Initialize the HSM
In this chapter you will initialize your HSM. To initialize an HSM is to prepare it for operation under the control of an HSM Security Officer or SO (the entity that administers the HSM).
The HSM is available in PED-authenticated or password-authenticated versions. Follow the initialization steps in this chapter to initialize the type of HSM that you have purchased.
There is no externally visible difference between a password-authenticated or PED-authenticated HSM. For an installed HSM, you can determine its mode of authentication by attempting to log in. A PED-authenticated version will direct you to the SafeNet PED. A Password Authenticated version will prompt you for the password. You cannot change the authentication type of a SafeNet HSM. It is a manufacturing configuration, set at the factory. If you have a PED-authenticated version, you cannot access the HSM and partitions by means of passwords.
For password-authenticated HSMs, you authenticate to the HSM as Security Officer, or Crypto Officer, or User, etc., by typing a password on your computer keyboard.
For PED-authenticated HSMs, you authenticate to the HSM as Security Officer, or Crypto Officer, or User, etc., by presenting an iKey PED Key device that contains the authentication secret; nothing is typed at the computer keyboard.
SafeNet HSMs are shipped from the factory as one or the other type. This is not a field-changeable setting. If you are not sure which kind you have, verify the type of HSM with the command hsm showinfo in lunacm.
That command is one of several non-sensitive HSM commands that do not require HSM authentication, so you can run it before any credentials exist. Its output lists the configuration packages (additions to the basic build) that make up your SafeNet HSM. If the term FIPS3 appears in that list, your SafeNet HSM is PED-authenticated; otherwise, your HSM is password-authenticated.
See a comparison of Password-authenticated versus PED-authenticated at Comparing Password and PED Authentication.
Offering the wrong kind of authentication does no harm; the only result is a brief delay while the command times out. Offering the wrong credential of the correct kind, however, starts (or advances) the counter of bad login attempts. The following paragraphs offer a little more detail.
As a general rule, when you attempt to log in to the HSM or to issue any command that requires authentication, the command line prompts you for the needed authentication. If yours is a Password Authenticated HSM, you are asked for the password, and the command eventually times out if the password is not given. (Of course, if you provide a wrong password, that is applied against the count of bad login attempts. However, connecting a PED and offering a PED Key to a Password Authenticated HSM has no effect; it is ignored.)
If yours is a PED Authenticated (Trusted Path) HSM, the prompt asks you to attend to the PED for further instructions. If a PED is not connected and/or you don't supply the appropriate PED Keys and keypad actions, the command eventually times out. (If you do have a PED connected and supply the wrong PED Key [of the type requested], then that action is applied against the count of bad login attempts. However, if you mistakenly provide a password [at the command-line] for a PED Authenticated SafeNet HSM, that password is ignored and the bad-login-attempt count is not incremented.)
In either case, just wait for the timeout (a few minutes) to conclude, then begin again, using the correct authentication method.
Note: We recommend that you read through the pages in the Configuration Guide at least once in advance of starting the procedure, so that you can resolve any questions before beginning any time-limited operations. For a Password Authenticated SafeNet HSM, you should have passwords already determined according to your organization's security policies. For a PED Authenticated SafeNet HSM, you should have a SafeNet PED connected, and an appropriate set of PED Keys available.
If this is your only PED Authenticated SafeNet HSM, then you should have received a PED and PED Keys along with the HSM/appliance. If you have other PED Authenticated units at your location, then you can use a PED from one of them.
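Before starting the time-limited steps, it is worth scripting the type check described above (hsm showinfo, look for FIPS3) together with the matching "have this ready" reminder from the note. The following shell script is an added example for this page, not code from the SafeNet documentation or client. It classifies the HSM from the text of hsm showinfo passed on standard input; the sample texts inside it are constructed for the dry run and are not real lunacm output, and the non-interactive lunacm invocation in classify_live_hsm is an assumed form that you must check against your installed client.

```shell
# Added example (not from the SafeNet guide): decide whether an HSM is
# PED-authenticated or password-authenticated from `hsm showinfo` text.
# Rule taken from the page: FIPS3 in the configuration-package list means
# PED-authenticated, otherwise password-authenticated.
#
# Assumptions (not stated by the page):
#   - the showinfo text arrives on stdin;
#   - the lunacm pipe in classify_live_hsm is an assumed invocation form;
#   - SAMPLE_PED / SAMPLE_PWD are constructed strings, not real output.

# Prints "PED" or "Password" and returns 0.
# Returns 2 on empty input so that a failed or missing showinfo is never
# silently misread as "no FIPS3, therefore password-authenticated".
hsm_auth_type() {
    local text
    text="$(cat)"
    if [ -z "$text" ]; then
        echo "error: empty showinfo output" >&2
        return 2
    fi
    if printf '%s\n' "$text" | grep -q 'FIPS3'; then
        echo "PED"
    else
        echo "Password"
    fi
}

# What to have on hand for each type, per the note in this chapter.
auth_prereqs() {
    case "$1" in
        PED)      echo "Connect the SafeNet PED and have the PED Key set ready; a typed password is ignored." ;;
        Password) echo "Have the passwords chosen per your security policy; an attached PED is ignored." ;;
        *)        echo "unknown authentication type: $1" >&2; return 1 ;;
    esac
}

# Constructed samples for a dry run (NOT real lunacm output).
SAMPLE_PED='HSM Label: myHSM
Configuration Packages: Base, FIPS3'
SAMPLE_PWD='HSM Label: myHSM
Configuration Packages: Base'

# Live check. Assumed invocation: feed the command to lunacm on stdin.
# Verify the form against your installed lunacm before relying on it.
classify_live_hsm() {
    printf 'hsm showinfo\n' | lunacm | hsm_auth_type
}

# Dry run on the constructed samples, then the reminder for each result.
for sample in "$SAMPLE_PED" "$SAMPLE_PWD"; do
    kind="$(printf '%s\n' "$sample" | hsm_auth_type)"
    echo "$kind: $(auth_prereqs "$kind")"
done
```

Replace the dry run with classify_live_hsm once you have confirmed how your lunacm accepts a command non-interactively; the classification and the empty-output guard stay the same.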
1. Initialize the HSM. Choose one or the other of:
   a. Initializing a SafeNet PED-Authenticated PCI-E HSM
   b. Initializing a Password Authenticated HSM.
2. Change the HSM policies, if desired, as described in Setting SafeNet PCI-E HSM Policies, PED-authenticated [Optional]. If any of the policies you set are destructive, you must re-initialize the HSM after setting the policies, so settle them now, before any partitions or keys exist on the HSM.
3. Create a partition on the HSM, as described in Creating a Legacy-style PED-authenticated Application Partition.
4. Change the partition policies, if desired, as described in Setting SafeNet PCI-E HSM Partition Policies [Optional].