Client access to Partitions, on an HSM with PED Authentication, needs to be as efficient and convenient as Client access to a Password Authenticated HSM . Activation and auto-Activation are ways to manage the additional layer of authentication - the PED and PED Keys - so that Clients can reliably connect using just their passwords.
SafeNet Network HSM, in general, requires authentication from anyone wishing to use the appliance. Access falls into two categories, defined by purpose:
•Administrative - you can log in locally via a terminal connected to the serial interface, or remotely via SSH session, to perform administration/maintenance/housekeeping tasks (detailed elsewhere)
•Client - you can connect remotely via TLS to perform "production" activities, using objects and cryptographic functions on an HSM Partition within the HSM
To perform any administrative task on the HSM appliance, you must first login at the console or via an SSH session and provide the "admin", or "operator", or "monitor" password (as appropriate), in order to reach the lunash prompt. This is how you access the lunash commands. In this explanation, we will assume that you are using the "admin" identity, for greatest administrative scope.
At that first level of authentication and administrative access (an SSH admin session or a locally connected serial console session) you can perform some basic, appliance-wide administrative functions (such as configuring or modifying network settings, time setting, handling of logs, updating the system with update packages, etc.) that do not involve the HSM* or any of the Partitions* (virtual HSMs that you might have created within the HSM -- you need to create and assign Partitions if you are to use the HSM appliance in any meaningful way) .
(* Exceptions are HSM and Partition list and view commands that do not involve security-sensitive operations in the HSM.)
Subsets of the lunash command menu require a further level of authentication in order to perform HSM or Partition administrative commands. The HSM and Partition commands require the appropriate blue and black PED Keys. See PED Keys and Operational Roles.
When a command is issued to the HSM appliance that requires HSM or Partition authentication, the HSM with Trusted Path looks to the PED. The PED responds by prompting you for actions involving the appropriate PED Keys and the PED keypad. If the PED gets the appropriate response, it confirms the authentication back to the HSM, via the PED interface (the Trusted Path). The required PED Keys would be:
•the blue key(s) needed when the HSM Security Officer logs in, or issues an hsm command.
•the black key(s), needed when the Crypto Officer issues Partition administration commands, or creates, deletes (or otherwise manipulates) non-public objects.
•the gray key(s), needed when the Crypto User issues Partition administration commands, or uses non-public objects.
Those PED Keys (as appropriate) are demanded by SafeNet PED when you perform administrative operations via the lunash interface (meaning that you must be logged in as the appliance admin first, either at a local, serial console, or via ssh). The authentication can consist of:
•presenting the required PED Key(s) and pressing [ENTER] on the keypad, or
•presenting the required PED Key(s), pressing [ENTER], entering a PED PIN (if one had been assigned at initialization) and pressing [ENTER] again.
Performing the above actions gets you to a login state in which the HSM appliance will carry out HSM or Partition commands (according to the level of authentication that you invoked).
However, the point of the HSM appliance is that authorized remote Client applications must be able to access their Partitions, in order to perform useful work (such as signing, verifying, encrypting, decrypting), and also that unauthorized clients be prevented from doing so. Before authorized access can happen, the Partition must be in a logged-in state (as described above) by means of the black PED Key.
To preclude access by unauthorized clients/applications, the HSM appliance requires that three authentication conditions be in place:
•The Client and HSM appliance certificates must have been exchanged, and the Client registered to the Partition (during Setup and Configuration). This gives provisional access to the appliance, but not yet to the HSM or any of its Partitions. The Certificate exchange and registration can be initiated by a potential client, but are controlled at the HSM appliance. That is, no potential Client can register without the explicit approval of the HSM appliance administrator.
•The Partition must be readied to accept Client access in a login state authenticated by the black PED Key which is accepted only via the PED (this gives administrative access to the Partition, and opens the Partition to Client access, but only if the third authentication element is supplied),
•The Client must provide its credentials in the form of an authentication (a text-string password).
The Client authentication is the Partition Password that was displayed by the PED, and recorded by you, at the time the Partition was created (or it is the string to which you changed that original Partition Password, for your convenience, or to fit your security scheme).
If you provide that Partition Password only to registered, authorized Clients, and if they in turn keep it secret, then no unauthorized client can ever access the HSM appliance or its HSM. If you place an HSM Partition into a login state, then any registered application that presents the Partition Password is welcomed as an authorized Client.
The login state continues as long as a Client has the connection open to the Partition.
Activation is just a login with explicit caching of the login data, on the HSM.
•For legacy partitions, the cached authentication data is referred to as partition login data, handled by partition commands.
•For PPSO partitions, the cached authentication data is referred to as role login data, handled by role commands.
Login caching, or Activation, is convenient so that you can remove the black or gray PED key (perhaps to allow other uses of the PED, such as administrative logins by the HSM SO, or moving the PED to another HSM), while ensuring that access by Clients is not stopped, and that nobody is required to be present to press [ENTER] on the keypad on behalf of Clients.
To use Activation, you must first allow it by setting Partition Policy 22 (Allow Activation) to on, for each partition that you create. This is done by the HSM SO for legacy application partitions, and by the Partition SO for PPSO application partitions. If the Policy (22, Allow Activation) is on, then the partition Crypto Officer can issue the partition activate command for legacy partitions. For PPSO partitions, once the policy is on, a role login is all that is required to activate. The PED prompts for the black PED Key(s) and PED PIN if appropriate. Once you provide a black PED Key (Crypto Officer) or gray PED Key (Crypto User), the HSM appliance caches that authentication and the partition remains in a login state (Activated) until:
•you explicitly deactivate (with lunash command partition deactivate, or lunacm command partition deactivate or role deactivate, as appropriate)
•power is lost to the HSM.
You can remove the black PED Key (or gray PED Key) and keep it in your pocket or in safe storage. Activation remains on, and any registered Client with the Partition challenge password is able to connect and perform operations on the partition.
Activation is not a big advantage for Clients that connect and remain connected. It is an indispensable advantage in cases where Clients repeatedly connect to perform a task and then disconnect or close the cryptographic session following completion of each task.
1.Ensure that the partition policy "Allow activation" has been switched on.
For SafeNet Network HSM legacy partitions, type:
partition changepolicy -par <partitionname> -policy 22 -value 1
For SafeNet PCIe HSM or SafeNet USB HSM legacy application partition, type:
partition changepolicy -policy 22 -value 1
For SafeNet PCIe HSM or SafeNet USB HSM or SafeNet Network HSM PPSO application partition, type:
partition changepolicy -slot <slot number> -policy 22 -value 1
2.To start activation of the desired partition, type:
partition activate -par <partitionname>
for legacy application partitions, or type:
role login -name <name of role to log in>
for PPSO application partitions.
Respond to the PED prompts.
AutoActivation is supported for SafeNet Network HSM and for SafeNet PCIe HSM, but not for SafeNet USB HSM.
AutoActivation extends the Activation feature, and allows automatic re-activation of the partition or the role, using the cached Crypto Officer or Crypto User authentication data, in the event of a restart or a short power outage (up to 2 hours). That is, the Activated state can recover to allow Clients to re-connect and continue using the application partition, without need for human intervention to insert the black PED Key (or gray PED Key) and press [ENTER] on the PED keypad.
AutoActivation, which you set by the partition changePolicy command, requires that Partition Policy 23 (Allow AutoActivation) be on, for the affected partition.
When you run the partition activate command for legacy partitions, or when you simply role login for PPSO partitions, AutoActivation is set as well (if you set policy 23 for that partition). You are directed to the PED, depending upon the current status of the cached data.
If the authentication data requires refreshing, then the PED prompts you to insert the appropriate black or gray PED Key (that is, a PED Key that was imprinted with the partition authentication data for the particular partition [legacy] or role [PPSO]) and press [ENTER]. Once control returns to the command line, and the system announces success, you can remove the black PED Key and store it away. Clients can begin connecting and using the application partition.
We anticipate that most customers will set Partition Policy 23 Allow auto-activation (battery-backed caching of partition authentication) to on for their partitions, to ensure the convenience (uptime) of their clients.
Customers who prefer to not set auto-activation on, but who keep their SafeNet appliances located remotely from their administrative staff, might prefer to 'manually' resume partition activation by means of Remote PED. These options are entirely a matter of your preference and of your security policy.
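The rules above (the three authentication conditions a Client must satisfy, what Activation caches and when it ends, and what AutoActivation can and cannot recover) can be hard to keep straight when reasoning about an outage or a policy change. The following is an added illustrative model, not SafeNet code and not the behaviour of lunash or lunacm; it encodes only what this page states: registration plus login state plus partition password for Client access, Policy 22 before Activation and before Policy 23, the 2-hour AutoActivation window, and no AutoActivation on SafeNet USB HSM. The class and method names, the product labels, the constructed sample password and the "ped_attended" flag are assumptions for the model.

```python
"""Access-rule model for a Luna application partition under Activation and
AutoActivation. Added illustrative model (not SafeNet code). It follows the
rules stated in the documentation: a Client gets in only when it is registered,
the partition is in a login state, and it presents the partition password;
Activation (Partition Policy 22) caches the PED Key login on the HSM so the key
can be removed; AutoActivation (Policy 23, not on USB HSM) restores Activation
after an outage of up to 2 hours. Names and product labels are assumptions."""
from dataclasses import dataclass, field
import hmac

ALLOW_ACTIVATION = 22              # Partition Policy 22 (Allow Activation)
ALLOW_AUTOACTIVATION = 23          # Partition Policy 23 (Allow AutoActivation)
AUTOACTIVATION_WINDOW_HOURS = 2.0  # longest outage AutoActivation bridges (from the page)


class PolicyError(Exception):
    """Raised when a policy setting or login request breaks the stated rules."""


@dataclass
class Partition:
    name: str
    password: str                        # partition (challenge) password shown by the PED at creation
    product: str = "network"             # "network", "pcie" or "usb" (labels assumed for the model)
    policies: dict = field(default_factory=dict)            # policy number -> on/off
    registered_clients: set = field(default_factory=set)    # certificate exchange done, Client registered
    activated: bool = False              # login data cached on the HSM (Activation)
    auth_cached_for_recovery: bool = False  # battery-backed cache AutoActivation can reuse

    def set_policy(self, policy: int, on: bool) -> None:
        """Model of partition changepolicy: enforces the ordering and platform limits the page states."""
        if policy == ALLOW_AUTOACTIVATION and on:
            if self.product == "usb":
                raise PolicyError("AutoActivation is not supported on SafeNet USB HSM")
            if not self.policies.get(ALLOW_ACTIVATION, False):
                raise PolicyError("switch on Policy 22 (Allow Activation) first")
        self.policies[policy] = on

    def activate(self, ped_key_presented: bool) -> None:
        """partition activate (legacy) / role login (PPSO): the PED asks for the black or gray key."""
        if not self.policies.get(ALLOW_ACTIVATION, False):
            raise PolicyError("Partition Policy 22 (Allow Activation) is off")
        if not ped_key_presented:
            raise PolicyError("PED prompt not satisfied: black/gray PED Key and [ENTER] required")
        self.activated = True
        self.auth_cached_for_recovery = True   # the PED Key may now be removed and stored

    def deactivate(self) -> None:
        """partition deactivate / role deactivate: clears the cached login."""
        self.activated = False
        self.auth_cached_for_recovery = False

    def power_loss(self, outage_hours: float) -> bool:
        """Activation ends when power is lost; AutoActivation may restore it. Returns the new state."""
        self.activated = False
        if (self.policies.get(ALLOW_AUTOACTIVATION, False)
                and self.auth_cached_for_recovery
                and outage_hours <= AUTOACTIVATION_WINDOW_HOURS):
            self.activated = True              # recovered from cached data, nobody needed at the PED
        else:
            self.auth_cached_for_recovery = False  # authentication data must be refreshed at the PED
        return self.activated

    def client_connect(self, client_id: str, password: str, ped_attended: bool = False) -> tuple:
        """Apply the three conditions: registration, partition login state, partition password."""
        if client_id not in self.registered_clients:
            return False, "client not registered to this partition"
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False, "wrong partition password"
        if self.activated:
            return True, "activated: cached PED Key login used, nobody needed at the PED"
        if ped_attended:
            return True, "logged in: an operator presented the black PED Key and pressed [ENTER]"
        return False, "partition not Activated and nobody at the PED to present the key"


if __name__ == "__main__":
    # Constructed walk-through: registered Client, Activation on, a short and a long outage.
    p = Partition("part1", "pw-example-only", product="network")
    p.registered_clients.add("app1")
    print(p.client_connect("app1", "pw-example-only"))      # denied: not Activated, PED unattended
    p.set_policy(ALLOW_ACTIVATION, True)
    p.activate(ped_key_presented=True)
    print(p.client_connect("app1", "pw-example-only"))      # allowed from the cached login
    print("after 1 h outage, no AutoActivation:", p.power_loss(1.0))
    p.activate(ped_key_presented=True)
    p.set_policy(ALLOW_AUTOACTIVATION, True)
    print("after 1.5 h outage, AutoActivation on:", p.power_loss(1.5))
    print("after 3 h outage, AutoActivation on:", p.power_loss(3.0))
```

The model makes the trade-off in the text visible: with Policy 22 alone, every outage or reboot leaves registered Clients locked out until someone presents the black or gray PED Key again, while Policy 23 removes that dependency for outages inside the 2-hour window but keeps the authentication data cached on the appliance.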
1.Ensure that Activation is switched on (see previous section).
2.Log in as the partition's administrator (HSM SO for legacy partition, Partition SO for PPSO partition).
3.Ensure that the partition policy "Allow auto-activation" has been switched on.
For SafeNet Network HSM legacy partitions, type:
partition changepolicy -par <partitionname> -policy 23 -value 1
For SafeNet PCIe HSM or SafeNet USB HSM legacy application partition, type:
partition changepolicy -policy 23 -value 1
For SafeNet PCIe HSM or SafeNet USB HSM or SafeNet Network HSM PPSO application partition, type:
partition changepolicy -slot <slot number> -policy 23 -value 1
For best reliability and up-time, in conjunction with the AutoActivation option, you can also set sysconf appliance rebootonpanic enable.