Initializing a PED-Authenticated Luna G5 HSM

The Luna G5 arrives in a default, pre-initialized state. Before you can make use of it, the HSM must be initialized. This establishes your ownership for current and future HSM administration. Initialization assigns a meaningful label, as well as Security Officer authentication (PED Key) and Domain (another PED Key), and places the HSM in a state ready to use.

Use the instructions on this page if you have a Luna G5 with Trusted Path authentication.

Initialize the HSM to set up the necessary identities, ownership and authentication at the HSM Server level. This is required before you can create Partitions or Groups and use the HSM. To initialize a Luna HSM with Trusted Path Authentication, you must have the Luna PED connected and switched on, and in the "Awaiting command.." state, and you must have a set of PED Keys. When you power on the Luna PED, the screen displays the PED's firmware version while it goes through its self-test routine; it is not ready to accept commands from the Luna HSM until it completes that process (a few seconds), switches to "SCP mode..." or "Local" mode, and displays "Awaiting command..".


A minimum set of PED Keys consists of:

one Security Officer key (represented by the blue label),

one Partition User key (represented by the black label), and

one Domain key (represented by the red label).

If you invoke M of N shared-secret authentication for any of those, you will need additional blanks of the same color to achieve quantity "N" of those PED Keys ["N" and "M" are values that you declare via Luna PED, during initialization, so you control how many imprintable PED Keys you will need]. For example, if the Luna PED is imprinting blue SO PED Keys and asks for the N value and you select 1, then M of N is not invoked and you need to provide only a single blue key. However, if you select an N value greater than 1, then M of N is invoked and you will need to provide quantity N of blue keys for imprinting with portions of the SO secret. Note that this number is separate and distinct from any Duplicate PED Keys that you may choose to imprint.

If you invoke M of N and also choose to duplicate PED Keys [for backup or other purpose] then you must have enough of the current color of keys to duplicate the complete M of N set. Thus if you set M of N to 1 of 3, and choose to duplicate, then you would need three blue keys to complete the original secret shares, and additional groups of three [different] blue keys to form each duplicate set. The above applies to the red Domain keys as well; however, your choice to invoke, or not invoke, M of N for the blue keys does not affect your choice to invoke (or not) M of N for the red keys, and vice-versa.

You do not make these choices at the command line. They are made via the Luna PED, once the 'hsm init' command is received from the lunacm command line.

In addition, you might have orange RPV (Remote PED Vector) keys for use with the remote PED option, but these are not needed during initialization. See "Remote PED and pedclient and pedserver" on page 1 in the Administration Guide.

Some HSM Policy changes are destructive. A destructive policy change is one that requires the HSM to be initialized again, before it can be used. Thus if you intend to perform a destructive HSM Policy change, you might need to perform this initialization step again, after the Policy change.

Initializing the HSM

You should have ready a sufficient number of blue-labeled PED Keys for the HSM authentication secret and its backups/duplicates, and a sufficient number of red-labeled PED Keys for the Domain secret and its backups/duplicates. If the blank keys are not already labeled, label them before you invoke the initialization; otherwise you might not have time to finish the task before timeout occurs.

The following is an example of initialization dialog, with PED interactions inserted to show the sequence of events.


Start the Initialization Process

Luna PED operation is required several times throughout the procedure. If, for any reason, the Luna HSM is allowed to timeout during a PED operation, you can switch the PED off, then switch it on again, or press and hold the [Clear] button and wait for "Awaiting command..." before re-starting the command that timed out.

What does "a sufficient number" of PED Keys mean? It means at least one of each for the absolute minimum setup, as you might prepare in a lab. For a production environment, you might prefer to have one or more backups of each type of PED Key for disaster recovery and for operational reasons - the number is, of course, up to you and your security rules.

Additionally, if you expect to use the MofN option (splitting the Security Officer, User, or Domain secrets among sets of keys that must be recombined for access) then you will need quantity N of each set, and then as many sets as your security rules require.

The first time you initialize, the system uses the default login on the Luna PED. The default login requires no PED Key, because the HSM has not been initialized, and thus does not yet contain anything that needs protection. The default login occurs only on a zeroized HSM; thus if you ever see the words "Default login..." on the Luna PED, you must be attempting to log in to or to initialize an empty HSM. Subsequently, you log in with the blue SO PED Key.

