Safenet Luna sa User manual

Luna SA

Configuration Guide

Document Information

Product Version 5.4.1

Document Part Number 007-011136-007

Release Date 04 July 2014

Revision History

Revision Date Reason

A 26 February 2014 Initial release.

B 17 April 2014 Updates to the SFF Backup feature.

C 04 July 2014 Solaris client support.

Trademarks

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the

transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without

the prior written permission of SafeNet, Inc.

Disclaimer

SafeNet makes no representations or warranties with respect to the contents of this document and specifically

disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet

reserves the right to revise this publication and to make changes from time to time in the content hereof without the

obligation upon SafeNet to notify any person or organization of any such revisions or changes.

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be

perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in

succeeding releases of the product.

SafeNet invites constructive comments on the contents of this document. Send your comments, together with your

personal and/or company details to the address below.

Contact Method Contact Information

Mail SafeNet, Inc.

4690 Millennium Drive

Belcamp, Maryland 21017

USA

Email techpubs@safenet-inc.com

Luna SA Configuration Guide

CONTENTS

PREFACE About the Configuration Guide 6

Customer release notes 6

Audience 6

Document conventions 7

Notes 7

Cautions 7

Warnings 7

Command syntax and typeface conventions 7

Support Contacts 8

CHAPTER 1 Planning Your Configuration 10

Roles 10

Named Administrative Users and Their Assigned Roles 10

Implications of Backup and Restore of User Profiles 11

Security of Shell User Accounts 12

Crypto Officer & Crypto User 12

How the Roles are Invoked 14

Bad Login Attempts 15

Domain Planning 15

Luna PED Planning 16

What each PED prompt means 16

HSM Initialization and the Blue SOPED Key 17

HSM Cloning Domain and the Red Domain PED Key 18

Partition Owner/User and the black PED Key 18

Remote PED Orange PED Key (RPK) 19

Auditor 19

Secure Recovery Purple PED Key (SRK) 20

Other Considerations 20

Luna PED Planning 20

What each PED prompt means 21

HSM Initialization and the Blue SOPED Key 22

HSM Cloning Domain and the Red Domain PED Key 23

Partition Owner/User and the black PED Key 23

Remote PED Orange PED Key (RPK) 24

Auditor 24

Secure Recovery Purple PED Key (SRK) 24

Other Considerations 25

CHAPTER 2 Configure the Luna Appliance for your Network 26

Gather appliance network setting information 26

Client Requirements 26

Recommended Network Characteristics 27

Power-up the HSM Appliance 27

Luna SA Configuration Guide

Open a Connection 30

First Login & Changing Password 31

Set System Date and Time 33

Configure IP and Network Parameters 35

Make Your Network Connection 37

Generate a New HSM Server Certificate 39

CHAPTER 3 HSM Initialization 42

Initializing a Password-Authenticated HSM 44

Initializing a Password Authenticated HSM 44

Initializing a PED-Authenticated HSM 46

Recover the SRK 46

Re-split[see 'resplit' ] the SRK 48

Other Uses of the SRK 48

Initializing a PED-Authenticated HSM 48

Preparing to Initialize a Luna SA HSM [PED-version] 49

Why Initialize? 50

Start a Serial Terminal or SSHsession 51

Initialize the HSM 51

Initialization - some additional options and description 62

CHAPTER 4 HSM Capabilities and Policies 67

Set HSM Policies (Password Authentication) 67

Set HSM Policies - PED (Trusted Path) Authentication 69

CHAPTER 5 Creating a Partition on the HSM 72

Prepare to Create a Partition (Password Authenticated) 72

About HSM Partitions on the Initialized HSM 72

Create the Partition [PW] 73

Partition creation audit log entry 74

Next steps 74

Prepare to Create a Partition (PED Authenticated) 75

About HSM Partitions on the Initialized HSM 75

Create (Initialize) the Partition - PED Authenticated 76

Partition creation audit log entry 84

Record the Partition Client Password (PED-Auth HSMs) 85

CHAPTER 6 Partition Policies 88

Set Partition Policy 89

Policy setting example, Luna HSM with Password Authentication 90

Policy setting example, Luna HSM with PED Authentication 90

CHAPTER 7 Prepare the Client for Network Trust Link 91

Preparing the Client 91

Import a Server Cert 92

Prepare a Network Trust Link - Windows 93

Import HSM Appliance Server Certificate onto Client (Windows) 93

Luna SA Configuration Guide

Create a Client Certificate (Windows) 96

Export a Client Cert to an HSM Appliance (Windows) 99

Prepare a Network Trust Link - UNIX/Linux 102

Import HSM Appliance Server Certificate onto Client (UNIX) 102

Create a Client Certificate (UNIX) 103

Export a Client Cert to an HSM Appliance (UNIX) 104

How Many Clients? 106

What's the Next Step? 106

