|
Home > |
|---|
The per-partition SO feature has a high impact on the customer documentation. Since Luna SA is the only product that supports multiple partitions, the PPSO feature is primarily aimed at Luna SA. Since all products share common firmware, however, the UI changes introduced for PPSO are also reflected in the G5 and PCI products, specifically in LunaCM and in various utilities, such as ckdemo.
The PPSO feature documentation is complicated by the way in which the feature is activated. PPSO is implemented in firmware and activated by applying a CUF. Luna 5.5 will ship with FIPS-approved firmware that does not support PPSO. A firmware upgrade can be applied that activates any firmware-dependent features in Luna 5.5. The PPSO features, however, are not enabled until the PPSO CUF is applied.
As a result, there are potentially three different operating modes for the PPSO feature:
|
Pre-6.22 firmware |
Behaves exactly as 5.4. No changes to the UI. |
|
6.22.x (and higher) firmware only |
Can see new PPSO UI, unless these items are only exposed by the addition of a CUF. If the UI is exposed, some commands will be executable (for example, on PCI/G5) while others will throw an error if you attempt to execute (for example, trying to create a partition with SO). |
|
6.22.x (and higher) firmware + CUF |
Can see and execute the PPSO commands. |
The following documents are impacted by this feature:
•"LunaCM Command Reference Guide"
•"LunaSH Command Reference Guide"
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
| LHSM-12620 | DOC: need new illustration and revised text for roles_and_users.htm page (changes summarized in comments section of the Jira Issue.) UPDATE: The text and illustrations were changed in the project source, and were correct in the Luna SA published output, but failed to publish for Luna PCI-E and Luna G5, due to a file/folder permissions problem. |
Sent for peer review... again | KM |
|
|
Add a paragraph to the Luna SA Introduction section.Overview of PPSO on SA [ Find or create Jira issue for this and promote it ] |
½ day
|
KM |
The Configuration Guide is the document most impacted by the PPSO feature. There are three distinct versions of the Configuration Guide, each of which are impacted differently:
•Luna SA Configuration Guide
•Luna PCI/G5 Configuration Guide
•Luna SA SO Partition Configuration Guide
Some of the required changes apply to all products, while others are specific to the multiple-partition Luna SA HSM or the single-partition PCI/G5/Remote SA Partition HSMs. The task descriptions, below, indicate the product version to which the documentation applies.
Note: Although these documents are published separately, they share a common set of source files. Only product-specific sections differ between the different product versions of the documents.
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
|
Describe the different ways in which the HSM can operate. Update the "Planning Your Configuration" chapter to add a "Modes of Operation" section that provides an overview of the differences in behavior between the following: •5.5 s/w, pre 6.22.x f/w •5.5 s/w, 6.22 (or later) f/w •5.5 s/w, 6.22 (or later) f/w, PPSO CUF Separate topics are required for Luna SA and PCI/G5/SO Partition |
|
|
|
| Provide an overview of PPSO. | |||
| Document the new roles. | |||
| Document how to create a partition with SO. Add a new section - "Creating an SO Partition" that contains procedures for creating an SO partition (both PW and PED). This content is specific to the Luna SA Configuration Guide. | |||
| Document difference between PPSO and legacy app partitions w.r.t. challenge secrets. PPSO partitions do not force creation of a challenge, while HSM-Admin-owned partitions DO force creation of a challenge [LHSM-11692]. Modify topic administration/ped_auth/about_ped_keys.htm - try to think of other places to mention this... | |||
| Update the procedures to reflect the new role commands. | |||
| Document the steps required to create the network link (NTLS) between the client and the remote SA partition and register the client with the partition. | |||
| LHSM-14564 | DOC: Luna PCI-E and Luna G5 PED-auth and PW-auth need new hsm showinfo and showpolicies outputs |
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
|
|
Update HSM Initialization chapter. Review and update chapter as required. |
|
|
| Update HSM Partitions chapter | |||
| Update the Backup and Restore HSMs and Partitions chapter | |||
| Update the High Availability (HA) Configuration and Operation chapter. Much of this information is still to be defined. Updates likely in conjunction with the Migration Guide. | |||
| Update the Audit Logging chapter. Audit log formatting changes. | |||
| LHSM-12850 |
http://172.20.18.90/LunaSA/6.0/#administration/slot_numbering.htm |
||
| LHSM-12674 | Update "How many PED Keys..." for PPSO. Edit the topic for improved organization and readability, while adding PPSO content. | Sent to peer review | KM |
| LHSM-11863 | DOC - PED based SA - Partition activation process on a partition with SO | In progress | KM |
| LHSM-11752 | DOC: "About PED Keys" page in docs needs new PPSO roles and artwork | Sent to peer review | KM |
| LHSM-11692 | DOC: SA PED-Auth Partitions with SO don't require a challenge, without SO they do Statement added |
Closed | KM |
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
|
Update LunaCM commands. Add new commands and update existing command descriptions, syntax, and examples for the commands affected by PPSO. New commands: role command hierarchy
Changed commands: |
|
|
|
| LHSM-14831 | DOC: par ar restore is missing output details http://172.20.18.90/LunaSA/6.0/#lunacm/commands/partition/partition_archive_restore.htm |
Closed 2015/03/23 | KM |
| LHSM-14169 |
