Decommissioning the HSM Card
The SafeNet Luna PCIe HSM is equipped with a two-pin decommission jumper header, as illustrated below.
By default, short-circuiting the decommission jumper header decommissions the HSM. You can use the blade of a screwdriver, or other conductive tool to short-circuit the two pins of the decommission header, or you can connect a switch to the decommission header if desired. Power is not required to decommission the HSM, that is, you can decommission the HSM after removing it from the chassis.
When you decommission a SafeNet Luna PCIe HSM, the HSM is zeroized, all user accounts are deleted, and the HSM is returned to its factory state. Any firmware or capability updates (CUFs) installed on the HSM are retained.
You can also set HSM Policy 40: Decommission on Tamper to automatically decommission the HSM for selected tamper events. See Tamper Events for details.
Disabling Decommissioning
You can disable the decommissioning feature if desired, by installing the Disable Decommissioning capability update (CUF), which adds HSM Capability 46: Allow Disable Decommission (see HSM Capabilities and Policies). The primary reason for disabling decommissioning is to prevent the HSM from being automatically decommissioned due to loss of battery (see Tamper Events). If decommissioning is disabled, the SafeNet Luna PCIe HSM has an indefinite shelf life, as far as the battery is concerned.
To disable decommissioning
1.Ensure that the Disable Decommissioning capability update (CUF) is installed on the HSM. To verify that the CUF is installed, enter the following command:
lunacm:> hsm showpolicies
If the CUF is installed, HSM Capability 46: Allow Disable Decommission and HSM Policy 46: Disable Decommission are listed. If they are not, contact Technical Support to obtain the Disable Decommissioning capability update (CUF).
2.Enter the following command to enable HSM Policy 46: Disable Decommission:
lunacm:> hsm changehsmpolicy -policy 46 -value 1