stm transport

Place the HSM in Secure Transport Mode (STM).

You must be logged in as HSM SO to invoke Secure Transport Mode.

> For multifactor quorum-authenticated HSMs, the blue HSM SO PED key is required.

> For password authentication, have the HSM SO password ready.

NOTE   The stm commands appear only when LunaCM's active slot is set to the administrative partition on a Luna PCIe HSM 7, Luna USB HSM, or Luna Backup HSM 7. On Luna Backup HSM G5s, Secure Transport Mode is implemented using a secure recovery key (SRK). See About Luna Backup HSM G5 Secure Transport and Tamper Recovery and lunacm:> srk for more information. To access the STM feature on Luna Network HSM 7, use lunash:> hsm stm.

When you enter this command, two strings are displayed: a verification string and a random user string. Record both so that you can later confirm the HSM was not tampered with while in STM. When you recover from STM, enter the random user string and compare the generated verification string to the one you originally recorded. If the strings match, the HSM has not been tampered with while in STM (see stm recover).

CAUTION!   Before issuing a command for a multifactor quorum-authenticated HSM to enter Secure Transport Mode, ensure that all roles for the HSM are deactivated, using role deactivate with each role name.

For Luna Network HSM 7s, deactivate roles for all partitions from LunaCM on a connected client, then use the lunash commands hsm stm transport and hsm stm recover to invoke and recover from STM.

Failure to deactivate roles first can result in a mismatch when the generated strings are later compared during Secure Transport Mode recovery.

Syntax

stm transport

Example

lunacm:>stm transport

        You are about to configure the HSM in STM.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Configuring the HSM for transport (may take a few seconds)...

        HSM was successfully configured for transport.

        Please record the displayed verification & random user strings.
        These are required to recover from Secure Transport Mode.


        Verification String: SL7P-GWtA-JFKt-psCH

        Random User  String: Gxbx-dXFM-x4bW-bMWN

Command Result : No Error
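
The record-and-compare step described above, as an added example that is not part of the original page or vendor code: a Python parser for captured stm transport output that extracts both strings and checks the verification string shown at recovery against the recorded one. The four-groups-of-four string format is an assumption inferred from the sample output on this page, and all function names are hypothetical.

```python
import hmac
import re
from typing import NamedTuple

# Assumption: each string is four dash-separated groups of four
# alphanumeric characters, as in the sample output on this page.
_STRING = r"[A-Za-z0-9]{4}(?:-[A-Za-z0-9]{4}){3}"
_VERIFICATION = re.compile(r"Verification\s+String:\s*(" + _STRING + r")\s*$", re.M)
_RANDOM_USER = re.compile(r"Random\s+User\s+String:\s*(" + _STRING + r")\s*$", re.M)


class StmRecord(NamedTuple):
    verification: str
    random_user: str


def parse_stm_transport(output: str) -> StmRecord:
    """Extract both strings from captured 'stm transport' output.

    Fails closed: anything other than one success line and exactly one
    well-formed string of each kind raises ValueError.
    """
    if "Command Result : No Error" not in output:
        raise ValueError("stm transport did not report success")
    verification = _VERIFICATION.findall(output)
    random_user = _RANDOM_USER.findall(output)
    if len(verification) != 1 or len(random_user) != 1:
        raise ValueError("expected exactly one verification and one random user string")
    return StmRecord(verification[0], random_user[0])


def strings_match(record: StmRecord, shown_at_recovery: str) -> bool:
    """Exact comparison of the recorded verification string with the one
    displayed at recovery. Case is significant, so only surrounding
    whitespace is stripped before comparing."""
    return hmac.compare_digest(record.verification.encode(),
                               shown_at_recovery.strip().encode())


# Constructed sample: an excerpt of the example output shown on this page.
SAMPLE = """\
        HSM was successfully configured for transport.

        Verification String: SL7P-GWtA-JFKt-psCH

        Random User  String: Gxbx-dXFM-x4bW-bMWN

Command Result : No Error
"""
```

A False result from strings_match means the HSM should be treated as possibly tampered with, or that roles were not deactivated before entering STM, as the caution above describes.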