Troubleshooting
This section attends to appliance-level problems and their solutions.
Failed Logins and Lockout on Appliance
In addition to the bad login responses at the HSM and partition level, for all SafeNet Luna HSMs (see Failed Logins), SafeNet Luna Network HSM also has the appliance-level authentication layer for admin, operator, monitor, auditor, and for any named users you have created.
The response pattern for those is all the same, and is limited by default SSH settings:
>If you initiate an SSH session against the appliance, and fail to respond to the prompts, the system waits for the 120-second grace period to run out, and expires the session. You must restart or launch a new session in your SSH terminal tool.
>If you initiate an SSH session against the appliance, provide a user name, and then provide an incorrect password, the session prompts you to re-attempt the correct password for that user account. If you fail to provide the correct authentication six times, the session is dropped. You must restart or launch a new session in your SSH terminal tool.
The maximum number of simultaneous sessions per channel is the SSH default of 10.
You can configure SafeNet Luna Network HSM to accept administrative connections (SSH) on only one Ethernet channel, and client (NTLS) connections on the other.
Due to the pace at which the appliance SSH service evaluates submitted passwords and then prompts for retry, it generally takes more than 15 seconds to submit six bad attempts in a session to reach the maximum permitted, causing the session to drop. Then, there is the individual session tear-down and restart time to consider, before new attempts can resume. These factors help to limit the pace of brute-force attacks, while still allowing timely recovery from mistyping or forgetfulness by an administrative user.
Appliance Hardware Function Troubleshooting
This section provides additional information by answering questions that are frequently asked by our customers.
We were configuring rack power for several SafeNet Luna Network HSMs - planning peak load, etc. When we re-connected rack power, not all the appliances came on.
Did you verify that they were all on before you removed rack power?
SafeNet Luna Network HSM is configured to return to its previous state on application of AC power. If the appliance was running, and power was removed, then when power is re-applied the appliance re-boots. If the appliance was not running when power was removed, then the appliance does not restart when power becomes available again, and you must manually toggle the appliance power switch.
What actions must I take to move a SafeNet Luna Network HSM appliance from one datacenter to another?
Each installation will have its own issues and peculiarities. For this discussion we will assume that both the SafeNet Luna Network HSM appliance and the application server - PKI, web, other - that is the main client of the SafeNet Luna Network HSM are being moved. Here are some common steps to consider:
>Change the IP address of the SafeNet Luna Network HSM
>Change/update any other IP dependencies that are configured on the SafeNet Luna Network HSM, such as NTP servers, Syslog servers, NTLS binding by IP, etc.
>On the client computer (PKI server, web server, other) change the IP address of the SafeNet Luna Network HSM as found in the client computer's crystoki.ini/chrystoki.conf file
>Regenerate certificates on both the SafeNet Luna Network HSM and the client computer(s), if you used IP addresses rather than hostnames (no name resolution configured)
>Delete the client from the SafeNet Luna HSM server
>Exchange the new certificates
>Re-register the client on the SafeNet Luna HSM server
>Re-assign the appropriate HSM partition to the client
>If the application is Windows-based and identical client/server computers (or complete clones) are not used in the new datacenter, then there might be some Windows issues to complete, such as making/updating registry entries, running certutil -repairstore, and so on
>Before you transport the SafeNet Luna Network HSM, place the appliance in Secure Transport Mode
Client Connections Troubleshooting
This section contains information for troubleshooting.
Messages During an SSH Session
If during an SSH session you see a message similar to the following example, do not be alarmed. The message originates from the operating system within SafeNet Luna Network HSM and is benign.
Message from syslogd@172 at Jun 18 03:14:44 ... kernel:
Disabling IRQ #225