|
Home > |
Configuration Guide > Initializing an HSM (SO and Cloning Domain) > PED-Authenticated HSM > Initializing a Luna PED-Authenticated PCI-E HSM
|
|---|
Your SafeNet PCI-E HSM 5 HSM arrives in "Zeroized" state, and in a default, pre-initialized condition (see below). It might also be in Secure Transport Mode, if you selected that option at purchase time.
The LunaCM utility presents status information for connected HSMs when lunacm is launched.
bash-3.00# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2010 SafeNet, Inc.
Available HSMs:
Slot Id -> 1
Tunnel Slot Id -> 3
HSM Label -> no label
HSM Serial Number -> 151433
HSM Model -> K6 Base
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status -> Transport Mode, Zeroized
Slot Id -> 2
Tunnel Slot Id -> 4
HSM Label -> no label
HSM Serial Number -> 151446
HSM Model -> K6 Base
HSM Firmware Version -> 6.2.1
HSM Configuration -> Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status -> Transport Mode, Zeroized
Current Slot Id: 1
lunacm:>
“Transport Mode” refers to a user-invoked tamper event.
“Zeroized” state results from the battery being disengaged and the Real Time Clock and the battery-backed memory left un-powered. This renders any HSM contents unrecoverable (at the factory, we would have created only unimportant test objects on the HSM - if you have previously had the HSM in service, and then either "decommissioned" it or performed hsm factoryreset your valid objects and keys are similarly rendered permanently unrecoverable and the HSM is completely safe to store or ship ).
The above two states are addressed by configuring and initializing your SafeNet PCI-E HSM 5 HSM. Instructions start on this page.
If you requested Secure Transport Mode shipment from SafeNet, then a couple of additional steps are required (also included in these instructions).
Before you can make use of it, the HSM must be initialized. This establishes your ownership for current and future HSM administration. Initialization assigns a meaningful label, as well as Security Officer authentication (PED Key) and Domain (another PED Key), and places the HSM in a state ready to use.
Use the instructions on this page if you have SafeNet PCI-E HSM with PED (Trusted Path) authentication.
Some HSM Policy changes are destructive. A destructive policy change is one that requires the HSM to be initialized again, before it can be used. Thus if you intend to perform a destructive HSM Policy change, you might need to perform this initialization step again, after the Policy change.
C:\Program Files\LunaPCI>lunacm
LunaCM V2.3 - Copyright (c) 2006-2010 SafeNet, Inc.
Available HSMs:
Slot Id -> 1
Tunnel Slot Id -> 2
HSM Label -> no label
HSM Serial Number -> 8000001
HSM Model -> K6Base
HSM Firmware Version -> 6.1.3
HSM Configuration -> Luna PCI (PED) Signing with Cloning Mode
Current Slot Id: 1
lunacm:>
Notice that the HSM does not yet have a label, indicating that it has not been initialized since manufacture.
1.Have the SafeNet PED connected and ready (in local mode and "Awaiting command...").
2.Insert a blank PED Key into the USB connector at the top of the PED.
3.In a terminal
window (DOS command-line window in Windows), go to the LunaPCI directory
and start the lunacm utility:
lunacm:>
4.Run the "hsm init" command, giving a label for your SafeNet PCI-E HSM. If Secure Transport Mode was set, you must unlock the HSM with the purple PED Key before you can proceed.
The following is an example of initialization dialog, with PED interactions inserted to show the sequence of events.
lunacm:> hsm init -label myPCI
You are about to initialize the HSM.
All contents of the HSM will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Please attend to the PED.
5.SafeNet PED asks preliminary setup questions [ The simplest scenario is your first-ever HSM and new PED Keys. However, you might have previously initialized this HSM and be starting over. Or you might have other HSMs already initialized and need to share the authentication or the domain with your new HSM. ] the HSM and PED need to know, prior to imprinting the first HSM Adminstrator / SO PED Key.
Slot 01
SETTING SO PIN...
Would you like to
reuse an existing
keyset? (Y/N)
6.If you say [ NO ] (on the PED keypad), then you are indicating there is nothing of value on your PED Keys to preserve. On the assumption that you will now be writing onto a new blank PED Key, or onto one that contains old unwanted authentication, SafeNet PED asks you to set MofN values.
Slot 01
SETTING SO PIN...
M value? (1-16)
>01
and
Slot 01
SETTING SO PIN...
N value? (M-16)
>01
Setting M and N equal to "1" means that the authentication is not to be split, and only a single PED Key will be necessary when the authentication is called for in future.
Setting M and N larger than "1" means that the authentication is split into N different "splits", of which quantity M of them must be presented each time you are required to authenticate. MofN allows you to enforce multi-person access control - no single person can access the HSM without cooperation of other holders.
7.If you say [ YES ], you indicate that you have a PED Key (or set of PED Keys) from another HSM and you wish your current/new HSM to share the authentication with that other HSM. Authentication will be read from the PED Key that you present and imprinted onto the current HSM.
SafeNet PED now asks you to provide the appropriate PED Key - a fresh blank key, or a previously used key that you intend to overwrite, or a previously used key that you intend to preserve and share with this HSM.
SLOT 01
SETTING SO PIN...
Insert a SO /
HSM Admin
PED Key.
Press ENTER.
Slot 01
SETTING SO PIN...
**WARNING**
This PED Key is
blank.
Overwrite? YES/NO
OR
Slot 01
Initialize HSM
**WARNING**
This PED Key is for
SO / HSM Admin.
Overwrite? YES/NO
8.Answer (press the appropriate button on the PED keypad)
–"NO" if the PED key that you provided carries SO authentication data that must be preserved. In that case, you must have made a mistake so the PED goes back to asking you to insert a suitable key.
