Show the Table of Contents

You are here: Configuration Manual (Set up Luna Appliance after Installing) > System-specific Instructions

System-specific Instructions to Initialize an HSM

To initialize an HSM is to prepare it for operation, under the control of an HSM Admin.

Choose instructions for the type of HSM that you own:

 

This version requires a password, typed at the computer keyboard, to authenticate (gain administrative access) to the HSM.

"About Initializing a Password Authenticated HSM"

OR

"About Initializing a PED Authenticated HSM"

This version requires the PED and PED Keys to authenticate to the HSM.

(which kind do I have?)

Luna SA HSMs are shipped from the factory as one or the other type. This is not a field-changeable setting. If you are not sure which kind you have, verify the type of HSM with the hsm displayLicenses command. You can run that command from the Luna shell (logged in as appliance admin). The hsm displayLicences command is one of several non-sensitive HSM commands that does not require HSM authentication. The output lists the configuration packages (additions to the basic build) that make up your Luna SA. Look for the term "FIPS3" appearing in that list to indicate that your Luna SA is PED Authenticated (uses the Trusted Path) - otherwise, your HSM is Password Authenticated.

What if I Make a Mistake?

No harm. Offering the wrong kind of authentication is not harmful - the only result is a brief delay. However, offering the wrong authentication of the correct type starts the counter for "bad login" attempts. The following paragraphs offer a little more detail.

As a general rule, when you attempt to login to the HSM or to issue any command that requires authentication, the lunash command-line prompts you for the needed authentication. If yours is a Password Authenticated HSM, you are asked for the password, and the command eventually times out if the password is not given. (Of course, if you provide a wrong password, that is applied against the count of bad login attempts. However, connecting a PED and offering a PED Key to a Password Authenticated HSM has no effect; it is ignored.)

If yours is a PED Authenticated (Trusted Path) HSM, the prompt asks you to attend to the PED for further instructions. If a PED is not connected and/or you don't supply the appropriate PED Keys and keypad actions, the command eventually times out. (If you do have a PED connected and supply the wrong PED Key [of the type requested], then that action is applied against the count of bad login attempts. However, if you mistakenly provide a password [at the command-line] for a PED Authenticated Luna HSM, that password is ignored and the bad-login-attempt count is not incremented.)

In either case, just wait for the timeout (a few minutes) to conclude, then begin again, using the correct authentication method.

We recommend that you read through the pages in the Configuration section of this help at least once in advance of starting the procedure, so that you can resolve any questions before beginning any time-limited operations. For a Password Authenticated Luna HSM, you should have passwords already determined according to your organization's security policies. For a PED Authenticated Luna HSM, you should have a Luna PED connected, and an appropriate set of PED Keys available.

If this is your only PED Authenticated Luna HSM, then you should have received a PED and PED Keys along with the HSM/appliance. If you have other PED Authenticated units at your location, then you can use a PED from one of them.

 

Initializing an HSM (Password Authenticated option)

Use hsm-init to Initialize an HSM

Initializing an HSM (PED Authenticated option)

About Initializing a PED Authenticated [Trusted Path] HSM

Options and choices when imprinting a blue (SO) PED Key

 

Show the Table of Contents