Installing and Configuring Your New Luna Network HSM 7

This page will guide you through key concepts and procedures required to set up and begin using your new Luna Network HSM 7, including hardware installation, network setup, HSM initialization, client setup, and partition provisioning. These procedures are divided into operations at the level of the appliance, the HSM, the partition/client, and the cluster.

Appliance Operations

HSM/Cryptographic Module Operations

Partition/Client Operations

Cluster Operations

Appliance Operations

This series of procedures will help you install, set up, and configure the appliance for network access.

1. Luna Network HSM 7 Hardware Installation

This section describes how to verify that your HSM has remained secure while in transit, confirm that you have received all required items, mount the appliance in a standard equipment rack, and install the appliance.

a. Verifying the Integrity of Your Shipment

b. Luna Network HSM 7 Required Items

c. Rack-Mounting the Luna Network HSM 7

d. Installing the Luna Network HSM 7 Hardware

Refer also to Appliance Hardware Functions for important information about the Luna Network HSM 7 hardware.

2. Configuring the Luna Network HSM 7 for Your Network

The procedures in this section describe how to power up the appliance, open a serial connection, and configure the system and network settings using the Luna Shell (LunaSH).

a. Powering Up the Appliance

b. Opening a Serial Connection

c. Logging In to LunaSH

d. Configuring IP and Network Parameters

e. Making Your Network Connection

f. Setting the System Date and Time

g. Generating the Luna Network HSM 7 Server Certificate

3. Appliance Users and Roles

The security of an HSM and its cryptographic contents depends on well-controlled access to that HSM. This section provides important information about users and roles, how to enable the default accounts on the appliance, and how to create custom roles and user accounts to delegate responsibilities appropriately to the people in your organization.

4. System Logging

Keeping complete and accurate logs is a critical part of your security strategy. This section describes how to set up system logging, configure an optional remote server to gather your system logs, and manage log files on the appliance.

a. Configuring System Logging

b. Remote System Logging

HSM/Cryptographic Module Operations

This series of procedures will help you to install required peripherals such as a Luna PED, initialize the cryptographic module housed inside the HSM appliance, and configure it for the needs of your organization by creating application partitions on the HSM.

5. Multifactor Quorum Authentication

If you purchased an S-series Luna Network HSM 7, your HSM uses multifactor quorum authentication via the Luna PIN Entry Device (Luna PED). Multifactor quorum authentication credentials are stored on USB PED keys that must be presented to authenticate the identities of HSM users. This section describes how to set up the Luna PED in a local or remote configuration, which will allow you to initialize the HSM. This section also contains important information on creating, managing, and using multifactor quorum authentication, which you should be familiar with before initialization.

a. Luna PED Received Items

b. Local PED Setup

c. About Remote PED

6. Secure Transport Mode

Your Luna Network HSM 7 was shipped in Secure Transport Mode (STM), to provide assurance that the HSM has not been modified while in transit. This section describes how STM works. You must recover the HSM from STM before you can configure it for your use.

7. Audit Logging

Each event that occurs on the HSM can be recorded in the HSM event log, allowing you to audit your HSM usage. These logs are controlled by a specialized Auditor role on the HSM and in LunaSH. To ensure that your audit logs cover the HSM's entire span of use, your appointed Auditor should set up audit logging before you initialize the HSM. This section describes how to initialize the Auditor role and configure audit logging.

a. Configuring and Using Audit Logging

b. Remote Audit Logging

8. Initializing the HSM

Initialization prepares a new HSM for use, and creates the HSM Security Officer role. You must initialize the HSM before you can generate or store objects, allow clients to connect, or perform cryptographic operations.

NOTE   If you prefer to set your HSM Policies using a template, refer to Setting HSM Policies Using a Template before initializing the HSM.

9. HSM Capabilities and Policies

The HSM SO can set policies on the HSM to configure its functionality. This section describes all the configurable policies on the HSM and how to change them to suit the cryptographic needs of your organization.

Setting HSM Policies Manually

10. Application Partitions

Next, the HSM SO must create one or more application partitions, where cryptographic objects are stored. Partitions can be assigned to authorized client workstations that run your cryptographic applications. This section describes how to create and customize partitions on the HSM.

Creating or Deleting an Application Partition

Partition/Client Operations

This series of procedures will help you install the Luna HSM Client software, access an application partition on the HSM, and configure the partition for use with your cryptographic applications.

