Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

back

CipherTrust Manager Deployment

Install Physical CipherTrust Manager Appliance

search

Please Note:

Install Physical CipherTrust Manager Appliance

This section describes all the tasks you perform in your data center to:

  • Unpack and physically install a CipherTrust Manager appliance into a rack.

  • Change default passwords for the System Administrator (ksadmin) and the initial admin user using a local serial connection and the initial DHCP assigned IP address.

  • For PED authenticated k570 models, initialize the embedded Luna PCIe HSM and PED key roles.

The basic workflow for deploying a physical appliance is shown in the below diagram.

Prerequisites

The following items are required to install the CipherTrust Manager appliance in a rack, and deploy the CipherTrust Manager firmware.

  • Supported Appliances: CipherTrust Manager k470 or k570

  • #2 Phillips screwdriver

  • hydraulic equipment lift

  • Terminal server, dumb terminal, PC, or laptop to establish an install serial connection to the appliance using the supplied USB to RJ45 adapter.

  • Firmware: CipherTrust Manager release 2.0 or later. (Contact Technical Support)

For PED authenticated k570 model only:

  • PIN Entry Device (PED)

  • Three PED keys (blue, red and black)

Verify the Integrity of Your Shipment

Thales employs a number of security measures to allow you to verify that your new hardware was not intercepted in transit or otherwise tampered with before you received it. To verify the authenticity and handling history of your received items, review the following checklist before you unpack your new hardware, and then follow the checklist as you unpack each received item.

  1. Do the items received (individual items, part numbers) match those listed in the enclosed packing list? If yes, go to the next step. If no, contact Thales support.

  2. Before you received the product, did you receive an advanced shipping notification providing details regarding the shipment (part numbers and serial numbers for the product and tamper-evident bags)? If yes, go to the next step. If no, contact Thales support.

  3. Are all of the tamper-evident bag serial numbers and tamper-evident label serial numbers listed in the advanced shipping notification present, and do they match the actual tamper-evident bag/label serial numbers received? If yes, go to the next step. If no, contact Thales support.

  4. Did you receive any tamper-evident bag/label serial numbers that are not listed on the advance shipping notification? If yes, contact Thales support. If no, go to the next step.

  5. Are there any signs of physical tampering? If tamper-evident labels are affixed to the received product, have any of these labels been damaged? Have the tamper evident bags been damaged in any way? The tamper seals on the sides indicate tampering if they show the ALERT markings as illustrated below. If yes, contact Thales support. If no, go to the next step.

    Tamper Seal

Check Received Items

This section provides a list of the components you should have received with your CipherTrust Manager order. If you ordered a PED-authenticated k570 model, some additional components are included as described in PED related order items.

Basic Order Items

  • 1 CipherTrust Manager Appliance: Fits any standard 19-inch server rack.

    You can use the part number on the product label to verify the if the appliance's model is k470 or k570. The part number for k570 models also indicates whether the appliance is password-authenticated or PED authenticated.

    CipherTrust Manager Appliance

  • 2 power supply cords: One for each power supply, with connectors appropriate to your region of operation.

    Power Supply Cords

  • 1 Adapter Cable: RJ45 to USB with a standard eight-pin, eight connector (8P8C) modular connector: Used to connect a console terminal to the appliance during initial configuration.

    RJ45 to USB cable

  • 1 Front Ear Bracket Set: Set includes 2 front ear brackets and 4 bracket screws

    Front Ear Bracket Set

  • 1 Friction Rail Mounting Bracket Set: See Using the Supplied Mounting Brackets for installation instructions. Set includes: 2 side rails, 8 side rail screws, 2 sliding rear brackets (fit into the rails for rear support adjustable positioning)

    Rail Mounting Bracket Set

    The included mounting hardware is meant for static positioning of the appliance. The long tab that slides into the bracket, applied to each side of the appliance, is adjustable for fitting the appliance into racks of varying depth - it must not be used to extend the appliance out of the rack.
    Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance, while attached to the rack, is required for maintenance. See Optional Items.