1. Have the Luna PED connected and ready (in SCP mode [or Local PED mode] and "Awaiting command...").

2. Insert a blank PED Key into the USB connector at the top of the PED.

3. Start the lunacm utility:
C:\Program Files\SafeNet\LunaClient>lunacm

LunaCM V2.3 - Copyright (c) 2009 SafeNet, Inc.
        Available HSM's:
Slot Id ->              1
HSM Label ->            no label
HSM Serial Number ->    8000001
HSM Model ->            K5Base
HSM Firmware Version -> 4.7
HSM Configuration ->    Luna G5 Undefined Mode
Current Slot Id: 1
lunacm:>
Notice that the HSM does not yet have a label, indicating that it has not been initialized since manufacture.

4. Begin HSM initialization. At the lunacm prompt, type:
lunacm:> hsm init -label myLunaHSM
The following warning appears only if you are re-initializing an HSM:  
WARNING !!  This command will delete all HSM partitions and data.
If you are sure that you wish to proceed, then enter 'proceed',
otherwise this command will abort.

>   
Type:  
proceed

The system responds:  
Luna PED operation required to initialize HSM - use blue PED key.

5. At this time, the Luna PED becomes active and begins prompting you for PED Keys and other responses.
For security reasons, this sequence has a time-out, which is the maximum permitted duration, after which an error is generated and the process stops. If you allow the process to time out, you must re-issue the initialization command.

If the operation has timed out, leaving the Luna PED waiting for an action that is no longer needed, press and hold the [Clear] key to reset the PED, and wait for "Awaiting command...", before you (re-)issue a lunacm command that invokes the PED. The Luna PED generally must be in the “Awaiting command..” state before it is invoked by the Luna HSM.

If you make a mistake (perhaps an inadvertent choice with the PED), and wish to re-do the command, simply [Clear] the PED and let the lunacm command time-out. Then re-issue the lunacm command.

6. Luna PED asks preliminary setup questions, prior to imprinting the first blue (SO) PED Key.

Token found at 01
SO login...
Default SO login...
Writing SO PIN...
Would you like to reuse an existing
keyset? (y/n)
 

7. If data is encountered on the PED Key that you provide, the system can treat it in one of two ways:

It can act on the premise that you have another HSM for which the existing authentication secret is valid, and you wish the current HSM to be provided with that same secret. Therefore, you want to preserve the secret that is found on the PED Key and imprint that same secret onto the new HSM. You will be able to use this SO PED Key to unlock both HSMs. If that is the case, answer "Yes" (press the YES button on the PED keypad).

It can act on the premise that any data or secret that is found on the PED Key is invalid and not to be used. In that case, a new secret is created, overwriting whatever was on the PED Key before, and that same secret is imprinted onto the HSM. The PED Key can then unlock only the new HSM - any previous authentication secret that it might have held is gone. If that is the case, answer "No" (press the NO button on the PED keypad).

8. Answer the question (press the appropriate button on the PED keypad). The next prompt to appear on the PED is:

Slot 01: 
Prompt for numeric...

M value? (1-16)
>00
 

9. If you do not wish to invoke M of N, then press "1" and press "ENTER" on the PED keypad.

10. Luna PED wants to know if you wish to invoke M of N. This splits the SO authentication across quantity "N" blue keys (up to 16) and requires that quantity "M" of them be presented whenever SO access is desired. This is an extra security measure that prevents any one person from gaining access without the co-operation of additional key-holders. It is required only in very-high-security regimes with exceptionally rigorous procedures.

This prompt is asking you to decide "M", the minimum number of key-holders who will be required to unlock the HSM in future. "M" is normally chosen less than "N".

These M of N prompts appear only if you have chosen to create a new SO authentication secret (that is, if you answered "NO" to the earlier question "Would you like to reuse an existing keyset?")

Slot 01: 
Prompt for numeric...

N value? (M-16)
>00
 

Luna PED is now asking for the other value in the M of N definition (N is the size of the full M of N set, therefore a number between M and 16; usually, you would make "N" larger than "M", so that your HSM could be accessed while some trusted key-holders were not available). Again, if you are not invoking M of N, then press "1" and "ENTER".

11. Luna PED demands the first blue PED Key.

Slot 01:
Setting SO PIN...

Insert a SO /
HSM Admin
PED Key
Press ENTER.

Insert a blue PED Key

Insert the blue SO (Security Officer) PED Key and press ENTER. A unique SO PIN is to be imprinted on both the PED Key and the HSM. You might see the following message, depending upon your earlier response to the "reuse" question.

