
Card Reader (Luna DOCK 2) and Token-style HSMs

The card reader sold for use with Luna products (PKI) is the Luna DOCK 2.

Uses with Luna SA 5 are:

External HSMs (Token-style and G5 style)
You can connect a Luna DOCK2 card reader for use with Luna Backup tokens or Luna CA4 tokens (legacy G4 (generation 4) PCMCIA removable token-format HSMs).

The first, the Luna Backup token, was used to back up legacy Luna SA 4.x HSMs, and can be connected to Luna SA 5 to restore the legacy key material as part of a one-way migration.

The second, the Luna CA4 token, is used for the PKI bundle function, where the token-style HSM in the externally connected reader becomes available as a crypto slot of the Luna SA appliance. The PKI function also supports the more modern Luna G5 HSM as the externally connected PKI slot(s).

The following caveats apply:
1) The "token backup" commands can see and manage only the backup device, and NOT PKI devices.  

2) The "token pki" commands can see and manage only the PKI devices, and NOT backup devices.  

3) To be deployed, the PKI device must use PED authentication only.

4) Luna SA 5.x supports three (3) USB connections at one time, and thus three (3) backup/PKI devices. For example, you could attach one backup token and two PKI tokens, or three PKI tokens.  

5) The "token pki update" commands update the capability and firmware for PKI devices.

6) The process to move keys off G4 token HSMs (Luna CA4) is to migrate the keys to a K6 HSM (either the K6 inside Luna SA, or the standalone K6 (Luna PCI-E 5.x)) and then to Luna G5. Cloning between G4 and G5 devices is not supported.

Do NOT install LunaClient software on the same system as legacy Luna CA3, Luna CA4, Luna PCM, or Luna PCI software.

LunaClient software is intended for modern/current Luna HSMs: Luna SA, Luna PCI-E, Luna G5, and Luna (Remote) Backup HSM.

 

Connect the Luna DOCK2 card reader:

a) to the AC main power, and

b) via supplied USB cable to the USB port of your Luna SA 5.x.

If power is disconnected for any reason, you might need to restart your application.

 

The Luna PKI Bundle feature supports PED-authenticated PKI HSMs only (Luna CA4 for legacy, and Luna G5 for modern). Use of password-authenticated PKI tokens is not supported. There is no "pass-through" of PED data and commands from Luna SA, so your Luna DOCK2 (or Luna G5) must have its own Luna PED connected directly.

Your Luna SA needs its own Luna PED.

Luna SA can be served by a locally connected PED, if the administrator is located near the appliance, or by Remote PED. However, Luna DOCK2 and any inserted token HSMs require a PED to be connected directly and locally to the reader. Use of Remote PED to serve an external HSM (such as Luna G5, Luna Backup HSM, or Luna CA4) connected to Luna SA is not supported.

 

See also PKI - Using an external HSM with Luna SA Appliance.  

 

Contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International) for the relevant Key Migration document, which includes explicit instructions to migrate your cryptographic objects between different types of Luna HSM (generally from legacy models to current models of HSM).