Administration Guide
Page Count: 338
SafeNet Luna Network HSM 7.0 Administration Guide

Document Information
Product Version: 7.0
Document Part Number: 007-013576-002
Release Date: 05 June 2017

Revision History
Rev. A, 05 June 2017: Initial release.

Trademarks, Copyrights, and Third-Party Software
Copyright 2001-2017 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

Table 1: Third-party software used in this product
Software: License and copyright
• editline: This product incorporates editline licensed under Apache v2.0 Open Software. Copyright 1992,1993 Simmule Turner and Rich Salz. All rights reserved. You can obtain the full text of the Apache v2.0 Open Software license at the following URL: https://www.apache.org/licenses/LICENSE-2.0
• libFDT: Dual License, choice of BSD or GPL-2.0. Copyright (C) 2006 David Gibson, IBM Corporation.
• libsodium: ISC License (ISCL). Copyright (C) 2013-2016
• Linux Kernel: GPL-2.0
• OpenSSH: This product uses a derived version of OpenSSH. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright 1995, 1996 by David Mazieres. Copyright 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. You can obtain the full text of the OpenSSH license at the following URL: https://www.openbsd.org/policy.html
• OpenSSL: SSLeay License. Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). OpenSSL license. Copyright (C) 1998-2002 The OpenSSL Project
• Software implementation of SHA2: Proprietary license
• Software implementation of AES: Proprietary license
  Copyright (C) 2002, Dr Brian Gladman, Worcester, UK. Copyright (C) 2001, Dr Brian Gladman, Worcester, UK.

SafeNet Luna Network HSM Administration Guide, Release 7.0, 007-013576-002 Rev. A, June 2017. Copyright 2001-2017 Gemalto. All rights reserved.

Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information.

This document can be used for informational, non-commercial, internal, and personal use only provided that:
• The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all copies.
• This document shall not be posted on any publicly accessible network computer or broadcast in any media, and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided "AS IS" without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service, or loss of privacy.

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of Gemalto.
Regulatory Compliance
This product complies with the following regulations. To ensure compliance, install the product as specified in the installation instructions and use only Gemalto-supplied or approved accessories.

USA, FCC: This equipment has been tested and found to comply with the limits for a "Class B" digital device, pursuant to part 15 of the FCC rules.
Canada: This class B digital apparatus meets all requirements of the Canadian interference-causing equipment regulations.
Europe: This product is in conformity with the protection requirements of EC Council Directive 2014/30/EU. This product satisfies the CLASS B limits of EN55032.

CONTENTS

PREFACE
    About the Administration Guide  11
    Customer Release Notes  12
    Audience  12
    Document Conventions  12
    Notes  12
    Cautions  12
    Warnings  12
    Command syntax and typeface conventions  13
    Support Contacts  14

1 Audit Logging  15
    Audit Logging Overview  15
    The Audit Role  17
    Audit Log Records  19
    Audit Log Message Format  20
    Configuring and Using Audit Logging  22
    Configuring Audit Logging  23
    Copying Log Files Off the Appliance  25
    Exporting the Audit Logging Secret and Importing to a Verifying HSM  25
    Deciphering the Audit Log Records  26
    Audit Role Authentication Considerations  27
    Audit Logging General Advice and Recommendations  27
    Audit Log Categories and HSM Events  28
    Remote Audit Logging  34

2 Backup and Restore HSMs and Partitions  36
    Backup and Restore Overview and Best Practices  36
    Objects are Smaller When Stored on Backup HSM  39
    About the SafeNet Luna Backup HSM  41
    Functionality of the SafeNet Luna Backup HSM  41
    Backup HSM Installation, Storage, and Maintenance  49
    Backup and Restore From the Client to a Local Backup HSM (LunaCM)  54
    Backing Up a Partition to a Locally Connected Backup HSM  55
    Restoring a Partition from a Locally Connected Backup HSM  58
    Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)  59
    Backup and Restore From the Appliance to a Local Backup HSM (LunaSH)  72
    Backing Up a Partition to a Locally Connected Backup HSM  73
    Restoring a Partition from a Locally Connected Backup HSM  76
    Troubleshooting  77
    Warning: This token is not in the factory reset (zeroized) state  77

