Enabling or Disabling STC on the HSM

The STC functionality is enabled or disabled by setting HSM policy 39: Allow Secure Trusted Channel (see HSM Capabilities and Policies). The following instructions are for the HSM SO.

NOTE   Enabling HSM policy 39: Allow Secure Trusted Channel allows the appliance to use STC or NTLS links between the appliance and its registered partitions. It does not enable STC on the link between the appliance and the HSM (the STC admin channel). If you want to use STC end-to-end (client to HSM) then you must also enable the STC admin channel. See Establishing and Configuring the STC Admin Channel on a SafeNet Luna Network HSM Appliance for more information.

Enabling STC on the HSM

You can enable STC on the HSM by turning on HSM policy 39: Allow Secure Trusted Channel. Enabling HSM policy 39 allows you to use STC or NTLS to provide the network link between an application partition and a client application. To use STC on a partition, you must also enable STC on the partition by turning on partition policy 37: Force Secure Trusted Channel. See Enabling or Disabling STC on a Partition.

NOTE   If you do not plan to use STC in your appliance configuration, do not enable HSM policy 39.

STC links are not supported over an IPv6 network. You must use NTLS to make partition-client connections via IPv6.

When you enable HSM policy 39: Allow Secure Trusted Channel, the following LunaSH STC commands are blocked, to protect the integrity of any existing STC links:

>hsm stc identity create

>hsm stc identity initialize

>hsm stc identity delete

>hsm stc identity partition deregister

NOTE   HSM zeroization disables partition policy 39: Allow Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in Restoring STC After HSM Zeroization and in Creating an STC Link Between a Client and a Partition in the Configuration Guide.

To enable STC on the HSM

1.Login as HSM SO.

lunash:>hsm login

2.Turn on HSM policy 39: Allow Secure Trusted Channel, which enables STC on the HSM. Enabling the policy is non-destructive.

lunash:>hsm changepolicy -policy 39 -value 1

3.Verify that the policy is enabled:

lunash:>hsm showpolicies

For example:

lunash:>hsm showpolicies
.
Description                       Value       Code      Destructive
.
Allow MofN                        On          37        No
Allow Secure Trusted Channel      On          39        No
Allow partition re-initialize     Off         42        No
 
Command Result : 0 (Success)
 

4.(Optional) Enable the STC admin channel, as described in Establishing and Configuring the STC Admin Channel on a SafeNet Luna Network HSM Appliance.

Disabling STC on the HSM

You can disable STC on the HSM by turning off HSM policy 39: Allow Secure Trusted Channel. Disabling this policy is destructive. It zeroizes the HSM and turns off the ability to use STC to provide the network link between an application partition and a client application, so that only NTLS links are permitted.

To disable STC on the HSM:

1.Login as HSM SO.

lunash:>hsm login

2.Turn off HSM policy 39: Allow Secure Trusted Channel, which disables STC on the HSM and zeroizes the HSM.

lunash:>hsm changepolicy -policy 39 -value 0

You are prompted to confirm the action.

3.Verify that the policy is disabled:

lunash:>hsm showpolicies

Description                       Value       Code      Destructive


Allow MofN                        On          37        No
Allow Secure Trusted Channel      Off         39        No
Allow partition re-initialize     Off         42        No

Command Result : 0 (Success)