Enabling or Disabling STC on the HSM
The STC functionality is enabled or disabled by setting HSM policy 39: Allow Secure Trusted Channel (see HSM Capabilities and Policies). The following instructions are for the HSM SO.
NOTE Enabling HSM policy 39: Allow Secure Trusted Channel allows the appliance to use STC or NTLS links between the appliance and its registered partitions. It does not enable STC on the link between the appliance and the HSM (the STC admin channel). If you want to use STC end-to-end (client to HSM) then you must also enable the STC admin channel. See Establishing and Configuring the STC Admin Channel on a SafeNet Luna Network HSM Appliance for more information.
Enabling STC on the HSM
You can enable STC on the HSM by turning on HSM policy 39: Allow Secure Trusted Channel. Enabling HSM policy 39 allows you to use STC or NTLS to provide the network link between an application partition and a client application. To use STC on a partition, you must also enable STC on the partition by turning on partition policy 37: Force Secure Trusted Channel. See Enabling or Disabling STC on a Partition.
NOTE If you do not plan to use STC in your appliance configuration, do not enable HSM policy 39.
STC links are not supported over an IPv6 network. You must use NTLS to make partition-client connections via IPv6.
When you enable HSM policy 39: Allow Secure Trusted Channel, the following LunaSH STC commands are blocked, to protect the integrity of any existing STC links:
>hsm stc identity create
>hsm stc identity initialize
>hsm stc identity delete
>hsm stc identity partition deregister
NOTE HSM zeroization disables partition policy 39: Allow Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in Restoring STC After HSM Zeroization and in Creating an STC Link Between a Client and a Partition in the Configuration Guide.
To enable STC on the HSM
1.Login as HSM SO.
lunash:>hsm login
2.Turn on HSM policy 39: Allow Secure Trusted Channel, which enables STC on the HSM. Enabling the policy is non-destructive.
lunash:>hsm changepolicy -policy 39 -value 1
3.Verify that the policy is enabled:
lunash:>hsm showpolicies
For example:
lunash:>hsm showpolicies
.
Description Value Code Destructive
.
Allow MofN On 37 No
Allow Secure Trusted Channel On 39 No
Allow partition re-initialize Off 42 No
Command Result : 0 (Success)
4.(Optional) Enable the STC admin channel, as described in Establishing and Configuring the STC Admin Channel on a SafeNet Luna Network HSM Appliance.
Disabling STC on the HSM
You can disable STC on the HSM by turning off HSM policy 39: Allow Secure Trusted Channel. Disabling this policy is destructive. It zeroizes the HSM and turns off the ability to use STC to provide the network link between an application partition and a client application, so that only NTLS links are permitted.
To disable STC on the HSM:
1.Login as HSM SO.
lunash:>hsm login
2.Turn off HSM policy 39: Allow Secure Trusted Channel, which disables STC on the HSM and zeroizes the HSM.
lunash:>hsm changepolicy -policy 39 -value 0
You are prompted to confirm the action.
3.Verify that the policy is disabled:
lunash:>hsm showpolicies
Description Value Code Destructive Allow MofN On 37 No Allow Secure Trusted Channel Off 39 No Allow partition re-initialize Off 42 No Command Result : 0 (Success)