  • 1 Friction Rail Rack Mounting Screws/Cage Nuts: Set includes 8 M5 cage nuts and 8 M5x14 rack screws. If you did not receive this set, you can request one from Thales Group (part number: 216-000035-001) or obtain your own suitable screws/nuts.

    Rack Screws Cage Nuts

  • 1 Secure Locking Bezel: For maximum physical security, this faceplate bezel can restrict access to the CipherTrust Manager front-facing inputs. Some security standards require the use of this bezel. Leaving the appliance uncovered for ease of access might compromise physical security. Includes set of three (3) keys for each lock (locks are keyed differently).

    Secure Locking Bezel

Optional Items

You may have also ordered one or more of these optional items:

  • 1 Sliding Rail Mounting Bracket Set: The CipherTrust Manager will fit into any standard 19-inch server rack. The optional sliding rail mounts allow for easy removal and access to the rear face of the appliance. See Using the Optional Sliding Rail System for installation instructions. The set includes 2 sliding rail mounts with removable side rails, 2 transformer brackets, 6 rail screws.

    Sliding Rail Mounting Set

    Transformer Brackets

    Rail Screws

  • 1 Sliding Rail Rack Mounting Screws Set: Set includes 8 M5x8 flat-headed screws. If you did not receive this set, you can request one from Thales Group (part number: 216-000034-001) or obtain your own suitable screws. If you do not use the screws included in this kit, ensure that the screw heads are flat enough so as not to interfere with the locking bezel.

    Rail Screw Set

  • SFP 10 Gbps Optical Ethernet transceiver modules: If you ordered the model with 2X10Gbps ports and 2X1Gbps ports, you should have received two SFP 10 Gbps Optical Ethernet transceiver modules, packed separately. To install:

    1. Locate the two 2X10Gbps ports on the appliance rear panel. These ports are protected by plastic dust covers during shipment.

    2. Remove these dust covers and insert a transceiver module in each port.

    SFP modules in packaging

    SFP modules

If you ordered a PED-authenticated k570 model, you should have received some combination of the following items in addition to the basic order items.

  • 1 PED device: This device is needed for authentication to the on-board PCIe HSM.

    PED

  • 1 PED cable: This is a Type A to Mini B USB cable used to connect the PED device to your CipherTrust Manager.

    PED cable

  • Luna PED Power Supply Kit: If you ordered a Luna PED, your order should also include a Luna PED power supply kit with the appropriate power connection for your region. The power supply is auto-sensing and includes replaceable mains plug modules for international use.

    PED power supply

  • Set of PED Keys and Labels: Your order should include a set of iKey PED keys and peel-and-stick labels.

    PED keys and labels

Rack Mounting

If you intend to mount the CipherTrust Manager in a standard equipment rack, front ear brackets, side rails, rear slider brackets, and the necessary screws are packed separately in the carton. You may also have ordered the optional sliding rail mounting system. See Received Items for details. Instructions for installing both systems are provided below:

Do not attempt to mount the appliance using only the front brackets – damage can occur.

Using the Supplied Mounting Brackets

Install and adjust the rails and brackets to suit your equipment rack. The standard mounting bracket set is designed for use in racks with a maximum depth of 27 inches (686 mm). For racks larger than 27 inches, a mounting tray or shelf is recommended.

The included mounting hardware is meant for static positioning of the appliance. The long tab that slides into the bracket, applied to each side of the appliance, is adjustable for fitting the appliance into racks of varying depth - it must not be used to extend the appliance out of the rack.
Optional gliding rails with rolling bearings are available for situations where rolling excursion of the appliance, while attached to the rack, is required for maintenance. See Using the Optional Sliding Rail System.

