Converting Initialized NTLS Partitions to STC
If you have initialized partitions already assigned to a client using NTLS, you can use the following procedure to switch to a more secure STC connection. All of the client's assigned partitions on the specified Luna Network HSM must be converted. It is not possible for a client to connect to multiple partitions on a single Luna Network HSM using a combination of NTLS and STC.
The Partition SO must complete this procedure on the client workstation.
Prerequisites
• If you are using Luna HSM firmware 7.4.x or earlier, the HSM SO must set HSM Policy 39: Allow Secure Trusted Channel to 1 (ON).
To convert an NTLS partition-client connection to STC
1. Launch LunaCM and create the client token and identity.
NOTE This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
lunacm:> stc tokeninit -label <token_label>
lunacm:> stc identitycreate -label <client_identity>
The STC client identity public key is automatically exported to:
<client_install_directory>/data/client_identities/
2. Log in as Partition SO and export the partition ID key.
lunacm:> slot set -slot <slotnum>
lunacm:> role login -name po
lunacm:> stcconfig partitionidexport
The partition identity public key is named for the partition serial number (<partitionSN>.pid) and automatically exported to:
<client_install_directory>/data/partition_identities/
3. Register the partition's public key with the client identity. Specify the path to the key file.
lunacm:> stc partitionregister -file <path/filename>.pid [-label <partition_label>]
4. Register the client identity to the partition. Specify a label for the client and the path to the client identity file.
NOTE Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that there is enough free space before registering a client identity.
lunacm:> stcconfig clientregister -label <client_label> -file <path/client_identity>
5. Depending on your firmware version, enable partition policy 37: Force STC Connection.
• Luna HSM firmware 7.4.x or earlier: You must enable policy 37 to use STC. All clients accessing this partition must perform the STC registration procedure in steps 1-4.
• Luna HSM firmware 7.7.0 or newer: To enforce STC on all client connections to this partition, enable policy 37. If you want some clients to connect to this partition using NTLS, do not enable this policy.
CAUTION! Any existing NTLS client connections to this partition will be terminated when you enable policy 37. Ensure that all clients that access this partition have performed the STC registration procedure in steps 1-4 before you enable policy 37.
lunacm:> partition changepolicy -slot <slotnum> -policy 37 -value 1
NOTE When you enable partition policy 37, the client loses contact with the partition until you enable the STC connection in step 7. This is expected behavior.
6. Repeat steps 2-5 for each NTLS partition on the same Luna Network HSM you want to register to this client.
7. Find the server ID for the Luna Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.
CAUTION! This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure that you have completed steps 2-5 for each of this client's partitions before continuing.
lunacm:> clientconfig listservers
lunacm:> stc enable -id <server_ID>
If a partition is not visible as a slot when LunaCM restarts, disable STC for the server (lunacm:> stc disable -id <server_ID>) and confirm that partition policy 37 has been enabled on that partition.
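The procedure above has three constraints that are easy to get wrong when a client holds several partitions on one appliance: every partition on that appliance must be converted before stc enable is run, policy 37 is mandatory on 7.4.x-or-earlier firmware but optional on 7.7.0-or-newer, and each client identity needs 2392 bytes of free partition storage. The following pre-flight checker is an added example (not Thales code and not part of the LunaCM product): it takes a constructed inventory of the client's partitions, applies those rules, builds the LunaCM command sequence for steps 1-5 and 7, and withholds the stc enable command until no partition has a blocking problem. The Partition dataclass, its fields, the sample serial numbers and the install path /usr/safenet/lunaclient are assumptions for illustration; the client identity file name is passed in because the page does not state it.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Storage consumed on a partition by each registered client identity (from the procedure's note).
BYTES_PER_CLIENT_IDENTITY = 2392


@dataclass
class Partition:
    """Hypothetical inventory record for one of the client's partitions on a single appliance."""
    slot: int
    serial: str             # partition serial number; the exported key file is <serial>.pid
    firmware: str           # Luna HSM firmware version string, e.g. "7.4.2"
    free_bytes: int         # free object storage on the partition
    hsm_policy_39_on: bool  # HSM Policy 39: Allow Secure Trusted Channel (HSM SO setting)
    stc_registered: bool    # this client's identity is already registered to the partition
    policy_37_on: bool      # partition policy 37: Force STC Connection


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.4.2' -> (7, 4, 2) so firmware ranges compare numerically."""
    return tuple(int(part) for part in text.split("."))


def policy_37_requirement(firmware: str) -> str:
    """Map a firmware version to the policy-37 rule the procedure states for that range."""
    fw = parse_version(firmware)
    if fw < (7, 5, 0):        # 7.4.x or earlier: policy 37 is mandatory for STC
        return "required"
    if fw >= (7, 7, 0):       # 7.7.0 or newer: policy 37 only if STC is to be enforced
        return "optional"
    return "unspecified"      # 7.5.x / 7.6.x are not covered by this procedure's text


def partition_plan(p: Partition, client_label: str, client_dir: str,
                   client_identity_file: str, enforce_stc: bool) -> Tuple[List[str], List[str]]:
    """Steps 2-5 for one partition: returns (LunaCM commands, blocking problems)."""
    commands: List[str] = []
    problems: List[str] = []
    req = policy_37_requirement(p.firmware)

    if req == "required" and not p.hsm_policy_39_on:
        problems.append(f"slot {p.slot}: HSM Policy 39 must be ON before STC on firmware {p.firmware}")
    if req == "unspecified":
        problems.append(f"slot {p.slot}: firmware {p.firmware} is outside the ranges this procedure covers")

    if not p.stc_registered:
        if p.free_bytes < BYTES_PER_CLIENT_IDENTITY:
            problems.append(f"slot {p.slot}: {p.free_bytes} bytes free, a client identity needs "
                            f"{BYTES_PER_CLIENT_IDENTITY}")
        commands += [
            f"slot set -slot {p.slot}",
            "role login -name po",
            "stcconfig partitionidexport",
            f"stc partitionregister -file {client_dir}/data/partition_identities/{p.serial}.pid",
            f"stcconfig clientregister -label {client_label} -file {client_identity_file}",
        ]

    wants_policy_37 = req == "required" or (req == "optional" and enforce_stc)
    if wants_policy_37 and not p.policy_37_on:
        commands.append(f"partition changepolicy -slot {p.slot} -policy 37 -value 1")
    return commands, problems


def preflight(partitions: List[Partition], server_id: int, client_label: str, client_dir: str,
              client_identity_file: str, enforce_stc: bool = True,
              identity_exists: bool = True) -> Tuple[bool, List[str], List[str]]:
    """Whole sequence for one appliance; 'stc enable' is emitted only when every partition passes,
    because a client cannot mix NTLS and STC partitions on the same Luna Network HSM."""
    commands: List[str] = []
    problems: List[str] = []
    if not identity_exists:  # step 1, only when no client token/identity exists yet
        commands += [f"stc tokeninit -label {client_label}-token",
                     f"stc identitycreate -label {client_label}"]
    for p in partitions:  # steps 2-5, repeated per partition (step 6)
        c, pr = partition_plan(p, client_label, client_dir, client_identity_file, enforce_stc)
        commands += c
        problems += pr
    ready = not problems
    if ready:  # step 7
        commands += ["clientconfig listservers", f"stc enable -id {server_id}"]
    return ready, commands, problems


if __name__ == "__main__":
    # Constructed sample inventory: slot 1 lacks the storage a client identity needs.
    inventory = [
        Partition(0, "0000000000001", "7.4.2", 10000, True, False, False),
        Partition(1, "0000000000002", "7.7.1", 2000, False, False, False),
    ]
    ok, cmds, errs = preflight(inventory, 1, "app01", "/usr/safenet/lunaclient",
                               "/usr/safenet/lunaclient/data/client_identities/app01")
    print("ready:", ok)
    for e in errs:
        print("BLOCKED:", e)
    for c in cmds:
        print("lunacm:>", c)
```

Run it as-is to see the blocked plan; raise free_bytes on slot 1 to at least 2392 and the plan ends with clientconfig listservers and stc enable -id 1. The deliberate choice is that one failing partition suppresses stc enable for the whole appliance rather than for that partition alone, which mirrors the CAUTION in step 7.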
STC provides several configurable options that define the network settings for an STC link and the security settings for the messages transmitted over it. The defaults are chosen to balance security and performance, but you can override them if desired. See Configuring STC Identities and Settings for more information.