Restoring STC After HSM Zeroization
The HSM partitions contain the registered client identities used to validate STC clients. Since these are not cryptographic objects, they are not backed up as part of a normal partition backup. When you perform a destructive operation that results in the HSM being zeroized, such as a login failure, application of a destructive capability upgrade (CUF), factory reset, or HSM decommission, the registered client identities are lost. The partitions must be recreated and the STC client connections re-established. The Partition SO can then restore the partition objects from backup using the procedure described in Backup and Restore HSMs and Partitions.
If the HSM or partition is zeroized, the following actions occur:
• HSM policy 39: Allow Secure Trusted Channel is turned off.
• If the STC admin channel is enabled, the STC admin partition identity is deleted, breaking the STC link between LunaSH and the HSM SO partition (the admin channel) on the SafeNet Luna Network HSM appliance.
• The STC application partition identities are deleted, breaking the STC links between the application partitions and their registered clients.
See Creating an STC Link Between a Client and a Partition in the Configuration Guide for a detailed description of how to reconfigure your STC links. You do not need to recreate client tokens or identities. Below is a simplified version of the process to reconfigure STC after HSM zeroization:
HSM SO (LunaSH):
1. Log in as HSM SO and enable Policy 39: Allow Secure Trusted Channel.
   hsm changepolicy -policy 39 -value 1
2. Create the new partition.
   partition create -partition <label>
3. Export the partition identity public key to the file system.
   stc partition export -partition <label>
4. Use scp or pscp to transfer the partition identity public key (*.pid) from the appliance and provide it to the client (Partition SO) by secure means.
   NOTE: If you restored the appliance's NTLS configuration from backup, you do not need to provide the HSM Server Certificate (server.pem). If you chose to regenerate the HSM identity using sysconf regencert, you must provide the new certificate to the Partition SO along with the partition identity public key.
5. Optionally, re-establish STC on the HSM admin channel.
   hsm stc enable
   service restart stc
Partition SO:
1. If you received a new HSM Server Certificate (server.pem) from the HSM SO, delete the original server identity and register the new one.
   vtl deleteserver -n <server_IP_or_hostname>
   vtl addserver -n <server_IP_or_hostname> -c <server_certificate_filename>
2. Run LunaCM and register the new partition identity public key to the STC client identity.
   stc partitionregister -file <partition_identity> [-label <partition_label>]
3. Restart LunaCM to see the partition slot.
   clientconfig restart
4. If you registered a new HSM Server Certificate, find the correct server ID and enable STC.
   clientconfig listservers
   stc enable -id <server_ID>
5. Initialize the partition.
   partition init -label <partition_label>
6. Log in as Partition SO and register any additional client identity public keys to the partition. You can use the original public key files unless the client identities have been recreated; if so, the client administrators must provide the new ones.
   stcconfig clientregister -label <client_label> -file <client_identity>
7. Provide the partition identity public key (and, if applicable, the HSM Server Certificate) to each additional client administrator by secure means.
Additional Client Administrators:
1. If you received a new HSM Server Certificate (server.pem) from the Partition SO, delete the original server identity and register the new one.
   vtl deleteserver -n <server_IP_or_hostname>
   vtl addserver -n <server_IP_or_hostname> -c <server_certificate_filename>
2. Run LunaCM and register the new partition identity public key to the STC client identity.
   stc partitionregister -file <partition_identity>
3. If you registered a new HSM Server Certificate, find the correct server ID and enable STC:
   clientconfig listservers
   stc enable -id <server_ID>
   If you did not register a new certificate, restart LunaCM to see the partition slot:
   clientconfig restart
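The client-side steps above hinge on two files that arrive from another administrator "by secure means": the partition identity public key (*.pid) and, after sysconf regencert, a new server.pem. Registering either file without confirming it is the one the sender exported replaces the trust anchor of the STC link with whatever arrived. The following script is an added example, not code from the Luna documentation or from the vendor. It assumes a convention the page does not define: the sender also communicates each file's SHA-256 digest over a second channel (a phone call, a signed message), and the receiving client administrator checks the copy against that digest before handing it to vtl or LunaCM. The command strings it emits are the ones from the Additional Client Administrators steps; the hostname, file names and server ID in the demo are constructed placeholders.

```python
"""Verify transferred HSM identity files before registering them (added example).

Not Luna documentation or vendor code. Assumes an out-of-band SHA-256
fingerprint convention that the procedure itself does not specify.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import List, Optional


def sha256_fingerprint(path: Path) -> str:
    """Hex SHA-256 of the whole file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_matches(path: Path, expected_hex: str) -> bool:
    """Constant-time comparison; case and surrounding whitespace are ignored
    because the expected digest is usually read out or pasted by a person."""
    return hmac.compare_digest(sha256_fingerprint(path), expected_hex.strip().lower())


def registration_commands(server: str, partition_identity: Path, expected_pid_fp: str,
                          server_cert: Optional[Path] = None,
                          expected_cert_fp: Optional[str] = None,
                          server_id: Optional[str] = None) -> List[str]:
    """Return the client-side commands in the order the procedure gives them,
    but only once every received file has passed its fingerprint check.
    A mismatch raises rather than skipping the file, so nothing unverified
    is ever registered."""
    if not fingerprint_matches(partition_identity, expected_pid_fp):
        raise ValueError(f"{partition_identity}: SHA-256 does not match the fingerprint "
                         "received out of band; do not register it")
    cmds: List[str] = []
    if server_cert is not None:
        # A regenerated server.pem (sysconf regencert) replaces the old server identity.
        if expected_cert_fp is None or not fingerprint_matches(server_cert, expected_cert_fp):
            raise ValueError(f"{server_cert}: SHA-256 does not match the fingerprint "
                             "received out of band; do not register it")
        cmds += [f"vtl deleteserver -n {server}",
                 f"vtl addserver -n {server} -c {server_cert}"]
    cmds.append(f"stc partitionregister -file {partition_identity}")
    if server_cert is not None:
        # With a new server identity, look up the server ID (clientconfig listservers)
        # before enabling STC on it.
        if server_id is None:
            raise ValueError("server_id is required after registering a new server certificate")
        cmds += ["clientconfig listservers", f"stc enable -id {server_id}"]
    else:
        cmds.append("clientconfig restart")
    return cmds


def demo() -> dict:
    """Run the check against constructed files in a temporary directory.
    The file contents are placeholders, not real Luna identity material."""
    with tempfile.TemporaryDirectory() as tmp:
        pid = Path(tmp) / "example_partition.pid"
        pem = Path(tmp) / "server.pem"
        pid.write_bytes(b"-- constructed partition identity public key --\n")
        pem.write_bytes(b"-- constructed HSM server certificate --\n")
        pid_fp = sha256_fingerprint(pid)   # what the sender would read out
        pem_fp = sha256_fingerprint(pem)

        with_cert = registration_commands("hsm01.example.internal", pid, pid_fp,
                                          server_cert=pem, expected_cert_fp=pem_fp,
                                          server_id="0")
        without_cert = registration_commands("hsm01.example.internal", pid, pid_fp)

        # Simulate a certificate altered in transit: one byte changed.
        pem.write_bytes(b"-- constructed HSM server certificate -+\n")
        try:
            registration_commands("hsm01.example.internal", pid, pid_fp,
                                  server_cert=pem, expected_cert_fp=pem_fp, server_id="0")
            tamper_detected = False
        except ValueError:
            tamper_detected = True

    return {"with_cert": with_cert, "without_cert": without_cert,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The script deliberately stops short of executing anything: it prints the vtl and LunaCM commands for the operator to run once the checks pass, so the fail-closed decision stays separate from the tools that change client configuration.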