3 Capabilities and Policies  79
    HSM Capabilities and Policies  79
    Partition Capabilities and Policies  83

4 Configuration File Summary  89

5 Decommissioning, Zeroizing, or Resetting an HSM to Factory Conditions  98
    Decommissioning the HSM Appliance  98
    Disabling Decommissioning  99
    Comparing Zeroize, Decommission, and Factory Reset  99
    Resetting to Factory Condition  100
    End of service and disposal  101
    Comparison of Destruction/Denial Actions  102
    RMA and Shipping Back to Gemalto  103
    Zeroization  104

6 High-Availability (HA) Configuration and Operation  105
    High Availability (HA) Overview  105
    Load Balancing  107
    Key Replication  108
    Failover  109
    Recovery  112
    Recovery Conditions  113
    Enabling and Configuring Autorecovery  113
    Failure of All Members  114
    Automatic Reintroduction  114
    Synchronization  115
    Effect of PED Operations  115
    Network failures  115
    Performance  117
    Maximizing Performance  117
    HA and FindObjects  118
    Standby Members  118
    Planning Your Deployment  121
    HA Group Members  121
    High Availability Group Sizing  122
    Network Requirements  123
    Upgrading and Redundancy and Rotation  123
    Configuring HA  124
    Create the HA Group  125
    Verification  127
    HA Standby Mode [Optional]  128
    Using HA With Your Applications  129
    HAOnly  129
    Key Generation  129
    Application Object Handles  129
    Adding, Removing, Replacing, or Reconnecting HA Group Members  130
    Adding or Removing an HA Group Member  130
    Reconnecting an Offline Unit  131
    Replacing a Failed SafeNet Luna Network HSM  131
    Replace a SafeNet Luna Network HSM Using the Same IP  133
    Summary  134
    Client-side - Reconfigure HA If a SafeNet Luna Network HSM Must Be Replaced  134
    Replacing the Secondary HA Group Member  138
    Managing and Troubleshooting Your HA Groups  138
    Slot Enumeration  138
    Determining Which Device is in Use  139
    Determining Which Devices are Active  139
    Duplicate Objects  139
    Frequently Asked Questions  139

7 HSM Initialization  141
    Initializing a New or Factory-reset HSM  142
    Re-initializing an Existing, Non-factory-reset HSM  144
    PED-authenticated HSM Initialization Example  144
    Password-authenticated HSM Initialization Example  150

8 HSM Status Values  151

9 Partitions  153
    About HSM Partitions  153
    Adjusting Default Partition Parameters  154
    Size of Partitions  154
    Separation of HSM Workspaces  156
    Application Partitions  156
    Operation  156
    Key Management Commands  157
    Normal Usage Commands  157
    Unauthenticated Commands  158
    Commands That are Valid Only in a Session, But Require Special Handling  159
    Configured and Registered Client Using an HSM Partition  159
    Activation and Auto-Activation on PED-Authenticated Partitions  160
    Auto-Activation  164
    Security of Your Partition Challenge  165
    Removing Partitions  166
    Frequently Asked Questions  166

10 PED Authentication  168
    About the Luna PED  168
    Using the PED  174
    Initial Setup  179
    Performing Prompted Actions  180
    Creating New PED Keys  180
    Duplicating Existing PED Keys  185
    Changing Your Authentication Parameters  188
    About Remote PED  193
    Remote PED Architecture  193
    PED Server-Client Communications  194
    Remote PED Setup and Configuration  198
    Using Remote PED  203
    Relinquishing Remote PED  209
    Maintaining the Security of Your PED Keys  210
    Version Control  212
    Summary of PED Operations  213
    Troubleshooting  216
    The PedServer and PedClient Utilities  222
    The PedServer Utility  222
    The PedClient Utility  222
    The PedClient Commands  223
    pedclient mode assignid  224
    pedclient mode config  225
    pedclient mode deleteid  227
    pedclient mode releaseid  228
    pedclient mode setid  229
    pedclient mode show  230
    pedclient mode start  231
    pedclient mode stop  232
    pedclient mode testid  233
    The PedServer Commands  234
    pedserver appliance  235
    pedserver appliance deregister  236
    pedserver appliance list  237
    pedserver appliance register  238
    pedserver mode  239
    pedserver mode config  240
    pedserver mode connect  242
    pedserver mode disconnect  243
    pedserver mode show  244
    pedserver mode start  246
    pedserver mode stop  248
    pedserver regen  249

