Managing the Luna Backup HSM 7

This section contains the following procedures for maintaining and using the Luna Backup HSM 7:

>Recovering the Luna Backup HSM 7 from Secure Transport Mode

>Configuring the Luna Backup HSM 7 for FIPS Compliance

>Updating the Luna Backup HSM 7 Firmware

>Rolling Back the Luna Backup HSM 7 Firmware

Recovering the Luna Backup HSM 7 from Secure Transport Mode

The Luna Backup HSM 7 is shipped in Secure Transport Mode (STM). STM provides a logical check on the firmware and critical security parameters (such as configuration, keys, policies, roles, etc.) so that the authorized recipient can determine if these have been altered while the HSM was in transit.

NOTE   This procedure requires connection to a client machine with Luna HSM Client 10.1.0 or newer installed. This operation is not possible while the Backup HSM is connected to the Luna Network HSM 7 appliance.

To recover the Luna Backup HSM 7 from STM

1.Connect the Luna Backup HSM 7 to a USB port on a Luna HSM Client workstation with the Backup option installed (refer to Luna HSM Client Software Installation for your client operating system).

2.Launch LunaCM on the client workstation.

3. Select the slot assigned to the Luna Backup HSM 7 Admin partition.

lunacm:> slot set -slot <slot_id>

4.Recover the HSM from Secure Transport Mode. See Secure Transport Mode for more information about the Random User String:

lunacm:> stm recover -randomuserstring <string>

NOTE   Recovering a Luna Backup HSM 7 from STM may take up to three minutes.

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION!   FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1.On the Luna HSM Client computer, run LunaCM.

2.Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3.Log in as Backup HSM SO.

lunacm:> role login -name so

4.Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5.[Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Updating the Luna Backup HSM 7 Firmware

To update the Luna Backup HSM 7, download the desired firmware version from the Thales Support Portal.

Use the following procedure to update the Luna Backup HSM 7 firmware using LunaCM. The Backup HSM SO must complete this procedure.

NOTE   This functionality requires minimum Luna HSM Client 10.3.0.

Prerequisites

>Luna Backup HSM 7 firmware update file (<filename>.fuf)

>firmware update authentication code file (<filename>.txt)

>If you have backups currently stored on the Backup HSM, they must take up less than 60% of storage capacity, or the firmware upgrade will not proceed.

NOTE   If you are updating from Luna Backup HSM 7 Firmware 7.3.2, objects and partitions must be re-sized to include additional object overhead associated with the new V1 partitions - this action is automatic (see V0 and V1 Partitions). This conversion can take a long times, depending on the number of objects stored on the Backup HSM (a few minutes to several hours). Ensure that you can leave the update operation uninterrupted for this amount of time. Do not interrupt the procedure even if the operation appears to have stalled.

To update the Luna Backup HSM 7 firmware using LunaCM

1.Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the Luna HSM Client root directory.

Windows: C:\Program Files\SafeNet\LunaClient

Linux: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

NOTE   On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.

2.Launch LunaCM.

3.If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.

lunacm:> slot set -slot <slot_number>

4.[Multifactor Quorum-Authenticated]

If you are updating a Luna Backup HSM 7 v2, you will insert PED keys directly into the Backup HSM; skip to step 5.

If you are updating a Luna Backup HSM 7 v1, connect to the Remote PED server.

lunacm:> ped connect [-ip <IP_address>] [-port <port#>]

5.Log in as HSM SO.

lunacm:> role login -name so

6.Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the Luna HSM Client root directory, specify the full filepaths.

lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt

The previous version of the firmware is stored in reserve on the HSM. To restore the previous firmware version, see Rolling Back the Luna Backup HSM 7 Firmware.

Rolling Back the Luna Backup HSM 7 Firmware

When you update the Luna Backup HSM 7 firmware, the previous version of the firmware is stored in reserve on the HSM. If required, you can use the following procedure to roll back the HSM firmware to the previous version.

CAUTION!   Firmware rollback is destructive; earlier firmware versions might have older mechanisms and security vulnerabilities that a new version does not. Ensure that you do not have any important backups stored on the HSM before you proceed. This procedure zeroizes the HSM and all backups are erased.

Prerequisites

>Connect theLuna Backup HSM 7 to a Luna HSM Client workstation.

To roll back the Luna Backup HSM 7 firmware to the previous version

1.At the LunaCM prompt, set the active slot to the Backup HSM.

lunacm:> slot set -slot <slot_number>

2.Check the previous firmware version that is available on the HSM.

lunacm:> hsm showinfo

3.[Multifactor Quorum-Authenticated]

If you are rolling back a Luna Backup HSM 7 v2, you can insert PED keys directly into the Backup HSM; skip to step 5.

If you are rolling back a Luna Backup HSM 7 v1, connect to the Remote PED server.

lunacm:> ped connect [-ip <IP_address>] [-port <port#>]

4.Log in as HSM SO.

lunacm:> role login -name so

5.Roll back the Backup HSM firmware.

lunacm:> hsm rollbackfw