Ensure you have all the necessary components before proceeding. In addition to the supplied components, you will need:

  • #2 Philips screwdriver

  • hydraulic equipment lift

If you are installing the appliance in a rack without a mounting tray or shelf, ensure that the appliance is supported at all times or damage may occur. Use of a hydraulic equipment lift is strongly recommended. If you do not have access to a lift, you will need at least one assistant to mount the appliance.

To mount the appliance
  1. Install the two front ear mounting brackets on the appliance using the included screws and a #2 Phillips screwdriver.

    Install front ear brackets

  2. Fit eight cage nuts into the rack space where you want to install the appliance. Ensure that they are spaced correctly.

    Install cage nuts

  3. Install the two side rails on either side of the appliance, using the included screws and a Phillips screwdriver. Note how the sliding rear brackets fit into the side rails.

    Install side rails

    Side rails and sliding rear brackets

  4. Install the two sliding rear brackets in your equipment rack using four rack mounting screws.

    While any standard equipment rack screws should fit the brackets, certain large-headed screws may interfere with the operation of the secure locking bezel.

    Install rear brackets

  5. Using a hydraulic lift, raise the appliance to the level of the brackets and extend the lift into the rack.

    Perform the next step from the rear of the server rack. Do not push the appliance off the lift without supporting its rear end.

  6. From the rear of the server rack, pull the appliance back towards you until the sliding rear brackets fit into the side rails. Pull the appliance back onto the rear brackets until the front ear brackets meet the equipment rack.

    Support the weight of the appliance with the hydraulic lift until all four brackets are secured.

    Fit rear brackets to side railsInstall from lift

  7. Secure the front ear brackets using rack mounting screws.

    Install Front Ear Brackets

  8. Continue to Establish a Connection and Change Default Passwords.

Using the Optional Sliding Rail System

The optional sliding rail system allows for the appliance to be extended out in front of the equipment rack, possibly easing access to other racked appliances. This is rarely necessary.

The sliding rail mounts fit into any standard 19" equipment rack.

Ensure you have all the necessary components before proceeding. In addition to the supplied components, you will need a #2 Philips screwdriver.

To mount the appliance
  1. Install the two front ear mounting brackets on the appliance using the included screws and a #2 Phillips screwdriver.

    Install front ear brackets

  2. Fit the front end of each mount into either side of the rack and pull the spring-loaded latch at the rear to snap it in place.

    Install sliding mount set

  3. Secure the rear end of each mount to the rack with two wide flat-headed screws.

    Secure rear mount

  4. Fasten the transformer bracket to each sliding mount with two wide flat-headed screws.

    Fasten transformer bracket

  5. Loosely thread two small flat-headed screws into each side of the appliance. Fit each sliding rail over the screw heads and slide it forward into place before tightening the screws. Fasten each sliding rail with a third screw where it lines up with the hole on the appliance.

    Fasten sliding rails

  6. Fit the sliding rails onto the rack mounts until they lock into place.

    Fit sliding rails

    The appliance now moves smoothly and securely on the rails.

  7. Push the appliance all the way back and secure it to the transformer bracket with four rack screws.

    Screws with heads that are too large can prevent the locking bezel from fitting to the faceplate. Use the screws included with the appliance, or other screws with suitable heads.

    Fasten faceplate

  8. Continue to Establish a Connection and Change Default Passwords.

Establish a Connection and Change Default Passwords

After you have rack-mounted the appliance, you must log in to the console to create a secure password for the ksadmin user, and then log in to the GUI to change the default SSH key and admin user password. Changing these defaults ensures the security of CipherTrust Manager and is required before beginning to create keys or engage in any other cryptographic usecases.

Connecting network cables

  1. Insert the power (a) and network cables (b) at the rear panel.

    The physical location of the network ports (Eth0, Eth1, Eth2 and Eth3) are dependent on the appliance model. Correct locations for your model are printed on the rear panel.

    For proper redundancy and best reliability, the power cables should connect to two completely independent power sources.

