Creating a Partition on Luna G5

This section covers HSM Partition setup for a Luna G5 with Password Authentication. The activities in this section are required in two circumstances:

if you just prepared an HSM on the Luna G5 for the first time and must now create your first HSM Partition, or

if you have deleted or zeroized an HSM Partition and wish to create a new one to replace it.

About HSM Partitions on the Initialized HSM

At this point, the Luna G5 should already have its Security Officer assigned by Initializing an HSM.  

Within the HSM, a separate cryptographic workspace must be created. A workspace, or Partition, and all its contents are protected by encryption derived (in part) from its authentication. Only a User who presents the proper authentication is allowed to see the Partition and to work with its contents. That User and authentication can be separate from the Security Officer identity.

In this section, you will:

Create an HSM Partition

Set HSM Partition Policies (Optional)

First, Login as Security Officer

To create HSM Partitions, you must log in to the Luna G5 as Security Officer. At the lunacm:> prompt, type:

lunacm:> hsm login -password <your_password>
 

Authenticate as Security Officer by supplying the appropriate SO password. The password must be exactly as the HSM expects it, including proper use of uppercase/lowercase.

Note:  If you fail three consecutive login attempts as Security Officer, the HSM is zeroized and cannot be used — it must be re-initialized.  Zeroizing destroys all key material.  Note that the Luna HSM must actually receive some information before it logs a failed attempt, so if you just press [Enter] without typing a password, that is not logged as a failed attempt. Also, when you successfully log in, the counter is reset to zero.

If you are not sure that you are currently logged in as Security Officer, perform an ‘hsm login’.

Second, Create the Partition

At the lunacm:> prompt, type:

lunacm:> partition create -password <a_partition_password>
 

Luna G5 replies "Command Result : No Error"

If an error occurs, the most likely cause is a password that is too short. The password must be at least eight characters in length unless the SO sets a different minimum.

Third, Set/Change Partition Policies [Optional]

View the partition information, including Capabilities and Policies, to see if you need to change anything. Type:

lunacm:> partition showpolicies
 
        
        Partition Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
        Partition Policies
0: Allow private key cloning : 0
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 0
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 0
Command Result : No Error
lunacm:> 
 

As an example of a change, you could type:

lunacm:> partition changePolicy -policy 16 -value 0

This would have the effect of switching off RSA blinding. Re-run partition showpolicies afterwards to confirm that the policy now shows the value you set.

For more detail, see "Setting Luna G5 Partition Policies [Optional]".
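As an added example (not part of the Luna documentation or of SafeNet's own tooling), the Python script below parses the text that partition showpolicies prints, splits it into the Capabilities and Policies sections, decodes the inverted "Minimum pin length" field (policy 25 stores 255 minus the minimum, so the 248 shown above is a minimum of 7), and reports which policies drift from a baseline recorded after initial setup. The sample output embedded in the script is a constructed, abridged copy of the listing above, and the baseline values are an assumed example of what an organization might record; capturing the real showpolicies output before and after a partition changePolicy and feeding both copies through this parser is a simple way to confirm that only the intended policy changed.

```python
"""Parse 'lunacm:> partition showpolicies' output and compare it to a baseline.

Added example for this guide; it does not talk to an HSM. It reads the plain
text that lunacm prints, so the output can be captured from a console session
(copy/paste or redirection) and checked offline.
"""
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of the showpolicies listing shown above.
SAMPLE_OUTPUT = """\
        Partition Capabilities
0: Enable private key cloning : 0
16: Enable operation without RSA blinding : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
30: Enable Remote Authentication : 1
        Partition Policies
0: Allow private key cloning : 0
16: Operate without RSA blinding : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
30: Allow Remote Authentication : 0
Command Result : No Error
"""

# Assumed example baseline (policy number -> expected value), not a vendor default:
# here the organization expects RSA blinding on (policy 16 = 0) and remote
# authentication off (policy 30 = 0).
EXAMPLE_BASELINE: Dict[int, int] = {16: 0, 30: 0}

MIN_PIN_POLICY = 25  # stored inverted, as the listing's own label says

Entry = Tuple[str, int]  # (label, value)


def _parse_line(line: str):
    """Return (number, label, value) for a '<n>: <label> : <value>' line, else None.

    The label itself may contain a colon ("inverted: 255 - min"), so the number
    is split off at the first colon and the value at the last one.
    """
    head, sep, rest = line.partition(":")
    if not sep or not head.strip().isdigit():
        return None  # headings, "Command Result", prompts
    label, sep2, value = rest.rpartition(":")
    if not sep2 or not value.strip().isdigit():
        return None
    return int(head), label.strip(), int(value)


def parse_showpolicies(text: str) -> Tuple[Dict[int, Entry], Dict[int, Entry]]:
    """Return (capabilities, policies), each mapping number -> (label, value)."""
    sections: Dict[str, Dict[int, Entry]] = {
        "Partition Capabilities": {},
        "Partition Policies": {},
    }
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in sections:
            current = sections[stripped]
            continue
        parsed = _parse_line(line)
        if parsed and current is not None:
            number, label, value = parsed
            current[number] = (label, value)
    return sections["Partition Capabilities"], sections["Partition Policies"]


def effective_min_pin_length(policies: Dict[int, Entry]) -> int:
    """Decode policy 25: the HSM stores (255 - minimum), so 248 means 7 characters."""
    return 255 - policies[MIN_PIN_POLICY][1]


def check_against_baseline(policies: Dict[int, Entry],
                           baseline: Dict[int, int]) -> Dict[int, Tuple[int, object]]:
    """Return {policy: (expected, actual)} for every policy that drifted from the baseline."""
    drift = {}
    for number, expected in baseline.items():
        actual = policies.get(number, ("missing", None))[1]
        if actual != expected:
            drift[number] = (expected, actual)
    return drift


def disabled_but_capable(caps: Dict[int, Entry], policies: Dict[int, Entry]) -> List[int]:
    """Boolean policies the HSM is capable of (capability = 1) but that are switched off."""
    return sorted(n for n, (_, cap) in caps.items()
                  if cap == 1 and policies.get(n, ("", None))[1] == 0)


if __name__ == "__main__":
    caps, pols = parse_showpolicies(SAMPLE_OUTPUT)
    print("minimum PIN length:", effective_min_pin_length(pols))
    print("drift from baseline:", check_against_baseline(pols, EXAMPLE_BASELINE))
    print("capable but disabled:", disabled_but_capable(caps, pols))
```

On the sample listing the drift report names policy 16 (expected 0, actually 1), which is exactly the change the partition changePolicy example above makes, and the capable-but-disabled list contains policy 30 (Remote Authentication), whose capability is 1 while the policy is 0.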

Where to go next?

Having set up your Luna G5, you want to use it.

Either you have created an application of your own that can make use of an HSM, or you are using existing third-party software. Examples are Microsoft server applications such as Certificate Services, IIS, ISA, and RMS, which can either perform their cryptographic functions in software, using local computer resources (CPU, memory, and hard disk) with the security issues inherent in that approach, or be configured to make use of an HSM like the Luna G5.

If you are using one of the indicated Microsoft products, you will need to install the Luna CSP software and then install the server application, or else re-configure an existing installation to make use of Luna CSP (which provides the bridge between the application and the Luna HSM).

Another option is a Java-based application, in which case you should install the Luna JSP, which comes with Javadocs and sample code.