Slot 01: 
Setting SO PIN...
*WARNING*** 
This PED Key is for
SO / HSM Admin.
Overwrite? YES/NO>

 

 Luna PED is reminding you that whatever is written on this PED Key will now be overwritten by a new SO authentication secret. If this is a new PED Key, the message is of no importance. If this PED Key has been used before, and possibly has an authentication secret to unlock another Luna HSM, then this is your last chance to preserve that authentication data and use another blue key instead.  If you said YES to the question "Would you like to reuse an existing keyset?", above, then this message about overwriting does not appear.

Just to be sure that you were paying attention, it asks you again:

Slot 01:
Setting SO PIN...
*WARNING*** 
Are you sure you
want to overwrite
this PED Key? YES/NO>

Provide a PED PIN (optional)   

Next, you are asked to provide a PED PIN, which must be typed on the PED keypad at the time a PED Key is presented. The PED PIN can be 4 to 48 digits, or can be set to no digits if a PED PIN is not desired. If you wish to have a PED PIN incorporated as part of the SO authentication hereafter, then type a series of numbers on the PED keypad [at this prompt] and press ENTER.

Note: do not begin your PED PIN with a zero.
(When the leading digit is zero, the PED ignores any digits following the exact PED PIN. Thus an attacker attempting to guess the PED PIN must get the first digits correct, but does not need to know the exact length of the PED PIN. If the PED PIN is started with any digit other than zero, extra digits are detected as an incorrect attempt. This is not considered a serious vulnerability since any attacker
a) must have physical possession of the PED Key,
b) must have physical access to the HSM and PED, and
c) gets only three tries to guess correctly, before the HSM is zeroized.)

Slot 01: 
Setting SO PIN...
Enter new PED PIN
Password::
 

Enter a PIN if you wish, and press ENTER to inform Luna PED that you are finished entering PED PIN digits, or that you have decided not to use a PED PIN (no digits entered).

 

Slot 01: 
Setting SO PIN...
Confirm new PED PIN
Password:
 

Confirm by entering the same PED PIN (or nothing if you did not enter a PIN the first time), and pressing ENTER again. When you provide a PED PIN, even if it is the null PIN (by just pressing ENT with no digits), Luna PED asks for it a second time, to ensure that you entered it correctly.

Setting SO PIN
Please wait..
 

It is only at this point that the key is actually imprinted.

Duplicating Your PED Key

You are prompted:

Slot 01: 
Prompt for YES/NO...
Are you duplicating
this keyset Y/N?
 

If you respond “NO”, Luna PED goes on to the next step in initialization of the HSM (creating/imprinting a domain). The PED behaves differently for "first" and "duplicate" PED Keys, depending on how you answered the question about reusing an existing keyset.

If you chose to generate new authentication data (you chose "NO" to "reuse an existing keyset"), then the PED must ask you about M of N and about the PED PIN option when creating the primary PED Key, and must ask again about the PED PIN when creating the duplicate(s).

If you respond “YES”, Luna PED asks for more blue PED Keys, until you have imprinted (duplicated) as many as you require.
If you are re-using the authentication data, then the PED just accepts the blue key (or keyset), as-is, and gives the authentication data to the HSM to become the HSM's new authentication secret. Therefore, the PED does not ask you about M of N or about PED PINs. The assumption is that this PED Key is from another Luna HSM and must remain unchanged, so that it can continue to unlock that other HSM.
When the time comes to create duplicates, the PED can see whether the secret is split (M of N) or not and prompts accordingly, but it always asks the PED PIN question because the PED PIN is an optional overlay for any key.

This is your opportunity to make additional copies of the imprinted SO PED Key, for backup or other operational purpose. The prompt is worded "keyset" in case you chose to invoke M of N. If no M of N, then the single SO key is duplicated until you run out of blank blue keys or decide to stop. If you invoked M of N earlier for the SO key, then the entire set of N blue keys must be duplicated; therefore you must have enough blanks to make complete additional sets.

It is recommended to have at least one backup set of imprinted PED Keys, stored in a safe place, in case of loss or damage to the primary keys.

When you have finished with blue SO keys, Luna PED prompts for an imprinted blue SO key, because you now must use that key to log in to the HSM as SO, to perform the next step. If you had invoked M of N, then you will be prompted to insert quantity M of the imprinted blue SO keys, enough to reconstruct the split SO secret. At this point, the new authentication data has been imprinted onto the HSM, but the HSM, being freshly initialized, is not yet in the login state using that new authentication data. The HSM demands a login now, before going ahead with the next step.