If STC is enabled on the HSM, you can enable STC on the specific partitions on which you want to use STC instead of NTLS. This allows you to use both NTLS and STC links on different partitions on the same HSM.
Before you can enable STC on a partition, you must enable STC on the HSM, as described in Enabling or Disabling STC on the HSM. After enabling STC on the HSM, you can enable STC on a partition by turning on partition policy 37: Force Secure Trusted Channel. Enabling partition policy 37 disables NTLS for the partition and forces it to use STC to provide the network link between the partition and a client application.
To use STC on a partition, you must also create a client token and client identity key pair, and then exchange and register the partition and client identity public keys between the partition and the client, as described in Creating an STC Link Between a Client and a Partition in the Configuration Guide. The partition token and identity are created automatically when you create a partition, whether or not STC is enabled.
Note: HSM zeroization disables partition policy 37: Force Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in Restoring STC After HSM Zeroization and in Creating an STC Link Between a Client and a Partition in the Configuration Guide.
1. Ensure that STC is enabled on the HSM, as described in Enabling or Disabling STC on the HSM.
2. Enter the following command to turn on partition policy 37: Force Secure Trusted Channel, which enables STC on the specified partition. You must be logged in as the HSM SO to use this command:
partition changepolicy -partition <partition_name> -policy 37 -value 1
For example:
lunash:> partition changepolicy -partition stc_partition -policy 37 -value 1
'partition changePolicy' successful.
Policy "Force Secure Trusted Channel" is now set to: 1
3. Enter the following command to verify that the policy is enabled:
partition showpolicies -partition <partition_name>
For example:
lunash:> partition showpolicies -partition stc_partition

        Description                               Value     Code
        ...
        Allow CBC-PAD (un)wrap keys of any size   On        34
        Force Secure Trusted Channel              On        37

Command Result : 0 (Success)
You can disable STC on a partition by turning off partition policy 37: Force Secure Trusted Channel. Disabling this policy terminates the existing STC connection to the partition and turns off the ability to use STC to provide the network link between the partition and a client application, so that only NTLS links are permitted.
•To disable STC on a legacy partition, use LunaSH, as described in To disable STC on a legacy partition
•To disable STC on a partition with SO, use LunaCM, as described in To disable STC on a partition with SO
To disable STC on a legacy partition
1. Enter the following command to turn off partition policy 37: Force Secure Trusted Channel, which terminates the existing STC connection to the partition. You must be logged in as the HSM SO to use this command:
lunash:> partition changepolicy -partition <partition_name> -policy 37 -value 0
You are prompted to confirm the action.
2. Enter the following command to verify that the policy is disabled:
lunash:> partition showpolicies -partition <partition_name>
For example:
lunash:> partition showpolicies -partition stc_partition

        Description                               Value     Code
        ...
        Allow CBC-PAD (un)wrap keys of any size   On        34
        Force Secure Trusted Channel              Off       37

Command Result : 0 (Success)
To disable STC on a partition with SO
1. Go to the slot for the partition on which you want to disable STC:
lunacm:> slot set -slot <slot_number>
2. Enter the following command to turn off partition policy 37: Force Secure Trusted Channel, which terminates the existing STC connection to the partition. You must be logged in as the Partition SO to use this command:
lunacm:> partition changepolicy -policy 37 -value 0
You are prompted to confirm the action.
3. Enter the following command to verify that the policy is disabled:
lunacm:> partition showpolicies
For example:
lunacm:> partition showpolicies

        Description                               Value     Code
        ...
        Allow CBC-PAD (un)wrap keys of any size   On        34
        Force Secure Trusted Channel              Off       37

Command Result : 0 (Success)
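The verification steps above (after enabling and after disabling) both come down to reading the Value column of the policy 37 row in the showpolicies output. The following script is an added example, not Thales code or part of this page: it parses that output and reports whether a partition is STC-only (policy 37 On) or still accepting NTLS (policy 37 Off), so the check can be run against every partition that is supposed to be STC-only rather than eyeballed. The two showpolicies texts embedded in it are constructed from the samples on this page; fetch_policies assumes the appliance accepts a LunaSH command as the ssh remote command for the admin user, which is an assumption about your environment rather than something the page states.

```sh
#!/bin/sh
# Added example (not Thales code): audit the STC state of a partition by
# parsing "partition showpolicies" output and checking the row whose Code
# column is 37 (Force Secure Trusted Channel).

# Constructed sample: STC enabled on the partition (policy 37 On).
SAMPLE_STC_ON='
        Description                               Value     Code
        Allow CBC-PAD (un)wrap keys of any size   On        34
        Force Secure Trusted Channel              On        37

Command Result : 0 (Success)
'

# Constructed sample: STC disabled on the partition (policy 37 Off), NTLS only.
SAMPLE_STC_OFF='
        Description                               Value     Code
        Allow CBC-PAD (un)wrap keys of any size   On        34
        Force Secure Trusted Channel              Off       37

Command Result : 0 (Success)
'

# policy_value <code>: read showpolicies output on stdin and print the Value
# column (On/Off) of the row whose Code column equals <code>.
# Exit 0 if exactly one such row was found, 2 otherwise (header, result line
# and elided rows never match because their last field is not the code).
policy_value() {
    awk -v code="$1" '
        NF >= 2 && $NF == code && $(NF-1) ~ /^(On|Off)$/ { print $(NF-1); found++ }
        END { exit (found == 1 ? 0 : 2) }'
}

# stc_state <showpolicies-text>: print "on", "off" or "unknown" for policy 37.
# "unknown" means the row was missing or ambiguous, which should be treated as
# a failed check rather than as either state.
stc_state() {
    value=$(printf '%s\n' "$1" | policy_value 37) || { echo unknown; return 0; }
    case $value in
        On)  echo on ;;
        Off) echo off ;;
    esac
}

# require_stc <showpolicies-text>: succeed only when STC is forced (policy 37 On).
# A partition that is meant to be STC-only but reports Off is still reachable
# over NTLS, so a deployment check should fail on anything other than "on".
require_stc() {
    [ "$(stc_state "$1")" = on ]
}

# fetch_policies <appliance> <partition>: capture live output for stc_state.
# Assumption: LunaSH accepts the command as the ssh remote command for admin.
fetch_policies() {
    ssh "admin@$1" "partition showpolicies -partition $2"
}

# Stand-alone demonstration on the constructed samples.
printf 'enabled sample:  %s\n' "$(stc_state "$SAMPLE_STC_ON")"
printf 'disabled sample: %s\n' "$(stc_state "$SAMPLE_STC_OFF")"
```

Against a live appliance the check is `require_stc "$(fetch_policies hsm1.example.internal stc_partition)"`, with the appliance and partition names being whatever applies in your deployment. Treat an "unknown" result as a failure: it means the output did not contain a single policy 37 row, which usually indicates a wrong partition name or a truncated capture, not a healthy STC link.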