Initializing a Client-Connected Luna Backup HSM (G7)

You must initialize the backup HSM prior to first use. Initialization does the following:

>Recovers the HSM from Secure Transport Mode (STM). STM allows you to verify that the HSM was not tampered with in transit. All new HSMs are shipped from the factory in Secure Transport Mode.

>Creates the orange (Remote PED vector) key for the backup HSM (PED-authenticated HSMs only). You create the orange key using a one-time, password-secured connection between the PED and the backup HSM. You then use this orange key to secure all subsequent connections between the PED and the backup HSM.

>Sets the authentication mode of the HSM. PED-authenticated backup HSMs can back up PED-authenticated partitions only. Password-authenticated backup HSMs can back up password-authenticated partitions only.

>Sets the security (cloning) domain of the HSM. You can only back up partitions that share the same domain as the backup HSM.

>Creates the HSM SO role on the HSM (see HSM Roles). This role is required to create or modify a backup partition, and must be logged in to perform a backup.

The procedure is different for PED-authenticated and password-authenticated backup HSMs, as detailed in the following sections:

>Initializing a PED-Authenticated HSM

>Initializing a Password-Authenticated HSM

NOTE   This feature requires minimum client version 10.1. See Version Dependencies by Feature for more information.

Initializing a PED-Authenticated HSM

Initializing your backup HSM as PED-authenticated allows you to back up PED-authenticated partitions.

Summary

To initialize a PED-authenticated HSM, you connect it and a remote PED (using a USB or network connection) to a Luna HSM Client workstation, and then perform the following tasks:

>Recover the HSM from Secure Transport Mode.

>Create the orange (Remote PED vector) key for the backup HSM.

>Initialize the HSM to set the authentication mode (PED) and HSM domain, and create the HSM SO PED key.

Prerequisites

Before beginning, ensure that you are familiar with the concepts in PED Authentication. You will need the following PED keys:

>A blank orange (PED vector) PED key, plus the number required to create duplicate PED keys as necessary.

CAUTION!    Always make copies of your orange PED Keys, or configure M of N as one-of-several, and store at least one copy safely. For the Luna Backup HSM (G7), the orange PED Key is as important as the HSM SO blue key or the Domain red key. (This contrasts with other Luna HSMs, where a lost or damaged orange key can be easily replaced via a local PED connection.)

A Remote PED Vector (RPV), on an orange PED Key (RPK) or on an associated HSM, is not a role; it is required to set up the secure tunnel for Remote PED operation.

When used with a PED-authenticated Luna Backup HSM (G7), the PED always connects remotely. The single USB port on the Backup HSM is for the connection to a Client computer or to a Luna Network HSM appliance - the PED is never connected locally/directly to the Luna Backup HSM (G7). Therefore, losing the RPK for that Luna Backup HSM (G7), without access to a copy, would mean losing the material backed-up on that Backup HSM.

>N number of blue (HSM SO) PED keys, as defined by the M of N scheme you choose for the HSM SO role, plus the number required to create duplicate PED keys as necessary.

>An existing red (Domain) PED key for the cloning domain of the partitions you want to back up to the HSM. You can also insert a blank red (Domain) PED key if you want to create a new domain for the HSM (although you won't be able to back up any existing partitions if you do).

To initialize a PED-authenticated Backup HSM

1.Configure your Luna HSM Client workstation as follows:

a.Install the required client software on the Luna HSM Client workstation. See the Luna HSM Client installation documentation for details.

b.Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

c.Connect the PED to the Luna HSM Client workstation used to host the remote PED, using the PED USB cable.

NOTE   You connect to the remote PED using the IP address of the workstation used to host the PED. This can be the same workstation that hosts the user and backup partition slots, or a different workstation. The workstation used to host the PED must be running pedServer.

2.Start the pedserver service on the workstation used to host the remote PED:

Windows C:\Program Files\Safenet\LunaClient> pedserver -mode start
Linux /usr/safenet/lunaclient> pedserver -mode start

3.Launch LunaCM on the workstation that hosts the user and backup partition slots.

4.Select the slot assigned to the backup HSM Admin partition:

lunacm:> slot set -slot <slot_id>

5.Recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information:

lunacm:> stm recover -randomuserstring <string>

NOTE   Recovering a Luna HSM (G7) from secure transport mode may take up to three minutes.

6.Connect to the Luna HSM Client workstation that hosts the PED. If you have not stored defaults with ped set, specify the IP address of the PED host (and the port if it differs from the default, 1503). The -pwd option requests a one-time password for the initial, unsecured connection.

lunacm:> ped connect -ip <ip_address> -pwd

LunaCM generates and displays a one-time password that is used to set up a secure channel between the backup HSM and the PED, allowing you to securely initialize the orange (Remote PED Vector) key. Enter the displayed password on the PED when prompted to complete setup of the secure channel.

7.Create an orange (Remote PED vector) key for the backup HSM. The PED vector key is required for subsequent PED-authenticated sessions to the HSM. Ensure that you label any new PED keys that you create during this process.

lunacm:> ped vector init

CAUTION!   The orange PED key is required for all Luna G7 Backup HSM operations. If this key is lost, your backups will become irretrievable. Thales recommends keeping multiple backups of all PED keys stored in a secure location.

8.Tear down the one-time, password-protected secure channel between the backup HSM and the PED you used to create the orange (Remote PED vector) key.

lunacm:> ped disconnect

You are prompted to enter the one-time password that was generated when you performed the ped connect. Enter the password and press Enter to proceed.

9.Set up a new secure channel between the backup HSM and the PED, this time secured by the orange key rather than the one-time password. If you have not stored defaults with ped set, specify the IP address of the PED host (and the port if it differs from the default, 1503). You are prompted to insert the orange PED key you created in step 7.

lunacm:> ped connect

10.Initialize the selected backup HSM in PED-authenticated mode. You are prompted by the PED for the red Domain key(s) (existing or new) and blue HSM SO key(s) (new). Respond to the PED prompts and insert and set the PINs on the required keys when requested. Ensure that you label any new PED keys that you create during this process.

lunacm:> hsm init -iped -label <label>

For example:

lunacm:> hsm init -iped -label USB_BACKUP_HSM_G7

11.Use the Duplicate function on the PED to create and label duplicates of the new PED keys, as required. See Duplicating Existing PED Keys for details.

12.Disconnect the PED when done.

lunacm:> ped disconnect

Initializing a Password-Authenticated HSM

Initializing your backup HSM as password-authenticated allows you to back up password-authenticated partitions.

Summary

To initialize a password-authenticated HSM you connect it to a Luna HSM Client workstation and perform the following tasks:

>Recover the HSM from Secure Transport Mode.

>Initialize the HSM to set the authentication mode (password), the HSM domain, and the initial password for the HSM SO role.

Prerequisites

Before beginning, ensure that you have the following:

>The domain string for the cloning domain of the partitions you want to back up to the HSM. You can also enter a new domain string to create a new domain for the HSM (although you won't be able to back up any existing partitions if you do).

To initialize a password-authenticated HSM

1.Configure your Luna HSM Client workstation as follows:

a.Install the required client software on the Luna HSM Client workstation. See the Luna HSM Client installation documentation for details.

b.Connect the backup HSM directly to the Luna HSM Client workstation using the included USB cable.

NOTE   On most workstations, the USB connection provides adequate power to the backup HSM and it will begin the boot sequence. If you are using a low-power workstation, such as a netbook, the USB connection may not provide adequate power, in which case you will also need to connect the external power supply.

2.Launch LunaCM on the workstation that hosts the user and backup partition slots.

3.Select the slot assigned to the backup HSM Admin partition:

lunacm:> slot set -slot <slot_id>

4.Recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information:

lunacm:> stm recover

NOTE   Recovering a Luna HSM (G7) from secure transport mode may take up to three minutes.

5.Initialize the selected backup HSM in password-authenticated mode. You are prompted for the new HSM SO password and the HSM domain string (existing or new):

lunacm:> hsm init -ipwd -label <label>
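The two procedures above share a small set of constraints that are easy to get wrong at the console: the backup HSM's authentication mode must match the partitions it will hold, a new domain means existing partitions cannot be backed up, and in PED mode the orange (RPV) key must be duplicated because the PED is never connected locally to a G7. The following pre-flight helper is an added example written for this page, not Thales code and not part of the Luna HSM Client: it checks those constraints and prints the LunaCM commands in the order the page prescribes, for the operator to paste at the lunacm:> prompt. It never talks to an HSM, and the function name, argument order and the PED_IP / STM_STRING environment variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Thales code): pre-flight check and command plan for
# initializing a client-connected Luna Backup HSM (G7).
#
# plan_backup_hsm_init <hsm_mode> <partition_auth> <slot_id> <label> <domain> [orange_copies]
#   hsm_mode       ped | pwd   authentication mode to initialize the backup HSM with
#   partition_auth ped | pwd   authentication mode of the partitions to be backed up
#   slot_id        numeric LunaCM slot of the backup HSM Admin partition
#   label          HSM label passed to hsm init
#   domain         existing | new   whether the red key / domain string already exists
#   orange_copies  planned duplicates of the orange (RPV) key (PED mode only)
#
# Prints the LunaCM command sequence on stdout and returns 0; returns 1 when
# the page's constraints are violated, 2 on bad arguments. PED_IP and
# STM_STRING (assumed names) fill in the ped connect / stm recover arguments.
plan_backup_hsm_init() {
    hsm_mode=$1 part_auth=$2 slot=$3 label=$4 domain=$5 orange_copies=${6:-0}

    # A PED-authenticated backup HSM backs up only PED-authenticated
    # partitions; a password-authenticated one only password partitions.
    case "$hsm_mode:$part_auth" in
        ped:ped|pwd:pwd) ;;
        ped:pwd|pwd:ped)
            echo "refuse: a $hsm_mode backup HSM cannot back up $part_auth partitions" >&2
            return 1 ;;
        *) echo "usage: hsm_mode and partition_auth must be ped or pwd" >&2; return 2 ;;
    esac
    case "$slot" in ''|*[!0-9]*) echo "refuse: slot id must be numeric" >&2; return 2 ;; esac
    case "$label" in ''|*[!A-Za-z0-9_-]*)
        echo "refuse: label must match [A-Za-z0-9_-]" >&2; return 2 ;; esac

    # Backups only clone between HSMs in the same domain: a fresh domain
    # means none of the existing partitions can be backed up here.
    case "$domain" in
        existing) ;;
        new) echo "warning: new domain; existing partitions cannot be backed up to this HSM" >&2 ;;
        *) echo "usage: domain must be existing or new" >&2; return 2 ;;
    esac

    echo "slot set -slot $slot"
    if [ "$hsm_mode" = ped ]; then
        # G7 rule: the PED is always remote, so losing the orange key with
        # no copy means losing the backups. Refuse to plan without a duplicate.
        case "$orange_copies" in ''|*[!0-9]*) orange_copies=0 ;; esac
        if [ "$orange_copies" -lt 1 ]; then
            echo "refuse: plan at least one duplicate orange (RPV) PED key" >&2
            return 1
        fi
        echo "stm recover -randomuserstring ${STM_STRING:-<string>}"
        # One-time-password channel only to create the RPV, then reconnect
        # under the orange key before initializing.
        echo "ped connect -ip ${PED_IP:-<ped_host_ip>} -pwd"
        echo "ped vector init"
        echo "ped disconnect"
        echo "ped connect -ip ${PED_IP:-<ped_host_ip>}"
        echo "hsm init -iped -label $label"
        echo "ped disconnect"
    else
        echo "stm recover"
        echo "hsm init -ipwd -label $label"
    fi
}

# Example invocation for a password-authenticated backup HSM in slot 3:
plan_backup_hsm_init pwd pwd 3 USB_BACKUP_HSM_G7 existing
```

The script deliberately does not pass the HSM SO password or domain string on the command line; those stay at LunaCM's own interactive prompts, so they never land in shell history or process listings.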