Migrating the Orange Remote PED Key For Luna 7.7.0 or Newer

Luna HSM firmware 7.7.0 introduces a new PED protocol for securing local and remote PED connections. In addition to the Luna PED firmware upgrade, any existing orange (Remote PED) keys must be migrated to the new protocol before they can be used with an HSM running firmware 7.7.0 or newer. Alternatively, you can create a new orange key using a local PED connection after updating the HSM to firmware 7.7.0+ (see Initializing the Remote PED Vector and Creating an Orange Remote PED Key). If you choose to migrate existing orange key(s), use one of the following procedures:

>Prerequisites

>Migrating the Orange RPK(s) Using a Remote PED Connection

>Migrating the Orange RPK(s) Using a Local PED Connection

Prerequisites

>Ensure that you have a backup orange PED key (or M of N set). If you do not have backups, see Duplicating Existing PED Keys for the procedure.

>Thales recommends migrating the full M of N set of orange keys at the same time. You must have the full set of N keys present at the time of migration, and should also have any existing duplicate sets on hand. If some duplicate keysets are not available, they can be migrated later using this same procedure, or you can create new duplicates from an already-migrated keyset.

>Depending on your Luna PED hardware, you require the following minimum firmware versions to authenticate with Luna 7.7.0 (see Updating Luna PED Firmware (for older-version PED that requires a power-block)):

Luna PED firmware 2.7.4 or newer for older PED

Luna PED firmware 2.9.0 or newer for refreshed PED

>The Luna Network HSM firmware must be at minimum firmware version 7.7.0 (see Updating the Luna HSM Firmware).

>The migration process takes about one minute per key. If you are migrating many keys (multiple duplicate copies of M of N splits, for example) you may need to adjust the PED timeouts on your appliance or client to ensure that you can complete the procedure.

For example, if you are migrating an M of N split of 3 keys, with one set of backups (6 keys in total), Thales recommends the following minimum timeout settings under the Luna section of the Luna HSM Client configuration file (see Configuration File Summary). The configuration file values are in milliseconds. Scale your actual settings to the number of keys you are migrating:

PEDTimeout2 = 600000 (PED key interaction time)

CommandTimeOutPedSet = 1220000 (overall PED operation timeout)

If you are using LunaSH to initiate the key migration, use the following commands to adjust the equivalent timeouts on the appliance. These take seconds rather than milliseconds:

lunash:> hsm ped timeout set -type pedk -seconds 600

lunash:> hsm ped timeout set -type pedo -seconds 1220
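The timeout sizing and the configuration-file edit, as an added Python example (not Thales code). It takes the values recommended above for 6 keys as a floor and scales them linearly for larger key counts; that scaling rule is this example's own heuristic, not a Thales recommendation. It assumes the Linux Chrystoki.conf block syntax (Luna = { Key = Value; }); the Windows crystoki.ini uses INI-style sections and is not handled here. The sample configuration text is constructed for the example.

```python
"""Size PED timeouts for an orange-key migration and write them into the
Luna section of a Linux Luna HSM Client Chrystoki.conf.

Added example, not Thales code. Assumes the Linux 'Luna = { Key = Value; }'
block syntax. The scaling rule is this example's own heuristic: the page's
recommendation for 6 keys is used as a floor and scaled linearly beyond that.
"""
import math
import re

# Values the page recommends for 6 keys (3-key M of N split + one duplicate set).
PAGE_EXAMPLE_KEYS = 6
PAGE_PEDK_SECONDS = 600      # PEDTimeout2 (PED key interaction time)
PAGE_PEDO_SECONDS = 1220     # CommandTimeOutPedSet (overall PED operation)


def migration_timeouts(n_keys, duplicate_sets=0):
    """Return (PEDTimeout2, CommandTimeOutPedSet) in seconds for migrating
    n_keys per keyset plus duplicate_sets extra copies of that keyset."""
    if n_keys < 1 or duplicate_sets < 0:
        raise ValueError("need at least one key and a non-negative duplicate count")
    total = n_keys * (1 + duplicate_sets)
    scale = max(1.0, total / PAGE_EXAMPLE_KEYS)   # never drop below the page's floor
    return (math.ceil(PAGE_PEDK_SECONDS * scale),
            math.ceil(PAGE_PEDO_SECONDS * scale))


def lunash_commands(pedk_seconds, pedo_seconds):
    """LunaSH equivalents of the two client-side settings (seconds, not ms)."""
    return [
        f"hsm ped timeout set -type pedk -seconds {pedk_seconds}",
        f"hsm ped timeout set -type pedo -seconds {pedo_seconds}",
    ]


# 'Luna = {' at the start of a line up to the first '}' at the start of a line.
_LUNA_BLOCK = re.compile(r"^Luna\s*=\s*\{(?P<body>.*?)^\}", re.S | re.M)


def _set_key(body, key, value):
    """Replace 'key = <n>;' inside a block body, or append it if absent."""
    pat = re.compile(rf"^(?P<indent>[ \t]*){key}\s*=\s*\d+\s*;[ \t]*$", re.M)
    if pat.search(body):
        return pat.sub(lambda m: f"{m.group('indent')}{key} = {value};", body, count=1)
    return body.rstrip("\n") + f"\n   {key} = {value};\n"


def set_luna_timeouts(conf_text, pedk_seconds, pedo_seconds):
    """Return conf_text with both timeouts set (converted to milliseconds) in
    the Luna block. Missing keys, or a missing Luna block, are added."""
    settings = {"PEDTimeout2": pedk_seconds * 1000,
                "CommandTimeOutPedSet": pedo_seconds * 1000}
    m = _LUNA_BLOCK.search(conf_text)
    if m is None:
        body = "\n"
        for key, value in settings.items():
            body = _set_key(body, key, value)
        return conf_text.rstrip("\n") + "\nLuna = {" + body + "}\n"
    body = m.group("body")
    for key, value in settings.items():
        body = _set_key(body, key, value)
    return conf_text[:m.start("body")] + body + conf_text[m.end("body"):]


def get_luna_value(conf_text, key):
    """Read an integer key from the Luna block (None if absent)."""
    m = _LUNA_BLOCK.search(conf_text)
    if m is None:
        return None
    v = re.search(rf"^\s*{key}\s*=\s*(\d+)\s*;", m.group("body"), re.M)
    return int(v.group(1)) if v else None


# Constructed sample: a trimmed Luna block with default-style values.
SAMPLE_CONF = """Chrystoki2 = {
   LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
}
Luna = {
   DefaultTimeOut = 500000;
   PEDTimeout1 = 100000;
   PEDTimeout2 = 200000;
   PEDTimeout3 = 20000;
}
"""

if __name__ == "__main__":
    pedk, pedo = migration_timeouts(n_keys=3, duplicate_sets=1)   # the page's worked case
    print(set_luna_timeouts(SAMPLE_CONF, pedk, pedo))
    print("\n".join("lunash:> " + c for c in lunash_commands(pedk, pedo)))
```

Run it against a copy of the client's Chrystoki.conf, check the diff, and only then replace the live file; the appliance-side LunaSH settings are printed for the case where the migration is started from LunaSH instead.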

Migrating the Orange RPK(s) Using a Remote PED Connection

You can use your existing Remote PED connections to migrate your orange PED keys (see Remote PED Setup). This is useful if you have multiple Remote PED servers used by different administrators, as each can migrate their own orange key or M of N keyset from their own location. The migration process begins automatically the first time you attempt a remote PED connection after updating the Luna Network HSM firmware to 7.7.0+. You can use LunaSH or LunaCM to initiate the procedure.

To migrate the orange RPK(s) using a remote Luna PED

1. Choose LunaSH or LunaCM to initiate the procedure:

LunaSH: Connect to the appliance via SSH or a serial connection and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

LunaCM: Launch LunaCM on the Luna HSM Client workstation and set the active slot to a partition on the updated HSM.

lunacm:> slot set slot <slotnum>

2. Ensure that you have the orange PED key(s) ready, and initiate a PED connection using the interface you chose in step 1:

lunash:> hsm ped connect [-ip <ip_address>] [-port <number>]

lunacm:> ped connect [-ip <ip_address>] [-port <number>]

3. The remote Luna PED prompts you to insert an orange key. Insert the orange key and press Enter.

4. The Luna PED informs you that this PED key must be migrated, and that the existing RPV will be preserved. It prompts you to confirm that you want to migrate this key. Press Yes.

If you are migrating a single orange key (M = 1 and N = 1), the migration process begins immediately and takes about a minute.

The Luna PED then asks if you wish to migrate another key in this keyset. If you have duplicate orange keys to migrate, press Yes and repeat steps 3-4 for each duplicate.

If you are migrating an M of N keyset, you must present M keys to reconstruct the RPV before the migration process can begin. Repeat steps 3-4 until you have presented M keys. The migration process begins on the Mth key, and takes about a minute.

The Luna PED then asks if you wish to migrate another key in this keyset. Press Yes and repeat steps 3-4 for each remaining key until all N keys have been migrated, including the keys you presented to meet the M requirement.

If you have duplicate orange M of N keysets, repeat steps 3-4 for each key in each duplicate keyset.

Migrating the Orange RPK(s) Using a Local PED Connection

If it is possible to gather all your existing orange keys into one place, you can also migrate your orange keys for Luna 7.7.0 using a Luna PED connected directly to the Luna Network HSM (see Local PED Setup).

To migrate the orange RPK(s) using a locally-connected Luna PED

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2. Log in to the HSM.

lunash:> hsm login

3. Ensure that the Luna PED is in Local-USB mode (see Changing Modes).

4. Ensure that you have the orange PED key(s) ready. Proceed as if you were initializing the Remote PED vector.

lunash:> hsm ped vector init

5. The Luna PED prompts you to confirm that you want to use an existing keyset. Press Yes, so that your existing RPV is reused rather than a new one generated.

6. The Luna PED prompts you to insert an orange key. Insert the orange key and press Enter.

7. The Luna PED informs you that this PED key must be migrated, and that the existing RPV will be preserved. It prompts you to confirm that you want to migrate this key. Press Yes.

If you are migrating a single orange key (M = 1 and N = 1), the migration process begins immediately and takes about a minute.

The Luna PED then asks if you wish to migrate another key in this keyset. If you have duplicate orange keys to migrate, press Yes and repeat steps 6-7 for each duplicate.

If you are migrating an M of N keyset, you must present M keys to reconstruct the RPV before the migration process can begin. Repeat steps 6-7 until you have presented M keys. The migration process begins on the Mth key, and takes about a minute.

The Luna PED then asks if you wish to migrate another key in this keyset. Press Yes and repeat steps 6-7 for each remaining key until all N keys have been migrated, including the keys you presented to meet the M requirement.

If you have duplicate orange M of N keysets, repeat steps 6-7 for each key in each duplicate keyset.