Overview

The HSM is available in PED-authenticated or password-authenticated versions. Use the configuration steps in this chapter to configure a PED-authenticated HSM.

There is no externally visible difference between a password-authenticated and a PED-authenticated HSM. For an installed HSM, you can determine its mode of authentication by attempting to log in: a Trusted Path (PED-authenticated) version directs you to the Luna PED, while a password-authenticated version prompts you for the password. You cannot change the authentication type of a Luna HSM; it is a manufacturing configuration, set at the factory. If you have a PED-authenticated (Trusted Path) version, you cannot access the HSM and its partitions by means of passwords.

For PED-authenticated HSMs, you authenticate to the HSM as Security Officer, User, and so on, by presenting an iKey PED Key device that contains the authentication secret. This method has the advantage that you do not need to remember (or write down) passwords, and when the PED Key is presented, the authentication is never exposed on a computer screen, never typed on a keyboard, and never exists on the computer bus or in memory, so the authentication data is not vulnerable to eavesdropping or software attacks on the host. On the other hand, you need additional hardware (the Luna PED and cable, and the PED Keys), and you must put procedures in place to track and keep secure those physical PED Keys.

High-Level Configuration Steps

1. If the HSM has been shipped in Secure Transport Mode, you must recover the MTK by providing the external split of the Secure Recovery Vector (SRV), which is carried on the Secure Recovery Key (SRK); combined with the internal split, it recreates the MTK, as described in "Recovering the SRK".

2. Initialize the HSM, as described in "Initializing a PED-Authenticated Luna G5 HSM".

3. Change the HSM policies, if desired, as described in "Setting Luna G5 HSM Policies [Optional]". If any of the policies you set are destructive, you must re-initialize the HSM after setting the policies.

4. Create a partition on the HSM, as described in "Creating a Partition on Luna G5 HSM".

5. Change the partition policies, if desired, as described in "Setting Luna G5 Partition Policies [Optional]".