Configuring STC Identities and Settings

Depending on your organization's security needs, you may need to customize some aspects of your Secure Trusted Channel (STC) connections. This can include encryption levels for message verification, request timeouts, periodic replacement of client identities, and more. Luna Network HSM 7 provides configurable options for customizing your STC connections.

>Configuring STC Settings

>Configuring STC Tokens and Identities

Configuring STC Settings

STC provides configurable options that define the network settings for an STC link and the security settings for the messages transmitted over that link. The default values are chosen to balance security and performance; you can override them if your requirements differ.

>Link Activation Timeout

>Message Encryption

>Message Integrity Verification

>Rekey Threshold

For client-partition STC links, these options are set individually for each partition. Using Luna Appliance Software 7.4.0 and earlier, they can be set by the HSM SO (using LunaSH) before the STC connection is established, or by the Partition SO (using LunaCM) after the STC partition is initialized. Using Luna Appliance Software 7.7.0 and newer, only the Partition SO can configure STC options, after the partition is initialized.

For the STC admin channel, the configuration applies to all communications between the HSM and local services on the appliance, such as LunaSH and NTLS. The STC admin channel options are set by the HSM SO.

NOTE   The STC admin channel is configurable using Luna Appliance Software 7.4.0 and older, and Luna HSM Firmware 7.4.2 and older. This feature is not available in Luna HSM Firmware 7.7.0 and newer.

Link Activation Timeout

The activation timeout is the maximum time allowed to establish the STC link before the channel request is dropped. You can use the following commands to specify the activation timeout for STC links to this partition.

STC admin channel (HSM SO, Luna HSM Firmware 7.4.2 and earlier)

lunash:> hsm stc activationTimeOut show

lunash:> hsm stc activationTimeOut set -time <seconds>

Uninitialized STC Partition (HSM SO, Luna HSM Firmware 7.4.2 and earlier)

lunash:> stc activationTimeOut show

lunash:> stc activationTimeOut set -partition <partition> -time <seconds>

Initialized STC Partition (Partition SO)

lunacm:> stcconfig activationtimeoutshow

lunacm:> stcconfig activationtimeoutset -time <seconds>

Message Encryption

By default, all messages traversing an STC link are encrypted. You can use the following commands to specify the level of encryption used (AES 128, AES 192, or AES 256) on all STC links to a partition, or to disable encryption on all STC links to a partition.

STC admin channel (HSM SO, Luna HSM Firmware 7.4.2 and earlier)

lunash:> hsm stc cipher show

lunash:> hsm stc cipher enable {-all | -id <cipher_id>}

lunash:> hsm stc cipher disable {-all | -id <cipher_id>}

Uninitialized STC Partition (HSM SO, Luna HSM Firmware 7.4.2 and earlier)

lunash:> stc cipher show

lunash:> stc cipher enable -partition <partition_name> {-all | -id <cipher_id>}

lunash:> stc cipher disable -partition <partition_name> {-all | -id <cipher_id>}

Initialized STC Partition (Partition SO)

lunacm:> stcconfig ciphershow

lunacm:> stcconfig cipherenable {-id <cipher_ID> | -all}

lunacm:> stcconfig cipherdisable {-id <cipher_ID> | -all}

Message Integrity Verification

By default, the integrity of all messages traversing an STC link is verified using an HMAC message digest algorithm. You can use the following commands to specify the algorithm used (HMAC with SHA 256, or HMAC with SHA 512).

STC admin channel (HSM SO, Luna HSM Firmware 7.4.2 and earlier)

lunash:> hsm stc hmac show

lunash:> hsm stc hmac enable -id <hmac_ID>

lunash:> hsm stc hmac disable -id <hmac_ID>

Uninitialized STC Partition (HSM SO, Luna HSM Firmware 7.4.2 and earlier)

lunash:> stc hmac show

lunash:> stc hmac enable -partition <partition_name> -id <hmac_ID>

lunash:> stc hmac disable -partition <partition_name> -id <hmac_ID>

Initialized STC Partition (Partition SO)

lunacm:> stcconfig hmacshow

lunacm:> stcconfig hmacenable -id <hmac_ID>

lunacm:> stcconfig hmacdisable -id <hmac_ID>

Rekey Threshold

The session keys and encryption keys created when an STC tunnel is established are automatically regenerated after the number of messages specified by the rekey threshold have traversed the link. You can use the following commands to specify the key life for the session and encryption keys used on all STC links to a partition. Specify the <threshold> value in millions of messages.

STC admin channel (HSM SO)

lunash:> hsm stc rekeyThreshold show

lunash:> hsm stc rekeyThreshold set -value <threshold>

Uninitialized STC Partition (HSM SO)

lunash:> stc rekeyThreshold show

lunash:> stc rekeyThreshold set -partition <partition_name> -value <threshold>

Initialized STC Partition (Partition SO)

lunacm:> stcconfig rekeythresholdshow

lunacm:> stcconfig rekeythresholdset -value <threshold>
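The Message Integrity Verification and Rekey Threshold settings above both act on every message crossing the link. The following Python model is an added illustration, not code from the Luna documentation or the STC implementation: it shows the HMAC algorithm choice (SHA 256 or SHA 512) and a message-count rekey threshold that both endpoints track independently. The shared secret, the per-epoch key derivation, and the scaled-down messages_per_unit used for demonstration are assumptions of the model.

```python
"""Simplified model of two STC link settings described on this page: the
message integrity algorithm (HMAC with SHA 256 or SHA 512) and the rekey
threshold (session keys regenerated after a number of messages, with the
<threshold> value given in millions). Constructed illustration only; the
shared secret and the key-derivation step are not the Luna STC protocol."""
import hashlib
import hmac

HMAC_ALGS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
MESSAGES_PER_UNIT = 1_000_000  # <threshold> is expressed in millions of messages


class StcEndpoint:
    """One end of a modelled link. Both endpoints count messages, so each can
    derive the session key for the current rekey epoch without signalling."""

    def __init__(self, shared_secret, hmac_id="SHA256", rekey_threshold=1,
                 messages_per_unit=MESSAGES_PER_UNIT):
        if hmac_id not in HMAC_ALGS:
            raise ValueError(f"unsupported HMAC algorithm: {hmac_id}")
        self.digest = HMAC_ALGS[hmac_id]
        self.shared_secret = shared_secret
        self.rekey_after = rekey_threshold * messages_per_unit
        self.count = 0  # messages processed on this side of the link

    def current_epoch(self):
        return self.count // self.rekey_after

    def current_session_key(self):
        # Assumed derivation: a fresh key per epoch, so the key "regenerates"
        # once rekey_after messages have traversed the link.
        epoch = self.current_epoch().to_bytes(8, "big")
        return hmac.new(self.shared_secret, epoch, hashlib.sha256).digest()

    def protect(self, payload):
        """Append the integrity tag computed under the current epoch's key."""
        tag = hmac.new(self.current_session_key(), payload, self.digest).digest()
        self.count += 1
        return payload + tag

    def verify(self, message):
        """Return the payload if its tag verifies; raise on any tampering.
        The counter advances only for accepted messages, keeping both ends in step."""
        size = self.digest().digest_size
        payload, tag = message[:-size], message[-size:]
        expected = hmac.new(self.current_session_key(), payload, self.digest).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("STC message integrity check failed")
        self.count += 1
        return payload
```

With a threshold of 1 and the real MESSAGES_PER_UNIT, the key changes every million messages; the small messages_per_unit in a test makes the rotation visible after a handful of messages.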

Configuring STC Tokens and Identities

Each Luna HSM Client and partition that serves as an STC endpoint (including the HSM SO partition and the appliance operating system) has a unique identity, defined by a 2048-bit RSA asymmetric public/private key pair. The STC identity key pair is stored in the STC token associated with the client or partition (or the appliance or HSM). Before STC can create secure tunnels, trust must be established through the exchange of public keys.

Partition and HSM tokens and identities are created automatically and cannot be recreated. Client tokens and identities are created manually using LunaCM. The appliance token and identity are created automatically but can be recreated if necessary using LunaSH.

Under normal operating conditions, you should not need to recreate the STC tokens or identities. If you have operational or security reasons to do so, use the following commands:

Client Tokens and Identities

Use the following LunaCM commands:

Command                    Description
stc identitycreate         Create a client identity on the STC client token.
stc identitydelete         Delete a client identity from the STC identity token.
stc identityexport         Export the STC client identity to a file.
stc identityshow           Display the client name, public key hash, and registered partitions for the STC client token.
stc partitionderegister    Remove a partition identity from the STC client token.
stc partitionregister      Register a partition to the STC client token.
stc tokeninit              Initialize a client token.
stc tokenlist              List the available STC client identity tokens.

STC Admin Channel Appliance Identity

NOTE   The STC admin channel is configurable using Luna Appliance Software 7.4.0 and older, and Luna HSM Firmware 7.4.2 and older. This feature is not available in Luna HSM Firmware 7.7.0 and newer.

To ensure the integrity of existing STC connections, many of the following commands cannot be used when HSM policy 39: Allow Secure Trusted Channel is on. You must disable HSM policy 39 before recreating the admin channel identity.

Use the following LunaSH commands:

Command                                  Description
hsm stc identity create                  Create an STC client identity for the STC admin channel.
hsm stc identity delete                  Delete the STC admin channel client identity.
hsm stc identity initialize              Initialize the STC admin channel client token.
hsm stc identity partition deregister    Remove the HSM SO partition identity public key that is currently registered with the STC admin channel client token.
hsm stc identity partition register      Register the HSM SO partition identity public key with the STC admin channel client token.
hsm stc identity show                    Display the name, public key hash, and registered partitions for the STC admin channel client token.