Preparing the Luna Network HSM to Use FMs
This section provides information on how to prepare your Luna Network HSM to accept Functionality Modules (FMs). FMs require a specific factory configuration, the correct firmware version, a license upgrade, and the correct policy settings, as described below:
>Step 1: Ensure You Have FM-Ready Hardware
>Step 2: Update to Luna Appliance Software and HSM Firmware 7.4.0 or Higher
>Step 3: Purchase and Apply the FM Capability License
>Step 4: Apply HSM Policy Settings
CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.Refer to FM Deployment Constraints for details before enabling.
If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.
Step 1: Ensure You Have FM-Ready Hardware
The FM feature requires a specific Luna Network HSM hardware configuration that must be created by Thales at the factory. Luna Network HSMs that have this configuration are "FM-ready". If your Luna Network HSM is not FM-ready, contact your Thales representative or Thales Customer Support for further guidance.
Determining Whether the HSM is FM-Ready
Starting with release 7.4, all Luna Network HSMs are FM-ready from the factory. HSMs shipped prior to 7.4 are not. To determine if your HSM is FM-ready, check the Product Part # on the
If the last 3-digit section of the Product Part # is 003 or higher, your HSM is FM-ready. If 002 or lower, contact your Thales representative or Thales Customer Support for guidance on how to obtain FM-ready hardware.
NOTE Exception: If your Luna Network HSM includes 10GB optical Ethernet ports, your HSM is FM-Ready, even though the Product Part # ends in 001.
Step 2: Update to Luna Appliance Software and HSM Firmware 7.4.0 or Higher
To use FMs, you require
When you have completed the upgrade, you can check the output from
Functionality Module HW: FM Ready =======================
Step 3: Purchase and Apply the FM Capability License
To use FMs, contact your Thales sales representative to purchase the FM capability license.
When you have activated your license on the HSM, you can use
HSM CAPABILITY LICENSES
License ID Description
================ ======================================
621000068-000 K7 Base
621010185-003 Key backup via cloning protocol
621000046-002 Maximum 100 partitions
621000134-002 Enable 32 megabytes of object storage
621000135-002 Enable allow decommissioning
621000021-002 Maximum performance
621000138-001 Controlled tamper recovery
621000154-001 Enable decommission on tamper with policy off
621000074-001 Enable Functionality Modules
Step 4: Apply HSM Policy Settings
Applying the FM capability license allows you to set 4 new HSM policies that affect FMs on the Luna Network HSM (see HSM Capabilities and Policies). Use
Description Value Code Destructive =========== ===== ==== =========== Allow Functionality Modules Off 50 Yes Allow SMFS Auto Activation Off 51 Yes Restrict FM Privilege Level Off 52 Yes Encrypt keys passing from FM to HSM Off 53 Yes
HSM Policy 50: Allow Functionality Modules
With this policy enabled, Functionality Modules may be loaded to the HSM, permitting custom cryptographic operations. Allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM.
The HSM SO must set HSM policy 50 to 1 (ON) to use FMs on the Luna Network HSM. Changing this policy (OFF-to-ON or ON-to-OFF) will zeroize the HSM and it must be re-initialized.
CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.Refer to FM Deployment Constraints for details before enabling.
If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.
HSM Policy 51: Allow SMFS Auto Activation
With this policy enabled, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. Auto-activation for SMFS, like auto-activation for PED-authenticated partitions in general, persists through a power outage of up to 2 hours duration.If disabled, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power.
Thales recommends setting HSM policy 51 to 1 (ON) to avoid having to manually re-activate the SMFS if you need to reboot the HSM. Changing this policy destroys all existing application partitions.
HSM Policy 52: Restrict FM Privilege Level
With this policy enabled, FM privilege is restricted. By default, FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).
FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).
Unless you require CC certification, Thales does not recommend changing this policy from its default setting (OFF). Changing this policy destroys all existing application partitions.
HSM Policy 53: Encrypt Keys Passing from FM to HSM
With this policy enabled, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria).
Unless you require CC certification, Thales does not recommend changing this policy from its default setting (OFF). Changing this policy (OFF-to-ON or ON-to-OFF) will destroy all existing application partitions.