Installing the Luna PCIe HSM Hardware

This section describes how to perform the following tasks:

>Install the Luna PCIe HSM card into the host computer. See Installing the Luna PCIe HSM Card Into the Host Computer.

>Connect a chassis intrusion connector to the tamper header on the card, if necessary. See Connecting a Chassis Intrusion Connector to the Tamper Header

>Connect a local PED, if necessary. See Connecting a Local PED

>Connect a remote PED, if necessary. See Connecting a Remote PED

Server Compatibility

The Luna PCIe HSM conforms to the PCIe 2.0 standard and requires a PCIe x4 or higher slot. There are no known incompatible servers at this time.

NOTE    Do not install the Luna PCIe HSM into a slot reserved for a dedicated function, such as video. If you do, the host system might not boot successfully.

Installing the Luna PCIe HSM Card Into the Host Computer

Install the Luna PCIe HSM card into an open PCIe slot on the host computer.

CAUTION!   This product uses semiconductors that can be damaged by electro-static discharge (ESD). When handling the device, avoid contact with exposed components, and always use an anti-static wrist strap connected to an earth ground. In rare cases, ESD can trigger a tamper or decommission event on the HSM. If this happens, all existing roles and cryptographic objects are deleted.

Prerequisites

>Ensure that the PCIe slot is unpowered before you proceed with the installation.

To install the Luna PCIe HSM hardware

1.Open your computer, and remove the slot-cover bracket from an available PCIe slot. If the bracket is secured by a screw, keep that screw.

2.Use the provided anti-static wrist-strap to ground yourself to an exposed metal part of the computer chassis.

3.Remove the Luna PCIe HSM from its anti-static packaging and prepare to insert the card into your computer.

Your Luna PCIe HSM comes fitted with a full-height mounting bracket, but if you have no full-height slots available, the card can fit into a half-height slot. A half-height mounting bracket is included for this purpose. To install the half-height bracket, remove the two screws connecting the full-height bracket to the card, and use them to mount the half-height bracket in its place.

4.Align the Luna PCIe HSM card with the vacant, unpowered slot. You might need to introduce the tip of the card-hold-down bracket first (the silver-metal part along the back edge of the card), in order to properly align the card with the connector.

You can use a PCIe X4 or larger slot, as long as it is wired for at least four PCI express channels, and not reserved for a dedicated function. For example, we do not recommend that you use your Luna PCIe HSM card in a designated PCI express video slot - different models of computer and their BIOS firmware can differ in how faithfully they support the PCIe standard.

5.Insert the Luna PCIe HSM card into the connector. It should go straight in – angling the card might cause it to bend. The card is properly seated when no portion of the gold-colored contacts of the card-edge protrudes above the connector socket.

6.Secure the card hold-down bracket with a screw or other restraint, as appropriate in your computer.

Connecting a Chassis Intrusion Connector to the Tamper Header

The Luna PCIe HSM is equipped with a two-pin tamper header which, when shorted, places the HSM in a tamper state with a status of Chassis Open. If your chassis is so equipped, you can connect the chassis intrusion connector to the tamper header so that the HSM is placed in a tamper state if the chassis is opened. Refer to the documentation provided by your chassis manufacturer for more information.

To connect a chassis intrusion connector to the tamper header

1.Install the card as described in Installing the Luna PCIe HSM Card Into the Host Computer.

2.Connect the chassis intrusion connector to the tamper input header on the card, shown below.

NOTE   If used, this pin pair would usually be wired to a chassis switch that is held open when the lid or panel is in place. Opening the lid or panel would allow the switch to close, and tamper the HSM. If you are constructing or ordering a cable for this purpose, the header has 2mm pin pitch and mates with a Molex connector (https://www.molex.com/molex/products/datasheet.jsp?part=active/0355070200_CRIMP_HOUSINGS.xml ) or equivalent.

Connecting a Local PED

The local Luna PED (or a Luna PED Remote used locally) connects directly to the USB port on the Luna PCIe HSM card via a USB-to-MiniUSB cable.

To connect a local PED to the Luna PCIe HSM:

1.Use the Luna PED local cable (mini-USB to USB) to connect the Luna PED to the Luna PCIe HSM card:

a.Plug the mini-USB connector on the cable into the mini-USB port on the PED.

b. Plug the USB connector on the cable into the USB port on the card.

Connecting a Remote PED

The Remote-Capable PED can be used either locally, connected directly to a Luna HSM (exactly as for the standard PED), or remotely when connected to a suitable workstation and to the electrical main power supply. The normal local use of a PED with Remote PED capability is to use it in local mode to prepare an HSM (imprint an RPK – the orange key with a Remote PED Vector) before shipping it to its remote location. Then you would switch to Remote PED mode.

To prepare an HSM for Remote PED operation you need to connect it locally and imprint the HSM with a Remote PED key (orange). Once the HSM can be reached via remote desktop connection, and the HSM is associated with an orange PED key, all further configuration and administration can be performed remotely.

To connect a remote PED to the Luna PCIe HSM:

1.Use the Luna PED local cable to connect the Luna PED to the Luna PCIe HSM card. This step is required to imprint the HSM with a Remote PED Vector (RPV) using the orange PED key (RPK). This should be the only time you need to connect a PED locally to the HSM. Once the orange PED key is imprinted with the same RPV as the HSM, all future PED operations can be performed remotely.

2.Follow the instructions in the Administration Guide to configure the remote PED. Note that you must install at least the Remote PED optional component of the Luna HSM Client software before you can configure the remote PED. See Luna HSM Client Software Installation.