Managing the Luna Backup HSM G5

This section contains the following procedures for maintaining and using the Luna Backup HSM G5:

>Storage and Maintenance

>Updating the Luna Backup HSM G5 Firmware

>Resetting the Luna Backup HSM G5 to Factory Conditions

>Installing or Replacing the Luna Backup HSM G5 Battery

Storage and Maintenance

The Luna Backup HSM G5 can be safely stored, containing backups, when not in use. When stored properly, the hardware has a lifetime of 10+ years. Newer Luna Backup HSM G5s ship with an external power supply.

The Luna Backup HSM G5 Battery

The battery powers the NVRAM and Real-Time-Clock (RTC), and must be installed for use. The battery can be removed for storage, and this is generally good practice. Thales uses high-quality, industrial-grade batteries that are unlikely to leak and damage the HSM hardware, but an externally-stored battery will last longer. The battery must be stored in a clean, dry area (less than 30% Relative Humidity). Temperature should not exceed +30 ºC. When properly stored, the battery has a shelf life of 10 years.

If the battery dies or is removed, and the main power is not connected, NVRAM and the RTC lose power. Battery removal triggers a tamper event. After replacing the battery, the HSM SO must clear the tamper event before operation can resume. The working copy of the Master Tamper Key (MTK) is lost (see Managing the Luna Backup HSM G5). Backup objects are stored in non-volatile memory, so they are preserved and remain uncorrupted.

There is no low battery indicator, or other provision for checking the battery status. The voltage remains constant until the very end of battery life.

Your stored (backed-up) content is in long-term memory and is not affected by the state of the battery. A failure or removal of the battery does cause a tamper event, but this is intended as an alert to bring the condition to your attention for action, and does not affect the stored content. A situation where battery removal could affect your ability to recover archived data from the Luna Backup HSM G5 is where you have previously extracted a portion of the MTK onto an iKey (PED Key) and then have lost/destroyed/overwritten all copies of that key, leaving the MTK unrecoverable.

Updating the Luna Backup HSM G5 Firmware

To update Luna Backup HSM G5 firmware, use LunaCM on a client computer that is connected to the Luna Backup HSM G5. You require:

>Luna Backup HSM G5 firmware update file (<filename>.fuf)

>the firmware update authentication code file(s) (<filename>.txt)

CAUTION!   Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.

To update the Luna Backup HSM G5 firmware

1.Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the HSM Client root directory.

•Windows: C:\Program Files\SafeNet\LunaClient

•Linux: /usr/safenet/lunaclient/bin

NOTE   On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.

2.Launch LunaCM.

3.If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.

lunacm:> slot set -slot <slot_number>

4.Log in as HSM SO. Depending on the currently-installed firmware version, use one of the following two commands:

•lunacm:> role login -name so

•lunacm:> hsm login

5.Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the HSM Client root directory, specify the filepaths.

lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt

Resetting the Luna Backup HSM G5 to Factory Conditions

These instructions will allow you to restore your Luna Backup HSM G5 to its original factory conditions, erasing its contents. This could be necessary if you have old backups that you do not wish to keep. If you have performed firmware updates, they are unaffected. Factory reset can be performed via LunaCM.

To reset the Luna Backup HSM G5 to factory conditions

1.Launch LunaCM on the Luna Backup HSM G5 workstation.

2.Set the active slot to the Luna Backup HSM G5.

lunacm:> slot set -slot <slotnum>

3.Reset the Backup HSM.

lunacm:> hsm factoryreset

Installing or Replacing the Luna Backup HSM G5 Battery

The Luna Backup HSM G5 must have a functioning battery installed to preserve the NVRAM and RTC in case of primary power loss. You can purchase a replacement battery from any supplier who can match the following specifications:

>3.6 V Primary lithium-thionyl chloride (Li-SOCl2)

>Fast voltage recovery after long term storage and/or usage

>Low self discharge rate

>10 years shelf life

>Operating temperature range -55 ºC to +85 ºC

>U.L. Component Recognition, MH 12193

Prerequisites

>Removing the battery causes a tamper event.

To install or replace the Luna Backup HSM G5 battery

1.Remove the front bezel. It is held in place by two spring clips.

2.The battery compartment is spring-loaded and can be removed without much pressure. Use a coin or your fingers to press in the compartment cover and turn counter-clockwise to remove it.

3.If you are replacing the old battery, remove it from the battery compartment.

4.Insert the new battery, negative end first. The positive end should be visible.

5.Use the battery compartment cover to push the battery into the compartment, aligning the tabs on the cover with the compartment slots. Twist the cover clockwise to lock the compartment.

6.Replace the front bezel by aligning the clips with their posts and pushing it into place.

Removing the battery causes a tamper event on the Luna Backup HSM G5.