CHAPTER 8 Assign a Client to an HSM Partition 107

Assign a Client to a Partition 107

Verify Your Setup 107

Client Connection Limits 108

Applications and Integrations 108

CHAPTER 9 Optional Configuration Tasks 109

Luna SA Configuration Guide

PREFACE

About the Configuration Guide

This document provides step-by-step instructions for configuring your Luna HSM hardware, before you begin using it

with your application(s). The instructions are for a basic configuration. Additional configuration options are described in

"Optional Configuration Tasks" on page 109.

To ensure a trouble-free configuration, perform the following steps in the order indicated:

1. "Planning Your Configuration" on page 10

2. "Configure the Luna Appliance for your Network" on page 26

3. "HSM Initialization" on page 42

4. "HSM Capabilities and Policies" on page 67

5. "Creating a Partition on the HSM" on page 72

6. "Partition Policies" on page 88

7. "Prepare the Client for Network Trust Link" on page 91

8. "Assign a Client to an HSM Partition" on page 107

9. "Optional Configuration Tasks" on page 109

This preface also includes the following information about this document:

•"Customer release notes" on page 6

•"Audience" on page 6

•"Document conventions" on page 7

•"Support Contacts" on page 8

For information regarding the document status and revision history, see "Document Information" on page 2.

Customer release notes

The customer release notes (CRN) provide important information about this release that is not included in the customer

documentation. Read the CRN to fully understand the capabilities, limitations, and known issues for this release. You

can view or download the latest version of the CRN for this release at the following location:

•http://www.securedbysafenet.com/releasenotes/luna/crn_luna_hsm_5-4.pdf

Audience

This document is intended for personnel responsible for maintaining your organization's security infrastructure. This

includes Luna HSM users and security officers, key manager administrators, and network administrators.

All products manufactured and distributed by SafeNet, Inc. are designed to be installed, operated, and maintained by

personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.

Luna SA Configuration Guide

PREFACE About the Configuration Guide

The information, processes, and procedures contained in this document are intended for use by trained and qualified

personnel only.

It is assumed that the users of this document are proficient with security concepts.

Document conventions

This document uses standard conventions for describing the user interface and for alerting you to important information.

Notes

Notes are used to alert you to important or helpful information. They use the following format:

Note: Take note. Contains important or helpful information.

Cautions

Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use

the following format:

CAUTION: Exercise caution. Contains important information that may help prevent

unexpected results or data loss.

Warnings

Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following

format:

WARNING! Be extremely careful and obey all safety and security measures. In this

situation you might do something that could result in catastrophic data loss or

personal injury.

Command syntax and typeface conventions

Format Convention

bold The bold attribute is used to indicate the following:

•Command-line commands and options (Type dir /p.)

•Button names (Click Save As.)

•Check box and radio button names (Select the Print Duplex check box.)

•Dialog box titles (On the Protect Document dialog box, click Yes.)

•Field names (User Name: Enter the name of the user.)

•Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)

•User input (In the Date box, type April 1.)

Luna SA Configuration Guide

PREFACE About the Configuration Guide

Format Convention

italics In type, the italic attribute is used for emphasis or to indicate a related document. (See the

Installation Guide for more information.)

<variable> In command descriptions, angle brackets represent variables. You must substitute a value for

command line arguments that are enclosed in angle brackets.

[optional]

[<optional>]

Represent optional keywords or <variables> in a command line description. Optionally enter the

keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to

complete the task.

{a|b|c}

{<a>|<b>|<c>}

Represent required alternate keywords or <variables> in a command line description. You must

choose one command line argument enclosed within the braces. Choices are separated by vertical

(OR) bars.

[a|b|c]

[<a>|<b>|<c>]

Represent optional alternate keywords or variables in a command line description. Choose one

command line argument enclosed within the braces, if desired. Choices are separated by vertical

(OR) bars.

