Initializing a PED-Authenticated HSM
Your SafeNet HSM arrives in "Zeroized" state, and in a default, pre-initialized condition (see below). It might also be in Secure Transport Mode, if you selected that option at purchase time.
Initialization prepares the HSM for use by setting up the necessary identities, ownership and authentication that are to be associated with the HSM. You must initialize an HSM one time before you can generate or store objects, allow clients to connect, or perform cryptographic operations.
If you have not used SafeNet HSMs and PED Keys before, please read the sub-section PED Key Management Overview in the Administration Guide, before you start initializing.
Once you have initialized an HSM, you would return to this section only to clear an entire HSM and all its contents and HSM Partitions, by re-initializing.
Preparing to Initialize a SafeNet Network HSM [PED-version]
To determine the state of the HSM
The LunaCM utility presents status information for connected HSMs when lunacm is launched.
bash-3.00# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2010 SafeNet, Inc.
Available HSMs:
Slot Id -> 1
Tunnel Slot Id -> 3
HSM Label -> no label
HSM Serial Number -> 151433
HSM Model -> K6 Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> Luna PCI (PED) Undefined Mode / Uninitialized
HSM Status -> Transport Mode, Zeroized
Slot Id -> 2
Tunnel Slot Id ->
HSM Label -> no label
HSM Serial Number -> 151446
HSM Model -> G5 Base
HSM Firmware Version -> 6.2.3
HSM Configuration -> SafeNet USB HSM (PED) Undefined Mode / Uninitialized
HSM Status -> Transport Mode, Zeroized
Current Slot Id: 1
lunacm:>
“Transport Mode” refers to a user-invoked tamper event.
“Zeroized” state is different, and results from any of:
• Factory reset by command.
• The HSM detecting 3 bad login attempts on the SO account.
This renders any HSM contents unrecoverable. At the factory, we would have created only unimportant test objects on the HSM. If you have previously had the HSM in service and then performed hsm factoryreset, your valid objects and keys are similarly rendered permanently unrecoverable, and the HSM is completely safe to store or ship.
The above states are addressed by configuring and initializing your SafeNet Network HSM. Instructions start on this page.
If you requested Secure Transport Mode shipment from SafeNet, then a couple of additional steps are required (also included in these instructions).
Why Initialize?
Before you can make use of it, the HSM must be initialized. This establishes your ownership for current and future HSM administration. Initialization assigns a meaningful label, as well as Security Officer authentication (PED Key) and cloning Domain (another PED Key), and places the HSM in a state ready to use.
Use the instructions on this page if you have a SafeNet HSM with PED authentication.
Note: Not the first time? Some HSM Policy changes are destructive. A destructive policy change is one that requires the HSM to be initialized again, before it can be used. Thus if you intend to perform a destructive HSM Policy change, you might need to perform this initialization step again, after the Policy change.
Start a Serial Terminal or SSH session
bash#: ssh 192.20.10.203
login as: admin
admin@192.20.10.202's password:________
Last login: Fri Dec 2 20:16:54 2014 from 192.17.153.225
SafeNet Network HSM 6.0.0 Command Line Shell - Copyright (c) 2001-2014 SafeNet, Inc. All rights reserved.
[myluna] lunash:>
Initialize the HSM
1. Have the Luna PED connected and ready (in local mode and "Awaiting command...").
2. Insert a blank PED Key into the USB connector at the top of the PED.
3. In a serial terminal window or with an SSH connection, log into LunaSH as the appliance administrator 'admin':
lunash:>
4. Run the hsm init command, giving a label for your SafeNet Network HSM. [If Secure Transport Mode was set, you must unlock the HSM with the purple PED Key before you can proceed; see earlier on this page and the Recover the SRK page.]
The following is an example of initialization dialog, with PED interactions inserted to show the sequence of events.
lunash:> hsm init -label myLunaHSM
The following warning appears:
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased.
Type 'proceed' to initialize the HSM, or 'quit'
to quit now.
>
Please attend to the PED.
Note: Respond promptly to avoid PED timeout Error. At this time, the PED becomes active and begins prompting you for PED Keys and other responses. For security reasons, this sequence has a time-out, which is the maximum permitted duration, after which an error is generated and the process stops. If you allow the process to time-out, you must re-issue the initialization command. If the PED has timed out, press the [CLR] key for five seconds to reset, or switch the PED off, and back on, to get to the “Awaiting command....” state before re-issuing another lunash command that invokes the PED.
See "Initialization - some additional options and description" for more information and a summary of the options you might choose or encounter during this process. The procedure below assumes a relatively straightforward process.
SafeNet PED asks preliminary setup questions.
The simplest scenario is your first-ever HSM and new PED Keys. However, you might have previously initialized this HSM and be starting over. Or you might have other HSMs already initialized and need to share the authentication or the domain with your new HSM.
The HSM and PED need to know, prior to imprinting the first SO PED Key.
If you say [ NO ] (on the PED keypad), then you are indicating there is nothing of value on your PED Keys to preserve. On the assumption that you will now be writing onto a new blank PED Key, or onto one that contains old unwanted authentication, SafeNet PED asks you to set MofN values.
If you say [ YES ], you indicate that you have a PED Key (or set of PED Keys) from another HSM and you wish your current/new HSM to share the authentication with that other HSM. Authentication will be read from the PED Key that you present and imprinted onto the current HSM.
Setting M and N equal to "1" means that the authentication is not to be split, and only a single PED Key will be necessary when the authentication is called for in future.
Setting M and N larger than "1" means that the authentication is split into N different "splits", of which quantity M of them must be presented each time you are required to authenticate. MofN allows you to enforce multi-person access control - no single person can access the HSM without cooperation of other holders.
SafeNet PED now asks you to provide the appropriate PED Key - a fresh blank key, or a previously used key that you intend to overwrite, or a previously used key that you intend to preserve and share with this HSM.
Insert a blue HSM Admin / SO PED key [ of course, the unlabeled PED Key is generically black - we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting the key; before, just to ensure it gets done, or after, as a helpful indicator as to which ones are imprinted (with which secret), and which ones are still blank ] and press [Enter].
OR
Answer (press the appropriate button on the PED keypad)
– "NO" if the PED key that you provided carries SO authentication data that must be preserved. In that case, you must have made a mistake so the PED goes back to asking you to insert a suitable key.
– "YES" if the PED should overwrite the PED Key with a new SO authentication. If you overwrite a never-used PED Key, nothing is lost; if you overwrite a PED Key that contains authentication secret for another HSM, then this PED Key will no longer be able to access the other HSM, only the new HSM that you are currently initializing with a new, unique authentication secret - therefore "YES" means 'yes, destroy the contents on the key and create new authentication information in its place' - be sure that this is what you wish to do. (This will be matched on the SafeNet Network HSM during this initialization).
SafeNet PED makes very sure that you wish to overwrite, by asking again.
For any situation other than reusing a keyset, SafeNet PED now prompts for you to set a PED PIN. For multi-factor authentication security, the physical PED Key is "something you have". You can choose to associate that with "something you know", in the form of a multi-digit PIN code that must always be supplied along with the PED Key for all future HSM access attempts.
Type a numeric password on the PED keypad, if you wish. Otherwise, just press [Enter] twice to indicate that no PED PIN is desired.
SafeNet PED imprints the PED Key, or the HSM, or both, as appropriate, and then prompts the final question for this key:
You can respond [ YES ] and present one or more blank keys, all of which will be imprinted with exact copies of the current PED Key's authentication, or you can say [ NO ], telling the PED to move on to the next part of the initialization sequence. (You should always have backups of your imprinted PED Keys, to guard against loss or damage.)
To begin imprinting a Cloning Domain (red PED Key), you must first log into the HSM, so in this case you can simply leave the blue PED Key in place.
SafeNet PED passes the authentication along to the HSM and then asks the first question toward imprinting a cloning domain:
If this is your first SafeNet HSM, or if this HSM will not be cloning objects with other HSMs that are already initialized, then answer [ NO ]. SafeNet PED prompts for values of M and N.
If you have another HSM and wish that HSM and the current HSM to share their cloning Domain, then you must answer [ YES ]. In that case, SafeNet PED does not prompt for M and N.
SafeNet PED goes through the same sequence that occurred for the blue SO PED Key, except it is now dealing with a red Domain PED Key.
Insert a red HSM Cloning Domain PED key [ of course, the unlabeled PED Key is generically black - we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting the key; before, just to ensure it gets done, or after, as a helpful indicator as to which ones are imprinted (with which secret), and which ones are still blank ] and press [Enter].
OR
Just as with the blue SO PED Key, the next message is:
When you confirm that you do wish to overwrite whatever is (or is not) on the currently inserted key, with a Cloning Domain generated by the PED, the PED asks:
And finally:
Once you stop duplicating the Domain key, or you indicate that you do not wish to make any duplicates (you should have backups of all your imprinted PED Keys...), SafeNet PED goes back to "Awaiting command...".
Lunash says:
Command Result : No Error
lunash:>
[myluna] lunash:>hsm show
Appliance Details:
==================
Software Version: 5.1.0-25
HSM Details:
============
HSM Label: mylunahsm
Serial #: 700022
Firmware: 6.2.1
Hardware Model: Luna K6
Authentication Method: PED keys
HSM Admin login status: Logged In
HSM Admin login attempts left: 3 before HSM zeroization!
RPV Initialized: Yes
Manually Zeroized: No
Partitions created on HSM:
==========================
FIPS 140-2 Operation:
=====================
The HSM is NOT in FIPS 140-2 approved operation mode.
HSM Storage Information:
========================
Maximum HSM Storage Space (Bytes): 2097152
Space In Use (Bytes): 0
Free Space Left (Bytes): 2097152
Command Result : 0 (Success)
[myluna] lunash:>
Notice that the HSM now has a label.
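A post-initialization check over the hsm show output above, given as an added example rather than a SafeNet tool. It assumes the output has been captured to text (the sample is constructed from the listing on this page, abridged); the function names and the finding strings are illustrative.

```python
import re

# Constructed sample: the `hsm show` output shown on this page, abridged.
SAMPLE = """\
HSM Label: mylunahsm
Serial #: 700022
Authentication Method: PED keys
HSM Admin login status: Logged In
HSM Admin login attempts left: 3 before HSM zeroization!
Manually Zeroized: No
FIPS 140-2 Operation:
=====================
The HSM is NOT in FIPS 140-2 approved operation mode.
Command Result : 0 (Success)
"""


def parse_hsm_show(text):
    """Return the 'Key: value' fields; section headings carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    # Only the negative wording appears on this page, so that is all we match.
    fields["fips_off"] = "NOT in FIPS 140-2 approved" in text
    return fields


def post_init_findings(fields, label, require_fips=False, full_attempts=3):
    """List each way the parsed state differs from a freshly initialized PED-auth HSM."""
    findings = []
    # The page's output shows the label in lower case, so compare case-insensitively.
    if fields.get("HSM Label", "").lower() != label.lower():
        findings.append("label not set to " + label)
    if fields.get("Authentication Method") != "PED keys":
        findings.append("not PED-authenticated")
    if fields.get("Manually Zeroized") != "No":
        findings.append("HSM reports manual zeroization")
    left = re.match(r"\d+", fields.get("HSM Admin login attempts left", ""))
    if left is None or int(left.group()) < full_attempts:
        findings.append("SO login attempts below %d" % full_attempts)
    if "Success" not in fields.get("Command Result", ""):
        findings.append("command did not report success")
    if require_fips and fields["fips_off"]:
        findings.append("not in FIPS 140-2 approved mode")
    return findings


if __name__ == "__main__":
    print(post_init_findings(parse_hsm_show(SAMPLE), "myLunaHSM") or "OK")
```

A reduced login-attempt count is worth flagging because three bad SO logins zeroize the HSM.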
The next step is Prepare to Create a Partition (PED Authenticated) on the HSM.