The STC functionality is available with firmware 6.22.0 or higher, and is enabled or disabled by setting HSM policy 39: Allow Secure Trusted Channel (see HSM Capabilities and Policies).
Note: Enabling HSM policy 39: Allow Secure Trusted Channel allows the appliance to use STC or NTLS links between the appliance and its registered partitions. It does not enable STC on the link between the appliance and the HSM (the STC admin channel). If you want to use STC end-to-end (client to HSM) then you must also enable the STC admin channel. See Establishing and Configuring the STC Admin Channel on a SafeNet Network HSM Appliance for more information.
You can enable STC on the HSM by turning on HSM policy 39: Allow Secure Trusted Channel. Enabling HSM policy 39 allows you to use STC or NTLS to provide the network link between an application partition and a client application. To use STC on a partition, you must also enable STC on the partition by turning on partition policy 37: Force Secure Trusted Channel. See Enabling or Disabling STC on a Partition.
Note: HSM zeroization disables partition policy 39: Allow Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in Restoring STC After HSM Zeroization and in Creating an STC Link Between a Client and a Partition in the Configuration Guide.
1. Ensure that firmware 6.22.0, or higher, is installed on the HSM. You can use the following LunaSH command to check the firmware version. If you are not using the correct firmware, refer to the upgrade documentation available on the support portal to upgrade your firmware:
hsm firmware show
For example:
lunash:>hsm firmware show
Current Firmware: 6.22.0
Rollback Firmware: 6.10.2
Upgrade Firmware: N/A
Command Result : 0 (Success)
2. Enter the following command to turn on HSM policy 39: Allow Secure Trusted Channel, which enables STC on the HSM. Enabling the policy is non-destructive. You must be the HSM SO to use this command:
hsm changePolicy -policy 39 -value 1
3. Enter the following command to verify that the policy is enabled:
hsm showpolicies
For example:
lunash:>hsm showpolicies
.
Description Value Code Destructive
.
Allow MofN On 37 No
Allow Secure Trusted Channel On 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)
4. (Optional) Enable the STC admin channel, as described in Establishing and Configuring the STC Admin Channel on a SafeNet Network HSM Appliance.
You can disable STC on the HSM by turning off HSM policy 39: Allow Secure Trusted Channel. Disabling this policy is destructive. It zeroizes the HSM and turns off the ability to use STC to provide the network link between an application partition and a client application, so that only NTLS links are permitted.
1. Enter the following command to turn off HSM policy 39: Allow Secure Trusted Channel, which disables STC on the HSM and zeroizes the HSM. You must be the HSM SO to use this command:
hsm changePolicy -policy 39 -value 0
You are prompted to confirm the action.
2. Enter the following command to verify that the policy is disabled:
hsm showpolicies
For example:
lunash:>hsm showpolicies
.
Description Value Code Destructive
.
Allow MofN On 37 No
Allow Secure Trusted Channel Off 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)
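As an added example that is not part of the SafeNet documentation or of LunaSH, the POSIX shell helpers below automate the checks in both procedures above from a management host: that the firmware meets the 6.22.0 minimum before policy 39 is changed, and that the policy shows the expected value and the command reported success afterwards. The sample outputs are constructed from the listings on this page, and the function names are hypothetical.

```shell
# Added example: helpers for checking captured LunaSH output on a management
# host. Not part of the SafeNet docs; function names are hypothetical.
# Constructed sample output, copied from the format shown on this page.
FIRMWARE_SHOW='lunash:>hsm firmware show
Current Firmware: 6.22.0
Rollback Firmware: 6.10.2
Upgrade Firmware: N/A
Command Result : 0 (Success)'

POLICIES_SHOW='lunash:>hsm showpolicies
Description Value Code Destructive
Allow MofN On 37 No
Allow Secure Trusted Channel On 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)'

# firmware_at_least REQUIRED OUTPUT: succeeds when "Current Firmware" in
# OUTPUT is >= REQUIRED, comparing major.minor.patch field by field.
firmware_at_least() {
  req="$1"; out="$2"
  cur=$(printf '%s\n' "$out" | sed -n 's/^Current Firmware: *//p')
  [ -n "$cur" ] || return 2                     # line missing: cannot decide
  i=1
  while [ "$i" -le 3 ]; do
    c=$(printf '%s\n' "$cur" | cut -d. -f"$i")
    r=$(printf '%s\n' "$req" | cut -d. -f"$i")
    c=${c:-0}; r=${r:-0}
    [ "$c" -gt "$r" ] && return 0
    [ "$c" -lt "$r" ] && return 1
    i=$((i + 1))
  done
  return 0                                      # all three fields equal
}

# policy_value CODE OUTPUT: prints On/Off for the policy whose Code column
# equals CODE; fails when no such row exists. Rows end "<Value> <Code> <Destr>".
policy_value() {
  printf '%s\n' "$2" | awk -v code="$1" '
    NF >= 4 && $(NF-1) == code { print $(NF-2); found = 1 } END { exit found ? 0 : 1 }'
}

# command_succeeded OUTPUT: succeeds when LunaSH reported result 0.
command_succeeded() {
  printf '%s\n' "$1" | grep -q '^Command Result : 0 (Success)'
}

# Pre-flight gate for the enabling procedure: refuse to proceed on old firmware.
firmware_at_least 6.22.0 "$FIRMWARE_SHOW" && command_succeeded "$POLICIES_SHOW" \
  && echo "policy 39 is $(policy_value 39 "$POLICIES_SHOW")"
```

In practice the two variables would hold the output of `ssh admin@<appliance> "hsm firmware show"` and `"hsm showpolicies"` rather than the constructed samples.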