
Creating a Legacy-style PED-authenticated Application Partition

This section covers application Partition setup for a SafeNet HSM with PED Authentication, where the partition is to remain under the ownership of the HSM Security Officer. The activities in this section are required in two circumstances:

- if you have just prepared an HSM for the first time and must now create your first application Partition, or

- if you have deleted or zeroized an application Partition and wish to create a new one to replace it.

About Application Partitions on the Initialized HSM

At this point, the SafeNet HSM should already have its Security Officer assigned, as described in Initialize the HSM.

Within the HSM, a separate cryptographic work-space must be created, for use by client applications. A workspace, or partition, and all its contents are protected by encryption derived (in part) from its authentication. Only a User who presents the proper authentication is allowed to see the application partition and to work with its contents. That User (or Crypto Officer) and its authentication can be separate from the Security Officer identity. However, in the legacy approach, the HSM SO maintains direct authority and ability to see into the application partition.

In this section, you will:

Create an application Partition

Set application Partition Policies (Optional)

If your SafeNet HSM is at a firmware version lower than 6.22.0, the commands available in lunacm are the traditional ones that have been used with SafeNet HSMs. The outcome of this sequence is the creation of a legacy-style application partition that is owned and managed by the HSM SO and does not have its own independent SO.

If your HSM firmware is at version 6.22.0 or higher, then some of the commands have changed, and are the same as those listed for creation of a PPSO application partition, in another section of this guide. That is, with the newer firmware you can use the newer commands to create either a legacy-style partition or a PPSO partition. With the pre-6.22.0 firmware, you have only the older commands, and you can create only a legacy-style partition.

"Legacy" partitions with old firmware behave slightly differently from "legacy" partitions with 6.22-and-newer firmware. In the old firmware, for SafeNet USB HSM and for SafeNet PCI-E HSM, "slot list" shows only one slot, even after a partition has been created. Pre-f/w-6.22, the application partition essentially shares its slot with the HSM's administrative partition. With firmware 6.22, "slot list" shows separate:
- HSM Admin slot ( Configuration -> SafeNet HSM Admin Partition Signing With Cloning Mode )
  and
- application partition slot ( Configuration -> SafeNet User Partition, No SO Signing With Cloning Mode ).

First, Login as Security Officer

To create HSM Partitions, you must login to the SafeNet HSM as Security Officer.  

1. In a terminal window (DOS command-line window in Windows), go to the SafeNet HSM Client directory and start the lunacm utility.

2. In lunacm, if you have more than one HSM on the current host computer, set the correct slot. At the lunacm:> prompt, type:

lunacm:> slot set slot <number of HSM administrative slot> 

3. Log in as the HSM SO.

For firmware older than 6.22.0, at the lunacm:> prompt, type:

lunacm:> hsm login 

For firmware 6.22.0 or newer, at the lunacm:> prompt, type:

lunacm:> role login -name Administrator 

You are directed to SafeNet PED.

Authenticate as Security Officer by supplying the appropriate HSM SO PED Key that was imprinted during the HSM initialization step. The PED might prompt you for the numeric password PED PIN that might optionally have been assigned to the HSM SO PED Key. SafeNet PED provides the HSM SO authentication secret to the SafeNet HSM.

CAUTION:  If you fail three consecutive login attempts as Security Officer, the HSM is zeroized and cannot be used as-is — it must be re-initialized.  Zeroizing destroys all key material.  

Actions that are flagged as bad login attempts on a PED-authenticated HSM are:

- offering a PED Key that has the correct color/authent-type, but that carries a wrong authentication secret for the current HSM,

- offering a PED Key that contains the correct secret, but just pressing [Enter] on the PED keypad, with no digits, when a PED PIN was expected,

- offering a PED Key that contains the correct secret, but typing any numbers when no PED PIN had previously been set.

Note that the SafeNet HSM must actually receive some information before it logs a failed attempt. The following actions do not trigger the bad-login counter:

- pressing [Enter] on the PED keypad without a PED Key inserted, or

- inserting a wrong-color* PED Key and pressing [Enter].

Neither of these is logged as a failed attempt.

When you successfully login, the counter is reset to zero.

(*Wrong color means that the PED Key that you present has been imprinted with an authentication secret for a different function than is currently requested - so inserting a cloning domain (red) key when a blue key is requested is not a bad login attempt; it's just an inconvenience.)

If you are not sure that you are currently logged in as Security Officer, perform an ‘hsm login’. Either you will be directed to the PED to present the blue PED Key and log in, or you will be told that the SO is already logged in.
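The three-strike rule and the list of what does and does not count as a failed SO login, modelled as an added Python example (this is not code from the guide or from SafeNet; the PedAttempt and HsmSoLoginState names and the outcome labels are my own):

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_SO_LOGINS = 3  # per the guide: the third consecutive failure zeroizes the HSM


@dataclass
class PedAttempt:
    """One press of [Enter] on the PED (hypothetical model, not a SafeNet API)."""
    key_inserted: bool          # a PED Key was in the PED when [Enter] was pressed
    key_color_matches: bool     # key is the type the HSM asked for (e.g. blue for SO)
    secret_matches: bool        # key carries the secret imprinted on this HSM
    pin_entered: str            # digits typed on the keypad, "" for a bare [Enter]
    pin_set: Optional[str]      # PED PIN assigned to the key, or None if none was set


@dataclass
class HsmSoLoginState:
    failed_attempts: int = 0
    zeroized: bool = False
    log: list = field(default_factory=list)


def classify(a: PedAttempt) -> str:
    """Return 'ignored', 'failed' or 'success' for one PED interaction."""
    # Nothing reaches the HSM: no key, or a key imprinted for a different function
    # (wrong color). These are an inconvenience, not a bad login attempt.
    if not a.key_inserted or not a.key_color_matches:
        return "ignored"
    if not a.secret_matches:
        return "failed"
    # Correct secret: the PED PIN (or its absence) must also match what was set.
    if a.pin_set is None:
        return "success" if a.pin_entered == "" else "failed"
    return "success" if a.pin_entered == a.pin_set else "failed"


def apply_attempt(state: HsmSoLoginState, a: PedAttempt) -> str:
    """Feed one attempt into the counter; a success resets it, a third failure zeroizes."""
    if state.zeroized:
        raise RuntimeError("HSM is zeroized; it must be re-initialized before login")
    outcome = classify(a)
    state.log.append(outcome)
    if outcome == "failed":
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_SO_LOGINS:
            state.zeroized = True
    elif outcome == "success":
        state.failed_attempts = 0
    return outcome
```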

Second, Create the Partition

1. Have the SafeNet PED connected and ready (in Local mode and "Awaiting command...").

2. Have a blank, black-labeled PED Key (or a previously imprinted PED Key that you wish to share, or to overwrite) ready to insert into the USB connector at the top of the PED.

3. Run the "partition create" command.

The following is an example of the initialization dialog, with PED interactions inserted to show the sequence of events.

For firmware older than 6.22.0, type:

lunacm:> partition create 

For firmware 6.22.0 or newer, type:

lunacm:> partition create -label mylegacypar  

The existing Partition will be destroyed. 
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed 
Please attend to the PED.
Command Result : No Error
        Please attend to the PED.


4. SafeNet PED asks preliminary setup questions before imprinting the first black Partition Crypto Officer PED Key.




Respond "Yes" if you have a key from another HSM partition with a partition Owner / Crypto Officer ID already imprinted on it, that you wish to share/reuse.
Respond "No" if you have a fresh, never-imprinted key, or if you have a key previously imprinted with an ID that you do not wish to preserve.
(See Shared or Group PED Keys for more detail)   

5. The PED requests values for:


and



(enter "1" for both, unless you wish to invoke MofN split-secret, multi-person access control, Using MofN).

6. The PED then demands the black Owner PED key with the message




Insert the intended black HSM Partition Owner PED key and press [Enter]. (The unlabeled PED Key is generically black; we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting the key: before, just to ensure it gets done, or after, as a helpful indicator of which keys are imprinted with which secret and which are still blank.) A unique Partition Owner / Crypto Officer PIN is imprinted on both the PED key and the HSM Partition.


7. The PED continues with one or the other of these responses:




OR

Decide whether this should be a group PED Key (see Shared or Group PED Keys ), press [YES] or [NO] on the PED keypad, and press [Enter].

8. This is potentially serious business (if you unintentionally overwrite a PED Key that is needed for other purposes), so SafeNet PED asks one more time if you truly intend to overwrite the key's content.


Press [YES] or [NO] on the PED keypad, and press [Enter].

9. Next, you are asked to provide a PED PIN (optional, see What is a PED PIN?). It can be 4 to 48 digits, or no digits at all if a PED PIN is not desired.



You must press [Enter] to inform the PED that you are finished entering PED PIN digits, or that you have decided not to use a PED PIN (no digits entered).
When you provide a PED PIN, even if it is the null PIN (by just pressing [Enter] with no digits), the PED requests it a second time to ensure that you entered it correctly, as you intended.
Press [ENTER] again.


10. You are then prompted




See Duplicating PED Keys.   
Respond “No”, if you want the PED to imprint just the one black HSM Admin PED Key and go on to the next step in creation of the application Partition.
Respond “Yes”, if you want the PED to imprint the first black key and then ask for more black PED Keys, until you have imprinted (duplicated) as many as you wish.

You should probably make at least one copy of this key as a backup. Some security regimes would have a working copy for on-site storage and another copy for off-site backup. As long as you continue to say "Yes" and present more keys to be imprinted, SafeNet PED continues to make copies of the current PED Key.

When you are done, say "No".

11. Having created the black-key User or Crypto Officer, the HSM now needs you to log in as that identity, in order to create or imprint a cloning domain for the partition. The PED prompts:



Leave the black key inserted, and press Enter.

12. The PED inquires if you intend to reuse a previously imprinted red Domain PED Key.





Respond "Yes" if you have a key from another HSM partition with a cloning domain ID already imprinted on it, that you wish to share/reuse to allow the two partitions to clone to each other, or to-and-from the same backup.
Respond "No" if you have a fresh, never-imprinted key, or if you have a key previously imprinted with an ID that you do not wish to preserve.

13. You now have a legacy application partition (owned and ultimately controlled by the HSM SO) with a User or Crypto Officer to manage it and to determine when it is open for use by applications (activated), and when not. The client applications need a way to authenticate to the application partition that does not require your presence with PED and PED Key all the time. For this purpose, you request the HSM to create a challenge secret text string, suitable for use by applications.

Log in as the HSM SO.

For firmware older than 6.22.0, type:

lunacm:> hsm login 

For firmware 6.22.0 or newer, type:

lunacm:> role login -name Administrator 


14. Create the challenge secret text string:

lunacm:> partition createChallenge

        Please attend to the PED.

Command Result : No Error

lunacm:>


The PED screen shows a generated string of characters that you must record accurately and promptly.

Because most problems with a challenge secret seem to result from ambiguous or indecipherable handwriting, we strongly suggest that you record the string in a text editor.

Note:  The dashes/hyphens shown between blocks of characters, in the illustration above, are NOT part of the challenge secret. They are added by the PED, simply for readability while you are recording. When you provide the string for your applications to use, be sure to remove the hyphens.

Alternatively, you can change the challenge secret to something more friendly:

lunacm:> partition changePw -newpw Thisisa$3cr3t -oldpw 6Ys6CSWHs76XTX/P
                    Please attend to the PED.
Command Result : No Error
lunacm:>


Optionally, go to Setting SafeNet PCI-E HSM Partition Policies [Optional] to adjust behavioral and security parameters for the newly created partition.

Where to go next?

Having set up your SafeNet HSM, you want to use it.

Either you have created an application of your own that can make use of an HSM, or you are using existing third-party software. Examples might be Microsoft server applications like Certificate Services, IIS, ISA, RMS, or applications from other vendors. By default, such applications can perform their cryptographic functions in software, using local computer resources (CPU, memory, and hard disk) with their inherent security issues, or they can be configured to make use of an HSM like the SafeNet HSM.

If you are using one of the indicated Microsoft products, you will need to install the SafeNet CSP / KSP software and then install the server application, or else re-configure an existing installation to make use of SafeNet CSP (for a CAPI environment) or SafeNet KSP (for a CNG environment) to provide the bridge between the application and the SafeNet HSM.

Another option is a Java-based application, in which case you should install the SafeNet JSP, which comes with Javadocs and sample code.