|
Home > |
|---|
It could happen that you initiate an SRK re-split operation (see the lunacm command srk generate ) and, for whatever reason, the process is interrupted. One possible reason might be that you are interrupted before you can complete the PED transaction, and when you return your attention to SafeNet PED, the operation has timed out.
SafeNet PED can be reset by simply unplugging it and then reconnecting so that it reboots.
However, the HSM - having started the re-splitting operation - is left in a non-responsive state. The following example illustrates what that looks like, and how you can get back to normal operation.If you get into that situation, you can't run any other HSM command except to reboot the appliance and then re-run the srk generate command. When that command completes properly, the HSM is back in normal operation and accepts other commands.
[myluna] lunacm:>srk generate
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.
Note: (This is where the operator took too long to respond and the operation timed out.)
Error: 'hsm srk keys resplit' failed.
Command Result : 0x300000 (LUNA_RET_DEVICE_ERROR)
[myluna] lunacm:>
Note: We attempt to resume the operation.
[myluna] lunacm:>srk generate
This command is not supported in the current configuration.
Command Result : C0000105 (RC_FUNCTION_NOT_SUPPORTED)
[myluna] lunacm:>
Note: But that doesn't work. Perhaps if we just log out and log back in...
[myluna] lunacm:>hsm logout
Unable to communicate with HSM.
Please run 'hsm supportInfo' and contact customer support.
Command Result : 65535 (Luna Shell Execution)
[myluna] lunacm:>
Note: Perhaps a reset of the HSM.
[myluna] lunacm:>hsm reset
Resetting HSM
Command Result : No Error
Note: After several seconds the HSM has restarted and should be ready for use again.Can we log into the HSM?
[myluna] lunacm:>hsm login
Command Result : 80000532 (LUNA_RET_MTK_STATE_INVALID)
[myluna] lunacm:>
Note: Not just yet. Perhaps if we try the re-splitting operation again, now that the HSM has restarted...
[myluna] lunacm:>srk generate
Luna PED operation required to generate the SRK - use Secure Recovery (purple) PED key.
SRK generate succeeded.
Command Result : 0 (Success)
[myluna] lunacm:>
Note: This is looking much more hopeful.
[myluna] lunacm:>hsm login
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED Key.
'hsm login' successful.
Command Result : No Error
[myluna] lunacm:>
Note: Our HSM is entirely back in operation, and the MTK recovery key has been re-split and a new external split imprinted on a purple PED Key (SRK).
When re-split was invoked above, SafeNet PED would have refused to overwrite the current purple PED Keys (keys containing the currently valid Secure Recovery Vector). This is a safety feature to ensure that a valid purple key remains valid if the re-split operation is interrupted. It affects only the current purple PED Key(s). If you previously performed a re-split or disabled SRK (brought the external split back into the HSM), then those previous purple PED Keys are no longer valid and can be used as "blanks" for the re-split that you perform today.