Establishing and Configuring the STC Admin Channel on a Luna SA Appliance
STC allows you to protect all communications to the HSM, including those that originate on the SafeNet Network HSM appliance itself, by enabling the STC admin channel on the appliance. The STC admin channel is local to the appliance and is used to transmit data between the local services and applications running on the appliance (such as LunaSH, NTLS, and the STC service) and the HSM SO partition. The STC admin channel link is configured separately from the client-partition links and can be enabled or disabled as required.
Note: Enabling the STC admin channel forces all client-partition links (NTLS or STC) to use STC on the portion of the link from the appliance to the HSM. This may affect NTLS link performance.
When enabled, all communications from the appliance operating system to the HSM are transmitted over the STC admin channel.
CAUTION: Enabling the STC admin channel is service affecting. It causes an STC service restart, which temporarily terminates all existing STC links to the appliance. It also terminates the existing HSM login session.
1. Open a LunaSH session on the appliance and log in as the HSM SO.
2. Enter the following command to enable the STC admin channel:
hsm stc enable
For example:
lunash:>hsm stc enable
Enabling local STC will require a restart of STC service.
Any existing STC connections will be terminated.
Type 'proceed' to enable STC on the admin channel, or 'quit'
to quit now.
> proceed
Successfully enabled STC on the admin channel.
Command Result : 0 (Success)
When disabled, all communications from the appliance operating system to the HSM are transmitted, unencrypted, over the local bus.
Note: Disabling the STC admin channel is service affecting. It causes an STC service restart, which temporarily terminates all existing STC links to the appliance. It also terminates the existing HSM login session.
1. Open a LunaSH session on the appliance and log in as the HSM SO.
2. Enter the following command to disable the STC admin channel:
hsm stc disable
For example:
lunash:>hsm stc disable
Disabling STC on the admin channel will require a restart of STC service.
Any existing STC connections will be terminated.
Type 'proceed' to disable STC on the admin channel, or 'quit'
to quit now.
> proceed
Successfully disabled STC on the admin channel.
Command Result : 0 (Success)
STC provides several configurable options that define the network settings for an STC link and the security settings for the messages transmitted over the link. Although the default values provide the optimal balance between security and performance, you can override them if desired. See Configuring the Network and Security Settings for an STC Link for more information.
To change the password of a legacy partition (a partition that does not have its own SO) when STC is in use, you have two options:
• Use the partition changepw command in the lunacm utility on a registered LunaClient host.
• Use the partition changepw command in lunash, but ensure that the STC admin channel is enabled with hsm stc enable (to avoid an "Unknown ResultCode value" error). See "Establishing and Configuring the STC Admin Channel on a SafeNet Network HSM Appliance" in the Administration Guide for more information. If you prefer not to keep the STC admin channel enabled, for performance reasons, you can enable it before changing a legacy partition password in lunash and then disable it with hsm stc disable immediately afterward.
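The enable-change-disable sequence above is easy to leave half done by hand (a failed changepw, and the admin channel stays enabled). The following added example, which is not SafeNet's own code, scripts it so that the disable step always runs and every LunaSH result code is recorded; how a command reaches LunaSH (for example over ssh to the appliance) is an assumption left to the caller, and the fake runner is a constructed stand-in for that transport.

```python
import re
from typing import Callable, Dict, List, Tuple

# Added example, not SafeNet's own code. It scripts the guide's workaround for
# legacy-partition password changes: enable the STC admin channel, run the
# command(s), then disable the channel again even if a command fails. How a
# command reaches LunaSH (e.g. over ssh to the appliance) is an assumption
# left to the caller, who supplies `run`.

Runner = Callable[[str, str], str]   # run(command, stdin_text) -> LunaSH output
RESULT_RE = re.compile(r"Command Result : (\d+) \((\w+)\)")

def result_code(output: str) -> int:
    """Numeric code from LunaSH's trailing 'Command Result' line (-1 if absent)."""
    m = RESULT_RE.search(output)
    return int(m.group(1)) if m else -1

def with_admin_channel(run: Runner, commands: List[str]) -> List[Tuple[str, int]]:
    """Run `commands` with the STC admin channel enabled, then disable it again.

    Returns [(command, result_code), ...] in execution order for audit logging.
    Stops at the first failing command; the disable step still runs.
    Because toggling the channel ends the HSM login session, `commands`
    should start with whatever re-authentication the later commands need.
    """
    log: List[Tuple[str, int]] = []

    def step(cmd: str, stdin: str = "") -> int:
        rc = result_code(run(cmd, stdin))
        log.append((cmd, rc))
        return rc

    # Both stc commands ask for confirmation; 'proceed' answers that prompt.
    if step("hsm stc enable", "proceed\n") != 0:
        raise RuntimeError("hsm stc enable failed; no further commands were run")
    try:
        for cmd in commands:
            if step(cmd) != 0:
                break                      # leave the failure in the log, then clean up
    finally:
        step("hsm stc disable", "proceed\n")
    return log

def fake_runner(results: Dict[str, int]) -> Runner:
    """Constructed stand-in for a real transport: replays per-command result codes."""
    def run(cmd: str, stdin: str) -> str:
        rc = results.get(cmd, 0)
        return f"...\nCommand Result : {rc} ({'Success' if rc == 0 else 'Error'})\n"
    return run

if __name__ == "__main__":
    for entry in with_admin_channel(fake_runner({}), ["hsm login", "partition changepw"]):
        print(entry)
```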