    Insert cables

  2. If you have a PED-authenticated k570 appliance, connect the PED directly to the appliance's USB port (on the rear panel's left side), using the included USB-to-MiniUSB PED cable.

    PED port

  3. Press and release the Start/Stop switch on the front panel to power up the appliance.

    Power switch

Connecting the Appliance to a Console Device

From the console you log in a the System Administrator ('ksadmin' user), create a secure password, start-up the system and access the IP address of the Graphical User Interface (GUI). You can connect a computer directly to the console port of the CipherTrust Manager Appliance using a serial connection.

Direct administration connection to the console via serial terminal is required for these reasons:

  • During initial configuration, you do not yet know the IP address dynamically allocated by your DHCP server.

  • After deployment, if you re-configure network settings (change the IP address) via SSH, you will lose the old IP address connection.

To open a serial connection
  1. Connect the serial port on the appliance's rear panel to a terminal server, dumb terminal, PC, or laptop, using the supplied Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter.

    RJ45 USB cable

    Connect Laptop

  2. If the driver for the Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter did not download and install automatically, go to the Prolific Technology Inc website to download and install the PL2303 USB-to-Serial Windows driver.

  3. Open Device Manager (Control Panel > Hardware > Device Manager) and expand the Ports (COM and LPT) folder. If the driver installed successfully, an entry is displayed for the Prolific USB-to-Serial Comm Port, followed by the port associated with the adapter. For example: Prolific USB-to-Serial Comm Port (COM4)

  4. Record the COM port (COM4 in this example) associated with the adapter. You will need this port number when you open a serial connection.

  5. Use a terminal emulation package, such as PuTTY, to open a serial connection to the COM port associated with your Prolific USB-to-Serial adapter. Set the serial connection parameters as follows:

    • Baud rate: 19200

    • Data bits: 8

    • Parity: None

    • Stop bits: 1

    Serial Port Pinout

    The serial port uses a configuration equivalent to the Cisco Terminal Console. The Prolific Technologies Inc. RJ45-to-USB serial adapter cable uses a standard RJ45 pinout configuration:

    Port Cable Pinouts

  6. When the connection is made, IP address information appears together with the appliance log in prompt: ciphertrust login:

    You may need to press ENTER several times to initiate the session.

    Windows 10 occasionally crashes when trying to detect a serial port. This is a known issue with the Windows 10 PL2303 drivers. If you experience trouble opening a serial connection using Windows 10, use another supported operating system.

  7. As the System Administrator, enter "ksadmin" to log in and follow the prompts to create a secure password.

    Be sure to retain this password - it will be required to access the system in case of network connectivity problems.

    The system starts up, which can take several minutes.

Connecting to the GUI for the First Time

  1. After the system starts up, in the Console Window, choose the KeySecure IP address for your network. Use this address to browse to the CipherTrust Manager GUI.

    The initial IP address is set via DHCP, which is displayed in the Console Window. If you need to set a static IP address, you can set it from the console using the nmcli tool. For details, refer to the Network Configuration Tutorial. nmcli can also be used to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.

    The initial CipherTrust Manager GUI screen is displayed:

    Initial GUI screen

    The error displayed is normal and simply requires the default SSH Public Key to be replaced.

  2. As the System Administrator (ksadmin), paste in your SSH Public Key in the box provided and then select Add.

    The SSH Public Key must be a 'PEM-formatted RSA key'. You can generate this key using 'PuTTYgen' or similar utility. Save this SSH Public Key at a safe location. You will need this key for future SSH access.

    After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment

    Be sure to store and securely protect the associated private SSH key, as this key will be required to SSH to the appliance from this point on.

    The initial Application Administrator can now log in.

  3. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Password change required

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.

  4. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  5. Using your new password, log in again. The CipherTrust Manager Web Page appears.

    Home Screen

Installing the Locking Bezel

For maximum physical access security, after you have powered on the appliance, fit the locking bezel over the appliance's faceplate. Certain security standards require the use of these physical access measures. The locks fit over the posts highlighted below.

