Creating a PED-Authenticated Partition

An application owner/user has requested an application partition on the HSM, in which applications will run cryptographic operations. These instructions describe the actions to be taken by the HSM Security Officer (SO). They assume you are using a PED-authenticated SafeNet Luna Network HSM.

The SafeNet Luna Network HSM is initially accessed via SSH, and LunaSH is used to create the partition. After the partition is created, administrative access to that partition moves to a host computer where SafeNet Luna HSM Client software is installed, and where administrative actions are carried out through a Network Trust Link (NTL) or Secure Trusted Channel (STC) via the LunaCM tool.

Requirements

You will need:

>The appliance configured for network operation and server certificate created.

>SafeNet Luna Network HSM and your application host computer having exchanged certificates.

>The HSM in initialized state.

>A Luna PED and PED keys with labels.

>Local physical access to your SafeNet Luna Network HSM appliance for local PED connection, or an already-imprinted RPK (orange PED key) with your Luna PED remotely connected. See About Remote PED and Remote PED Setup.

Preparation

If you are using a Luna PED connected locally to the SafeNet Luna Network HSM, skip to Create the Partition below.

1. If necessary, connect a Luna PED to a host computer (this can be the same computer that acts as your SafeNet Luna HSM Client, or another host if desired), set the PED to "Remote PED mode," and have ready an orange PED key containing the same RPV as your SafeNet Luna Network HSM.

2. On the host computer, launch PedServer.exe.

C:\Program Files\SafeNet\LunaClient>pedserver -mode start -ip 192.20.10.217 -port 1503
Ped Server Version 1.0.6 (10006)

Failed to load configuration file.  Using default settings.

Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.

C:\Program Files\SafeNet\LunaClient>pedserver -mode show
Ped Server Version 1.0.6 (10006)

Failed to load configuration file.  Using default settings.

Ped Server launched in status mode.
failed to unlock: GetLastError(): 183 0xb7

   Server Information:
      Hostname:                           MyRPEDhost
      IP:                                 192.20.10.217
      Firmware Version:                   2.7.1-0
      PedII Protocol Version:             1.0.1-0
      Software Version:                   1.0.6 (10006)

      Ped2 Connection Status:             Connected
      Ped2 RPK Count                      0
      Ped2 RPK Serial Numbers             (none)

   Client Information:                    Not Available

   Operating Information:
      Server Port:                        1503
      External Server Interface:          Yes
      Admin Port:                         1502
      External Admin Interface:           No

      Server Up Time:                     52 (secs)
      Server Idle Time:                   52 (secs) (100%)
      Idle Timeout Value:                 1800 (secs)

      Current Connection Time:            0 (secs)
      Current Connection Idle Time:       0 (secs)
      Current Connection Total Idle Time: 0 (secs) (100%)
      Total Connection Time:              0 (secs)
      Total Connection Idle Time:         0 (secs) (100%)

Show command passed.

3. On the SafeNet Luna Network HSM, start the PED Client service, pointing to the PedServer that you just started.

[mynethsm] lunash:>hsm ped connect -ip 192.20.10.217 -port 1503

Luna PED operation required to connect to Remote PED - use orange PED key(s).

Command Result : 0 (Success)

Create the Partition

1. Log in to the SafeNet Luna Network HSM as HSM SO.

lunash:>hsm login

Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.

'hsm login' successful.

Command Result : 0 (Success)

2. Use the partition create command to create a new partition, specifying at least a partition name. Other command parameters are available. See partition create in the LunaSH Command Reference Guide for details.

lunash:>partition create -partition LunaPar1

        Type 'proceed' to create the partition, or
        'quit' to quit now.
        > proceed
'partition create' successful.

Command Result : 0 (Success)

3. Verify that the partition has been created.

lunash:>hsm show

   Appliance Details:
   ==================
   Software Version:                7.0.0

   HSM Details:
   ============
   HSM Label:                          myLunaHSM
   Serial #:                           532018
   Firmware:                           7.0.1
   HSM Model:                          Luna K7
   HSM Part Number:                    808-000048-002
   Authentication Method:              PED keys
   HSM Admin login status:             Logged In
   HSM Admin login attempts left:      3 before HSM zeroization!
   RPV Initialized:                    No
   Audit Role Initialized:             No
   Remote Login Initialized:           No
   Manually Zeroized:                  No
   Secure Transport Mode:              No
   HSM Tamper State:                   No tamper(s)

   Partitions created on HSM:
   ==============================
   Partition:         154438865287, Name: LunaPar1

   Number of partitions allowed:        100
   Number of partitions created:        1

   FIPS 140-2 Operation:
   =====================
   The HSM is NOT in FIPS 140-2 approved operation mode.

   HSM Storage Information:
   ========================
   Maximum HSM Storage Space (Bytes):   33554432
   Space In Use (Bytes):                335544
   Free Space Left (Bytes):             33218888

   Environmental Information on HSM:
   =================================
   Battery Voltage:                     3.093 V
   Battery Warning Threshold Voltage:   2.750 V
   System Temp:                         40 deg. C
   System Temp Warning Threshold:       75 deg. C

Command Result : 0 (Success)
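
A scripted version of the step 3 check, as an added example that is not part of the original documentation: it parses captured hsm show text and confirms that the new partition is listed, that the created-partition count agrees with the list, and that the HSM reports PED authentication and no tamper. It assumes the output layout shown above; the sample text is constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample in the `hsm show` layout shown on this page.
SAMPLE = """\
   HSM Details:
   ============
   Authentication Method:              PED keys
   HSM Tamper State:                   No tamper(s)

   Partitions created on HSM:
   ==============================
   Partition:         154438865287, Name: LunaPar1

   Number of partitions created:        1

Command Result : 0 (Success)
"""

PARTITION_RE = re.compile(r"^\s*Partition:\s+(\d+),\s+Name:\s+(\S+)\s*$")
# "Key:   value" rows; section titles and "====" rules do not match.
FIELD_RE = re.compile(r"^\s*([^:=]+?):\s{2,}(.+?)\s*$")

def parse_hsm_show(text):
    """Return (fields, partitions) where partitions maps name -> serial."""
    fields, partitions = {}, {}
    for line in text.splitlines():
        m = PARTITION_RE.match(line)
        if m:
            partitions[m.group(2)] = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields, partitions

def verify_partition(text, name):
    """Return a list of problems; an empty list means the check passed."""
    fields, partitions = parse_hsm_show(text)
    problems = []
    if not re.search(r"^Command Result : 0 \(Success\)\s*$", text, re.M):
        problems.append("hsm show did not report success")
    if name not in partitions:
        problems.append(f"partition {name!r} not listed")
    if fields.get("Number of partitions created") != str(len(partitions)):
        problems.append("partition count does not match the listed partitions")
    if fields.get("Authentication Method") != "PED keys":
        problems.append("HSM is not PED-authenticated")
    if fields.get("HSM Tamper State") != "No tamper(s)":
        problems.append("tamper state is not clean")
    return problems
```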

The partition now exists, and all future configuration and management of that partition will be handed over to the person who is to become the Partition SO. Once the partition is initialized, the HSM SO's administrative access is limited to the following actions:

>resizing the partition

>deleting the partition

>backing up the partition contents

>restoring the contents of the partition from backup

The Partition SO (and any additional roles that are created for the partition) performs all configuration and management actions on the partition, using LunaCM via a client connection.

The next step, depending on your configuration, is one of the following:

>Create a Network Trust Link - Multi-step setup

>Create a Network Trust Link - One-Step Setup