Replacing the Luna PCIe HSM 7 Battery
The Luna PCIe HSM 7 uses a 3.6 V non-rechargeable lithium battery to provide backup power to its memory. This enables the HSM to preserve cryptographic material even when the host system loses power. The battery may need replacement over the course of the HSM's lifetime. To see if your battery needs to be replaced, run hsm envshow in LunaCM.
The original battery, when installed in the Luna PCIe HSM 7, produced 3.6 V. A voltage regulator on the HSM card adjusts that voltage lower to be suitable for the tamper circuit. LunaCM reports the regulated voltage value. A warning is returned if the battery's regulated voltage drops below 2.75 V. When the battery falls below 2.5 V, the HSM is tampered and you must replace the battery before operations can resume. If Policy 48: Do Controlled Tamper Recovery is enabled, you cannot run the hsm tamperclear LunaCM command unless the battery is replaced. For more information about recovery after a tamper event, refer to Recovering from a Tamper Event. If the battery is not replaced, all key material will eventually be lost when the on-board RAM loses power and cannot maintain its memory.
CAUTION! Unless temporary battery power is supplied to the HSM while the main battery is replaced, all cryptographic material will be erased. Use the Luna PCIe HSM 7 Temporary Battery Holder to ensure a continuous power supply.
Required Items
To replace the battery, you will need the following items. The battery manufacturers listed are suggestions.
CAUTION! You must use the temporary battery specified. Standard AA voltage is too low to power the Luna PCIe HSM 7.
Qty | Item | Description/Specifications | Manufacturer | Part Number |
---|---|---|---|---|
1 | Luna PCIe HSM 7 replacement battery | 2/3AA, 3.6 V, 1650 mAh, Li-COCl2, length 33.5 mm, diameter 14.55 mm | OmniCel | ER14335/S |
 | | | Xeno Energy | XL-055F |
1 | Temporary Battery Holder | Used with a temporary battery to maintain power to the Luna PCIe HSM 7 during the replacement process. Can be requested from Thales. | Thales | 908-000408-001 |
1 | Temporary Battery | AA, 3.6 V, 1650 mAh, Li-COCl2, length 50.3 mm, diameter 14.55 mm | Saft | LS14500-AA |
Prerequisites
To replace the battery, you must first remove the Luna PCIe HSM 7 card from the host system.
CAUTION! Back up any important cryptographic material on the HSM before proceeding. Removing the card from the host system will cause a tamper event. If HSM policy 40: Decommission on Tamper is enabled, the application partition and all roles are destroyed, and you must reconfigure the HSM after this procedure.
This product uses semiconductors that can be damaged by electro-static discharge (ESD). When handling the device, avoid contact with exposed components, and always use an anti-static wrist strap connected to an earth ground. In rare cases, ESD can trigger a tamper or decommission event on the HSM. If this happens, all existing roles and cryptographic objects are deleted.
1. Test the temporary and replacement batteries with a voltmeter or multimeter. A measurement of 3.1 V taken directly from the battery terminals with a voltmeter is approximately equivalent to a regulated value of 2.75 V as reported by LunaCM, and indicates that the battery has reached the end of its useful life. Before proceeding with the battery replacement:
   • ensure that the temporary battery tests higher than 3.1 V with a voltmeter
   • for best results and battery life, ensure that the replacement battery tests near 3.6 V
2. [Optional] If the card will not be in your possession the entire time it is out of service, you can enable Secure Transport Mode. This allows you to know if the card has been tampered with while it was out of your possession.
3. Power off the host machine and disconnect it from power.
4. Use an anti-static wrist strap (provided with your Luna PCIe HSM 7) to ground yourself to an exposed metal part of the computer chassis.
5. Remove the Luna PCIe HSM 7 from its PCIe slot.
Replacing the Luna PCIe HSM 7 Battery
To maintain HSM power, you must connect a temporary battery while replacing the main battery.
To replace the Luna PCIe HSM 7 battery
1. Install the temporary battery in the temporary battery replacement holder.
2. Install the 2-pin plug from the battery holder onto the 2-pin header marked P8 on the Luna PCIe HSM 7 card.
   NOTE The polarity on the P8 header is not reversible. The jumper will only fit onto the header in the correct direction.
   The Luna PCIe HSM 7 card's green D4 LED is illuminated. This indicates that the card is receiving power from the temporary battery. If the LED appears dim, ensure that the temporary battery's voltage is greater than 3.1 V.
3. If necessary, remove the screw securing the battery cover.
4. Replace the 2/3AA battery on the card. Note the correct polarity.
5. Replace the battery cover and secure it with the screw.
6. Remove the jumper from the P8 header to disconnect the temporary power.
7. Reinstall the Luna PCIe HSM 7 card.
8. Dispose of the depleted battery according to regional recycling regulations.