Managing Luna HSM Partitions
This section describes how to manage Luna HSM partitions on CCKM.
Before proceeding, make sure to fulfill prerequisites.
Adding Luna HSM Partitions
Warning
Thales strongly discourages adding an Luna HSM partition that contains the CipherTrust Manager's root of trust (RoT) key to CCKM. Do not add a connection to a Luna HSM root-of-trust partition with Connection Manager.
To add a Luna HSM partition to CCKM:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page is displayed.
Click Add Partition. The Add Existing Partition page is displayed.
From the Select Connection drop-down list, select the desired connection.
Click Add.
The Luna HSM partition is added to CCKM.
A message partition added successfully... is displayed on the screen.
Refreshing Luna HSM Keys
Refreshing is the process of downloading keys created on the Luna HSM partitions to CCKM. Refresh can be achieved using any of the following ways:
Refreshing Specific Partitions
To refresh a specific partition:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page is displayed. This page displays the list of Luna HSM partitions.
Click the overflow icon () corresponding to the desired Luna HSM partition and click Refresh Now.
A message Refresh started... is displayed on the screen.
After successful refresh, the refreshed keys are listed on the Cloud Keys > Luna > Luna Keys page. Refer to Viewing Luna HSM Keys for details.
Refreshing All Partitions
To refresh all Luna HSM partitions:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page is displayed. This page displays the list of Luna HSM partitions.
Click Refresh All. The "This may take a while..." message is displayed.
Note
Refreshing all Luna HSM partitions is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Luna > Luna Keys page. Refer to Viewing Luna HSM Keys for details.
Syncing All Partitions
Syncing is the process of synchronizing keys in Luna HSM partitions. After successful sync, the partitions have the synced Luna HSM keys. Syncing is useful for Luna HSM partitions in the High Availability (HA) mode.
To synchronize all Luna HSM partitions:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page is displayed. This page displays the list of Luna HSM partitions.
Click Sync All. The "This may take a while..." message is displayed.
Note
Synchronizing all Luna HSM partitions is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Sync All to continue.
A message Sync started... is displayed on the screen. To cancel the sync, click Cancel Sync.
The synchronized keys are listed on the Cloud Keys > Luna > Luna Keys page. Refer to Viewing Luna HSM Keys for details.
Viewing/Editing Details of Luna HSM Partitions
The Luna HSM Partitions page shows the list of existing Luna HSM partitions. Search for partitions by Partition ID, Connection, or Label.
Viewing Luna HSM Partitions Details
To view the details of Luna HSM partitions:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page displays the following details.
Column Description Partition ID ID of the partition. Click the link to view more details about the partition. Label Label of the Luna HSM partition. Firmware Firmware running on the Luna HSM partition. HA Enabled Whether high availability (HA) is enabled () on the Luna HSM partition. For partitions that do not have HA enabled, is displayed. Connection Name of the connection. Last Refreshed When the partition was last refreshed. Never
is displayed for partitions that are never refreshed.Model Model of the Luna HSM partition. By default, this column is not visible. Click the Customize View () icon, select Model, and click OK to display the column.
Note
The Label and Firmware details will be visible only after the linked Luna HSM connection is in Ready state after performing Test Connection (on the CipherTrust Manager GUI).
Modifying Luna HSM Partition Details
To modify the details of a Luna HSM partition:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page displays the list of added Luna HSM partitions.
Click the overflow icon () corresponding to the desired Luna HSM partition and click View/Edit Details.
You can change the Luna HSM connection and modify user/group permissions on the Luna HSM partition. For details, refer to:
Changing the Luna HSM Connection
To change the Luna HSM connection:
Expand Connection.
From the Connection ID drop-down list, select the desired Luna HSM connection.
Click Update.
A message Updated connection for this partition is displayed on the screen.
Managing User Permissions on Luna HSM Partitions
To work with Luna HSM, users/groups must have the minimum set of permissions that allow them to use the Luna HSM resources such as Luna HSM keys and partitions. Initially, the user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only the users who are member of the CCKM Users group will be granted permissions to perform operations on the Luna HSM partition.
To add permission for a user/group:
In the Access Control section, click Assign User/Group.
On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the Access Control section.
CCKM allows the following operations on the Luna HSM partitions:
View Keys, Create Key, Edit Key, Sync Key, and Delete Key
Refresh Partition, Sync Partition
Unassign
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above mentioned operations:
Select the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A message Updated access control for this partition is displayed on the screen.
Removing a Permission
To remove a permission assigned to a user or group:
Clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A message Updated access control for this partition is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
Under Unassign, click the X button corresponding to the desired user/group.
On the Unassign User / Unassign Group screen, click Unassign.
Note
Unassigning this user/group will remove all permissions currently assigned to the user/group. Are you sure you want to continue?
Click Unassign.
A message Updated access control for this key partition is displayed on the screen.
Deleting Luna HSM Partitions
To delete a Luna HSM partition:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Luna HSM Partitions. The Luna HSM Partitions page displays the list of added Luna HSM partitions.
Click the overflow icon () corresponding to the desired Luna HSM partition and click Delete.
On the Delete Luna HSM Partition screen, select I wish to delete this partition.
Click Delete Partition.
A message Luna HSM partition deleted is displayed on the screen.
Warning
The deleted partition's keys will no longer be available on the Luna Keys page, but the keys will still exist on the Luna HSM. If you later add this partition with the same ID, the keys will be available again.