Restoring Broken NTLS or STC Connections

If a certificate used to authenticate NTLS or STC connections is deleted or regenerated, those connections must be re-established before crypto operations can resume. This can be the result of HSM or partition zeroization, or regeneration of the HSM server certificate (server.pem) on the SafeNet Luna Network HSM appliance. The procedures on this page will allow you to restore your broken connections, wherever possible.

> Restoring NTLS/STC Connections after Regenerating the HSM Server Certificate

> Restoring Connections After HSM Zeroization

> Restoring STC Connections After Partition Zeroization

Restoring NTLS/STC Connections after Regenerating the HSM Server Certificate

If you regenerate the HSM server certificate (server.pem) using lunash:> sysconf regencert, you must restore all NTLS and STC connections using the new certificate.

To restore NTLS or STC connections using a self-signed HSM server certificate

Appliance admin:

1. Using LunaSH, restart the NTLS and STC services.

lunash:> service restart ntls

lunash:> service restart stc

2. Provide the new HSM Server Certificate (server.pem) to each client by scp, pscp, or other secure means.

Client administrators:

1. If you have access to LunaSH on the SafeNet Luna Network HSM appliance, you can retrieve the new HSM server certificate (server.pem) using scp or pscp (see SCP and PSCP). Otherwise, the appliance administrator must provide it.

2. Delete the original server identity from the client.

> vtl deleteServer -n <hostname/IP>

3. Register the new HSM server certificate with the client.

> vtl addServer -n <hostname/IP> -c <cert_filename>

4. If you are restoring STC connections, launch LunaCM, find the new Server ID, and enable STC for the server.

lunacm:> clientconfig listservers

lunacm:> stc enable -id <server_ID>
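As an added example (not part of the Thales documentation or the Luna client software), the following Python helper performs the client-side steps 2 and 3 above, but only after checking the received server.pem against a SHA-256 fingerprint obtained out of band from the appliance admin; the page leaves delivery to "other secure means", and this check is an added precaution rather than a documented step. It assumes vtl is on the PATH and that the admin can read the fingerprint off the appliance; the `run` parameter is a hypothetical hook for dry-running without a Luna client installed.

```python
import base64
import hashlib
import re
import subprocess
from pathlib import Path

# Matches the first certificate block in a PEM file such as server.pem.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the first certificate in pem_text.

    The fingerprint is the hash of the DER encoding, which is exactly the
    base64-decoded PEM body, so no X.509 library is needed."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM text")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    if not der:
        raise ValueError("empty certificate body")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text: str, expected_fp: str) -> bool:
    """True if the certificate's fingerprint equals the value received out of band
    (case and colon/space separators are ignored)."""
    norm = lambda fp: re.sub(r"[^0-9A-F]", "", fp.upper())
    return norm(cert_fingerprint(pem_text)) == norm(expected_fp)


def reregister_server(host: str, cert_path: str, expected_fp: str,
                      run=subprocess.run) -> list:
    """Replace the client's registration of `host` with the new server.pem,
    but only if the certificate on disk matches `expected_fp`.
    Returns the vtl commands that were run."""
    pem_text = Path(cert_path).read_text()
    if not fingerprint_matches(pem_text, expected_fp):
        raise RuntimeError(f"{cert_path}: fingerprint mismatch; {host} left unchanged")
    commands = [
        ["vtl", "deleteServer", "-n", host],
        ["vtl", "addServer", "-n", host, "-c", cert_path],
    ]
    for cmd in commands:
        # Assumes vtl is on PATH; pass a stub `run` to dry-run without a Luna client.
        run(cmd, check=True)
    return commands
```

The appliance admin can read the reference fingerprint from the regenerated server.pem with any standard X.509 tool and pass it to client administrators over a channel separate from the certificate file itself.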

Restoring Connections After HSM Zeroization

If the HSM is zeroized, all partitions and their contents are erased. New partitions must be created and assigned to their clients via the usual connection procedure.

NTLS connections

The HSM SO must re-initialize the HSM, create new partitions, and assign them to their respective registered clients (see Assigning or Revoking NTLS Client Access to a Partition). You do not need to register new appliance/client certificates unless they are regenerated.

STC connections

When the HSM is zeroized, the following occurs:

> HSM policy 39: Allow Secure Trusted Channel is turned off.

> The STC application partition identities are deleted along with the partitions.

> If the STC admin channel is enabled, the STC admin partition identity is deleted, breaking the STC admin channel between LunaSH and the HSM.

Create new STC connections using the standard procedure found in Creating a Client-Partition STC Connection. You can use the existing client tokens/identities. You do not need to register a new HSM server certificate unless it was regenerated using lunash:> sysconf regencert.

Restoring STC Connections After Partition Zeroization

The registered client identities used to validate STC clients are stored on each partition. Since they are not cryptographic objects, they are not backed up as part of a normal partition backup operation. If the partition is zeroized due to multiple login failures, the registered client identities are erased and regenerated. The HSM SO must provide the new partition identity to the client administrator, who must register the new identity.

To restore an STC connection after partition zeroization

HSM SO:

1. Log in to LunaSH and log in as HSM SO.

lunash:> hsm login

2. Export the new partition identity key to the appliance filesystem.

lunash:> stc partition export -partition <label>

3. Provide the new partition identity key (<partitionSN>.pem) to the client by scp, pscp, or other secure means.

Client administrator:

1. If you have access to LunaSH on the SafeNet Luna Network HSM appliance, you can retrieve the new partition identity key (<partitionSN>.pem) using scp or pscp (see SCP and PSCP). Otherwise, the HSM SO must provide it.

2. Launch LunaCM and de-register the original partition identity from the client.

lunacm:> stc partitionderegister -serial <partitionSN>

3. Register the new partition identity key (<partitionSN>.pem) with the client.

lunacm:> stc partitionregister -file <path/filename> [-label <label>]

4. Restart LunaCM.

lunacm:> clientconfig restart

You can now re-initialize the STC partition.