
Interrupted SRK Re-split Operation

It can happen that you initiate an SRK re-split operation (see hsm srk keys resplit in the LunaSH Command Reference Guide) and, for whatever reason, the process is interrupted. One possible reason is that you are called away before you can complete the PED transaction, and when you return your attention to SafeNet PED, the operation has timed out.

SafeNet PED can be reset by simply unplugging it and then reconnecting so that it reboots.

However, the HSM, having started the re-splitting operation, is left in a non-responsive state. If you get into that situation, you cannot run any other HSM command; the only way out is to reboot the appliance and then re-run the hsm srk keys resplit command. When that command completes properly, the HSM is back in normal operation and accepts other commands. The following example illustrates what that looks like and how you get back to normal operation.

Example of Recovering From Interrupted Re-Split

[myluna] lunash:>hsm srk keys resplit
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.

Note:  (This is where the operator took too long to respond and the operation timed out.)

Error:  'hsm srk keys resplit' failed. (300000 : LUNA_RET_DEVICE_ERROR)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>

Note:  We attempt to resume the operation.

[myluna] lunash:>hsm srk keys resplit
ERROR:  Secure Recovery Keys are not supported on this HSM.
Error:  'hsm srk keys resplit' failed. (C0000105 : RC_FUNCTION_NOT_SUPPORTED)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>

Note:  But that doesn't work. Perhaps if we just log out and log back in...

[myluna] lunash:>hsm logout
Error:   Unable to communicate with HSM.
         Please run 'hsm supportInfo' and contact customer support.
Command Result : 65535 (Luna Shell Execution)
[myluna] lunash:>

Note:  Perhaps a reboot of the entire system.

[myluna] lunash:>sysconf appliance reboot
WARNING !!  This command will reboot the appliance.
All clients will be disconnected.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
Error:  Unable to establish communication with the HSM.
Contact customer support.
Broadcast message from root (pts/0) (Wed May 18 08:58:44 2011):
The system is going down for reboot NOW!
Reboot commencing
Command Result : 0 (Success).......

Note:  After a couple of minutes the appliance has restarted and is ready for use again.

[myluna] lunash:>
login as: admin
admin@192.20.10.300's password:
Last login: Mon Feb 66 07:43:29 2012 from 192.20.10.173
SafeNet Network HSM 5.1.0-22 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.

Note:  Now that reboot is done and we have logged back into the appliance, can we log into the HSM?

[myluna] lunash:>hsm login
Error:  'hsm login' failed. (80000532 : LUNA_RET_MTK_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>

Note:  Not just yet. Perhaps if we try the re-splitting operation again, now that the appliance and HSM are rebooted...

[myluna] lunash:>hsm srk keys resplit
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.
SRK resplit succeeded.
Command Result : 0 (Success)
[myluna] lunash:>

Note:  This is looking much more hopeful.

[myluna] lunash:>hsm login
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED Key.
'hsm login' successful.
Command Result : 0 (Success)
[myluna] lunash:>

Note:  Our HSM is entirely back in operation, and the MTK recovery key has been re-split and a new external split imprinted on a purple PED Key (SRK).
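The recovery sequence above can be recognised mechanically from the lines lunash prints after each command. The following is an added example, not code from the Luna documentation or product: a small Python parser that splits a captured lunash session into per-command blocks, picks out the 'Error:' and 'Command Result' lines, and maps each symbolic error name that appears on this page to the next step the procedure prescribes. The session text embedded in it is constructed from the transcript above; the NEXT_ACTION table, the Outcome record and the HSM_UNREACHABLE label are this example's own assumptions, not identifiers defined by the product.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes seen in lunash output, copied from the transcript on this page:
#   [myluna] lunash:>hsm srk keys resplit
#   Error:  'hsm login' failed. (80000532 : LUNA_RET_MTK_STATE_INVALID)
#   Error:   Unable to communicate with HSM.
#   Command Result : 65535 (Luna Shell execution)
PROMPT_RE = re.compile(r"lunash:>\s*(?P<cmd>\S.*?)\s*$")
ERROR_RE = re.compile(
    r"'(?P<cmd>[^']+)' failed\.\s*\((?P<code>[0-9A-Fa-f]+)\s*:\s*(?P<name>\w+)\)")
RESULT_RE = re.compile(r"Command Result\s*:\s*(?P<rc>\d+)")
UNREACHABLE_RE = re.compile(
    r"Unable to (?:communicate|establish communication) with (?:the )?HSM", re.I)

# Next step for each outcome, following the recovery sequence documented on this
# page. The table and the HSM_UNREACHABLE label are assumptions of this example.
NEXT_ACTION = {
    "LUNA_RET_DEVICE_ERROR":
        "PED transaction timed out: reboot the appliance, then re-run 'hsm srk keys resplit'",
    "RC_FUNCTION_NOT_SUPPORTED":
        "HSM unresponsive after the interrupted re-split: reboot the appliance before retrying",
    "HSM_UNREACHABLE":
        "HSM not answering: reboot the appliance with 'sysconf appliance reboot'",
    "LUNA_RET_MTK_STATE_INVALID":
        "MTK split still incomplete: re-run 'hsm srk keys resplit' before 'hsm login'",
}


@dataclass
class Outcome:
    command: str
    rc: Optional[int]       # value from the 'Command Result' line, if present
    error: Optional[str]    # symbolic error name, HSM_UNREACHABLE, or None on success
    next_action: str


def parse_command_output(command: str, lines: List[str]) -> Outcome:
    """Classify the lines lunash printed after one command."""
    rc: Optional[int] = None
    error: Optional[str] = None
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            error = m.group("name")          # symbolic name wins over the generic message
        elif error is None and UNREACHABLE_RE.search(line):
            error = "HSM_UNREACHABLE"
        m = RESULT_RE.search(line)
        if m:
            rc = int(m.group("rc"))
    if error is None and rc == 0:
        action = "no action: command succeeded"
    elif error is None:
        action = "inconclusive output: run 'hsm supportInfo' and review"
    else:
        action = NEXT_ACTION.get(
            error, "unrecognised error: collect 'hsm supportInfo' and contact support")
    return Outcome(command, rc, error, action)


def triage_transcript(text: str) -> List[Outcome]:
    """Split a lunash session at each prompt that carries a command and classify every block."""
    outcomes: List[Outcome] = []
    command: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        m = PROMPT_RE.search(line)
        if m:                                 # a prompt with a command starts a new block
            if command is not None:
                outcomes.append(parse_command_output(command, buf))
            command, buf = m.group("cmd"), []
        elif command is not None:
            buf.append(line)                  # bare prompts and output belong to the block
    if command is not None:
        outcomes.append(parse_command_output(command, buf))
    return outcomes


# Constructed session, assembled from the command blocks in the transcript on this page.
SESSION = """\
[myluna] lunash:>hsm srk keys resplit
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.
Error:  'hsm srk keys resplit' failed. (300000 : LUNA_RET_DEVICE_ERROR)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>hsm srk keys resplit
ERROR:  Secure Recovery Keys are not supported on this HSM.
Error:  'hsm srk keys resplit' failed. (C0000105 : RC_FUNCTION_NOT_SUPPORTED)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>hsm logout
Error:   Unable to communicate with HSM.
         Please run 'hsm supportInfo' and contact customer support.
Command Result : 65535 (Luna Shell Execution)
[myluna] lunash:>sysconf appliance reboot
WARNING !!  This command will reboot the appliance.
> proceed
Error:  Unable to establish communication with the HSM.
Command Result : 0 (Success).......
[myluna] lunash:>hsm login
Error:  'hsm login' failed. (80000532 : LUNA_RET_MTK_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>hsm srk keys resplit
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.
SRK resplit succeeded.
Command Result : 0 (Success)
[myluna] lunash:>hsm login
'hsm login' successful.
Command Result : 0 (Success)
[myluna] lunash:>
"""

if __name__ == "__main__":
    for o in triage_transcript(SESSION):
        print(f"{o.command:<26} rc={o.rc!s:<6} {o.error or 'OK':<28} -> {o.next_action}")
```

Run as a script it prints one line per command; the two HSM_UNREACHABLE rows come from the 'Unable to communicate' and 'Unable to establish communication' messages, which carry no symbolic code, so they are matched on the message text rather than on a return code.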

When re-split was invoked above, SafeNet PED would have refused to overwrite the current purple PED Keys (the keys containing the currently valid Secure Recovery Vector). This is a safety feature that ensures a valid purple key remains valid if the re-split operation is interrupted. It affects only the current purple PED Key(s). If you previously performed a re-split or disabled SRK (brought the external split back into the HSM), then those earlier purple PED Keys are no longer valid and can be used as "blanks" for the re-split that you perform today.