Installing and Configuring Your New SafeNet Luna PCIe HSM
This page will guide you through key concepts and procedures required to set up and begin using your new SafeNet Luna PCIe HSM, including hardware installation, HSM initialization, client setup, and partition provisioning. These procedures are divided into operations at the level of the HSM and the partition/client.
HSM/Client Operations
This series of procedures will help you to install
1.SafeNet Luna PCIe HSM Hardware Installation
This section describes how to verify that your SafeNet Luna PCIe HSM adapter has remained secure while in transit, confirm that you have received all required items, and install the HSM in a host system.
a.Verifying the Integrity of Your Shipment
b.SafeNet Luna PCIe HSM Required Items
c.Installing the SafeNet Luna PCIe HSM Hardware
2.Luna HSM Client Software Installation
To use the SafeNet Luna PCIe HSM, you must first install Luna HSM Client on the host system. This section guides you through the client software installation procedure for your supported operating system, and provides information on configuring the client software for your organization's needs.
•Windows Luna HSM Client Installation
•Linux Luna HSM Client Installation
•AIX Luna HSM Client Installation
•Solaris Luna HSM Client Installation
If you purchased an S-series SafeNet Luna PCIe HSM, your HSM uses multi-factor authentication via the Luna PIN Entry Device (PED). Multi-factor authentication credentials are stored on USB PED keys that must be presented to the PED to authenticate the identities of HSM users. This section describes how to set up the Luna PED in a local or remote configuration, which will allow you to initialize the HSM. This section also contains important information on creating, managing, and using PED authentication, that you should be familiar with before initialization.
a.SafeNet Luna PED Received Items
Your SafeNet Luna PCIe HSM was shipped in Secure Transport Mode (STM), to provide assurance that the HSM has not been modified while in transit. This section describes how STM works. You must recover the HSM from STM before you can configure it for your use.
Each event that occurs on the HSM can be recorded in the HSM event log, allowing you to audit your HSM usage. These logs are controlled by a specialized Auditor role on the HSM. To ensure that your audit logs cover the HSM's entire span of use, your appointed Auditor should set up audit logging before you initialize the HSM. This section describes how to initialize the Auditor role and configure audit logging.
a.Configuring and Using Audit Logging
Initialization prepares a new HSM for use, and creates the HSM Security Officer role. You must initialize the HSM before you can generate or store objects or perform cryptographic operations.
NOTE If you prefer to set your HSM Policies using a template, refer to Setting HSM Policies Using a Template before initializing the HSM.
7.HSM Capabilities and Policies
The HSM SO can set policies on the HSM to configure its functionality. This section describes all the configurable policies on the HSM and how to change them to suit the cryptographic needs of your organization.
•Setting HSM Policies Manually
Next, the HSM SO must create the application partition, where cryptographic objects are stored. Your application(s) on the host system will query the application partition to perform cryptographic operations.
•Creating or Deleting an Application Partition
REST/XTC Link to an HSM on Demand Service
•Adding a DPoD HSM on Demand Service
Partition/Client Operations
This series of procedures will help you configure the
The SafeNet Luna PCIe HSM uses a protocol called cloning to ensure that your cryptographic objects are always stored safely within the confines of a SafeNet HSM. This section contains important information about how cloning works using specialized cryptographic secrets called domains. Each partition is initialized with a cloning domain that ensures that its objects can be cloned only to another partition sharing that domain. This is necessary for the partition to perform backups. This section will help you plan a cloning domain configuration that works for your organization's deployment strategy.
10.Initializing an Application Partition
Initializing the partition creates the Partition Security Officer role and sets the partition's cloning domain.
NOTE If you prefer to set your partition policies using a template, refer to Setting Partition Policies Using a Template before initializing the partition.
11.Partition Capabilities and Policies
The Partition SO can set policies on the partition to configure its functionality. This section describes all the configurable policies on the partition and how to change them based on the desired functionality of your cryptographic applications.
•Setting Partition Policies Manually
While the Partition SO administers the partition by defining what functions are permitted, access to the objects on a partition are controlled by the read-write Crypto Officer (CO) and the read-only Crypto User (CU) roles. This section describes all the partition roles, and how to initialize and manage them.
a.Initializing the Crypto Officer Role
c.Initializing the Crypto User Role
d.Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions
13.Migrating Keys to Your New HSM
This section provides guidance on how to migrate cryptographic objects from a version 5/6 Luna HSM to your new SafeNet Luna PCIe HSM partition.
•SafeNet Network HSM (5.x or 6.x) to SafeNet Luna Network HSM (7.x)
•SafeNet Luna USB HSM (5.x or 6.x) to SafeNet Luna Network HSM (7.x)
•SafeNet PCIe HSM (5.x or 6.x) to SafeNet Luna Network HSM (7.x)
•SafeNet Luna PCIe HSM or USB HSM (5.x or 6.x) to SafeNet Luna PCIe HSM (7.x)