–"YES" if the PED should overwrite (if you overwrite a never-used PED Key, nothing is lost; if you overwrite a PED Key that contains authentication secret for another HSM, then this PED Key will no longer be able to access the other HSM, only the new HSM that you are currently initializing with a new, unique authentication secret - therefore "YES" means 'yes, destroy the contents on the key and create new authentication information in its place' - be sure that this is what you wish to do) the PED Key with a new SO authentication. (This will be matched on the SafeNet PCI-E HSM during this initialization).
9.SafeNet PED makes very sure that you wish to overwrite, by asking again.
SLOT 01
SETTING SO PIN...
***WARNING **
Are you sure you
want to overwrite
this PED Key? YES/NO
10.For any situation other than reusing a keyset, SafeNet PED now prompts for you to set a PED PIN. For multi-factor authentication security, the PED Key is "something you have". You can choose to associate that with "something you know", in the form of a multi-digit PIN code that must always be supplied along with the PED Key for all future HSM access attempts.
SLOT 01
SETTING SO PIN...
Enter new PED PIN:
Confirm new PED PIN:
11.Type a numeric password on the PED keypad, if you wish. Otherwise, just press [Enter] twice to indicate that no PED PIN is desired.
SafeNet PED imprints the PED Key, or the HSM, or both, as appropriate, and then prompts the final question for this key:
SLOT 01
SETTING SO PIN...
Are you duplicating
this keyset? (Y/N)
12.You can respond [ YES ] and present one or more blank keys, all of which will be imprinted with exact copies of the current PED Key's authentication, or you can say [ NO ], telling the PED to move on to the next part of the initialization sequence. (You should always have backups of your imprinted PED Keys, to guard against loss or damage.)
13.To begin imprinting a Cloning Domain (red PED Key), you must first log into the HSM, so you can simply leave the blue PED Key in place.
SLOT 01
SO LOGIN...
Insert a SO /
HSM Admin
PED Key.
Press ENTER.
14.SafeNet PED passes the authentication along to the HSM and then asks the first question toward imprinting a cloning domain:
SLOT 01
SO SETTING DOMAIN...
Would you like to
reuse an existing
keyset? (Y/N)
If this is your first SafeNet HSM, or if this HSM will not be cloning objects with other HSMs that are already initialized, then answer [ NO ]. SafeNet PED prompts for values of M and N.
If you have another HSM and wish that HSM and the current HSM to share their cloning Domain, then you must answer [ YES ]. In that case, SafeNet PED does not prompt for M and N.
SLOT 01
SO SETTING DOMAIN...
M value? (1-16)
>01
SLOT 01
SO SETTING DOMAIN...
M value? (1-16)
>01
SafeNet PED goes through the same sequence that occurred for the blue SO PED Key, except it is now dealing with a red Domain PED Key.
SLOT 01
SO SETTING DOMAIN...
Insert a
Domain
PED Key
Press ENTER.
Slot 01
SO SETTING DOMAIN...
**WARNING**
This PED Key is
blank.
Overwrite? YES/NO
OR
Slot 01
SO SETTING DOMAIN...
**WARNING**
This PED Key is for
Domain.
Overwrite? YES/NO
Just as with the blue SO PED Key, the next message is:
Slot 01
SO SETTING DOMAIN...
**WARNING**
Are you sure you
want to overwrite
this PED Key? YES/NO
15.When you confirm that you do wish to overwrite whatever is (or is not) on the currently inserted key, with a Cloning Domain generated by the PED, the PED asks:
Slot 01
SO SETTING DOMAIN...
Enter new PED PIN:
Confirm new PED PIN:
And finally:
SLOT 01
SO SETTING DOMAIN...
Are you duplicating
this keyset? (Y/N)
16.Once you stop duplicating the Domain key, or you indicate that you do not wish to make any duplicates (you should have backups of all your imprinted PED Keys...), SafeNet PED goes back to "Awaiting command...".
Lunacm says:
Command Result : No Error
lunacm:>
lunacm:> hsm showinfo
HSM Label -> myLuna
HSM Manufacturer -> Safenet, Inc.
HSM Model -> K6 Base
HSM Serial Number -> 150022
HSM Status -> OK
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Firmware Version -> 6.2.1
Rollback Firmware Version -> Not Available
Slot Id -> 1
Tunnel Slot Id -> 2
Session State -> CKS_RW_PUBLIC_SESSION
SO Status-> Not Logged In
SO Failed Logins-> 0
SO Flags ->
CONTAINER_KCV_CREATED
HSM Storage:
Total Storage Space: 2097152
Used Storage Space: 2097152
Free Storage Space: 0
Allowed Partitions: 1
Number of Partitions: 1
SO Storage:
Total Storage Space: 262144
Used Storage Space: 0
Free Storage Space: 262144
Object Count: 0
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
License Count -> 7
1. 621000026-000 621-000026-000 K6 BASE CONFIGURATION FILE,HSM UNMASKING
2. 620127-000 ECC
3. 620114-001 Cloning
4. 620109-000 FIPS3
5. 621010358-001 621-010358-001 External MTK - STM disabled
6. 621010089-001 621-010089-001 Remote Ped
7. 621000021-001 SCU K5/K6 Performance 15
Command Result : No Error
lunacm:>
Notice that the HSM now has a label. If you were to exit and restart the lunacm utility, you would see the new label that you have just applied to the HSM.
17.The next step is to create a partition on the HSM. See Creating a Legacy-style PED-authenticated Application Partition.