Luna HSM Resources
This section describes the prerequisites for managing Luna HSM resources on CCKM.
This release supports:
Luna Network HSM Software and Firmware versions v7.3.x and higher. STC partitions are only supported with Luna Network HSM versions 7.7 and higher.
PED and Password-based HSM configurations.
Import of RSA-4096 keys from Luna HSM Software and Firmware versions 7.4.x and higher.
Symmetric and asymmetric keys with Luna HSM.
Note
The information presented in this section also applies to Azure Dedicated HSM.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Prerequisites
Note
Depending on the use case, the Luna HSM partitions can be configured in the Key Export or Clone mode. For AWS HYOK operations, you can configure the partitions in either mode. For BYOK operations, the partitions must be configured in the Key Export mode.
If the Luna HSM partitions are configured in Clone mode but the connection manager is configured in Key Export mode, the key is created on the primary partition but you receive a wrap key error.
If the Luna HSM partitions are configured in Export mode but the connection manager is configured in Clone mode, the key is created with an error. The public key will be present on all partitions, but the private key will only be present on the primary partition.
Before proceeding:
Make sure that a common cipher is enabled on the Luna HSM and the CipherTrust Manager to allow successful connection between them.
On the Luna HSM, disable the NTLS IP check by running the command ntls ipcheck disable.
Also, make sure the CipherTrust Manager is registered with the Luna HSM, as described below:
On the Luna HSM
1. Create a Client. Refer to Luna HSM Client Software Installation.
   The client certificate needed when creating the client on the Luna HSM can be downloaded by clicking Download Luna Client Cert on the CipherTrust Manager GUI. When uploading the certificate file to the Luna HSM, the file must have the same name as the internally generated CN. You can use openssl (or some other tool) to inspect the certificate CN. The name will look similar to cckm-client-c2b39a4b-0f02-4be8-b37f-f3cadfc3ac11.
2. Register the Client with the Luna HSM. Refer to Multi-Step NTLS Connection Procedure.
3. Assign a Partition to the Client. Refer to Client Partition Connections.
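The CN check and file naming from step 1, as an added POSIX shell example that is not part of the Thales documentation: it reads the CN from the downloaded client certificate with openssl, verifies that it has the cckm-client-<uuid> shape, and copies the file to <CN>.pem ready for upload. It assumes openssl is installed, the download is PEM, and a .pem extension on the upload name (the page only says the name must match the CN); the script name rename_luna_cert.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the Thales documentation. Assumes openssl is on PATH,
# the downloaded certificate is PEM, and the upload name is <CN>.pem (the .pem
# extension is an assumption; the page only says the name must match the CN).
set -eu

# Print the subject CN of a PEM certificate (expected shape: cckm-client-<uuid>).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Succeed only if the CN has the cckm-client-<uuid> form CipherTrust Manager generates.
is_cckm_client_cn() {
    printf '%s\n' "$1" \
        | grep -Eq '^cckm-client-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Copy the downloaded certificate to <CN>.pem next to it and print the new path,
# refusing to proceed if the CN does not look like a CCKM client CN.
name_cert_after_cn() {
    cert="$1"
    cn="$(cert_cn "$cert")"
    if ! is_cckm_client_cn "$cn"; then
        echo "refusing: unexpected CN '$cn' in $cert" >&2
        return 1
    fi
    dest="$(dirname "$cert")/$cn.pem"
    cp "$cert" "$dest"
    printf '%s\n' "$dest"
}

# Constructed sample for offline testing: a throwaway self-signed certificate
# whose CN reuses the example CN from the documentation. Key is written to "$1.key".
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=cckm-client-c2b39a4b-0f02-4be8-b37f-f3cadfc3ac11' \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh rename_luna_cert.sh downloaded.pem   (no argument: define functions only)
if [ $# -eq 1 ]; then
    name_cert_after_cn "$1"
fi
```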
On the CipherTrust Manager
1. Add the Luna HSM Server to the CipherTrust Manager. Refer to Adding an Internal Connection (Server) under Connection Manager.
2. Add a Connection to the Luna HSM Server on the CipherTrust Manager. Refer to Creating a Luna Connection.
3. Test the Connection. Refer to Testing a New Luna Connection. Make sure the "connection_status" is connection ok. The connection test can fail if:
   - CipherTrust Manager is not successfully authenticated to the Luna HSM device
   - the NTLS service is down on the Luna HSM Server
   - the Luna HSM partition is not assigned to a Luna HSM client
   Inspect the logs on the Luna HSM for details.
Now, Luna HSM partitions and Luna HSM keys can be managed on the CipherTrust Manager.