Configuring the Network and Security Settings for an STC Link
STC provides several configurable options that define the network settings for an STC link, and the security settings for the messages transmitted over the link. Although default values are provided that provide the optimal balance between security and performance, you can override the defaults, if desired.
The configurable options are set at the partition level and apply to all STC links to a specific partition. This allows you to configure different settings for individual partitions. You must have SO privileges to the partition to configure its STC options.
For the STC admin channel, the configurable options apply to all communications between the HSM and the local services and applications on the appliance, such as LunaSH and NTLS.
Configurable Options
You can configure the following options for partition/client STC links
Use LunaCM to configure the STC options for partitions with SO. Use LunaSH to configure the STC options for partitions owned by the HSM SO, and to configure the link between LunaSH and the HSM.
Link Activation Timeout
The activation timeout is the maximum time allowed to establish the STC link before the channel request is dropped. You can configure this option to specify the activation timeout for all STC links to a partition.
See stcconfig activationtimeoutset in the LunaCM Command Reference Guide.
See the following commands in the LunaSH Command Reference Guide:
>stc activationtimeout set for client-partition links.
>hsm stc activationtimeout set for the LunaSA admin channel link.
Message Encryption
By default, all messages traversing an STC link are encrypted. You can configure this option to specify the level of encryption used (AES 128, AES 192, or AES 256) on all STC links to a partition, or to disable encryption on all STC links to a partition.
See stcconfig cipherdisablein the LunaCM Command Reference Guide.
See the following commands in the LunaSH Command Reference Guide:
>stc cipher enable for client-partition links.
>hsm stc cipher enable for the appliance admin channel link.
Message Integrity Verification
By default, the integrity of all messages traversing an STC link is verified using an HMAC message digest algorithm. You can configure this option to specify the algorithm used (HMAC with SHA 256, or HMAC with SHA 512).
See stcconfig hmacdisable in the LunaCM Command Reference Guide.
See the following commands in the LunaSH Command Reference Guide:
>stc hmac enable for client-partition links.
>hsm stc hmac enable for the appliance admin channel link.
Rekey Threshold
The session keys and encryption keys created when an STC tunnel is established are automatically regenerated after the number of messages specified by the rekey threshold have traversed the link. You can configure this option to specify the key life for the session and encryption keys used on all STC links to a partition.
See stcconfig rekeythresholdset in the LunaCM Command Reference Guide.
See the following commands in the LunaSH Command Reference Guide:
> stc rekeythreshold set for client-partition links.
>hsm stc rekeythreshold set for the appliance admin channel link.