11 Performance  250
    HSM Information Monitor  250

12 Security Effects of Administrative Actions  251
    Overt Security Actions  251
    Actions with Security- and Content-Affecting Outcomes  251
    Factory Reset HSM  251
    Zeroize HSM  252
    Change Destructive HSM Policy  252
    Apply Destructive CUF Update  253
    HSM Initialize When Zeroized (hard init)  253
    HSM Initialize From Non-Zeroized State (soft init)  253
    Partition Initialize When Zeroized (hard init)  254
    Partition Initialize From Non-Zeroized State (soft init)  254
    Elsewhere  255

13 Secure Transport Mode  256
    Placing an HSM Into Secure Transport Mode  256
    Recovering an HSM From Secure Transport Mode  257

14 Secure Trusted Channel (STC)  259
    STC Overview  259
    When to Use: Comparing NTLS and STC  259
    Security features  260
    Client and Partition Identities  261
    Secure Tunnel Creation  262
    Secure Message Transport  263
    Enabling or Disabling STC on the HSM  263
    Enabling STC on the HSM  263
    Disabling STC on the HSM  264
    Enabling or Disabling STC on a Partition  265
    Enabling STC on a Partition  265
    Disabling STC on a Partition  266
    Establishing and Configuring the STC Admin Channel on a SafeNet Luna Network HSM Appliance  266
    Using a Hard Token to Store the STC Client Identity  268
    Configuring the Network and Security Settings for an STC Link  273
    Configurable Options  273
    Managing STC Tokens and Identities  275
    Restoring STC After HSM Zeroization  276
    Troubleshooting  278
    Restoring STC After HSM Zeroization  278
    Restoring STC After Regenerating the HSM Server Certificate on the SafeNet Luna Network HSM Appliance  278
    SAlogin Error  278

15 Slot Numbering and Behavior  279
    Order of Occurrence for Different SafeNet Luna HSMs  279
    Settings Affecting Slot Order  280
    Effects of Settings on Slot List  280
    Effects of New Firmware on Slot Login State  281

16 Software, Firmware, and Capability Upgrades  282
    Software and Firmware Upgrades  282
    Client Software Upgrades  282
    Appliance Software Upgrades  282
    HSM Firmware Upgrades  284
    Rollback Behavior  285
    HSM Capability and Partition Upgrades  287

17 SNMP Monitoring  288
    Overview and Installation  288
    MIB  288
    SafeNet SNMP Subagent  289
    The SafeNet Chrysalis-UTSP MIB  290
    The SafeNet Luna HSM MIB  291
    hsmPolicyTable  294
    hsmPartitionPolicyTable  294
    hsmClientRegistrationTable  294
    hsmClientPartitionAssignmentTable  295
    SNMP output compared to SafeNet tools output  295
    The SafeNet Appliance MIB  299
    SNMP Operation and Limitations with SafeNet Luna Network HSM  299
    SNMP-Related Commands  299
    Coverage  300
    HSM MIB  300
    MIBS You Need for Network Monitoring of SafeNet Luna Network HSM  301
    MIBS You Need for Monitoring the Status of the HSM  301
    Frequently Asked Questions  301
    We want to use SNMP to remotely monitor and manage our installation – why do you not support such standard SNMP traps as CPU and Memory exhaustion?  302

18 Tamper Events  303
    Recovering from a Tamper  304

19 Troubleshooting  306
    General Troubleshooting Tips  306
    System Operational and Error Messages  307
    Extra slots that say "token not present"?  307
    Error: 'hsm update firmware' failed. (10A0B : LUNA_RET_OPERATION_RESTRICTED) when attempting to perform hsm update firmware  307
    KR_ECC_POINT_INVALID Error when decrypting a file encrypted from BSAFE through ECIES using ECC key with any of the curves from the x9_t2 section  307
    Error during SSL Connect (RC_OPERATION_TIMED_OUT) logged to /var/log/messages by the SafeNet Luna HSM client  308
    Slow/interrupted response from the HSM, and the "hsm show" command shows LUNA_RET_SM_SESSION_REALLOC_ERROR  308
    Low Battery Message  308
    Keycard and Token Return Codes  309
    Library Codes  324
    Vendor-Defined Return Codes  329

