Anywhere there are choices, options abound. Rather than clutter the main initialization instruction page with a variety of possible paths and branches, we use this page to present some of the other situations that you might encounter while initializing a Luna HSM. So, assume that you have issued the hsm init command. The system told you to attend to the Luna PED, which you already had connected.
Luna PED demands the first "SO/HSM Admin" PED Key.
Insert the Blue PED Key
This table (below) summarizes the steps at the Luna PED immediately after you invoke the lunash command "hsm init...". The first column is the simplest, and most like what you would encounter the very first time you initialize, using "fresh from the carton" iKey PED Keys.
The next two columns of the table show some differences if you are using previously-imprinted PED Keys, choosing either to reuse what is found on the key (imprint it on your new HSM - see Group PED Keys) or, as in the third-column example, to overwrite what is found and generate a new secret to be imprinted on both the PED Key and the HSM.
Below the table are some expanded comments about the choices that you might encounter.
| "Fresh" PED Keys | Pre-used PED Keys (reuse) | Pre-used PED Keys (overwrite) |
|---|---|---|
| SLOT 01 SETTING SO PIN... Would you like to reuse an existing keyset? (Y/N) | SLOT 01 SETTING SO PIN... Would you like to reuse an existing keyset? (Y/N) | SLOT 01 SETTING SO PIN... Would you like to reuse an existing keyset? (Y/N) |
| [The above question is always asked first. Answering "No" requires the PED to write/overwrite any keys that you present, so it must test and query each time.] | [The above question is always asked first. Answering "Yes" shortens the sequence. The PED will copy a secret from a PED Key to the HSM, and therefore does not need to overwrite a PED Key.] | [The above question is always asked first. If the PED is not told to reuse PED Keys, then it must overwrite and therefore must test and warn each time. This column is similar to the sequence in the first column, except that the answers to the questions are more important, since the keys to be overwritten already have material on them.] |
| SLOT 01 | SLOT 01 SETTING SO PIN... Insert a SO / HSM Admin PED Key Press ENTER. | Slot 01 SETTING SO PIN... Insert a SO / HSM Admin PED Key Press ENTER. |
| | | ****Warning!**** This PED Key is for SO / HSM Admin Overwrite? (YES/NO) |
| [The key is blank, so no harm can be done when you say "Yes" on Luna PED to proceed with writing to the key. Saying "No" would just loop back to the previous prompt.] | [If you respond "NO" the key content is preserved and is imprinted onto the current HSM. This key can now unlock the current HSM and any previous HSM that uses the same secret.] | [If you respond "YES" the key content is overwritten and can now unlock only this HSM. It is no longer able to unlock any previous HSM or token.] |
| | Enter a new PED PIN Confirm new PED PIN | Enter a new PED PIN Confirm new PED PIN |
| You can type a number and press ENTER to impose a PED PIN ("something you know"), or you can just press ENTER (with no digits) for no PED PIN (thus nothing to remember in future). | Same as in first column. | |
| Are you duplicating this keyset? YES/NO | Are you duplicating this keyset? YES/NO | Are you duplicating this keyset? YES/NO |
| If you respond "YES", you can keep inserting additional blank (or old-to-be-reused) PED Keys to be imprinted with this same secret. If you say "NO", you have just the one key with that secret - don't lose it. | Same as in first column. | Same as in first column. |
| Login SO / HSM Admin... Insert a SO/ HSM Admin PED Key Press ENTER | Login SO / HSM Admin... Insert a SO/ HSM Admin PED Key Press ENTER | Login SO / HSM Admin... Insert a SO/ HSM Admin PED Key Press ENTER |
| Having created/imprinted the HSM Admin or SO secret, the HSM now requires you to log in, in order to go further. This is a verification step. | Same as in first column. | Same as in first column. |
| SETTING DOMAIN... Would you like to reuse an existing keyset? (Y/N) | SETTING DOMAIN... Would you like to reuse an existing keyset? (Y/N) | SETTING DOMAIN... Would you like to reuse an existing keyset? (Y/N) |
| The PED prompts in similar fashion to the steps for the HSM Admin/SO key above (overwrite, copy, etc.). If asked to "Reuse Id", the best option is to say "YES", unless you have good reason to create a new domain not shared with any previous HSM. | Here, your response to "Reuse ID?" might or might not be the same as you chose for the blue key, above. You might have good reason to make this HSM part of an existing Domain. | Here, your response to "Reuse ID?" might or might not be the same as you chose for the blue key, above. You might have good reason to make this HSM part of an existing Domain. |
| HSM Init process is finished. | HSM Init process is finished. | HSM Init process is finished. |
Some additional comments about some of the choices:
Provide a PED PIN (optional)
A
., by entering the , and pressing [Enter] again.
In future, every time you are required to present that PED Key, you must also enter the PED PIN on the PED keypad: if you created a PED PIN at initialization time, then you must provide that exact PED PIN along with the PED Key in order to gain access to the HSM. If you did not create a PED PIN when you initialized, then just press [Enter] at the PED prompt when you insert the requested PED Key during login.
When you are attempting to log in, the PED always asks for a PED PIN, regardless of whether or not a real PED PIN is expected. That's a security feature, similar to password-protected systems that tell you that you have entered incorrect credentials but don't specify whether it was the login name or the password that was the faulty part.
Duplicating Your PED Key
“Are you duplicating this keyset? (Y/N)”
If you respond "NO", Luna PED imprints just the one blue HSM Admin key (or Domain key; see below) and goes on to the next step in initialization of the HSM.
If you respond "YES", Luna PED imprints the first blue key and then asks for more blue PED Keys, until you have imprinted (duplicated) as many as you require.
It is recommended to have at least one backup set of imprinted PED Keys, stored in a safe place, in case of loss or damage to the primary keys.
You can also make additional copies of a PED Key at any time, using the PED's own "Admin" menu. This does not require you to log into the HSM or issue commands from the appliance - the PED needs to be connected only to have power supplied to it when you are using the onboard PED menus.
Creating a Cloning Domain
You create the domain for future cloning of the HSM, or you adopt the domain from a previous token or Luna HSM, so that the current Luna HSM (or token) can clone with the previous. A common domain (common between HSM and Backup HSM) is required for HSM backups.
If the red PED Key is blank, then Luna PED goes ahead and imprints a domain, which is matched on the HSM.
However, if Luna PED detects that the red PED Key contains data, then Luna PED now needs to know:
a. If the domain data on the key should be preserved as valid, and recorded on the current HSM or token;
or,
b. If the domain data that was found on the red key must be overwritten with a new domain that is exclusive to the current HSM or token.
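The consequences of the reuse / overwrite / duplicate choices in the table above and in the domain discussion, as an added Python model (not Luna or Thales code; the secret values are constructed stand-ins and the real PED secret format is not modelled):

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PedKey:
    colour: str                   # "blue" = SO/HSM Admin key, "red" = cloning-domain key
    secret: Optional[str] = None  # None = blank, "fresh from the carton"

@dataclass
class Hsm:
    name: str
    so_secret: Optional[str] = None  # what the blue key must carry to log in as SO
    domain: Optional[str] = None     # cloning domain; backups need a common one

def imprint(key: PedKey, hsm: Hsm, attr: str, reuse: bool, overwrite: bool = True) -> str:
    """One SETTING SO PIN / SETTING DOMAIN exchange (attr = "so_secret" or "domain").
    reuse answers "reuse an existing keyset?"; overwrite answers the Overwrite? warning."""
    was_blank = key.secret is None
    if not was_blank and reuse:
        setattr(hsm, attr, key.secret)   # copy the key's existing secret onto this HSM
        return "reuse"
    if not was_blank and not overwrite:
        return "declined"                # PED loops back to the previous prompt; nothing changes
    key.secret = secrets.token_hex(16)   # constructed stand-in for the PED-generated secret
    setattr(hsm, attr, key.secret)
    return "fresh" if was_blank else "overwrite"

def duplicate(source: PedKey, others: List[PedKey]) -> List[PedKey]:
    """'Are you duplicating this keyset? YES': same secret on further keys."""
    for k in others:
        k.secret = source.secret
    return others

def can_unlock(key: PedKey, hsm: Hsm) -> bool:
    return key.secret is not None and key.secret == hsm.so_secret

def shares_domain(a: Hsm, b: Hsm) -> bool:
    return a.domain is not None and a.domain == b.domain

def walk_through() -> dict:
    """Take one blue key through the three table columns and record what it unlocks."""
    first, second, third = Hsm("first"), Hsm("second"), Hsm("third")
    blue = PedKey("blue")
    paths = [imprint(blue, first, "so_secret", reuse=False)]      # column 1: fresh key
    paths.append(imprint(blue, second, "so_secret", reuse=True))  # column 2: reuse
    after_reuse = (can_unlock(blue, first), can_unlock(blue, second))
    paths.append(imprint(blue, third, "so_secret", reuse=False))  # column 3: overwrite
    after_overwrite = tuple(can_unlock(blue, h) for h in (first, second, third))
    return {"paths": paths, "after_reuse": after_reuse, "after_overwrite": after_overwrite}
```

Running `walk_through()` shows the point of the third column: after the overwrite, the same blue key no longer opens either earlier HSM, which is why a duplicated backup set matters before you answer "YES".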
At this point in the process of configuring your Luna HSM, you can:
optionally modify some of the HSM's Policy settings,
or
go directly to "Creating HSM Partitions".