.png){kind=logo}
HSM Initialization for Luna S790
Before the HSM can be initialized:
the PED must be configured via webconf
the STM must have been removed
and the PED keys should be prepared.
Configuring an HSM for the Next Generation Hardware Appliance is irrevocable. To change an HSM configuration, you must reset the Next Generation Hardware Appliance.
Initialization
Log in to your Next Generation Hardware Appliance.
Open the Security page or click Configure HSM in the Overview.
The Next Generation Hardware Appliance is in Factory Reset State and ready to be configured. A red banner indicates this status and contains the action button: Initialize HSM.
An HSM information table is displayed under HSM Configuration.
It contains general information about the Internal HSM Status.
Verify the following information:
An alarm should be displayed.
Alarm ONClick Initialize HSM in the top red banner.
The HSM Guided Setup-Summary pop-up window is displayed.
For a local PED connection, ensure that the PED is properly connected to the HSM on the back of the device.
For a remote PED connection, ensure that the PED server and client are properly configured.
Make sure that the PED keys are labeled and within reach.
HSM Guided Setup - Summary
First webconf window:
PIN Entry Device (PED)
This field is greyed out when using the local PED connection.
If the PED is connected remotely the box is checked.
The decision how to use the PED was made already while configuring the PED in Webconf.Application Audit Log Settings
Select Use Signed Audit Log if you want to protect the audit log of the application with an additional signature.Click Next Step to continue.
Second webconf window:
First a summary of the HSM setup is displayed, showing the Serial Number and the choices just made on the PED and the Audit Log Settings.
The PED displays shows: Awaiting command…
Click Start Setup in webconf.
Initialize HSM (PED interaction)
Slot
Setting SO Pin…
Would you like to reuse an existing keyset? Y/N
press No on the PED
During the first initialization you can not reuse a keyset because the PED keys are blank.
M value? (1-16)
>00
Press 1 on the PED and Enter.
Repeat for N value? (1-16)
PED requests to insert the blue labeled Security Officer PED key. The key should light up green.
Press Enter and follow the prompts on the PED
overwrite key?
Press YES, and Confirm.
Enter new PED PIN:
Press Enter and Confirm.
Are you duplicating this keyset? Y/N
Press Yes if you need more than one Security Officer PED Key for different security officers. Repeat the previous steps.
Setting Domain
Insert the red labeled Domain PED key.
Follow the instructions on the PED to continue initializing the HSM.
A series of steps with various queries for the different keys must be run through.
e.g.
Security Officer Login
To authorize as a Security Officer follow the instructions on the PED using the Security Officer PED key.HSM Policies
Follow the instructions on the PED to adjust policies so that the user PIN change is not forced.Create Partition
Follow the instructions on the PED using the Security Officer PED key to create a new partition.Initialize Partition
Follow the instructions on the PED using the Security Officer and the Domain PED key to initialize the new partition.Partition Security Officer Login
To authorize as a Partition Security Officer follow the instructions on the PED using the Security Officer PED key.Partition Policies
Customize the policies to enable activation and automatic activation.Continue the steps until the HSM Guided Setup-Summary is done.
Click Finalize to finish the process.
After the process is completed, another pop-up window appears confirming the Internal HSM successfully set up.
The PIN for slot 1 is also displayed.
It is important to save this PIN, as it cannot be viewed or retrieved again.
Click Close to exit.
Webconf offers the option to cancel/abort the process at various points during initialization.