Converting Initialized NTLS Partitions to STC

If you have initialized partitions already assigned to a client using NTLS, you can use the following procedure to switch to a more secure STC connection. All of the client's assigned partitions on the specified SafeNet Luna Network HSM must be converted. It is not possible for a client to connect to multiple partitions on a single SafeNet Luna Network HSM using a combination of NTLS and STC.

The Partition SO must complete this procedure on the client workstation.

Prerequisites

The HSM SO must set HSM Policy 39: Allow Secure Trusted Channel to 1 (ON).

To convert an NTLS partition-client connection to STC

1. Launch LunaCM and create the client token and identity.

NOTE   This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.

lunacm:> stc tokeninit -label <token_label>

lunacm:> stc identitycreate -label <client_identity>

The STC client identity public key is automatically exported to:

<Lunaclient_install_directory>/data/client_identities/

2. Log in as Partition SO and export the partition ID key.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name po

lunacm:> stcconfig partitionidexport

The partition identity public key is named for the partition serial number (<partitionSN>.pid) and automatically exported to:

<Lunaclient_install_directory>/data/partition_identities/

3. Register the partition's public key with the client identity. Specify the path to the key file.

lunacm:> stc partitionregister -file <path/filename>.pid [-label <partition_label>]

4. Register the client identity to the partition. Specify a label for the client and the path to the client identity file.

NOTE   Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that there is enough free space before registering a client identity.

lunacm:> stcconfig clientregister -label <client_label> -file <path/client_identity>

5. Enable partition policy 37: Force STC Connection.

lunacm:> partition changepolicy -slot <slotnum> -policy 37 -value 1

NOTE   If this command returns an error, ensure that the HSM SO has enabled HSM Policy 39.

6. Repeat steps 2-5 for each NTLS partition on the same SafeNet Luna Network HSM you want to register to this client.

7. Find the server ID for the SafeNet Luna Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.

CAUTION!   This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure that you have completed steps 2-5 for each of this client's partitions before continuing.

lunacm:> clientconfig listservers

lunacm:> stc enable -id <server_ID>

If a partition is not visible as a slot when LunaCM restarts, disable STC for the server using lunacm:> stc disable -id <server_ID>, and ensure that you have activated partition policy 37.
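A pre-flight check to run on the client workstation before step 7, as an added example that is not part of the Luna documentation or the Luna client software: it uses the export paths given above to confirm that a client identity has been exported and that a <partitionSN>.pid file exists for every partition this client uses on the appliance, so that stc enable does not cut off a partition that has not yet been converted. The install directory, client identity file name and partition serial numbers are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check before "stc enable". Assumed layout (from the procedure):
#   <install>/data/client_identities/     - client identity public key (step 1)
#   <install>/data/partition_identities/  - <partitionSN>.pid per partition (step 2)

# stc_preflight <install_dir> <partitionSN> [<partitionSN> ...]
# Returns 0 when every expected file is present, 1 otherwise; missing items
# are listed on stderr.
stc_preflight() {
    install_dir=$1
    shift
    client_dir="$install_dir/data/client_identities"
    part_dir="$install_dir/data/partition_identities"
    missing=0

    # An empty (or absent) client_identities directory means "stc identitycreate"
    # has not been run for this install.
    if [ -z "$(ls -A "$client_dir" 2>/dev/null)" ]; then
        echo "missing: no client identity in $client_dir" >&2
        missing=1
    fi

    # Every partition this client reaches on the appliance must have gone
    # through steps 2-5; the .pid export from step 2 is the evidence checked here.
    for sn in "$@"; do
        if [ ! -f "$part_dir/$sn.pid" ]; then
            echo "missing: $part_dir/$sn.pid (complete steps 2-5 for partition $sn)" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample layout (not a real Luna client install): one client
# identity and two exported partition identities. File names are placeholders.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/data/client_identities" "$demo_root/data/partition_identities"
touch "$demo_root/data/client_identities/client1.cid"
touch "$demo_root/data/partition_identities/1234567890123.pid"
touch "$demo_root/data/partition_identities/1234567890124.pid"

# Usage: list every partition serial number the client uses on the appliance.
stc_preflight "$demo_root" 1234567890123 1234567890124 && echo "ready for stc enable"
```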

STC provides several configurable options that define the network settings for an STC link and the security settings for the messages transmitted over it. The defaults are chosen to balance security and performance, but you can override them if desired. See Configuring STC Identities and Settings for more information.