, log files, and any keys stored on the appliance.
       kscfg system factory-reset
   - Perform a hard reset of the CipherTrust Manager using the system configuration utility. This command resets the appliance and removes data associated with CipherTrust Manager, such as keys and certificates. All log information and appliance configuration information remain intact. This remaining information can help us determine the possible cause of the failure.
       kscfg system reset
4. For k570 devices, reset the on-board PCIe HSM card, which stores the root keys. Do one of the following:
   - Log in to the CipherTrust Manager as ksadmin via serial console or SSH, and run the LunaCM factory reset command.
       lunacm:> hsm factoryReset
   - Short-circuit the decommission jumper header on the PCI card. You can use the blade of a screwdriver or another conductive tool to short-circuit the two pins of the decommission header, or you can connect a switch to the decommission header if desired. Power is not required to decommission the HSM; that is, you can decommission the HSM after removing it from the chassis. The following image shows the two-pin decommission jumper header location on the PCI card:
5. For upgraded KeySecure k460 devices, reset the on-board PCIe HSM card with LunaCM.
       lunacm:> hsm factoryReset
Policy Regarding Replacement of KeySecure Devices Upgraded to CipherTrust Manager
Upgrading legacy KeySecure k450 and k460 appliances to use CipherTrust Manager firmware is a one-way process. There is no way to revert the appliance to KeySecure firmware. In addition, there is no backward compatibility incorporated. For example, keys created on CipherTrust Manager are not necessarily supported on KeySecure. It is important to consider this factor as part of migration planning from KeySecure to CipherTrust.
Should you find yourself in circumstances where you need to redeploy the appliance with KeySecure firmware, you need to RMA the k450/k460 appliance to Thales for reconfiguration. Should inventory be available, we can replace it with a like appliance. However, as our inventory dwindles, customers will have no choice but to wait for the reconfigured appliance to be returned.