Configuring STC Identities and Settings
Depending on your organization's security needs, you may need to customize some aspects of your Secure Trusted Channel (STC) connections. This can include encryption levels for message verification, request timeouts, periodic replacement of client identities, and more. Luna Network HSM 7 provides configurable options for customizing your STC connections.
Configuring STC Settings
STC provides configurable options that define the network settings for an STC link and the security settings for the messages transmitted over that link. The default values are chosen to balance security and performance, but you can override them if your requirements differ.
For client-partition STC links, these options are set individually for each partition. Using Luna Appliance Software 7.4.0 and earlier, they can be set by the HSM SO (using LunaSH) before the STC connection is established, or by the Partition SO (using LunaCM) after the STC partition is initialized. Using Luna Appliance Software 7.7.0 and newer, only the Partition SO can configure STC options, after the partition is initialized.
For the STC admin channel, the configuration applies to all communications between the HSM and local services on the appliance, such as LunaSH and NTLS. The STC admin channel options are set by the HSM SO.
NOTE The STC admin channel is configurable using Luna Appliance Software 7.4.0 and older, and Luna HSM Firmware 7.4.2 and older. This feature is not available in Luna HSM Firmware 7.7.0 and newer.
Link Activation Timeout
The activation timeout is the maximum time allowed to establish the STC link before the channel request is dropped. You can use the following commands to specify the activation timeout for STC links to this partition.
STC admin channel (HSM SO, Luna HSM Firmware 7.4.2 and earlier)
lunash:> hsm stc activationTimeOut show
lunash:> hsm stc activationTimeOut set -time <seconds>
Uninitialized STC Partition (HSM SO, Luna HSM Firmware 7.4.2 and earlier)
lunash:> stc activationTimeOut show
lunash:> stc activationTimeOut set -partition <partition> -time <seconds>
Initialized STC Partition (Partition SO)
lunacm:> stcconfig activationtimeoutshow
lunacm:> stcconfig activationtimeoutset -time <seconds>
Message Encryption
By default, all messages traversing an STC link are encrypted. You can use the following commands to specify the level of encryption used (AES 128, AES 192, or AES 256) on all STC links to a partition, or to disable encryption on all STC links to a partition.
STC admin channel (HSM SO, Luna HSM Firmware 7.4.2 and earlier)
lunash:> hsm stc cipher show
lunash:> hsm stc cipher enable {-all | -id <cipher_id>}
lunash:> hsm stc cipher disable {-all | -id <cipher_id>}
Uninitialized STC Partition (HSM SO, Luna HSM Firmware 7.4.2 and earlier)
lunash:> stc cipher show
lunash:> stc cipher enable -partition <partition_name> {-all | -id <cipher_id>}
lunash:> stc cipher disable -partition <partition_name> {-all | -id <cipher_id>}
Initialized STC Partition (Partition SO)
lunacm:> stcconfig ciphershow
lunacm:> stcconfig cipherenable {-id <cipher_ID> | -all}
lunacm:> stcconfig cipherdisable {-id <cipher_ID> | -all}
Message Integrity Verification
By default, the integrity of all messages traversing an STC link is verified using an HMAC message digest algorithm. You can use the following commands to specify the algorithm used (HMAC with SHA 256, or HMAC with SHA 512).
STC admin channel (HSM SO, Luna HSM Firmware 7.4.2 and earlier)
lunash:> hsm stc hmac show
lunash:> hsm stc hmac enable -id <hmac_ID>
lunash:> hsm stc hmac disable -id <hmac_ID>
Uninitialized STC Partition (HSM SO, Luna HSM Firmware 7.4.2 and earlier)
lunash:> stc hmac show
lunash:> stc hmac enable -partition <partition_name> -id <hmac_ID>
lunash:> stc hmac disable -partition <partition_name> -id <hmac_ID>
Initialized STC Partition (Partition SO)
lunacm:> stcconfig hmacshow
lunacm:> stcconfig hmacenable -id <hmac_ID>
lunacm:> stcconfig hmacdisable -id <hmac_ID>
Rekey Threshold
The session keys and encryption keys created when an STC tunnel is established are automatically regenerated after the number of messages specified by the rekey threshold have traversed the link. You can use the following commands to specify the key life for the session and encryption keys used on all STC links to a partition. Specify the <threshold> value in millions of messages.
STC admin channel (HSM SO)
lunash:> hsm stc rekeyThreshold show
lunash:> hsm stc rekeyThreshold set -value <threshold>
Uninitialized STC Partition (HSM SO)
lunash:> stc rekeyThreshold show
lunash:> stc rekeyThreshold set -partition <partition_name> -value <threshold>
Initialized STC Partition (Partition SO)
lunacm:> stcconfig rekeythresholdshow
lunacm:> stcconfig rekeythresholdset -value <threshold>
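The integrity-verification and rekey settings above are easier to reason about with a small model. The following Python is an added, simplified illustration written for this page; it is not the Luna STC protocol or any Thales code, and the message layout, the HMAC-based key ratchet and all names (`ToyLink`, `demo`) are assumptions. It shows what choosing HMAC-SHA256 versus HMAC-SHA512 changes on the wire (the tag length), how a tampered message is rejected by a constant-time tag comparison, and how a message-count threshold makes both ends of a link replace their session key in step.

```python
"""Toy model of two STC-style link settings: HMAC message integrity
(HMAC-SHA256 or HMAC-SHA512) and a message-count rekey threshold.

Illustrative code written for this page. It is NOT the Luna STC protocol
or Thales code; the wire layout, the key ratchet and the names are assumptions.
"""
import hashlib
import hmac
import secrets

# Algorithm choices mirroring the two integrity options the page describes.
HMAC_ALGS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


class IntegrityError(Exception):
    """Raised when a received message fails verification."""


class ToyLink:
    """One endpoint of an integrity-protected link (assumed design).

    Wire format: 8-byte big-endian sequence number || payload || HMAC tag,
    where tag = HMAC(key, seq || payload). After every `rekey_threshold`
    messages the session key is replaced by one derived from the old key,
    so both ends rekey at the same sequence number without extra messages.
    """

    def __init__(self, session_key: bytes, hmac_alg: str = "sha256",
                 rekey_threshold: int = 1_000_000):
        if hmac_alg not in HMAC_ALGS:
            raise ValueError(f"unsupported HMAC algorithm: {hmac_alg}")
        if rekey_threshold < 1:
            raise ValueError("rekey threshold must be at least 1")
        self.digestmod = HMAC_ALGS[hmac_alg]
        self.key = session_key
        self.rekey_threshold = rekey_threshold
        self.seq = 0          # next sequence number expected / to be sent
        self.rekeys = 0       # how many times the key has been replaced

    def _tag(self, seq: int, payload: bytes) -> bytes:
        return hmac.new(self.key, seq.to_bytes(8, "big") + payload,
                        self.digestmod).digest()

    def _maybe_rekey(self) -> None:
        # Called after each message; seq is therefore >= 1 here.
        if self.seq % self.rekey_threshold == 0:
            # Assumed ratchet step: next key = HMAC(old key, label || counter).
            label = b"rekey" + self.rekeys.to_bytes(4, "big")
            self.key = hmac.new(self.key, label, hashlib.sha256).digest()
            self.rekeys += 1

    def send(self, payload: bytes) -> bytes:
        """Return the protected wire message for `payload`."""
        wire = self.seq.to_bytes(8, "big") + payload + self._tag(self.seq, payload)
        self.seq += 1
        self._maybe_rekey()
        return wire

    def receive(self, wire: bytes) -> bytes:
        """Verify a wire message and return its payload, or raise IntegrityError."""
        tag_len = self.digestmod().digest_size
        if len(wire) < 8 + tag_len:
            raise IntegrityError("message too short")
        seq = int.from_bytes(wire[:8], "big")
        payload, tag = wire[8:-tag_len], wire[-tag_len:]
        if seq != self.seq:
            raise IntegrityError(f"unexpected sequence {seq}, expected {self.seq}")
        # Constant-time comparison: the check must not leak where the tag differs.
        if not hmac.compare_digest(self._tag(seq, payload), tag):
            raise IntegrityError("HMAC verification failed")
        self.seq += 1
        self._maybe_rekey()
        return payload


def demo(hmac_alg: str, rekey_threshold: int, n_messages: int) -> dict:
    """Run a constructed exchange and report what the settings produced."""
    key = secrets.token_bytes(32)  # constructed shared session key
    sender, receiver = ToyLink(key, hmac_alg, rekey_threshold), ToyLink(key, hmac_alg, rekey_threshold)
    for i in range(n_messages):
        msg = f"constructed message {i}".encode()
        if receiver.receive(sender.send(msg)) != msg:
            raise RuntimeError("payload mismatch")
    keys_in_sync = sender.key == receiver.key   # both ends rekeyed at the same points
    wire = bytearray(sender.send(b"constructed payload"))
    wire[8] ^= 0x01                             # flip one payload bit in transit
    try:
        receiver.receive(bytes(wire))
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return {"tag_bytes": sender.digestmod().digest_size, "rekeys": receiver.rekeys,
            "keys_in_sync": keys_in_sync, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo("sha256", rekey_threshold=3, n_messages=7))
    print(demo("sha512", rekey_threshold=1_000_000, n_messages=5))
```

With a threshold of 3 and 7 messages the key is replaced twice on each side and the two ends stay in sync; switching to SHA-512 doubles the tag from 32 to 64 bytes per message, which is the bandwidth cost of the stronger digest. The product's real threshold is expressed in millions of messages, so the small value here is only to make the rekey visible.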
Configuring STC Tokens and Identities
Each Luna HSM Client and partition that serves as an STC endpoint (including the HSM SO partition and the appliance operating system) has a unique identity, defined by a 2048-bit RSA asymmetric public/private key pair. The STC identity key pair is stored in the STC token associated with the client or partition (or the appliance or HSM). Before STC can create secure tunnels, trust must be established through the exchange of public keys.
Partition and HSM tokens and identities are created automatically and cannot be recreated. Client tokens and identities are created manually using LunaCM. The appliance token and identity are created automatically but can be recreated if necessary using LunaSH.
Under normal operating conditions, you should not need to recreate the STC tokens or identities. If you have operational or security reasons to do so, use the following commands:
Client Tokens and Identities
Use the following LunaCM commands:
Command | Description |
---|---|
stc identitycreate | Create a client identity on the STC client token. |
stc identitydelete | Delete a client identity from the STC identity token. |
stc identityexport | Export the STC client identity to a file. |
stc identityshow | Display the client name, public key hash, and registered partitions for the STC client token. |
stc partitionderegister | Remove a partition identity from the STC client token. |
stc partitionregister | Register a partition to the STC client token. |
stc tokeninit | Initialize a client token. |
stc tokenlist | List the available STC client identity tokens. |
STC Admin Channel Appliance Identity
NOTE The STC admin channel is configurable using Luna Appliance Software 7.4.0 and older, and Luna HSM Firmware 7.4.2 and older. This feature is not available in Luna HSM Firmware 7.7.0 and newer.
To ensure the integrity of existing STC connections, many of the following commands cannot be used when HSM policy 39: Allow Secure Trusted Channel is on. You must disable HSM policy 39 before recreating the admin channel identity.
Use the following LunaSH commands:
Command | Description |
---|---|
hsm stc identity create | Create an STC client identity for the STC admin channel. |
hsm stc identity delete | Delete the STC admin channel client identity. |
hsm stc identity initialize | Initialize the STC admin channel client token. |
hsm stc identity partition deregister | Remove the HSM SO partition identity public key that is currently registered with the STC admin channel client token. |
hsm stc identity partition register | Register the HSM SO partition identity public key with the STC admin channel client token. |
hsm stc identity show | Display the name, public key hash, and registered partitions for the STC admin channel client token. |