Initializing the Luna USB HSM 7

Initialization prepares a new Luna USB HSM 7 for use, or an existing HSM for reuse. You must initialize the HSM before you can generate and store objects, or perform cryptographic operations.

>On a new or factory-reset Luna USB HSM 7, initialization sets the HSM Security Officer credentials (password string or USB iKey), the HSM label, and the cloning domain (password string or USB iKey) of the HSM Admin partition. This is often referred to as a 'hard' initialization. See Initializing a New or Factory-reset HSM.

>On an initialized HSM, re-initialization destroys all existing partitions and objects, but retains the HSM SO credentials and cloning domain (password strings or USB iKeys). You have the option to change or retain the existing label. This is sometimes referred to as a 'soft' initialization. See Re-initializing the Luna USB HSM 7.

NOTE   To ensure accurate auditing, perform initialization only after you have set the system time parameters (time, date, time zone, use of Network Time Protocol). You can use the -authtimeconfig option when initializing the HSM to require HSM SO authorization of any time-related changes once the HSM is initialized.

The following table summarizes the differences between a hard and soft initialization.

Condition/Effect

Soft init

Hard init

HSM SO authentication required Yes No
Can set new HSM label Yes Yes
Creates new HSM SO identity No Yes
Creates new Domain No Yes
Destroys partitions Yes No (none exist to destroy)
Destroys objects Yes No (none exist to destroy)

Initializing a New or Factory-reset HSM

During the initialization procedure, you select password or multifactor quorum (iKey) authentication as your preferred authentication method. This cannot be changed later without destroying all cryptographic objects on the HSM. Ensure that you use the same method that the rest of your HSM deployment uses.

On a new, or factory-reset HSM (using hsm factoryreset), the following attributes are set during a hard initialization:

HSM Label

The label is a string that uniquely identifies this HSM.

The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

Spaces are allowed; enclose the label in double quotes if it includes spaces. Including both spaces and quotation marks in a label may cause unexpected labeling behavior.

For more information, refer to Name, Label, and Password Requirements.

HSM SO credentials

If you select multifactor quorum authentication (-iped option), you create a new HSM SO (blue) iKey (set) or re-use an existing key(set) from an HSM you want to share credentials with. If you are using multifactor quorum authentication, ensure that you have an iKey strategy before beginning. See Multifactor Quorum Authentication.

If you select password authentication (-ipwd option), you specify the HSM SO password. Employ standard password-security practices.

NOTE   To change the authentication type of a Luna USB HSM 7 between Password auth and Multifactor Quorum auth, or the reverse, (with the -ipwd option or the -iped option of the hsm init command) requires a factory reset first (hsm factoryreset).

The factory reset is not needed if you are initializing the HSM to the same mode of authentication as is currently configured.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

Cloning domain for the HSM Admin partition

The cloning domain is a shared identifier that makes cloning possible among a group of HSM partitions. On the Luna 7 HSM Admin partition, it must be set, but has no practical function.

NOTE   This is distinct from the domain on an application partition, which is a critical component required for key cloning, backup/restore, and high availability groups. Refer to Domain Planning for more information.

If you select multifactor quorum authentication (-iped option), you create a new Domain (red) iKey(set) or re-use an existing key(set) from an HSM you want to be able to clone with.

If you select password authentication (-ipwd option), you create a new domain string or re-use an existing string from an HSM you want to be able to clone with.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

For password-authenticated HSMs, the domain string should match the complexity of the partition password.

Prerequisites

Before you begin, ensure that you are familiar with the concepts in the following sections

>Multifactor Quorum Authentication (if you plan to use this authentication method)

>HSM Roles

To initialize a new or factory-reset HSM

1.Open a LunaCM session and set the active slot to the HSM Admin partition.

2. If Secure Transport Mode is set, you must unlock the HSM before proceeding. New Luna USB HSM 7s are shipped from the factory in Secure Transport Mode (STM). STM allows you to verify that an HSM has not been tampered while out of your possession, such as when it is shipped to another location, or placed into storage. See Secure Transport Mode for more information.

To recover your HSM from Secure Transport Mode, follow the procedure in Recovering an HSM From Secure Transport Mode.

3.If you are initializing the HSM to use multifactor quorum authentication, ensure that you have sufficient iKeys available.

4.Initialize the HSM, specifying a label for your Luna USB HSM 7 and your preferred method of authentication, password (-ipwd) or multifactor quorum (-iped):

lunacm:> hsm init -label <label> { -ipwd | -iped }

5.Respond to the prompts to complete the initialization process:

If you selected password authentication, you are prompted to set the HSM SO password and the HSM Admin partition cloning domain string.

If you selected multifactor quorum authentication, you receive the prompt "Attend to the PED". These operations are completed using the Luna USB HSM 7 touchscreen. Follow the instructions on the touchscreen to complete the initialization procedure. You can create MofN quorum keysets and duplicate keys as required. See Creating iKey Using Luna USB HSM 7 for more information.

Re-initializing the Luna USB HSM 7

On an initialized Luna USB HSM 7, re-initialization clears all existing partitions and objects, but retains the HSM SO credentials and cloning domain. You have the option to change or retain the existing label. Re-initialization is also referred to as a soft initialization. If you do not want to do a soft init, and also change the SO credentials and cloning domain, you reset the HSM to factory conditions using hsm factoryreset, and then perform the procedure described in Initializing a New or Factory-reset HSM.

CAUTION!   Ensure you have backups for any partitions and objects you want to keep, before re-initializing the HSM.

To re-initialize the HSM (soft init)

1.Open a LunaCM session and set the slot to the HSM Admin partition.

2. Log in as the HSM SO.

3.If Secure Transport Mode is set, you must unlock the HSM before proceeding. See Recovering an HSM From Secure Transport Mode.

4.If you are initializing a multifactor quorum-authenticated HSM, have the appropriate iKeys ready.

5.Re-initialize the HSM, specifying a label for your Luna USB HSM 7:

lunacm:> hsm init -label <label>