
Secure Transport Mode [Remote]

This topic describes what to do if you wish to invoke Secure Transport Mode (STM) on a remote SafeNet Network HSM, when shipping the appliance:

to your customer or

to your partner organization or

to your own personnel at another site within your organization,

That is, as the appliance administrator and the HSM Admin or SO, you are not present when Secure Transport Mode is invoked and the appliance is packed for shipment, and you are not present at its destination when the appliance is unpacked and readied for use.

On-site technical personnel are performing the physical take-down, packing, unpacking and setup, but you remain at your remote location, administering the appliance and HSM via SSH and controlling access via Remote PED.

You could also use STM for securely storing the HSM, where "transport" would take place simply into, and later out of, your warehouse or vault. However, you would also need to manage separate secure storage and handling of the imprinted purple PED Key (SRK) for that HSM until it was time to recover the HSM and return it to service.

This page applies to PED Authenticated HSMs only. It does not apply to Password Authenticated HSMs.
This page assumes that you have a remote-capable SafeNet PED 2 (Remote Capable), and associated pedserver.exe software installed on your local-to-you computer.

You have already set up the SafeNet Network HSM for Remote PED operation, before you shipped it to its current remote location - that is, you imprinted the HSM and an orange PED Key with the Remote PED Vector (RPV), and you have that orange key available.

CAUTION:  If the HSM contents are of any value, perform backups of your partitions before you continue with Secure Transport Mode procedure. See Remote Application-Partition Backup and Restore Using the Backup HSM for more information.

Make a Remote PED Connection

First, using an ssh session, display the current status of the remotely located SafeNet Network HSM, to know your starting point.

[192.168.9.72] lunash:>hsm ped show
Ped Client Version 1.0.5 (10005)
Ped Client launched in status mode.
Ped PedClient is not currently running.
Show command passed.
Command Result : 0 (Success)
[192.168.9.72] lunash:>

Start pedServer.exe on your local computer.

Via SSH, tell the Remote PED Client on the SafeNet Network HSM to find and connect to the PED Server (pedServer.exe) on the selected computer - most likely the computer where you are currently working.

[192.168.9.72] lunash:>hsm ped connect -ip 192.168.10.175 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
Starting background process
Background process started
Ped Client Process created, exiting this process.
Command Result : 0 (Success)
[192.168.9.72] lunash:>


Confirm that the link is established.

[192.168.9.72] lunash:>
[192.168.9.72] lunash:>hsm ped show
Ped Client Version 1.0.5 (10005)
Ped Client launched in status mode.
Ped Client is connected to a Ped Server.

 

Client Information
Hostname: 	                192.168.9.72
IP: 	                        192.168.9.72/192.168.254.254
Firmware Version: 	        6.0.7
HSM Cmd Protocol Version: 	15
Callback IO Version: 	        1
Callback Protocol Version: 	1
Software Version: 	        1.0.5 (10005)
 
Server Information
Hostname: 	                OTT1-202011
IP: 	                        192.168.10.175
Firmware Version: 	        2.4.0-3
PedII Protocol Version: 	1.0.1-0
Software Version: 	        1.0.5 (10005)
Ped2 Connection Status: 	Connected
Ped2 RPK Count   	        1
Ped2 RPK Serial Numbers   	(70540100834a2301)
 
Operating Information
Server Port: 	                1503
Admin Port: 	                1501
External Admin Interface:  	No
Client Up Time: 	        31 (secs)
Client Current Idle Time:   	7 (secs)
Client Total Idle Time: 	9 (secs) (29%)
Idle Timeout Value:   	        1800 (secs)

 

Show command passed.
Command Result : 0 (Success)
[192.168.9.72] lunash:>


Check SRK status

[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      no
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)


Enable SRK

[192.168.9.72] lunash:>hsm srk enable
Luna PED operation required to enable external SRK split - use Secure Recovery (purple) PED key.


In RemotePED, answer the following prompts:

M value (1-16)
N value (M-16)
Insert a SRK PED key and press ENTER
This PED Key is for SRK, overwrite? Yes/No
**warning** Are you sure you want to overwrite this PED Key? Yes/No
Enter new PED PIN:
Confirm new PED PIN:
Are you duplicating this keyset? (Y/N)


PED shows “STM Enabled”

Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)


Enter Secure Transport Mode

[192.168.9.72] lunash:>hsm srk transportMode enter
CAUTION:  You are about configure the HSM in transport mode.
If you proceed, the HSM will be inoperable until it
is recovered with the Secure Recovery Key.
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Configuring the HSM for transport mode...
Luna PED operation required to enter transport mode - use Secure Recovery (purple) PED key.
Be sure to record the verification string that is displayed after the MTK is zeroized.

In RemotePED, answer the following prompts:

   Insert a SRK PED key and press ENTER
   Generating a verify string ECSK-W7xT-Ep9E-psGb, Continue? (Y/N)

PED shows “SRK was zeroized”

HSM is now in Transport Mode.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              yes
Command Result : 0 (Success)


At this point, pack the HSM appliance and ship to your eventual recipient via the most secure means (courier) available.

The options now are:

You keep the purple PED Key and the verification string and ship only the HSM - you will perform the recovery from your administrative location, once the HSM is installed at the remote location. This would be the situation if you were shipping within your organization and retaining control centrally, or if you were shipping to a customer who is leasing the equipment, but you are retaining ultimate administrative control.
OR

You have remotely configured and administered the HSM, while personnel at your own remote location did the physical work to make connections, then they disconnected the HSM when you finished accessing it, and packed it for shipment. From that transshipment point, the HSM is now being forwarded to your customer, who will take over complete responsibility.

If you keep control

In the first scenario, you retain all PED Keys and will perform further administrative actions from your location when the HSM reaches its new destination - you retain control; you manage the physical security of the purple PED Key and the verification string, which you will use when you perform STM recovery remotely (below).

The subsequent instructions on this page assume this scenario, where you have remotely set the HSM into Secure Transport Mode, and you will be remotely taking the HSM out of Secure Transport Mode, once it has arrived at its next location and been set up.

If you transfer control

In the second scenario, you relinquish administrative control of the HSM, so you ship the purple PED Key and the verification string to the eventual owners/administrators of the HSM.

Send the HSM to your recipient by the most secure means available.

Send the purple PED Key, from the above steps, to your recipient via a different carrier (courier, post, other).

Send the verification string that you just recorded (above) to your recipient by yet another means.

In this way, you are ensuring that the three components (HSM, purple PED Key, and verification string for that specific PED Key) cannot be brought together between the time they leave your hands and the time that they arrive (separately) at the recipient destination.

In this scenario, your recipient should also have this Help, and they can decide whether to use the local instructions or the remote instructions (below) to bring the received HSM out of Secure Transport Mode.

What if someone makes a new SRK while the HSM is in Transport Mode?

The HSM refuses to allow such action. Here is an example of an attempt, and the result.

SRK Resplit (attempt) while HSM is in Transport Mode

[192.168.9.72] lunash:>hsm srk keys resplit
Error:  The Secure Recovery Key cannot be resplit when the HSM is in 
tranport mode or tampered.  Use the recover command to restore 
the HSM to a functional state.
Error:  'hsm srk keys resplit' failed. (C0000400 : RC_TOKEN_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)

SRK Key verify (attempt) while HSM in Transport Mode

[192.168.9.72] lunash:>hsm srk keys verify
Error:  The SRK cannot be verified when the HSM is in transport mode 
or tampered.  Use the recover command to restore the 
HSM to a functional state.
Error:  'hsm srk keys verify' failed. (C0000400 : RC_TOKEN_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)


At the destination, recover from Secure Transport Mode

[192.168.9.72] lunash:>hsm srk transportMode recover
Attempting to recover from Transport Mode...
Luna PED operation required to recover the HSM - use Secure Recovery (purple) PED key.

In RemotePED, respond to the following prompts as appropriate:

   Insert a SRK PED key and press ENTER
   Generating a verify string ECSK-W7xT-Ep9E-psGb, Continue? (Y/N)

Luna PED shows “SRK was restored” and lunash command line shows:

Successfully recovered from transport mode.
HSM restored to normal operation.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)
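
The `hsm srk show` flag block appears after every step on this page, and the remote administrator has to read it correctly over SSH before packing and again before returning the HSM to service. As an added example (not part of this Help and not SafeNet code), the Python below parses that output and checks it against the flags each step is expected to leave behind. The sample outputs are constructed from the transcripts on this page; the function names and the state labels are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `hsm srk show` transcript from this page, before SRK enable.
SAMPLE_SRK_DISABLED = """\
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      no
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)
"""

# Constructed: the same block as it reads after `transportMode enter` ...
SAMPLE_IN_TRANSPORT = SAMPLE_SRK_DISABLED.replace(
    "External split enabled:      no", "External split enabled:      yes"
).replace("Transport mode:              no", "Transport mode:              yes")

# ... and after `transportMode recover` at the destination.
SAMPLE_RECOVERED = SAMPLE_SRK_DISABLED.replace(
    "External split enabled:      no", "External split enabled:      yes"
)

# Constructed: a command that did not succeed, so no flag block is printed.
SAMPLE_FAILED = "Command Result : 65535 (Luna Shell execution)\n"

FLAG_NAMES = ("External split enabled", "SRK resplit required",
              "Hardware tampered", "Transport mode")
FLAG_RE = re.compile(
    r"^(External split enabled|SRK resplit required|Hardware tampered|Transport mode)"
    r":\s+(yes|no)\s*$",
    re.MULTILINE,
)
RESULT_RE = re.compile(r"^Command Result : (\d+)", re.MULTILINE)


@dataclass(frozen=True)
class SrkState:
    external_split: bool    # Secure Recovery Vector split lives on the purple PED Key
    resplit_required: bool
    tampered: bool
    transport_mode: bool


def parse_srk_show(output: str) -> SrkState:
    """Parse the flag block of `hsm srk show`; reject failed or incomplete output."""
    result = RESULT_RE.search(output)
    if result is None or int(result.group(1)) != 0:
        raise ValueError("hsm srk show did not return Command Result 0")
    flags = {name: (value == "yes") for name, value in FLAG_RE.findall(output)}
    missing = [name for name in FLAG_NAMES if name not in flags]
    if missing:
        raise ValueError(f"flag(s) missing from output: {missing}")
    return SrkState(*(flags[name] for name in FLAG_NAMES))


def classify(state: SrkState) -> str:
    """Name the state; tamper and transport dominate the other flags."""
    if state.tampered:
        return "tampered"
    if state.transport_mode:
        return "in-transport"
    if state.resplit_required:
        return "resplit-required"
    if state.external_split:
        return "stm-ready"       # SRK enabled, so `transportMode enter` is possible
    return "srk-disabled"        # both recovery splits are held inside the HSM


def ready_to_ship(state: SrkState) -> bool:
    """Flags expected right after `transportMode enter`, before packing."""
    return state.external_split and state.transport_mode and not state.tampered


def ready_for_service(state: SrkState) -> bool:
    """Flags expected after `transportMode recover` at the destination."""
    return not (state.transport_mode or state.tampered or state.resplit_required)


def _squash(s: str) -> str:
    return "".join(s.split())


def verify_string_matches(recorded: str, displayed: str) -> bool:
    """Compare the verification string recorded at `transportMode enter` with the
    one the PED displays during `transportMode recover`. Whitespace from line
    wrapping is ignored; anything else must match exactly."""
    return _squash(recorded) == _squash(displayed)
```

`parse_srk_show` takes the text exactly as captured from the SSH session, so it can be fed from a scripted `lunash` call or pasted from a terminal log; it refuses output whose `Command Result` is not 0 rather than silently reporting all flags as "no". `ready_to_ship` and `ready_for_service` encode the two checkpoints on this page, and `verify_string_matches` is the comparison you make by hand when the recover prompt shows the string you recorded at enter; a mismatch should be treated as a failed check.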


SRK key resplit

Having received and unlocked your HSM, you might now prefer to invalidate the current SRK and create a new external split for future use.

[192.168.9.72] lunash:>hsm srk keys resplit
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.
In RemotePED, answer the following prompts accordingly:
   Insert a SRK PED key and press ENTER
   M value (1-16)
   N value (M-16)
   Insert a SRK PED key and press ENTER (insert old SRK key here)
   This PED Key is for SRK, overwrite? Yes/No

Note: you see the above message if the key that you present has previously been imprinted with a Secure Recovery Vector.

**warning** Are you sure you want to overwrite this PED Key? Yes/No
Enter new PED PIN:
Confirm new PED PIN:
Are you duplicating this keyset? (Y/N)
Ped shows “SRK was resplit”
SRK resplit succeeded.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)


Verify the new SRK

[192.168.9.72] lunash:>hsm srk keys verify
Luna PED operation required to verify the SRK split - use Secure Recovery (purple) PED key.

On the Remote PED, respond to the prompts:

Insert a SRK PED key and press ENTER
PED shows “SRK was restored”
SRK verified.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)


SRK disable

This section shows how to disable SRK, returning the external split (Secure Recovery Vector) of the Master Key from its location on the external purple PED Key to a location inside the HSM. After this action, Secure Transport Mode is not possible unless you enable SRK again. Also, with the two recovery splits held inside the HSM, the HSM can recover from a physical tamper event with only a reboot.

[192.168.9.72] lunash:>hsm srk disable
Luna PED operation required to disable external SRK split - use Secure Recovery (purple) PED key.

In RemotePED, respond to the following prompts:

   Insert a SRK PED key and press ENTER

SafeNet PED shows “STM Disabled”

Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      no
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)
[192.168.9.72] lunash:>