20 User and Password Administration  334
    About Changing HSM and Partition Passwords  334
    Failed Logins  335
    Resetting Passwords  337
    HSM  337

PREFACE

About the Administration Guide
This document describes the operational and administrative tasks you can perform to maintain the functionality and efficiency of your HSMs.
It contains the following chapters:
• "Audit Logging" on page 15
• "Backup and Restore HSMs and Partitions" on page 36
• "Capabilities and Policies" on page 79
• "Configuration File Summary" on page 89
• "Decommissioning, Zeroizing, or Resetting an HSM to Factory Conditions" on page 98
• "High-Availability (HA) Configuration and Operation" on page 105
• "HSM Initialization" on page 141
• "HSM Status Values" on page 151
• "Partitions" on page 153
• "PED Authentication" on page 168
• "Performance" on page 250
• "Security Effects of Administrative Actions" on page 251
• "Secure Transport Mode" on page 256
• "Secure Trusted Channel (STC)" on page 259
• "Slot Numbering and Behavior" on page 279
• "Software, Firmware, and Capability Upgrades" on page 282
• "SNMP Monitoring" on page 288
• "Troubleshooting" on page 306
• "User and Password Administration" on page 334

This preface also includes the following information about this document:
• "Customer Release Notes" on the next page
• "Audience" on the next page
• "Document Conventions" on the next page
• "Support Contacts" on page 14

For information regarding the document status and revision history, see "Document Information" on page 2.

Customer Release Notes
The customer release notes (CRN) provide important information about this release that is not included in the customer documentation. Read the CRN to fully understand the capabilities, limitations, and known issues for this release. You can view or download the latest version of the CRN from the Technical Support Customer Portal at https://supportportal.gemalto.com.

Audience
This document is intended for personnel responsible for maintaining your organization's security infrastructure. This includes SafeNet Luna HSM users and security officers, key manager administrators, and network administrators.

All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.

It is assumed that the users of this document are proficient with security concepts.

Document Conventions
This document uses standard conventions for describing the user interface and for alerting you to important information.

Notes
Notes are used to alert you to important or helpful information. They use the following format:
    Note: Take note. Contains important or helpful information.

Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use the following format:
    CAUTION: Exercise caution. Contains important information that may help prevent unexpected results or data loss.

Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following format:
    WARNING! Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.

Command syntax and typeface conventions
Format: Convention
• bold: The bold attribute is used to indicate the following:
  – Command-line commands and options (Type dir /p.)
  – Button names (Click Save As.)
  – Check box and radio button names (Select the Print Duplex check box.)
  – Dialog box titles (On the Protect Document dialog box, click Yes.)
  – Field names (User Name: Enter the name of the user.)
  – Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
  – User input (In the Date box, type April 1.)
• italics: In type, the italic attribute is used for emphasis or to indicate a related document. (See the Installation Guide for more information.)
• <variable>: In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets.
• [optional] [<optional>]: Represent optional keywords or <variables> in a command line description. Optionally enter the keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to complete the task.
• {a|b|c} {<a>|<b>|<c>}: Represent required alternate keywords or <variables> in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars.
• [a|b|c] [<a>|<b>|<c>]: Represent optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the braces, if desired. Choices are separated by vertical (OR) bars.

Support Contacts
Contact method: Contact
• Phone (subject to change; an up-to-date list is maintained on the Technical Support Customer Portal):
  – Global: +1 410-931-7520
  – Australia: 1800.020.183
  – India: 000.800.100.4290
  – Netherlands: 0800.022.2996
  – New Zealand: 0800.440.359
  – Portugal: 800.863.499
  – Singapore: 800.1302.029
  – Spain: 900.938.717
  – Sweden: 020.791.028
  – Switzerland: 0800.564.849
  – United Kingdom: 0800.056.3158
  – United States: (800) 545-6608
• Web: https://safenet.gemalto.com
• Technical Support Customer Portal: https://supportportal.gemalto.com
  Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Knowledge Base.
  To create a new account, click the Register link at the top of the page. You will need your Customer Identifier number.