Turn the keys to the vertical position to lock the bezel. The keys cannot be removed if the bezel is unlocked. The two locks are keyed differently, so the keys can be issued to different security personnel and kept in secure, separate locations.

Leaving the keys in the bezel could interfere with closing the rack door, and compromise security.

Local HSM Configuration for k570

HSM configuration must be performed for k570 devices before beginning to create keys or engage in any other cryptographic usecases.

For PED-authenticated HSMs, you can also configure the HSM remotely. That configuration requires remote PED access from another site.

Thales k570 Configuration

The Thales CipherTrust Manager k570 differs from the Thales Cyber Technologies (TCT) CipherTrust Manager k570 in the HSM initialization steps. To confirm that you have a Thales CipherTrust Manager k570, you may check the front bezel label, view the order summary, or examine the terminal response for the initial LunaCM command.

  1. As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "/usr/safenet/lunaclient/bin/lunacm" utility.

    The displayed Model should be Luna K7. If the Model value is Luna T7 follow the configuration for the Trusted Cyber Technologies k570 appliance.

    The utility displays information on the detected HSM card and allows you to execute various HSM management commands.

    Refer to the Luna PCIe HSM documentation for more details on these HSM commands.

  2. Make sure an HSM admin slot is selected.

    To see the available slots, enter:

    lunacm:> slot list
    

    Look for a slot with description "Admin Token Slot".

    To select the active slot, enter:

    lunacm:> slot set -slot <number>
    
  3. Re-initialize the HSM.

    lunacm:> hsm factoryReset
    lunacm:> hsm init -label <admin token slot label>
    

    At this point, you can use slot list to see that the slot with description "Admin Token Slot" now has a label.

  4. Initialize the Security Officer (SO) role:

    lunacm:> role login -n so
    

    For PED-authenticated devices, you are asked to present a blue HSM SO key to the PED for the SO role login. You can re-use an existing key or imprint a new key. Prompts on the PED screen guide you through these options.

  5. Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.

    If you don't need this mode, skip to the next step.

    If you do need this mode, change the HSM policy 12 to off. Refer to Luna PCIe documentation or contact customer support for more details.

    lunacm:> hsm changehsmpolicy -policy 12 -value 0
    

    This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.

  6. Create the first partition:

    lunacm:> partition create
    lunacm:> slot list
    

    Notice the slot with the slot description "User Token Slot". Remember the slot ID of this slot as this will be used in the next step.

    lunacm:> role logout
    
  7. Initialize partition and the partition SO role:

    lunacm:> slot set -slot <slot number of user token slot created above>
    lunacm:> partition init -label <new partition label>
    
  8. If your k570 is password authenticated, skip this step. If your k570 is PED-authenticated:

    1. Respond to PED prompts to create the partition. You create PED keys for the partition SO token (blue) and the partition cloning domain token (red).

    2. As the Partition SO, activate the partition.

      This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key. You can also configure remote PED access.

      lunacm:> role login -name Partition SO
      lunacm:> partition changepolicy -policy 22 -value 1
      lunacm:> partition changepolicy -policy 23 -value 1
      
  9. As the Partition SO, initialize the Crypto officer role:

    1. Enter the command to initialize.

      lunacm:> role init -name Crypto Officer
      
    2. Respond to prompts on the terminal and PED to create the initial Crypto Officer credential.

      The Crypto Officer PED key or password is valid for the initial login only. The Crypto Officer must change this initial credential using the command role changepw immediately. Failing to change the credential results in a CKR_PIN_EXPIRED error when accessing the partition.

