Using Luna G5 or Token-format HSM with Luna SA Appliance
Traditionally, Public Key Infrastructure (PKI) with SafeNet HSMs has been implemented using removable token-style (PCMCIA format) HSMs securely connected to a local workstation via a card reader. The portable HSM contained the PKI root certificate, and was inserted, read, updated, etc., as needed, then removed and returned to safe storage. This was a high-security, low-volume/low-speed environment and requirement.
This differed from the transaction-security world where HSMs needed to be network-available in order to perform and accelerate high volumes of secure transactions.
When those two applications began to converge, the Luna SA, with its model of large, fast, network-connected HSM providing multiple virtual-HSM (Partition) workspaces, was adapted to support the addition of token-format PKI HSMs (such as Luna PCM or Luna CA4).
You can connect a Luna DOCK2 card reader for limited use with Luna Backup tokens (legacy G4 PCMCIA removable token-format HSMs). The removable-token backup HSM was used to backup legacy Luna SA 4.x HSMs and can be connected to Luna SA 5.x or 6.x to restore the legacy key material as part of a one-way migration.
You can connect the more modern Luna G5 HSM as an externally connected PKI slot, for use in the PKI Bundle option. Some customers use this arrangement to hold a root CA. The following caveats apply:
• The token backup commands can see and manage only the backup device, and not PKI devices.
• The token pki commands can see and manage only the PKI devices, and not backup devices.
• The PKI device must use PED authentication only, to be deployed.
• The token pki update commands update the capability and firmware for PKI devices.
• The process to move keys off G4 token HSMs (Luna CA4) is to migrate the keys to a K6 HSM (either the K6 inside Luna SA, or the standalone K6 (Luna PCI-E inside a host computer)) and then to Luna G5. Cloning between G4 and G5 devices is not supported.
CAUTION: Migration is not supported to firmware 6.22.0. Migrate first to an HSM at a firmware version older than 6.22.0, and then update the HSM firmware to version 6.22.0 or newer.
CAUTION: Beginning with Luna HSM 6, we do not support PKI bundle using removable PCMCIA token HSMs (Luna CA4) and the Luna DOCK 2 reader. The Luna DOCK 2 reader is supported only for migration. If you need the PKI bundle function from removable tokens, do not upgrade.
Note: PPSO is not supported for the PKI-bundle configuration using Luna G5. There is no provision to apply PPSO capability via Luna SA to the externally connected Luna G5 HSM. If the Luna G5 HSM was removed to a host computer and updated to firmware 6.22.0 and had the PPSO capability applied (destructive operation), then returned to the Luna SA to resume PKI-bundle operation, the interface has no provision to create a PPSO partition in the external HSM. Rather, a legacy-style partition would be created for PKI-bundle operation.
To use an external PKI HSM directly with Luna SA 5 requires a Luna G5 HSM, or a Luna DOCK2 reader with Luna CA4 token-style HSM at firmware 4.8.7 or later.
Whether you are using the onboard HSM or not, in order to use a Luna SA for PKI bundle operations (using Luna/HSM CA4 or Luna/HSM PCM tokens in the appliance's card-reader) you must at least initialize the onboard (K6) HSM in order to use the connected HSMs. Any further preparation of the onboard HSM depends on how (or if) you intend to make use of it, but having the main HSM initialized before you attempt operations with PKI HSMs connected to it is a minimum requirement.
You can combine the PKI bundle configuration (a Luna G5 HSM, or a Luna DOCK2 with inserted Luna CA4, connected to your Luna SA appliance) with the HA grouping functionality. That is, PKI can be part of HA redundancy and load balancing. However, by design, we do not support the assigning of two or more devices from the same Luna SA to one HA group. That is:
• while Luna SA supports multiple HSM partitions, you cannot combine two or more partitions from one Luna SA into an HA group, and
• while you can attach a Luna G5 HSM or a Luna CA4 token HSM to a Luna SA, you cannot combine two (or more) HSMs or partitions, associated with a single Luna SA, into a single HA group.
In either case, that sort of arrangement would allow the Luna SA to become a potential single-point-of-failure, which defeats HA's redundancy.
Instead, if you have multiple Luna G5 HSMs or Luna CA4 token HSMs that you wish to use in PKI bundling with Luna SA, then you should connect each Luna G5 HSM or Luna CA4 HSM to a separate Luna SA. You should not attempt to include more than one Luna SA partition, or a partition and an externally connected HSM, in a single HA group. The HA logic recognizes HA member slots from different NTLA/NTLS links, only. This is by design.
The client-side utility command "vtl listslot" shows all detected slots, including HSM partitions on the primary HSM, partitions on connected external HSMs, and HA virtual slots. Here is an example:
bash-3.2# ./vtl listslot
Number of slots: 11
The following slots were found:
Slot #     Description             Label     Serial #     Status
slot #1    LunaNet Slot            -         -            Not present
slot #2    LunaNet Slot            sa76_p1   150518006    Present
slot #3    LunaNet Slot            sa77_p1   150475010    Present
slot #4    LunaNet Slot            G5179     700179008    Present
slot #5    LunaNet Slot            pki1      700180008    Present
slot #6    LunaNet Slot            CA4223    300223001    Present
slot #7    LunaNet Slot            CA4129    300129001    Present
slot #8    HA Virtual Card Slot    -         -            Not present
slot #9    HA Virtual Card Slot    -         -            Not present
slot #10   HA Virtual Card Slot    ha3       343610292    Present
slot #11   HA Virtual Card Slot    G5_HA     1700179008   Present
Note: The deploy/undeploy of a PKI device increments/decrements the Luna SA client slot enumeration list (slots appear or disappear from the list, and the slot numbers adjust for the change). When the PKI slot is temporarily not available (e.g., due to NTLS stop, unplugging of LAN/USB cable, power off, etc.), the slot list does not shift.
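Because deploying or undeploying a PKI device renumbers the slots that follow it, client-side automation should locate a partition or external HSM by its label or serial number rather than by slot number, and a proposed HA group should be checked so that no two members come from the same Luna SA. The following script is an added example written for this page; it is not part of the SafeNet vtl tooling or of the Luna documentation. It parses listslot output in the layout shown above (the two captures are constructed: the first reproduces the listing above, the second models the listing after the pki1 device has been undeployed), reports which serials vanished or moved to a new slot number, and checks HA membership against an operator-supplied mapping of serial to serving appliance (assumed input; listslot does not report which NTLS link a slot came over).

```python
"""Added example: parse `vtl listslot` output, address slots by label or serial
rather than slot number, and apply the one-member-per-Luna-SA HA rule.
Example code, not part of the SafeNet Luna tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed capture modelled on the listslot output shown in the guide.
BEFORE = """\
Number of slots: 11
The following slots were found:
Slot # Description Label Serial # Status
slot #1 LunaNet Slot - - Not present
slot #2 LunaNet Slot sa76_p1 150518006 Present
slot #3 LunaNet Slot sa77_p1 150475010 Present
slot #4 LunaNet Slot G5179 700179008 Present
slot #5 LunaNet Slot pki1 700180008 Present
slot #6 LunaNet Slot CA4223 300223001 Present
slot #7 LunaNet Slot CA4129 300129001 Present
slot #8 HA Virtual Card Slot - - Not present
slot #9 HA Virtual Card Slot - - Not present
slot #10 HA Virtual Card Slot ha3 343610292 Present
slot #11 HA Virtual Card Slot G5_HA 1700179008 Present
"""

# Constructed capture modelling the listing after the pki1 device (slot #5)
# is undeployed: every later slot number shifts down by one.
AFTER = """\
Number of slots: 10
The following slots were found:
Slot # Description Label Serial # Status
slot #1 LunaNet Slot - - Not present
slot #2 LunaNet Slot sa76_p1 150518006 Present
slot #3 LunaNet Slot sa77_p1 150475010 Present
slot #4 LunaNet Slot G5179 700179008 Present
slot #5 LunaNet Slot CA4223 300223001 Present
slot #6 LunaNet Slot CA4129 300129001 Present
slot #7 HA Virtual Card Slot - - Not present
slot #8 HA Virtual Card Slot - - Not present
slot #9 HA Virtual Card Slot ha3 343610292 Present
slot #10 HA Virtual Card Slot G5_HA 1700179008 Present
"""

# Description may contain spaces, so it is matched lazily; label and serial
# are single tokens ('-' when the slot is empty) followed by the status.
SLOT_RE = re.compile(
    r"^slot #(?P<num>\d+)\s+(?P<desc>.+?)\s+(?P<label>\S+)\s+(?P<serial>\S+)"
    r"\s+(?P<status>Present|Not present)\s*$"
)


@dataclass(frozen=True)
class Slot:
    number: int
    description: str
    label: str
    serial: str
    present: bool


def parse_listslot(text: str) -> List[Slot]:
    """Return one Slot per 'slot #N ...' line; header lines do not match."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line.strip())
        if m:
            slots.append(Slot(int(m["num"]), m["desc"], m["label"],
                              m["serial"], m["status"] == "Present"))
    return slots


def find_slot(slots: List[Slot], label: Optional[str] = None,
              serial: Optional[str] = None) -> Optional[Slot]:
    """Resolve a slot by label or serial; empty '-' placeholders never match."""
    for s in slots:
        if s.serial == "-":
            continue
        if (label and s.label == label) or (serial and s.serial == serial):
            return s
    return None


def slot_number_changes(before_text: str, after_text: str) -> Dict[str, object]:
    """Compare two captures keyed by serial: which devices vanished, and which
    kept their serial but now sit at a different slot number."""
    before = {s.serial: s for s in parse_listslot(before_text) if s.serial != "-"}
    after = {s.serial: s for s in parse_listslot(after_text) if s.serial != "-"}
    removed = sorted(set(before) - set(after))
    renumbered = {sn: (before[sn].number, after[sn].number)
                  for sn in before
                  if sn in after and before[sn].number != after[sn].number}
    return {"removed": removed, "renumbered": renumbered}


def check_ha_group(member_serials: List[str],
                   appliance_of: Dict[str, str]) -> List[str]:
    """Return the appliances that would contribute more than one member.
    appliance_of maps a serial to the Luna SA (NTLS host) serving it and is
    supplied by the operator; it is an assumed input, not derived from listslot."""
    seen: Dict[str, int] = {}
    for sn in member_serials:
        host = appliance_of[sn]
        seen[host] = seen.get(host, 0) + 1
    return sorted(h for h, n in seen.items() if n > 1)


if __name__ == "__main__":
    slots = parse_listslot(BEFORE)
    print("pki1 is currently slot", find_slot(slots, label="pki1").number)
    print("after undeploy:", slot_number_changes(BEFORE, AFTER))
    # Constructed mapping: the G5 (serial 700179008) is attached to sa76.
    appliances = {"150518006": "sa76", "700179008": "sa76", "150475010": "sa77"}
    print("conflicts:", check_ha_group(["150518006", "700179008"], appliances))
```

Run it after each deploy or undeploy (or compare a saved capture against a fresh one) to see which configured slot numbers no longer point at the device they did before; a configuration that records the serial and re-resolves it at start-up is not affected by the shift.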
Note: If you attempt to perform actions (such as deployment) that require PED operations, against a token/HSM, while other applications are accessing either the onboard HSM or another token in your appliance, then the PED-requiring operations might be noticeably slow. In general, try to reserve such maintenance operations for times when clients are not accessing the HSM or other token. The possible slowness is merely inconvenient and does no harm.
See also "Card Reader (Luna DOCK 2) and Token-style HSMs".
Contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International) for the relevant Key Migration document, which includes explicit instructions to migrate your cryptographic objects between different types of Luna HSM (generally from legacy models to current models of HSM).