Initializing an Appliance-Connected Luna Backup HSM (G7)

You must initialize the backup HSM prior to first use. You can initialize the backup HSM by connecting it to a Luna Network HSM and using LunaSH commands to perform the initialization. Initialization does the following:

>Creates the orange (Remote PED vector) key for the backup HSM (PED-authenticated HSMs only). You create the orange key using a one-time, password-secured connection between the PED and the backup HSM. You then use this orange key to secure all subsequent connections between the PED and the backup HSM.

>Sets the authentication mode of the HSM. The authentication mode is set automatically to the same mode as the Luna Network HSM the backup HSM is connected to when it is initialized. PED-authenticated backup HSMs can back up PED-authenticated partitions. Password-authenticated backup HSMs can back up password-authenticated partitions.

>Sets the security domain of the HSM. You can only back up partitions that share the same domain as the backup HSM.

>Creates the HSM SO role on the HSM (see HSM Roles). This role is required to create or modify a backup partition, and must be logged in to perform a backup.

NOTE   This functionality requires minimum Luna Network HSM appliance software 7.7.0. See Version Dependencies by Feature for more information. If you are using an older appliance software version, you must connect the Luna Backup HSM (G7) to a client workstation with Luna HSM Client 10.1.0 or newer.

The procedure is different for PED-authenticated and password-authenticated backups, as detailed in the following sections:

>Recovering the Luna Backup HSM (G7) from Secure Transport Mode

>Initializing a PED-Authenticated HSM

>Initializing a Password-Authenticated HSM

Recovering the Luna Backup HSM (G7) from Secure Transport Mode

The Luna Backup HSM (G7) is shipped in Secure Transport Mode (STM). STM provides a logical check on the G7 firmware and critical security parameters (such as configuration, keys, policies, roles, etc.) so that the authorized recipient can determine if these have been altered while the HSM was in transit. For a more detailed description of STM, see Secure Transport Mode.

NOTE   Recovering the Luna Backup HSM (G7) from STM requires connecting it to a client workstation running Luna HSM Client 10.1.0 or newer.

To recover the Luna Backup HSM (G7) from STM

1. Connect the Luna Backup HSM (G7) to a USB port on a client workstation running Luna HSM Client 10.1 or newer, with the Backup option installed (refer to Luna HSM Client Software Installation for your client operating system).

2. Launch LunaCM on the client workstation.

3. Select the slot assigned to the Luna Backup HSM (G7) Admin partition.

lunacm:> slot set -slot <slot_id>

4. Recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information about the Random User String:

lunacm:> stm recover -randomuserstring <string>

NOTE   Recovering a Luna Backup HSM (G7) from STM may take up to three minutes.

Initializing a PED-Authenticated HSM

Initializing your backup HSM as PED-authenticated allows you to back up PED-authenticated partitions.

Summary

To initialize a PED-authenticated HSM, you connect it and a Remote PED (using a USB or network connection) to a PED-authenticated Luna Network HSM, and perform the following tasks:

>Create the orange (Remote PED vector) key for the backup HSM.

>Initialize the HSM to set the HSM domain, and create the HSM SO PED key.

Prerequisites

>If necessary, recover the Luna Backup HSM (G7) from Secure Transport Mode as described in Recovering the Luna Backup HSM (G7) from Secure Transport Mode.

>Before beginning, ensure that you are familiar with the concepts in PED Authentication. You will need the following PED keys:

A blank orange (PED vector) PED key, plus the number required to create duplicate PED keys as necessary.

N number of blue (HSM SO) PED keys, as defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

An existing red (Domain) PED key for the cloning domain of the partitions you want to back up to the HSM. You can also insert a blank red (Domain) PED key if you want to create a new domain for the HSM (although you won't be able to back up any existing partitions if you do).

To initialize a PED-authenticated Backup HSM

1. Configure your PED-authenticated Luna Network HSM using one of the following configurations:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable.

c. Connect the Remote PED to the Luna Network HSM appliance. You can connect a Remote PED directly to one of the USB ports on the Luna Network HSM appliance using the included USB cable, or you can connect to a network-attached Luna HSM Client workstation that hosts a Remote PED:

If you connect the Remote PED directly to a USB port on the appliance, use the appliance loopback IP address (127.0.0.1) to connect to the local pedserver service running on the appliance, and specify the serial number of the connected backup HSM you want to use. You can read the serial number from the Backup HSM display screen. The pedserver service must be running on the appliance. You can use the lunash:> service commands to administer the service:

lunash:> hsm ped connect -ip 127.0.0.1 -serial <backup_hsm_serial_number>

If you are using a network-attached Remote PED, connect to the IP address of the workstation used to host the Remote PED. This can be the same workstation you are using to host the LunaSH session, or a different workstation.

lunash:> hsm ped connect -ip <pedserver_host>

NOTE   You can connect the backup HSM to any USB port on the client workstation or Luna Network HSM appliance. Do not attempt to connect the backup HSM to the USB port on the HSM card.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

3. Create a Remote PED Vector (orange) PED key for the backup HSM:

lunash:> hsm ped vector init-serial <backup_hsm_serial_number>

LunaSH generates and displays a one-time password that is used to set up a secure channel between the backup HSM and the PED, allowing you to securely initialize the orange (Remote PED Vector) key. Enter the displayed password on the PED when prompted to complete setup of the secure channel and respond to the prompts to create the Remote PED Vector (orange) PED key.

Please attend to the PED and enter following password: 94485995

CAUTION!   The orange PED key is required for all Luna G7 Backup HSM operations. If this key is lost, your backups will become irretrievable. Thales recommends keeping multiple backups of all PED keys stored in a secure location.

4. Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted by the PED for the red Domain key(s) (existing or new) and black HSM SO key(s) (new). Respond to the PED prompts and insert and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

5. Use the Duplicate function on the PED to create and label duplicates of the new PED keys, as required. See Duplicating Existing PED Keys for details.

6. Disconnect the PED when done:

If you connected the Remote PED directly to a USB port on the appliance:

lunash:> hsm ped disconnect -serial <backup_hsm_serial_number>

If you connected to a network-attached Remote PED:

lunash:> hsm ped disconnect

Initializing a Password-Authenticated HSM

Initializing your backup HSM as password-authenticated allows you to back up password-authenticated partitions.

Summary

To initialize a password-authenticated HSM, you connect it to a password-authenticated Luna Network HSM and perform the following tasks:

>Initialize the HSM to set the HSM domain, and set the initial password for the HSM SO role.

Prerequisites

>If necessary, recover the Luna Backup HSM (G7) from Secure Transport Mode as described in Recovering the Luna Backup HSM (G7) from Secure Transport Mode.

>You require the password for the cloning domain of the partitions you want to back up to the HSM. You can also enter a new password to create a new domain for the HSM (although you won't be able to back up any existing partitions if you do).

To initialize a password-authenticated HSM

1. Configure your password-authenticated Luna Network HSM as follows:

a. Open a network (SSH) or serial connection to the appliance and log in as admin, or other admin-level user, to start a LunaSH session.

b. Connect the backup HSM directly to the Luna Network HSM using the included USB cable.

2. Get the serial number of the backup HSM, or read the serial number from the Backup HSM display screen.

lunash:> token backup list

3. Initialize the backup HSM:

lunash:> token backup init -label <backup_hsm_label> -serial <backup_hsm_serial_number>

You are prompted for the new HSM SO password and the HSM domain string (existing or new).
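
The PED-authenticated and password-authenticated procedures above differ in which LunaSH commands are run and in which form of the PED connect and disconnect commands is used. The following runbook helper is an added example, not Thales code: it returns the ordered command sequence for one scenario and enforces the 7.7.0 appliance software minimum from the NOTE. The function and parameter names are hypothetical, and the rule that each option value is a single whitespace-free token is an assumption of this example.

```python
# Added example: builds the LunaSH command sequence from the procedures above.
# Function and parameter names are hypothetical; command strings are the page's.

MIN_APPLIANCE_SW = (7, 7, 0)  # minimum appliance software stated in the NOTE


def _version(text):
    """Parse 'X.Y.Z' into a tuple of ints for comparison."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def _token(name, value):
    """Assumption of this example: each option value is one whitespace-free token."""
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"{name} must be a non-empty value without whitespace")
    return value


def plan_backup_hsm_init(appliance_sw, auth, serial, label, ped=None, ped_host=None):
    """Return the ordered LunaSH commands for an appliance-connected backup HSM.

    auth: 'ped' or 'password' (must match the Luna Network HSM's mode).
    ped:  'usb' (PED on an appliance USB port) or 'network'; PED auth only.
    """
    if _version(appliance_sw) < MIN_APPLIANCE_SW:
        raise ValueError("appliance software older than 7.7.0: connect the "
                         "backup HSM to a Luna HSM Client 10.1.0+ workstation")
    serial, label = _token("serial", serial), _token("label", label)
    init = f"token backup init -label {label} -serial {serial}"
    if auth == "password":
        # No PED involved: list the backup HSM, then initialize it.
        return ["token backup list", init]
    if auth != "ped":
        raise ValueError("auth must be 'ped' or 'password'")
    if ped == "usb":
        # Local PED: loopback pedserver, and the serial is given on both ends.
        connect = f"hsm ped connect -ip 127.0.0.1 -serial {serial}"
        disconnect = f"hsm ped disconnect -serial {serial}"
    elif ped == "network":
        connect = f"hsm ped connect -ip {_token('ped_host', ped_host)}"
        disconnect = "hsm ped disconnect"
    else:
        raise ValueError("ped must be 'usb' or 'network' for PED authentication")
    return [connect, "token backup list",
            f"hsm ped vector init-serial {serial}", init, disconnect]
```

The returned list covers only the typed commands; the PED prompts, key labelling and key duplication steps remain manual.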