HSM Initialization for Luna S790
Before the HSM can be initialized:
the PED must be configured via Webconf
the HSM must be recovered from the STM
and the PED keys should be labeled and be in place.
The initialization of the HSM for the Next Generation Hardware Appliance is irrevocable. To change a configuration that was set during HSM initialization, you must reset the Next Generation Hardware Appliance.
Initialization
Log in to your Next Generation Hardware Appliance.
Open the Security page or click Configure HSM in the Overview.
The Next Generation Hardware Appliance is in Factory Reset State and ready to be configured. A red banner indicates this status and contains the action button: Initialize HSM.
An HSM information table is displayed under HSM Configuration.
It contains general information about the Internal HSM Status.
Name | Value |
---|---|
Serial Number | xxxxxx |
Firmware | x.x.x |
Fan 1 | standby (depending on the temperature) |
Fan 2 | active |
Battery | e.g. 3.115 V |
Temperature | e.g. 34 °C |
Alarm | ON |
Status | zeroized |
Secure Transport Mode | OFF |
Verify the following information: An alarm should be displayed.
Alarm ON
Click Initialize HSM in the top red banner.
The HSM Guided Setup modal dialog window is displayed.
For a local PED connection, ensure that the PED is properly connected to the HSM on the back of the device.
For a remote PED connection, ensure that the PED server and client are properly configured.
Make sure that the PED keys are labeled and within reach.
HSM Guided Setup
PIN Entry Device (PED)
Use Remote PED
This entry is greyed out when using the local PED connection.
If the PED is connected remotely the box is checked.
The decision as to whether the PED should be used locally or remotely was already made during the configuration of the PED in Webconf.
For the prerequisites for initializing with Remote PED, see PED Entry Device for Remote Workstations.
Application Audit Log Settings
Select Use Signed Audit Log if you want to protect the audit log of the application with an additional signature.
HSM Mode Selection
Select Run HSM in FIPS Mode if applicable.
* Enabling FIPS mode may limit the set of available cryptographic algorithms, as only FIPS-validated algorithms are permitted.
Important:
Switching to FIPS mode is typically not easily reversible and may have destructive effects on existing systems and configurations.
Careful planning and thorough testing are strongly recommended before enabling FIPS mode.
Click Next Step to continue.
The HSM Guided Setup - Summary is displayed, listing all selected settings.
Option | Choice |
---|---|
Serial Number | xxxxxx |
Use Remote PED | Yes (IP address) or No |
Use Signed Audit Log | Yes/No |
Run HSM in FIPS Mode | Enabled/No |
The PED display shows: Awaiting command…
Click Start Setup in Webconf.
Connect to Remote PED (if applicable, no PED interaction required).
The guided setup with local PED differs slightly from that with remote PED.
Initialize HSM (PED interaction required)
Slot
Setting SO Pin…
Would you like to reuse an existing keyset? Y/N.
Press No on the PED.
During the first initialization you cannot reuse a keyset because the PED keys are blank.
If No is selected for a key that has already been used, the key PIN will be overwritten.
M value? (1-16)
>00
Press 1 on the PED and Enter.
Repeat for N value? (1-16)
PED requests to insert the blue labeled Security Officer PED key. The key should light up green.
Press Enter and follow the prompts on the PED
overwrite key?
Press YES, and Confirm.
Enter new PED PIN:
Press Enter and Confirm.
Are you duplicating this keyset? Y/N
Press Yes if you need more than one Security Officer PED Key for different security officers. Repeat the previous steps.
Setting Domain
Insert the red labeled Domain PED key.
Follow the instructions on the PED to continue initializing the HSM.
A series of steps with various queries for the different keys must be run through.
e.g.
Security Officer Login
To authorize as a Security Officer, follow the instructions on the PED using the Security Officer PED key.
HSM Policies (FIPS)
Follow the instructions on the PED to customize the policies to disable forcing a PIN change by the user and set up FIPS mode if applicable (this can be done with or without FIPS, depending on the user's selection in the guided setup form).
Security Officer Login (this step is only required if FIPS is enabled)
Authorize as a Security Officer using the PED (Remote PED if applicable) and the Security Officer PED key.
Create Partition
Follow the instructions on the PED using the Security Officer PED key (use the one from the HSM initialization step) to create a new partition.
Initialize Partition
Follow the instructions on the PED using the Security Officer and the Domain PED key (use the PED keys from the HSM initialization step or generate new keys) to initialize the new partition.
Partition Security Officer Login
To authorize as a Partition Security Officer, follow the instructions on the PED using the Security Officer PED key.
Partition Policies
Customize the policies to enable activation and auto activation.
Setting User PIN > Crypto Officer (black) PED key.
Set Slot PIN
User Login > Crypto Officer (black) PED key.
Write Partition Metadata > Crypto Officer (black) PED key.
Slot #1: Create Partition > Security Officer PED key.
Slot #1: Initialize Partition > Security Officer PED key and Domain PED key (use the PED keys from the HSM initialization step or generate new keys).
Slot #1: Partition Security Officer Login > Security Officer PED key.
Slot #1: Partition Policies.
Slot #1: Setting user PIN > Crypto Officer (black) PED key.
Slot #1: Set Slot PIN.
Slot #1: Write Partition Metadata > Crypto Officer (black) PED key.
Initialize HSM > (Remote PED if applicable), the Security Officer and Domain PED key.
Create Crypto Token
Click Finalize to finish the process.
After the process is completed, another modal dialog window is displayed confirming that the Internal HSM was successfully set up.
The PIN for Slot 1 is also displayed.
It is important to save this PIN, as it cannot be viewed or retrieved again.
Click Close to exit.
Webconf offers the option to cancel the process at various points during initialization.