HSM Administration Guide > Secure Trusted Channel (STC) > Enabling or Disabling STC on a Partition

Enabling or Disabling STC on a Partition

If STC is enabled on the HSM, you can enable STC on the specific partitions on which you want to use STC instead of NTLS. This allows you to use both NTLS and STC links on different partitions on the same HSM. The following instructions are for the Partition SO.

Enabling STC on a Partition

Before you can enable STC on a partition, the HSM SO must enable STC on the HSM, as described in Enabling or Disabling STC on the HSM. The Partition SO can then enable STC on a partition by turning on partition policy 37: Force Secure Trusted Channel. Enabling partition policy 37 disables NTLS for the partition and forces it to use STC for the network link between the partition and a client application.

To use STC on a partition, you must also create a client token and client identity key pair, and exchange and register the partition and client identity public keys between the partition and the client, as described in Creating an STC Link Between a Client and a Partition in the Configuration Guide. Note that the partition token and identity are created automatically when you create a partition, regardless of whether STC is enabled.

Note: HSM zeroization disables partition policy 37: Force Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in Restoring STC After HSM Zeroization and in Creating an STC Link Between a Client and a Partition in the Configuration Guide.

To enable STC on a partition:

1. Confirm with the HSM SO that STC is enabled on the HSM, as described in Enabling or Disabling STC on the HSM.

2. Run LunaCM, set the active slot to the desired partition, and log in as the Partition SO:

slot set slot <slotnum>

role login -name po

3. Turn on partition policy 37: Force Secure Trusted Channel, which enables STC on the selected partition:

partition changepolicy -policy 37 -value 1

4. Verify that the policy is enabled:

partition showpolicies

lunacm:>partition showpolicies
.
Description                                   Value       Code
.
Allow CBC-PAD (un)wrap keys of any size       On          34
Force Secure Trusted Channel                  On          37

Command Result : 0 (Success)

Disabling STC on a Partition

The Partition SO can disable STC on a partition by turning off partition policy 37: Force Secure Trusted Channel. Disabling this policy terminates the existing STC connection to the partition and removes the ability to use STC for the network link between the partition and a client application, so that only NTLS links are permitted.

To disable STC on a partition:

1. In LunaCM, set the active slot to the desired partition, and log in as the Partition SO:

slot set slot <slotnum>

role login -name po

2. Turn off partition policy 37: Force Secure Trusted Channel, which terminates the existing STC connection to the partition:

partition changepolicy -policy 37 -value 0

You are prompted to confirm the action.

3. Verify that the policy is disabled:

partition showpolicies

lunacm:>partition showpolicies
.
Description                                   Value       Code
.
Allow CBC-PAD (un)wrap keys of any size       On          34
Force Secure Trusted Channel                  Off         37

Command Result : 0 (Success)
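Because the verification step in both procedures above comes down to reading the Value column for code 37 in the partition showpolicies output, and because zeroization silently turns that policy off, an operator may want to check it from a script rather than by eye. The following is an added example, not part of this guide or of the LunaCM product: a POSIX shell function that parses saved partition showpolicies output and reports whether Force Secure Trusted Channel is On. The two output samples are constructed from the format shown above, not captured from a real HSM.

```shell
#!/bin/sh
# Constructed samples in the format of "partition showpolicies" output (not from a real HSM).
SAMPLE_STC_ON='lunacm:>partition showpolicies
.
Description                                   Value       Code
.
Allow CBC-PAD (un)wrap keys of any size       On          34
Force Secure Trusted Channel                  On          37

Command Result : 0 (Success)'

SAMPLE_STC_OFF='lunacm:>partition showpolicies
.
Description                                   Value       Code
.
Allow CBC-PAD (un)wrap keys of any size       On          34
Force Secure Trusted Channel                  Off         37

Command Result : 0 (Success)'

# policy_value <code>: reads showpolicies output on stdin and prints the Value
# (On/Off) of the policy with the given Code. Exits 1 if that code is not listed.
policy_value() {
    awk -v code="$1" '
        # A policy row ends with "<Value> <Code>"; the description itself may contain spaces,
        # so match on the last two fields rather than on column positions.
        $NF == code && ($(NF-1) == "On" || $(NF-1) == "Off") { print $(NF-1); found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# stc_forced_on <output>: returns 0 if partition policy 37 is On, 1 if Off,
# 2 if the policy does not appear in the output (e.g. truncated capture).
stc_forced_on() {
    v=$(printf '%s\n' "$1" | policy_value 37) || return 2
    [ "$v" = "On" ]
}

# Example use: feed the output you captured from LunaCM and act on the result.
if stc_forced_on "$SAMPLE_STC_ON"; then
    echo "policy 37 On: partition accepts STC links only"
else
    echo "policy 37 Off or missing: partition is on NTLS (re-check after any zeroization)"
fi
```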