    3. If using PED authentication, create an initial Crypto Officer challenge secret. As with the PED key, it is valid for the first Crypto Officer login only and must be changed immediately.

      lunacm:>role createchallenge -name Crypto Officer
      
  10. Reset the Crypto Officer's credentials.

    1. Log in the Crypto Officer. When prompted for the password, provide the initial password (password authentication) or challenge secret (PED authentication).

      lunacm:> role login –name Crypto Officer
      
    2. Run the following command, which will reset the Crypto Officer PED key secret or initial password. Respond to the PED and terminal prompts.

      lunacm:> role changePw –name Crypto Officer
      
    3. For PED authenticated HSM, change the initial challenge password. The passwords are not masked.

      lunacm:> role changePw –name Crypto Officer –old <existing challenge secret> -newpw <new challenge secret>
      
    4. Log in again to activate/cache the new Crypto Officer credentials.

      lunacm:> role login –name Crypto Officer
      
  11. Exit the lunacm utility.

Trusted Cyber Technologies k570 Local HSM Configuration

The Trusted Cyber Technologies CipherTrust Manager k570's HSM has different steps to initialize than the Thales CipherTrust Manager k570 appliance's HSM.

This appliance has the label "Trusted Cyber Technologies CipherTrust k570" on the front bezel and on the order summary. In addition, the initial LunaCM response contains the SafeNet Assured Technologies, LLC and indicates an HSM Model of Luna-T7.

You can configure the HSM to use password authentication or PED authentication.

Configure for Password Authentication

  1. As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "/usr/safenet/lunaclient/bin/lunacm" utility. The initial response looks like the following for TCT k570s, including the SafeNet Assured Technologies, LLC heading, and the Luna-T7 model:

    lunacm (64-bit) v7.11.1-5 (7.11.1-5-ga24a9e8). Copyright (c) 2020 SafeNet Assured Technologies, LLC. All rights reserved.
    
        Available HSMs:
    
        Slot Id ->              0 
        HSM Label ->            no label                        
        HSM Serial Number ->    XXXXXX
        HSM Model ->            Luna-T7        
        HSM Firmware Version -> 7.11.0 
        HSM Configuration ->    Luna PCI (PED) Undefined Mode / Uninitialized
        HSM Status ->           Zeroized
    
        Current Slot Id: 0
    

    If the LunaCM response does not include these elements, you likely have a Thales CipherTrust Manager k570 device

    The utility displays information on the detected HSM card and allows you to execute various HSM management commands.

    Refer to the latest Luna T-Series Documentation for more details on these HSM commands. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.

  2. Re-initialize the HSM. You must set an HSM label, a password for the HSM Security Officer, and a string for the Security Officer domain.

    The Security Officer password is needed for the initial HSM configuration.

    Retain the HSM label value. This value is needed later to set the HSM as root of trust.

    lunacm:> hsm init -initwithpwd -label <HSM label> -password <Security Officer password> -domain <Security Officer domain name>
    
  3. Login to the HSM with the security officer password.

    lunacm:> hsm login -password <Security Officer password>
    
  4. Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.

    If you don't need this mode, skip to the next step.

    If you do need this mode, change the HSM policy 12 to off. Refer to the latest Luna T-Series HSM documentation for more details. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.

    lunacm:> hsm changehsmpolicy -policy 12 -value 0
    

    This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.

  5. Log back into the HSM as the security officer.

    lunacm:> hsm login -password <security officer password>
    
  6. Create the partition. Set a partition password and domain name. Retain the partition password. This password is needed later for HSM root of trust setup.

    lunacm:> partition create -password <partition password> -domain <domain name>
    
  7. Exit the lunacm utility.

Configure for PED Authentication

  1. As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "/usr/safenet/lunaclient/bin/lunacm" utility. The initial response looks like the following for TCT k570s, including the SafeNet Assured Technologies, LLC heading, and the Luna-T7 model:

    lunacm (64-bit) v7.11.1-5 (7.11.1-5-ga24a9e8). Copyright (c) 2020 SafeNet Assured Technologies, LLC. All rights reserved.
    
