
Using Luna G5 or Token-format HSM with Luna SA Appliance

Traditionally, Public Key Infrastructure (PKI) with SafeNet HSMs has been implemented using removable token-style (PCMCIA format) HSMs securely connected to a local workstation via a card reader. The portable HSM contained the PKI root certificate, and was inserted, read, updated, etc., as needed, then removed and returned to safe storage. This was a high-security, low-volume/low-speed environment and requirement.

This differed from the transaction-security world where HSMs needed to be network-available in order to perform and accelerate high volumes of secure transactions.

When those two applications began to converge, the Luna SA, with its model of large, fast, network-connected HSM providing multiple virtual-HSM (Partition) workspaces, was adapted to support the addition of token-format PKI HSMs (such as Luna PCM or Luna CA4).

External HSMs (Token-style and G5 style)
You can connect a Luna DOCK2 card reader for use with Luna Backup tokens or Luna CA4 tokens (legacy G4 (generation 4) PCMCIA removable token-format HSMs).

The first was used to backup legacy Luna SA 4.x HSMs and can be connected to Luna SA 5 to restore the legacy key material as part of a one-way migration.

The second is used for the PKI bundle function, where the token-style HSM in the externally connected reader becomes available as a crypto slot of the Luna SA appliance. The PKI function also supports the more modern Luna G5 HSM as the externally connected PKI slot(s).

The following caveats apply:
1) The "token backup" commands can see and manage only the backup device, and NOT PKI devices.

2) The "token pki" commands can see and manage only the PKI devices, and NOT backup devices.

3) A PKI device must use PED authentication in order to be deployed; password-authenticated PKI devices are not supported.

4) Luna SA 5.x supports three (3) USB connections at one time, and thus three (3) backup/PKI devices. For example, you could attach one backup token and two PKI tokens, or three PKI tokens.

5) The "token pki update" commands update the capability and firmware for PKI devices.

6) The process to move keys off G4 token HSMs (Luna CA4) is to migrate the keys to a K6 HSM (either the K6 inside Luna SA, or the standalone K6 (Luna PCI-E 5.x)) and then to Luna G5. Cloning directly between G4 and G5 devices is not supported.


Constraints

To use an external PKI HSM directly with Luna SA 5 requires a Luna G5 HSM, or a Luna DOCK2 reader with Luna CA4 token-style HSM at firmware 4.8.7 or later.

Whether or not you intend to use the onboard HSM, to use a Luna SA for PKI bundle operations (using Luna/HSM CA4 or Luna/HSM PCM tokens in the appliance's card reader) you must at least initialize the onboard (K6) HSM before the connected HSMs can be used. Any further preparation of the onboard HSM depends on how (or if) you intend to make use of it, but having the main HSM initialized before you attempt operations with PKI HSMs connected to it is a minimum requirement.

PKI and HA

You can combine the PKI bundle configuration (a Luna G5 HSM, or a Luna DOCK2 with inserted Luna CA4, connected to your Luna SA appliance) with the HA grouping functionality. That is, PKI can be part of HA redundancy and load balancing. However, by design, we do not support the assigning of two or more devices from the same Luna SA to one HA group. That is:

In either case, that sort of arrangement would allow the Luna SA to become a potential single-point-of-failure, which defeats HA's redundancy.

Instead, if you have multiple Luna G5 HSMs or Luna CA4 token HSMs that you wish to use in PKI bundling with Luna SA, connect each Luna G5 HSM or Luna CA4 HSM to a separate Luna SA. Do not attempt to include more than one Luna SA partition, or a partition and an externally connected HSM, from the same appliance in a single HA group. The HA logic recognizes HA member slots only when they arrive over different NTLA/NTLS links. This is by design.

Slot Enumeration

The client-side utility command "vtl listslot" shows all detected slots, including HSM partitions on the primary HSM, partitions on connected external HSMs, and HA virtual slots. Here is an example:

bash-3.2# ./vtl listslot

Number of slots: 11

The following slots were found:

Slot #     Description             Label     Serial #     Status
slot #1    LunaNet Slot            -         -            Not present
slot #2    LunaNet Slot            sa76_p1   150518006    Present
slot #3    LunaNet Slot            sa77_p1   150475010    Present
slot #4    LunaNet Slot            G5179     700179008    Present
slot #5    LunaNet Slot            pki1      700180008    Present
slot #6    LunaNet Slot            CA4223    300223001    Present
slot #7    LunaNet Slot            CA4129    300129001    Present
slot #8    HA Virtual Card Slot    -         -            Not present
slot #9    HA Virtual Card Slot    -         -            Not present
slot #10   HA Virtual Card Slot    ha3       343610292    Present
slot #11   HA Virtual Card Slot    G5_HA     1700179008   Present

bash-3.2#

- Deploying or undeploying a PKI device adds a slot to, or removes a slot from, the Luna SA client slot enumeration list (slots appear or disappear from the list, and the numbers of the slots that follow shift accordingly).

- When the PKI slot is temporarily not available (e.g., due to NTLS stop, unplugging of LAN/USB cable, power off, etc.), the slot list does not shift.
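Because deploy/undeploy renumbers the slots while a temporary outage does not, client code that caches "slot #5" can end up addressing a different HSM after the next deploy. The following is an added example, not SafeNet code: it parses "vtl listslot" output, resolves a slot by its serial number or label instead of its position, and computes how slot numbers moved between two listings. Both listings are constructed for the example; the second one models the list above after the "pki1" device (serial 700180008) has been undeployed.

```python
"""Resolve Luna SA client slots by serial/label rather than slot number.

Added example (not SafeNet's code). Slot numbers shift when a PKI device
is deployed or undeployed, so anything that caches a slot number can
silently start talking to a different HSM. Serials and labels are stable.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the listing shown in the manual.
LISTSLOT_BEFORE = """\
bash-3.2# ./vtl listslot

Number of slots: 11

The following slots were found:

Slot #     Description             Label     Serial #     Status
slot #1    LunaNet Slot            -         -            Not present
slot #2    LunaNet Slot            sa76_p1   150518006    Present
slot #3    LunaNet Slot            sa77_p1   150475010    Present
slot #4    LunaNet Slot            G5179     700179008    Present
slot #5    LunaNet Slot            pki1      700180008    Present
slot #6    LunaNet Slot            CA4223    300223001    Present
slot #7    LunaNet Slot            CA4129    300129001    Present
slot #8    HA Virtual Card Slot    -         -            Not present
slot #9    HA Virtual Card Slot    -         -            Not present
slot #10   HA Virtual Card Slot    ha3       343610292    Present
slot #11   HA Virtual Card Slot    G5_HA     1700179008   Present

bash-3.2#
"""

# Constructed listing after "pki1" (serial 700180008) is undeployed:
# the list shrinks by one and every later slot moves up by one.
LISTSLOT_AFTER_UNDEPLOY = """\
Number of slots: 10

The following slots were found:

Slot #     Description             Label     Serial #     Status
slot #1    LunaNet Slot            -         -            Not present
slot #2    LunaNet Slot            sa76_p1   150518006    Present
slot #3    LunaNet Slot            sa77_p1   150475010    Present
slot #4    LunaNet Slot            G5179     700179008    Present
slot #5    LunaNet Slot            CA4223    300223001    Present
slot #6    LunaNet Slot            CA4129    300129001    Present
slot #7    HA Virtual Card Slot    -         -            Not present
slot #8    HA Virtual Card Slot    -         -            Not present
slot #9    HA Virtual Card Slot    ha3       343610292    Present
slot #10   HA Virtual Card Slot    G5_HA     1700179008   Present
"""

# Description is multi-word ("HA Virtual Card Slot"), so match it lazily and
# anchor on the single-token label, serial and the fixed status strings.
SLOT_RE = re.compile(
    r"^slot #(?P<num>\d+)\s+(?P<desc>.+?)\s+(?P<label>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<status>Present|Not present)\s*$"
)
COUNT_RE = re.compile(r"^Number of slots:\s+(\d+)\s*$")


@dataclass(frozen=True)
class Slot:
    number: int
    description: str
    label: str      # "-" when nothing is present in the slot
    serial: str     # "-" when nothing is present in the slot
    present: bool


def parse_listslot(text: str) -> list[Slot]:
    """Parse `vtl listslot` output; reject output whose header count
    disagrees with the slot lines found (a sign of truncated output)."""
    declared: Optional[int] = None
    slots: list[Slot] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            declared = int(m.group(1))
        elif m := SLOT_RE.match(line):
            slots.append(Slot(int(m["num"]), m["desc"].strip(), m["label"],
                              m["serial"], m["status"] == "Present"))
    if declared is not None and declared != len(slots):
        raise ValueError(f"header says {declared} slots, parsed {len(slots)}")
    return slots


def find_slot(slots: list[Slot], *, serial: Optional[str] = None,
              label: Optional[str] = None) -> Optional[Slot]:
    """Resolve a slot by serial (preferred) or by label, never by number."""
    for s in slots:
        if serial is not None:
            if s.serial == serial:
                return s
        elif label is not None and s.label == label:
            return s
    return None


def slot_renumbering(before: list[Slot], after: list[Slot]) -> dict[int, int]:
    """Map old slot number -> new slot number, keyed on serial. A slot whose
    serial disappeared (undeployed device) is omitted, which lets a caller
    detect that a cached slot number has gone stale."""
    new_by_serial = {s.serial: s.number for s in after if s.serial != "-"}
    return {s.number: new_by_serial[s.serial]
            for s in before if s.serial in new_by_serial}


if __name__ == "__main__":
    moved = slot_renumbering(parse_listslot(LISTSLOT_BEFORE),
                             parse_listslot(LISTSLOT_AFTER_UNDEPLOY))
    for old, new in sorted(moved.items()):
        if old != new:
            print(f"slot #{old} is now slot #{new}")
```

The renumbering map is what a client should consult (or simply re-resolve by serial) after any "token pki deploy" or "undeploy"; after a mere NTLS stop or cable pull the list does not shift, so the same serial still maps to the same slot number.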


If you attempt to perform actions that require PED operations (such as deployment) against a token/HSM while other applications are accessing either the onboard HSM or another token in your appliance, the PED-requiring operations might be noticeably slow. In general, reserve such maintenance operations for times when clients are not accessing the HSM or other token. The possible slowness is merely inconvenient and does no harm.


See also Card Reader (Luna DOCK 2) and Token-style HSMs.  


Contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International) for the relevant Key Migration document, which includes explicit instructions to migrate your cryptographic objects between different types of Luna HSM (generally from legacy models to current models of HSM).