Support Contacts

If you encounter a problem while installing, registering or operating this product, please ensure that you have read the

documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support. SafeNet support

operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan

arrangements made between SafeNet and your organization. Please consult this support plan for further information

about your entitlements, including the hours when telephone support is available to you.

Contact method Contact

Address SafeNet, Inc.

4690 Millennium Drive

Belcamp, Maryland 21017

USA

Phone United States (800) 545-6608, (410) 931-7520

Australia and New Zealand +1 410-931-7520

China (86) 10 8851 9191

France 0825 341000

Germany 01803 7246269

India +1 410-931-7520

United Kingdom 0870 7529200, +1 410-931-7520

Web www.safenet-inc.com

Support and Downloads www.safenet-inc.com/support

Table 1: Technical support contacts

Luna SA Configuration Guide

PREFACE About the Configuration Guide

Contact method Contact

Provides access to the SafeNet Knowledge Base and quick downloads for

various products.

Customer Technical Support

Portal

https://serviceportal.safenet-inc.com

Existing customers with a Customer Connection Center account, or a Service

Portal account, can log in to manage incidents, get the latest software upgrades,

and access the SafeNet Knowledge Base.

Luna SA Configuration Guide

CHAPTER 1

Planning Your Configuration

Before initializing your HSM, we suggest taking a moment to consider the following available features and options.

Some would be inconvenient to change after your HSM is in service:

•"Roles" on page 10

•"Crypto Officer & Crypto User" on page 12

•"Domain Planning" on page 15

•"Luna PED Considerations" on page 1

•"Luna PED Planning" on page 20

Roles

Luna HSM products offer multiple identities, some mandatory, some optional, that you can invoke in different ways to

map to roles and functions in your organization. The following topics offer some aspects that you might wish to consider

before committing to an HSM configuration.

Named Administrative Users and Their Assigned Roles

By default, the appliance has

•one 'admin' user, with role "admin", always enabled, default password "PASSWORD"

•one 'operator' user, with role "operator", disabled until you enable, default password "PASSWORD"

•one 'monitor' user, with role "monitor", disabled until you enable, default password "PASSWORD"

Those three "built-in" accounts can be neither created nor destroyed, but 'admin' can enable or disable the other two as

needed.

You can leave that arrangement as-is, or you can create additional users with names of your own choice, and assign

them any of the roles (and the powers that go with those roles). The default password of any created user is

"PASSWORD" (yes, all uppercase).

Thus, you could choose to have:

•multiple admin-level users, each with a different name,

•multiple operator-level users (or none, if you prefer), again each with a different name, and

•multiple monitor-level users (or none, if you prefer), each with a different name.

Administrative users' names can be a single character or as many as 128 characters, chosen from letters a-z, or A-Z,

numbers 0-9, the dash, the dot, or the underscore. No spaces.

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._

As with any secure system, no two users (regardless of role) can have the same name.

Luna SA Configuration Guide

Table of contents

Other SafeNet Server manuals

SafeNet

SafeNet ProtectServer External 2 User manual

Popular Server manuals by other brands

HP Tc2120 - Server - 256 MB RAM installation guide

Lenovo

Lenovo ThinkServer RD230 manual

Avocent

Avocent CPS810 Installer/user guide

Dell

Dell PowerEdge R6615 Installation and service manual

FreeWave

FreeWave HT2+ installation guide

GIGA-BYTE TECHNOLOGY

GIGA-BYTE TECHNOLOGY G492-Z50 user manual

Lanner

Lanner HTCA-E400 user manual

Bull

Bull NovaScale T840 E2 user guide

Asus

Asus RS740-E70RS24-EG Configuration guide

Meinberg

Meinberg LANTIME M300/TCR manual 

HP ProLiant SL335s G7 Maintenance and service guide

ZyXEL Communications

ZyXEL Communications VANTAGE RADIUS 50 user guide

Lantronix

Lantronix xDirect-IAP quick start guide

Fujitsu

Fujitsu PRIMEQUEST 2400E3 General description

IBM

IBM 9040-MR9 manual

IBM

IBM 306m - eServer xSeries - 8849 user guide

green hippo

green hippo Hippotizer Nevis+ quick start guide

IBM

IBM 8203-E4A Brochure & specs

SafeNet Luna SA User manual

Popular Server manuals by other brands