        Available HSMs:
    
        Slot Id ->              0 
        HSM Label ->            no label                        
        HSM Serial Number ->    XXXXXX
        HSM Model ->            Luna-T7        
        HSM Firmware Version -> 7.11.0 
        HSM Configuration ->    Luna PCI (PED) Undefined Mode / Uninitialized
        HSM Status ->           Zeroized
    
        Current Slot Id: 0
    

    If the LunaCM response does not include these elements, you likely have a Thales k570 device

    The utility displays information on the detected HSM card and allows you to execute various HSM management commands.

    Refer to the latest Luna T-Series Documentation for more details on these HSM commands. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.

  2. Initialize the HSM to allow for PED authentication. Provide an HSM label, which is used for root of trust setup.

    These values are temporary and needed for the initial setup.

    lunacm:> hsm init -initwithped -label <HSM label>
    

    You are prompted to create a Security Officer (blue) iKey on the PED.

  3. Respond to PED prompts to create the Domain (red) iKey.

  4. Decide if you wish to operate the HSM in a mode compliant with the Federal Information Processing Standard (FIPS) 140-2. By default the HSM is not in FIPS compliant mode.

    If you don't need this mode, skip to the next step.

    If you do need this mode, change the HSM policy 12 to off.

    Refer to the latest Luna T-Series Documentation for more details. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.

    lunacm:> hsm changehsmpolicy -policy 12 -value 0
    

    This policy is destructive, meaning that HSM partitions and root keys are deleted when the policy is changed. It is strongly recommended that you decide on this configuration now, and do not change it later. If you wish to change the policy after creating user keys, you must backup your user keys in a cluster or risk losing access to user keys. Contact customer support for guidance for changing FIPS mode after the initial setup.

  5. Login to the HSM as the SO using the Security Officer (blue) Key.

    lunacm:> hsm login
    
  6. Create a partition.

    lunacm:>partition create
    
    1. Respond to the PED prompts to insert USER/Partition Owner (black) iKey and set a PIN.

    2. Respond to the PED prompts to insert Domain (red) iKey and set its PIN.

  7. Login to the new partition.

    lunacm:>partition login
    

    You are prompted to re-insert the USER (black) iKey.

  8. Request the challenge password from the PED.

    lunacm:> partition createChallenge
    

    The Login Secret Value is displayed on the PED. Take note of this value. This is the partition password which is needed for root of trust setup.

  9. Activate the partition.

    lunacm:>partition changepolicy -policy 22 -value 1
    

    This instructs the HSM to cache PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM.

  10. Changing policies causes the Security Officer to be logged out. To log back in:

    lunacm:>hsm login
    

    Present the Security Officer (blue) iKey when prompted.

  11. Change the partition policy to allow auto-activation.

    lunacm:>partition changepolicy -policy 23 -value 1
    

    This instructs the HSM to cache PED credentials for up to two hours after loss of power. After two hours, the HSM cached PED credentials expires and the k570 appliance fails to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key. You can also configure remote PED access.

  12. Changing policies causes the Security Officer to be logged out. To log back in:

    lunacm:>hsm login
    

    Present the Security Officer (blue) iKey when prompted.

  13. Exit the lunaCM utility.

HSM Root of Trust Configuration

Configure the k570 appliance to use the Luna PCIe HSM card using these steps:

  1. Access the 'partition-label' and the 'partition challenge' created during the HSM initialization procedure. These are needed to use the CipherTrust Manager HSM API or CLI hsm setup command.

  2. You are now ready to configure the HSM as Root of Trust. Refer to CipherTrust Manager HSM Setup API or the CLI hsm setup command to configure the appliance to use your newly initialized Luna PCIe HSM. Root of Trust Configuration provides more details.

Remote PED Configuration

After initial configuration, you can set up remote PED access for the k570. In that way, you do not have to visit the data center to perform lunaCM and PED operations in the future. You might have to perform PED operations after setup to recover from power outages, or for rare, advanced troubleshooting scenarios.

