The STC functionality is available with firmware 6.22.0 or higher, and is enabled or disabled by setting HSM policy 39: Allow Secure Trusted Channel (see "HSM Capabilities and Policies").
You can enable STC on the HSM by turning on HSM policy 39: Allow Secure Trusted Channel. Enabling HSM policy 39 allows you to use STC or NTLS to provide the network link between an application partition and a client application. To use STC on a partition, you must also enable STC on the partition by turning on partition policy 37: Force Secure Trusted Channel. See "Enabling or Disabling STC on a Partition".
Note: HSM zeroization disables HSM policy 39: Allow Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in "Restoring STC After HSM Zeroization" and in "Creating an STC Link Between a Client and a Partition" in the Configuration Guide.
1. Ensure that firmware 6.22.0, or higher, is installed on the HSM. You can use the following LunaSH command to check the firmware version. If you are not using the correct firmware, refer to the upgrade documentation available on the support portal to upgrade your firmware:
hsm firmware show
For example:
lunash:>hsm firmware show
Current Firmware: 6.22.0
Rollback Firmware: 6.10.2
Upgrade Firmware: N/A
Command Result : 0 (Success)
2. Enter the following command to turn on HSM policy 39: Allow Secure Trusted Channel, which enables STC on the HSM. Enabling the policy is non-destructive. You must be the HSM SO to use this command:
hsm changePolicy -policy 39 -value 1
3. Enter the following command to verify that the policy is enabled:
hsm showpolicies
For example:
lunash:>hsm showpolicies
.
Description Value Code Destructive
.
Allow MofN On 37 No
Allow Secure Trusted Channel On 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)
You can disable STC on the HSM by turning off HSM policy 39: Allow Secure Trusted Channel. Disabling this policy is destructive. It zeroizes the HSM and turns off the ability to use STC to provide the network link between an application partition and a client application, so that only NTLS links are permitted.
1. Enter the following command to turn off HSM policy 39: Allow Secure Trusted Channel, which disables STC on the HSM and zeroizes the HSM. You must be the HSM SO to use this command:
hsm changePolicy -policy 39 -value 0
You are prompted to confirm the action.
3. Enter the following command to verify that the policy is disabled:
hsm showpolicies
For example:
lunash:>hsm showpolicies
.
Description Value Code Destructive
.
Allow MofN On 37 No
Allow Secure Trusted Channel Off 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)
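Both procedures above end with reading `hsm firmware show` and `hsm showpolicies` output by eye. The following Python script is an added example (not part of this documentation and not a SafeNet/Thales tool) that parses captured copies of those two outputs, checks the firmware prerequisite and the state of HSM policy 39, and, before the destructive disable step, spells out what turning policy 39 off will do. The sample outputs embedded below are constructed from the examples on this page; the regular expression assumes the policy table keeps the whitespace-separated "Description Value Code Destructive" layout shown here, and the function and constant names are the example's own.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample of LunaSH "hsm firmware show" output (copied from the
# page's example) so the script can run offline.
SAMPLE_FIRMWARE_SHOW = """\
lunash:>hsm firmware show
Current Firmware: 6.22.0
Rollback Firmware: 6.10.2
Upgrade Firmware: N/A
Command Result : 0 (Success)
"""

# Constructed, abridged sample of "hsm showpolicies" output (as on the page).
SAMPLE_SHOWPOLICIES = """\
lunash:>hsm showpolicies
.
Description Value Code Destructive
.
Allow MofN On 37 No
Allow Secure Trusted Channel On 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)
"""

STC_POLICY_CODE = 39           # HSM policy 39: Allow Secure Trusted Channel
MIN_STC_FIRMWARE = (6, 22, 0)  # STC requires firmware 6.22.0 or higher


class Policy(NamedTuple):
    description: str
    enabled: bool
    code: int
    destructive: bool


# One policy row: free-text description, On/Off, numeric code, Yes/No.
_POLICY_LINE = re.compile(
    r"^(?P<desc>.+?)\s+(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)\s*$"
)


def parse_firmware_version(output: str) -> Optional[Tuple[int, ...]]:
    """Return the 'Current Firmware' version as an int tuple, or None if absent."""
    m = re.search(r"^Current Firmware:\s*(\d+(?:\.\d+)*)\s*$", output, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def parse_policies(output: str) -> Dict[int, Policy]:
    """Parse the policy table into {code: Policy}; header, '.' and result lines are skipped."""
    policies: Dict[int, Policy] = {}
    for line in output.splitlines():
        m = _POLICY_LINE.match(line.strip())
        if m:
            code = int(m.group("code"))
            policies[code] = Policy(
                description=m.group("desc"),
                enabled=(m.group("value") == "On"),
                code=code,
                destructive=(m.group("destr") == "Yes"),
            )
    return policies


def command_succeeded(output: str) -> bool:
    """True if the LunaSH result line reports 0 (Success)."""
    return re.search(r"^Command Result\s*:\s*0\s*\(Success\)", output, re.MULTILINE) is not None


def stc_status(firmware_output: str, policies_output: str) -> Dict[str, object]:
    """Summarise whether STC can be used on the HSM from the two captured outputs."""
    version = parse_firmware_version(firmware_output)
    stc = parse_policies(policies_output).get(STC_POLICY_CODE)
    firmware_ok = version is not None and version >= MIN_STC_FIRMWARE
    return {
        "firmware": version,
        "firmware_ok": firmware_ok,
        "policy_39_present": stc is not None,
        "policy_39_enabled": bool(stc and stc.enabled),
        "stc_available": firmware_ok and bool(stc and stc.enabled),
        "outputs_ok": command_succeeded(firmware_output) and command_succeeded(policies_output),
    }


def disable_stc_preflight(policies_output: str) -> str:
    """State the consequence before running 'hsm changePolicy -policy 39 -value 0'."""
    stc = parse_policies(policies_output).get(STC_POLICY_CODE)
    if stc is None:
        return "policy 39 not listed: firmware may predate STC; nothing to disable"
    if not stc.enabled:
        return "policy 39 already Off: no change needed"
    return ("policy 39 is On: turning it Off zeroizes the HSM and leaves only NTLS links; "
            "back up partitions and confirm the prompt deliberately")


if __name__ == "__main__":
    print(stc_status(SAMPLE_FIRMWARE_SHOW, SAMPLE_SHOWPOLICIES))
    print(disable_stc_preflight(SAMPLE_SHOWPOLICIES))
```

In practice you would paste the real LunaSH output into the two strings (or read it from a session log); the `outputs_ok` flag guards against acting on a command that did not return 0 (Success), and `disable_stc_preflight` is the check to run before the destructive step so that the zeroization consequence is visible rather than buried in the confirmation prompt.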