Card Reader (Luna DOCK 2) and Token-style HSMs
The card reader sold for use with Luna products (PKI) is the Luna DOCK 2.
Uses with Luna SA 6 are:
• for migration from earlier backups or PKI tokens
• for current (limited) use of legacy PKI tokens (Luna CA4) with Luna SA.
You can connect a Luna DOCK2 card reader for limited use with Luna Backup tokens (legacy G4 PCMCIA removable token-format HSMs). The removable-token backup HSM was used to back up legacy Luna SA 4.x HSMs and can be connected to Luna SA 5.x or 6.x to restore the legacy key material as part of a one-way migration.
You can connect the more modern Luna G5 HSM as an externally connected PKI slot, for use in the PKI Bundle option. Some customers use this arrangement to hold a root CA. The following caveats apply:
• The token backup commands can see and manage only the backup device, and not PKI devices.
• The token pki commands can see and manage only the PKI devices, and not backup devices.
• To be deployed, the PKI device must use PED authentication only.
• The token pki update commands update the capability and firmware for PKI devices.
• The process to move keys off G4 token HSMs (Luna CA4) is to migrate the keys to a K6 HSM (either the K6 inside Luna SA, or the standalone K6 (Luna PCI-E inside a host computer)) and then to Luna G5. Cloning between G4 and G5 devices is not supported.
CAUTION: Migration is not supported to firmware 6.22.0. Migrate first to an HSM at a firmware version older than 6.22.0, and then update the HSM firmware to version 6.22.0 or newer.
CAUTION: Beginning with Luna HSM 6, we do not support PKI bundle using removable PCMCIA token HSMs (Luna CA4) and the Luna DOCK 2 reader. The Luna DOCK 2 reader is supported only for migration. If you need the PKI bundle function from removable tokens, do not upgrade.
Note: PPSO is not supported for the PKI-bundle configuration using Luna G5. There is no provision to apply PPSO capability via Luna SA to the externally connected Luna G5 HSM. If the Luna G5 HSM was removed to a host computer and updated to firmware 6.22.0 and had the PPSO capability applied (destructive operation), then returned to the Luna SA to resume PKI-bundle operation, the interface has no provision to create a PPSO partition in the external HSM. Rather, a legacy-style partition would be created for PKI-bundle operation.
Do not install Luna client software on the same system as legacy Luna CA3, Luna CA4, Luna PCM, or Luna PCI software. The software is intended for modern/current Luna HSMs, Luna SA, Luna PCI-E, Luna G5, Luna (Remote) Backup HSM.
Connect the Luna DOCK2 card reader:
a) to the AC main power, and
b) via supplied USB cable to the USB port of your Luna SA 5.x.
If power is disconnected for any reason, you might need to restart your application.
The Luna PKI Bundle feature supports PED-authenticated PKI HSMs only (Luna CA4 for legacy, and Luna G5 for modern). Use of password-authenticated PKI tokens is not supported. There is no "pass-through" of PED data and commands from Luna SA, so your Luna DOCK2 (or Luna G5) must have its own Luna PED connected directly.
Your Luna SA needs its own Luna PED.
Luna SA can be served by a locally-connected PED, if the administrator is located near the appliance, or Luna SA can be served by Remote PED, but Luna DOCK2 and any inserted token HSMs require a PED to be connected directly and locally to the reader - use of Remote PED to serve an external HSM (such as Luna G5, Luna Backup HSM, or Luna CA4) connected to Luna SA is not supported.
See also PKI - Using an external HSM with Luna SA Appliance.
Contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International) for the relevant Key Migration document, which includes explicit instructions to migrate your cryptographic objects between different types of Luna HSM (generally from legacy models to current models of HSM).