  1. Determine if you have a Thales k570 appliance or a Trusted Cyber Technologies k570 appliance.

    The Trusted Cyber Technologies k570 appliance has the label "Trusted Cyber Technologies CipherTrust k570" on the front bezel and on the order summary. In addition, the initial LunaCM response contains the SafeNet Assured Technologies, LLC and indicates an HSM Model of Luna-T7.

  2. As the System Administrator (ksadmin) SSH in to the appliance (or connect via serial port using your password) and execute "/usr/safenet/lunaclient/bin/lunacm" utility.

    The displayed Model should be Luna K7 for Thales k570 device, Luna T7 for the Trusted Cyber Technologies k570 appliance.

  3. For a Thales k570 appliance:

    1. View the available slots with slot list.

    2. Select the slot with the label "Admin Token Slot".

      lunacm:>slot set -slot <slot_id_number>
      
    3. Login with the Partition Security Officer role. On the PED, you are prompted to present the Blue Partition Security Officer key and enter its PIN.

      lunacm:>role login -name so
      
  4. For a Trusted Cyber Technologies k570 appliance, login with the Security Officer role. On the PED, you are prompted to present the Blue Partition Security Officer key and enter its PIN.

    lunacm:>hsm login
    
  5. Initialize the orange remote PED vector key. You are prompted to insert a PED key and follow PED prompts. You may create a new key or re-use an existing orange key.

    lunacm:>ped vector -init
    
  6. Prepare a workstation to act as a remote PED server to access the k570 in the data center.

    More details for remote PED server set up are available in Luna HSM Documentation.

    1. Install Luna Client with remote PED as an option. Luna Client version 7.0.1 or above is required for the Thales k570 appliance. Thales TCT Luna Client version 7.1.1 or above is required for the Trusted Cyber Technologies 570 appliance.

    2. Connect the remote PED to the workstation via USB, and to the power source via the power adapter.

    3. Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt). Locate and run PedServer.exe. Set PedServer.exe to its "listening" mode.

      c: > PedServer -m start
      Ped Server Version 1.0.6 (10006) 
      Ped Server launched in startup mode. 
      Starting background process 
      Background process started 
      Ped Server Process created, exiting this process.
      c:\PED\ >
      
    4. Verify that the service has started with pedserver -mode show.

      Look for mention of the default Server Port "1503" (or other, if you specified a different listening port). In addition, "Ped2 Connection Status:" should say "Connected.” This indicates that the Luna PED that you connected was found by PED Server.

      Example Output

      PedServer.exe -m show 
      Ped Server Version 1.0.6 (10006)
      Ped Server launched in status mode.
      
         Server Information:
            Hostname:                           host
            IP:                                 0.0.0.0
            Firmware Version:                   2.9.0-2
            PedII Protocol Version:             1.0.1-0
            Software Version:                   1.0.6 (10006)
      
            Ped2 Connection Status:             Connected
            Ped2 RPK Count                      0
            Ped2 RPK Serial Numbers             (none)
      
         Client Information:                    Not Available
      
         Operating Information:
            Server Port:                        1503
            External Server Interface:          Yes
            Admin Port:                         1502
            External Admin Interface:           No
            PED Write Delay:                    0 (microsecs)
      
            Server Up Time:                     223 (secs)
            Server Idle Time:                   158 (secs) (70%)
            Idle Timeout Value:                 1800 (secs)
      
            Current Connection Time:            0 (secs)
            Current Connection Idle Time:       0 (secs)
            Current Connection Total Idle Time: 0 (secs) (100%)
            Total Connection Time:              122 (secs)
            Total Connection Idle Time:         62 (secs) (50%)
      
      Show command passed.
      
    5. SSH to the k570 and open LunaCM.

      ssh –I <key> ksadmin@<IP>
      /usr/safenet/lunaclient/bin/lunacm
      
    6. Start the PED client on the k570.

      ped connect -ip <remote_PED_workstation_IP> -port 1503