Preparing the SafeNet Luna Network HSM to Use FMs

This section provides information on how to prepare your SafeNet Luna Network HSM to accept Functionality Modules (FMs). FMs require a specific factory configuration, the correct firmware version, a license upgrade, and the correct policy settings, as described below:

>Step 1: Ensure You Have FM-Ready Hardware

>Step 2: Update to Luna Appliance Software and HSM Firmware 7.4.0 or Higher

>Step 3: Purchase and Apply the FM Capability License

>Step 4: Apply HSM Policy Settings

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. Refer to FM Deployment Constraints for details before enabling.

If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.

Step 1: Ensure You Have FM-Ready Hardware

The FM feature requires a specific SafeNet Luna Network HSM hardware configuration that must be created by Thales Group at the factory. SafeNet Luna Network HSMs that have this configuration are "FM-ready". If your SafeNet Luna Network HSM is not FM-ready, contact your Thales Group representative or Thales Group Customer Support for further guidance.

Determining Whether the HSM is FM-Ready

Starting with release 7.4, all SafeNet Luna Network HSMs are FM-ready from the factory. HSMs shipped prior to 7.4 are not. To determine if your HSM is FM-ready, check the Product Part # on the appliance label:

If the last 3-digit section of the Product Part # is 003 or higher, your HSM is FM-ready. If 002 or lower, contact your Thales Group representative or Thales Group Customer Support for guidance on how to obtain FM-ready hardware.

NOTE   Exception: If your SafeNet Luna Network HSM includes 10GB optical Ethernet ports, your HSM is FM-Ready, even though the Product Part # ends in 001.

Step 2: Update to Luna Appliance Software and HSM Firmware 7.4.0 or Higher

To use FMs, you require appliance software 7.4 or higher, and HSM firmware version 7.4.0 or higher. You can download the latest software/firmware packages from the Thales Group Support Portal (see Updating the SafeNet Luna Network HSM Appliance Software and Updating the SafeNet Luna HSM Firmware).

When you have completed the upgrade, you can check the output from lunash:>hsm show to ensure that the HSM is FM-ready:

Functionality Module HW:            FM Ready
=======================

Step 3: Purchase and Apply the FM Capability License

To use FMs, contact your Thales Group sales representative to purchase the FM capability license. You can validate the license on the Thales Group Licensing Portal (GLP) and install it with LunaSH. Refer to Upgrading HSM Capabilities and Partition Licenses for the procedure.

When you have activated your license on the HSM, you can use lunash:>hsm displaylicenses to check that it is installed:

HSM CAPABILITY LICENSES
License ID          Description
================    ======================================
   621000068-000    K7 Base
   621010185-003    Key backup via cloning protocol
   621000046-002    Maximum 100 partitions
   621000134-002    Enable 32 megabytes of object storage
   621000135-002    Enable allow decommissioning
   621000021-002    Maximum performance
   621000138-001    Controlled tamper recovery
   621000154-001    Enable decommission on tamper with policy off
   621000074-001    Enable Functionality Modules

Step 4: Apply HSM Policy Settings

Applying the FM capability license allows you to set 4 new HSM policies that affect FMs on the SafeNet Luna Network HSM (see HSM Capabilities and Policies). Use lunash:>hsm showpolicies to list HSM policies.

Description                              Value        Code      Destructive
===========                              =====        ====      ===========
Allow Functionality Modules              Off          50        Yes
Allow SMFS Auto Activation               Off          51        Yes
Restrict FM Privilege Level              Off          52        Yes
Encrypt keys passing from FM to HSM      Off          53        Yes

HSM Policy 50: Allow Functionality Modules

With this policy enabled, Functionality Modules may be loaded to the HSM, permitting custom cryptographic operations. Allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM.

The HSM SO must set HSM policy 50 to 1 (ON) to use FMs on the SafeNet Luna Network HSM. Changing this policy (OFF-to-ON or ON-to-OFF) will zeroize the HSM and it must be re-initialized.

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. Refer to FM Deployment Constraints for details before enabling.

If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.

HSM Policy 51: Allow SMFS Auto Activation

With this policy enabled, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. Auto-activation for SMFS, like auto-activation for PED-authenticated partitions in general, persists through a power outage of up to 2 hours duration.If disabled, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power.

Thales Group recommends setting HSM policy 51 to 1 (ON) to avoid having to manually re-activate the SMFS if you need to reboot the HSM. Changing this policy destroys all existing application partitions.

HSM Policy 52: Restrict FM Privilege Level

With this policy enabled, FM privilege is restricted. By default, FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).

FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).

Unless you require CC certification, Thales Group does not recommend changing this policy from its default setting (OFF). Changing this policy destroys all existing application partitions.

HSM Policy 53: Encrypt Keys Passing from FM to HSM

With this policy enabled, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria).

Unless you require CC certification, Thales Group does not recommend changing this policy from its default setting (OFF). Changing this policy (OFF-to-ON or ON-to-OFF) will destroy all existing application partitions.