
HSM SO Configures PED-authenticated SafeNet Network HSM Partition with SO

An application owner/user has requested an application partition on the HSM, in which applications will run cryptographic operations. These instructions are the actions to be taken by the HSM Security Officer (SO). They assume a PED-authenticated SafeNet HSM that supports the creation of a partition with its own Security Officer.

These instructions assume a SafeNet Network HSM. Initially it is accessed via SSH, and the partition is created using LunaSH (lunash:>). After the PPSO partition is created, administrative access to that partition moves to a host computer where SafeNet HSM Client software is installed, and where administrative actions are carried out through a Network Trust Link (NTL) via the lunacm tool.

You will need:

The HSM has firmware 6.22.0, or newer, and the Per-Partition SO capability installed.

The appliance is configured for network operation and a server certificate has been created.

SafeNet Network HSM and your application host computer have exchanged certificates.

The HSM is in initialized state.

For PED-Authenticated SafeNet HSM only, a SafeNet PED and PED Keys with labels. These instructions assume that you still have local physical access to your SafeNet Network HSM appliance, for local PED connection, or that your SafeNet PED is remotely connected and you have previously imprinted the HSM and an orange PED Key with a common Remote PED vector. See Configuring Remote PED and Using the Remote PED Feature in the Administration Guide.

Note:  If you have an existing legacy partition that shares the HSM Administrator (SO) as its SO, and you prefer that it have its own SO, it cannot be directly turned into a partition that has its own SO. You will need to back up any contents, delete the partition, and re-create it with an application partition SO.

You can create either type of partition. They can co-exist without conflict on the HSM.

Note:  Updating from pre-6.22.0 firmware to firmware version 6.22.0 or newer is necessary to support the PPSO capability, but does not, itself, confer the capability. To enable creation of application partitions with their own Per-Partition Security Officers, you must acquire and install the PPSO capability upgrade.

The PPSO capability upgrade is destructive. Therefore, you must back up any existing application partition on your HSM before performing the upgrade, as all partitions and contents are destroyed by the upgrade. After the upgrade is complete, you can create new partitions with Per-Partition SOs, or legacy-style partitions where the HSM SO retains ownership, or a mix of both, and then restore the pre-existing content to your new partitions from backup.

Preliminary

If you are using a SafeNet PED connected locally to the SafeNet Network HSM, skip to step 4 below.

1. If necessary, have a SafeNet PED connected to a host computer (can be the same computer that acts as your SafeNet HSM Client, but can be another host if desired), with the PED set to "Remote PED mode", and an orange PED Key ready, containing the same RPV as your SafeNet Network HSM.

2. On the host computer, launch PedServer.exe.

C:\Program Files\SafeNet\LunaClient>pedserver -mode start -ip 192.20.10.217 -port 1503
Ped Server Version 1.0.5 (10005)

Failed to load configuration file.  Using default settings.

Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.

C:\Program Files\SafeNet\LunaClient>pedserver -mode show
Ped Server Version 1.0.5 (10005)

Failed to load configuration file.  Using default settings.

Ped Server launched in status mode.
failed to unlock: GetLastError(): 183 0xb7

   Server Information:
      Hostname:                           MyRPEDhost
      IP:                                 192.20.10.217
      Firmware Version:                   2.6.0-2
      PedII Protocol Version:             1.0.1-0
      Software Version:                   1.0.5 (10005)

      Ped2 Connection Status:             Connected
      Ped2 RPK Count                      0
      Ped2 RPK Serial Numbers             (none)

   Client Information:                    Not Available

   Operating Information:
      Server Port:                        1503
      External Server Interface:          Yes
      Admin Port:                         1502
      External Admin Interface:           No

      Server Up Time:                     52 (secs)
      Server Idle Time:                   52 (secs) (100%)
      Idle Timeout Value:                 1800 (secs)

      Current Connection Time:            0 (secs)
      Current Connection Idle Time:       0 (secs)
      Current Connection Total Idle Time: 0 (secs) (100%)
      Total Connection Time:              0 (secs)
      Total Connection Idle Time:         0 (secs) (100%)

Show command passed.

C:\Program Files\SafeNet\LunaClient>

3. On the SafeNet Network HSM, start the PED client service, pointing to the PedServer that you just started.

[mylunasa] lunash:>hsm ped connect -ip 192.20.10.217 -port 1503

Luna PED operation required to connect to Remote PED - use orange PED key(s).


Command Result : 0 (Success)
[mylunasa] lunash:>hsm login


Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.

'hsm login' successful.


Command Result : 0 (Success)
[mylunasa] lunash:>

 

4. Log into the SafeNet Network HSM, if not already logged in.

[mylunasa] lunash:>hsm login


Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.

'hsm login' successful.


Command Result : 0 (Success)
[mylunasa] lunash:>

 

Create the PPSO Partition

1. Run the partition create command, specifying a partition name and being sure to include the "-haspso" parameter.

[mylunasa] lunash:>partition create -haspso -partition mypsopar1 


Please ensure that you have purchased licenses for at least this number of partitions: 1


          Type 'proceed' to create the uninitialized partition, or
          'quit' to quit now.
          > proceed
'partition create' successful.


Command Result : 0 (Success)
[mylunasa] lunash:>

 

Note:  The command parameters include an option "-label". This is not used when creating PPSO partitions. If you include it, an error message appears, but the "-label" is ignored.

The "-partition <name>" parameter is required.

2. Verify that the partition has been created.

[mylunasa] lunash:>hsm show


   Appliance Details:
   ==================
   Software Version:                6.0.0-22

   HSM Details:
   ============
   HSM Label:                          mysahsm
   Serial #:                           7000022
   Firmware:                           6.22.0
   Hardware Model:                     Luna K6
   Authentication Method:              PED keys
   HSM Admin login status:             Logged In
   HSM Admin login attempts left:      3 before HSM zeroization!
   RPV Initialized:                    Yes
   Audit Role Initialized:             No
   Remote Login Initialized:           No
   Manually Zeroized:                  No

   Partitions created on HSM (1):
   ==============================
   Partition:       16298193222733, Name: mypsopar1

   FIPS 140-2 Operation:
   =====================
   The HSM is NOT in FIPS 140-2 approved operation mode.

   HSM Storage Information:
   ========================
   Maximum HSM Storage Space (Bytes):   2097152
   Space In Use (Bytes):                20971
   Free Space Left (Bytes):             2076181


Command Result : 0 (Success)
[mylunasa] lunash:>
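
The check in step 2 can be scripted against captured "hsm show" output. The following is an added example, not part of the original guide or the SafeNet tooling; it assumes the output was saved as text, and the function names and the trimmed sample (constructed from the output above) are illustrative.

```python
import re

MIN_FIRMWARE = (6, 22, 0)  # prerequisite stated on this page

# Constructed sample: trimmed copy of the 'hsm show' output shown in step 2.
SAMPLE = """\
[mylunasa] lunash:>hsm show
   Software Version:                6.0.0-22
   HSM Label:                          mysahsm
   Firmware:                           6.22.0
   Authentication Method:              PED keys
   HSM Admin login status:             Logged In
   Partitions created on HSM (1):
   Partition:       16298193222733, Name: mypsopar1
Command Result : 0 (Success)
"""

def parse_hsm_show(text):
    """Return (fields, partitions) from captured 'hsm show' text."""
    fields, partitions = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Partition:\s*(\d+),\s*Name:\s*(\S+)$", line)
        if m:  # partition rows carry a serial number and a name
            partitions.append((m.group(1), m.group(2)))
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skip section headings with no value
            fields[key.strip()] = value.strip()
    return fields, partitions

def check_partition_created(text, expected_name):
    """List every way the output fails the page's prerequisites or step 2."""
    fields, partitions = parse_hsm_show(text)
    problems = []
    firmware = fields.get("Firmware", "0")
    if tuple(int(n) for n in re.findall(r"\d+", firmware)) < MIN_FIRMWARE:
        problems.append(f"firmware {firmware} is older than 6.22.0")
    if fields.get("Authentication Method") != "PED keys":
        problems.append("HSM is not PED-authenticated")
    if expected_name not in [name for _, name in partitions]:
        problems.append(f"partition {expected_name!r} not listed")
    if fields.get("Command Result") != "0 (Success)":
        problems.append("command did not report success")
    return problems

if __name__ == "__main__":
    print(check_partition_created(SAMPLE, "mypsopar1") or "all checks passed")
```

An empty list means the firmware prerequisite, the authentication method, and the presence of the named partition all match what this procedure expects.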

 

The PPSO partition now exists, and all future configuration and management of that partition will be handed over to the person who is to become the SO of the new partition. The HSM SO can delete the partition via lunash command, but cannot reach inside the new partition to perform any further administrative actions. This is an important difference from legacy-style partitions, where the HSM SO remains the administrative owner of the application partition and can perform any desired administrative function by means of lunash commands.

In a PPSO partition, the partition SO (and any additional roles that are created for the partition) performs all configuration and management actions via a client connection using LunaCM.

The next step is [Step 7] Create a Network Trust Link Between the Client and the Appliance.