stm transport

Place the HSM in Secure Transport Mode (STM).

You must be logged in as HSM SO to invoke Secure Transport Mode.

- for multi-factor authenticated HSMs [PED-authenticated], the blue HSM SO PED key is required;

- for password-authenticated HSMs, have the HSM SO password ready.

NOTE   The stm commands appear only when LunaCM's active slot is set to the administrative partition on a Luna PCIe HSM or G7-based Luna Backup HSM. On G5-based Luna Backup HSMs, Secure Transport Mode is implemented using a secure recovery key (SRK). See Backup HSM Secure Transport and Tamper Recovery and srk for more information. To access the STM feature on Luna Network HSM, use LunaSH (see hsm stm).

When you enter this command, two strings are displayed: a verification string and a random user string. Record both of them so that you can later confirm the HSM was not tampered with while in STM. When you recover from STM, enter the random user string and compare the verification string the HSM generates to the one you recorded. If the strings match, the HSM was not tampered with while in STM (see stm recover).

CAUTION!   PREREQUISITE - Before issuing the command that places a multi-factor authenticated (PED-auth) HSM into Secure Transport Mode, ensure that all roles on the HSM are deactivated, using role deactivate with each role name.

For Network HSMs, deactivate the roles on all partitions from LunaCM on a connected client, then use the LunaSH commands hsm stm transport and hsm stm recover to enter and recover from STM.

Failure to deactivate roles first can result in a mismatch when the generated strings are compared during Secure Transport Mode recovery.

Syntax

stm transport

Example

lunacm:>stm transport

        You are about to configure the HSM in STM.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Configuring the HSM for transport (may take a few seconds)...

        HSM was successfully configured for transport.

        Please record the displayed verification & random user strings.
        These are required to recover from Secure Transport Mode.


        Verification String: SL7P-GWtA-JFKt-psCH

        Random User  String: Gxbx-dXFM-x4bW-bMWN

Command Result : No Error
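The record-and-compare step described above, as an added example that is not part of this page or of LunaCM: it parses the two strings out of captured `stm transport` output (the sample below is constructed from the example shown on this page) and checks, at recovery time, whether the regenerated verification string matches the recorded one. The four-groups-of-four format check is an assumption drawn from the example output.

```python
import re

# Constructed sample: the stm transport output shown on this page, with the
# interactive prompt lines trimmed.
STM_TRANSPORT_OUTPUT = """\
lunacm:>stm transport
        HSM was successfully configured for transport.
        Please record the displayed verification & random user strings.
        Verification String: SL7P-GWtA-JFKt-psCH
        Random User  String: Gxbx-dXFM-x4bW-bMWN
Command Result : No Error
"""

# Four groups of four alphanumerics, as in the example output (assumed format).
GROUP_RE = re.compile(r"^(?:[A-Za-z0-9]{4}-){3}[A-Za-z0-9]{4}$")
LINE_RE = re.compile(r"^\s*(Verification|Random User)\s+String:\s*(\S+)\s*$")


def parse_stm_transport(output):
    """Extract the two strings that must be recorded from stm transport output.

    Nothing is recorded unless LunaCM reported 'No Error', so a failed attempt
    never leaves a stale or partial record behind.
    """
    if "Command Result : No Error" not in output:
        raise ValueError("stm transport did not complete; nothing to record")
    found = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = "verification" if m.group(1) == "Verification" else "random_user"
            found[key] = m.group(2)
    for key in ("verification", "random_user"):
        value = found.get(key)
        if value is None or not GROUP_RE.match(value):
            raise ValueError(f"{key} string missing or malformed: {value!r}")
    return found


def recovery_matches(recorded_verification, generated_verification):
    """True only when the verification string regenerated by stm recover (after
    entering the recorded random user string) equals the one recorded when the
    HSM entered STM. Any difference means the HSM must be treated as tampered."""
    return recorded_verification.strip() == generated_verification.strip()
```

Store the parsed record somewhere other than the HSM shipment itself (it is the reference the recovery check depends on), and treat a non-matching result as a tamper event rather than retrying.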