11. Luna HSM Client Software Installation

To use application partitions on the Luna Network HSM 7, you must first install Luna HSM Client on the client system. This section guides you through the client software installation procedure for your supported operating system, and provides information on configuring the client software for your organization's needs.

Windows Interactive Luna HSM Client Installation

Linux Luna HSM Client Installation

AIX Luna HSM Client Installation

Solaris Luna HSM Client Installation

12. Client-Partition Connections

To allow clients to perform cryptographic operations, you must first give them access to an application partition on the HSM. This section describes how to configure the different types of secure client-partition connections.

Network Trust Link Service

a. Creating an NTLS Connection Using Self-Signed Certificates

b. Assigning or Revoking NTLS Client Access to a Partition

Secure Trusted Channel

Creating an STC Connection

REST/XTC Link to a Luna Cloud HSM Service

Adding a Luna Cloud HSM Service

13. Key Cloning

The Luna Network HSM 7 uses a protocol called cloning to ensure that your cryptographic objects are always stored safely within the confines of a Luna HSM. This section contains important information about how cloning works using specialized cryptographic secrets called domains. Each partition is initialized with a cloning domain that ensures that its objects can be cloned only to another partition sharing that domain. This is necessary for the partition to operate in a High-Availability group or perform backups. This section will help you plan a cloning domain configuration that works for your organization's deployment strategy.

Domain Planning

14. Initializing an Application Partition

Initializing the partition creates the Partition Security Officer role and sets the partition's cloning domain.

NOTE   If you prefer to set your partition policies using a template, refer to Setting Partition Policies Using a Template before initializing the partition.

15. Partition Capabilities and Policies

The Partition SO can set policies on the partition to configure its functionality. This section describes all the configurable policies on the partition and how to change them based on the desired functionality of your cryptographic applications.

Setting Partition Policies Manually

16. Partition Roles

While the Partition SO administers the partition by defining what functions are permitted, access to the objects on a partition is controlled by the read-write Crypto Officer (CO) and the read-only Crypto User (CU) roles. This section describes all the partition roles, and how to initialize and manage them.

a. Initializing the Crypto Officer Role

b. Changing a Partition Role Credential

c. Initializing the Crypto User Role

d. Activation on Multifactor Quorum-Authenticated Partitions

17. Verifying HSM Authenticity or Key Attestation

In cases where the partition has been assigned to the client over an unsecured network or by a third-party HSM SO, Luna Network HSM 7 provides a method for verifying that the partition is located on a genuine Luna HSM. This section describes the verification process.

18. Migrating Keys to Your New HSM

This section provides guidance on how to migrate cryptographic objects from a version 5/6 Luna HSM to your new Luna Network HSM 7 partition.

Luna Network HSM 5.x/6.x to Luna Network HSM 7

Luna USB HSM 6.x to Luna Network HSM 7

Luna PCIe HSM 5.x/6.x to Luna Network HSM 7

Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum

Moving from Pre-7.7.0 to Firmware 7.7.0 or Newer

Cluster Operations

This series of procedures will help you install the cluster secure package, configure a Luna Network HSM 7 appliance to use a cluster, add additional members to the cluster, and manage and use keyrings. Refer to Clusters for more information.

NOTE   Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

19. Installing and Configuring the Cluster Package

This section describes how to install the lnh_cluster secure package, configure the Luna Network HSM 7 either to create a new cluster on the appliance or to join the appliance to an existing cluster, and prepare Luna HSM Clients to use keyring objects for cryptographic operations.

20. Managing Cluster Members

These procedures allow you to create a new cluster on the Luna Network HSM 7 appliance, add members to or remove members from an existing cluster, customize load-balancing affinity groups, and promote your preferred member to primary status on the cluster. You can operate the appliance as a cluster of one, or add up to three other members.

a. Creating a Cluster

b. Adding a New Member to an Existing Cluster

c. Moving a Member to a Different Affinity Group

d. Promoting a Member to Primary

21. Cluster-Client Connections

This section provides instructions for accessing clusters and keyrings from Luna HSM Client.

22. Managing Keyrings

These procedures guide you through creating keyrings on your new cluster and configuring them for use by your Luna HSM Clients.

a. Creating New Keyrings

b. Configuring Keyring Roles