DOC: partition command list in docs must differentiate what sub-commands are seen in different circumstances ■the current slot is the HSM administrative partition for an HSM with firmware version 6.22.0 or newer ■the current slot is an application partition that has its own SO (a PPSO partition), on an HSM with firmware version 6.22.0 or newer ■the current slot is a separate-but-not-independent application partition that is administered by the HSM SO, and does not have its own separate SO (a legacy-style partition) on an HSM with firmware version 6.22.0 or newer ■the current slot is the HSM administrative partition and application partition for an HSM with firmware older than version 6.22.0 (a true legacy partition). |
Closed 2015/03/26 | KM |
| LHSM-14131 | DOC: Role List command output is changed, need to reflect on doc. Changed the header above the list of roles to say: Roles ============== |
Closed 2015/03/27 | KM |
| LHSM-13536 | DOC - Max Failed logins no longer shows up under hsm showpolicies This is a symptom of the larger change, where "SO Capabilities" and "SO Policies" are no longer reported with the command "hsm show policies" (it shows HSM Capabilities and HSM Policies only); rather the SO capabilities and policies are displayed by command "partition show policies" when the current slot is a suitable partition (HSM admin partition, or PPSO partition). |
Verification 2015/03/24 | KM |
| LHSM-12989 | Can't create challenge for CO on legacy G5/K6 partition For f/w 6.22.0, command par createChallenge is "added" back in with options: Options Short Description ------------------------------------- -slot -sl slot of creating user challenge -defchallenge -d Use Default Challenge Password Syntax: partition createChallenge -slot <number> [-defchallenge] This command is available only on an Admin-owned partition. |
Closed 2015/03/26 | KM |
|
LHSM-12927 |
DOC: "Accessing Lunacm" topic needs correction and more complete info Separated the incorrect "Linux and Solaris" heading into a "Linux and AIX" and a "HP-UX and Solaris" section, per the conversation in the Description for this issue. Added two Notes in the General Operation section. |
Closed | KM |
| LHSM-12909 | DOC: "Accessing LunaCM" topic intro needs fixing Fix the introductory page "Accessing Lunacm" with updated intro |
Closed | KM |
| LHSM-11608 | DOC:par showInfo output vastly different between pre-PPSO and PPSO partitions | Closed 2015/04/01 | KM |
| LHSM-11606 |
DOC: lunacm preserves role login states across multiple slots NOTE: For HSMs with firmware earlier than version 6.22.0, when you used slot set to move the focus from an HSM partition or slot with logged in session(s), to another partition or slot, any sessions on the original slot were automatically closed (thus logged out). For HSMs with firmware version 6.22.0 of newer, you can use slot set to repeatedly shift focus among slots, and whatever login state was in force when you were previously focused on a slot is still in effect when you return to that slot. |
Closed 2015/03/26 | KM |
| LHSM-11594 | DOC : par create no longer overwrites existing partition in default 1 partition config (added a couple of NOTEs to http://172.20.18.90/LunaSA/6.0/#lunacm/commands/partition/partition_create.htm) |
Closed 2015/03/26 | KM |
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
|
Update LunaSH commands. Add new commands and update existing command descriptions, syntax, and examples for the commands affected by PPSO. New commands: •role command hierarchy •hsm firmware show Changed commands: •par create •hsm show (remove rollback version) •partition command hierarchy. Warnings when try to execute read/writer par commands (except par del and par create) on an application partition. Read-only commands (par show, par show policies) work as before (?) •all lunash partition admin commands should have a note that they apply only to HSM-Administrator-owned partitions |
|
|
|
| LHSM-14497 | DOC: Inappropriate contraction, "it's" in Lunash partition create http://172.20.18.90/LunaSA/6.0/#lunash/commands/partition/partition_create.htm |
Verification 2015/03/24 | KM |
| LHSM-13754 | DOC: Luna 6 upgrade guide - skip partition resizing/object deletion if immediately applying PPSO cuf afterwards | Verification 2015/03/30 | KM |
| LHSM-12867 | DOC: role init for the Audit user has no way of specifying domain (or default domain) for PWD-Auth "Syntax: role setDomain [-domain <string> | -defaultdomain] [-force] " |
Closed | KM |
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
|
Fully document the CKdemo interface and features. This documentation has been out of date for several releases, so both changes related to PPSO and for previously undocumented features are required. Subtasks: 1.AUDIT/LOG menu undocumented functions: all (10) functions 2.CLUSTER EXECUTION menu undocumented functions: Get Cluster State function 3.OFFBOARD KEY STORAGE menu undocumented functions: SIMExtract, SIMInsert, SIMMultiSign, Extract Object, Insert Object 4.OTHERS menu undocumented functions: LKM Commands 5.SCRIPT EXECUTION menu undocumented functions: Execute Script, Execute Asynchronous Script, Execute Single Part Script 6.TOKEN menu changes for the PPSO feature: Init Token, Init PIN, Change PIN 7.OBJECT MANAGEMENT menu changes for the PPSO feature: Create Object, Destroy Object |
|
|
Some other pending tasks were addressed in the customer documents, during times that information or working software, firmware, and systems were not available.
|
Story |
Tasks |
Status |
Prime |
|---|---|---|---|
|
|
Add a paragraph to the Luna SA Introduction section.Overview of PPSO on SA [ Find or create Jira issue for this and promote it ] |
½ day
|
KM |
| LHSM-11629 |
DOC: Cannot create crypto user on existing PWD-AUTH partition updated to 6.22.0
A snippet "cannot_create_pw-auth_crypto-user.flsnp" was added to four files to address the issue, Sent for verification on 2015/01/12. |
Retracted | KM |
This document is currently out of scope. It may be required to help customers understand and remediate any issues they may encounter when upgrading to 6.0.
The complexity of the PPSO feature introduces changes to serial numbers and the way in which slots are numbered. Labels are also no longer a valid method for identifying partitions, since there is no guarantee of uniqueness. As a result, some issues may arise when migrating to 6.0 from a previous release. Specific issues include HA and the way in which applications are associated with a slot.