1 Audit Logging

This chapter describes how to use audit logging to provide security audits of HSM activity. It contains the following sections:
• "Audit Logging Overview" below
• "Configuring and Using Audit Logging" on page 22
• "Audit Logging General Advice and Recommendations" on page 27
• "Audit Log Categories and HSM Events" on page 28
• "Remote Audit Logging" on page 34

Audit Logging Overview
Each event that occurs on the HSM can be recorded in the HSM event log, allowing you to audit your HSM usage. The HSM event log is viewable and configurable only by the audit user role. This audit role is disabled by default and must be explicitly enabled.

Types of events included in the logs
The events that are included in the log are configurable by the audit role. The types of events that can be logged include the following:
• log access attempts (logins)
• log HSM management (init/reset/etc.)
• key management events (key create/delete)
• asymmetric key usage (sig/ver)
• first asymmetric key usage only (sig/ver)
• symmetric key usage (enc/dec)
• first symmetric key usage only (enc/dec)
• log messages from CA_LogExternal
• log events relating to log configuration

Each of these events can be logged if they fail, succeed, or both.

Event log storage
When the HSM logs an event, the log is stored on the HSM. The audit user cannot view these log entries. Before a log can be viewed, it must be rotated. Log rotation saves the log entries on the HSM to the HSM appliance, where they can be viewed.

Log records are HMACed using an audit log secret to ensure their authenticity. The audit log secret is unique to the HSM where the log was created, and is required to view the HSM event logs. The secret can be exported, allowing you to view and verify the logs on another HSM.

Event logging impacts HSM performance
Each audit log record generated requires HSM resources. Configuring event logging to record most, or all, events may have an impact on HSM performance. You may need to adjust your logging configuration to provide adequate logging without significantly affecting performance. By default, only critical events are logged, imposing virtually no load on the HSM.

Audit Logging Features
The following list summarizes the functionality of the audit logging feature:
• Log entries originate from the SafeNet Luna HSM - the feature is implemented in HSM firmware (rather than in the library) for maximum security.
• Log origin is assured.
• Logs and individual records can be validated by any SafeNet Luna HSM that is a member of the same domain.
• Audit Logging can be performed on password-authenticated (FIPS 140-2 level 2) and PED-authenticated (FIPS 140-2 level 3) configurations, but these configurations may not validate each other's logs - see the "same domain" requirement, above.
• Each entry includes the following:
  – When the event occurred
  – Who initiated the event (the authenticated entity)
  – What the event was
  – The result of the logging event (success, error, etc.)
• Multiple categories of audit logging are supported, configured by the audit role.
• Audit management is a separate role - the role creation does not require the presence or co-operation of the SafeNet Luna HSM SO.
• The category of audit logging is configurable by (and only by) the audit role.
• Audit log integrity is ensured against the following:
  – Truncation - erasing part of a log record
  – Modification - modifying a log record
  – Deletion - erasing of the entire log record
  – Addition - writing of a fake log record
• The following critical events are logged unconditionally, regardless of the state of the audit role (initialized or not):
  – Tamper
  – Decommission
  – Zeroization
  – SO creation
  – Audit role creation

The Audit Role
The audit logging function is controlled by two roles on SafeNet Luna Network HSM, which must be used together:
• The "audit" appliance account (use SSH or PuTTY to log in as "audit", instead of "admin", "operator", "monitor", etc.)
• The "audit" HSM account (accessible only if you have logged into the appliance as "audit"; this account must be initialized)

On SafeNet Luna Network HSM, audit logging is managed by an audit user (an appliance system role), in combination with the HSM audit role, through a set of LunaSH commands. The audit user can perform only the audit-logging-related tasks and self-related tasks. Other HSM appliance users, such as admin, operator, and monitor, have no access to the audit logging commands.

A default appliance (LunaSH) audit user is automatically created, but must be enabled. Upon first login, the audit user is asked to change their password. That appliance audit user would need to initialize the HSM audit role first, before being able to administer the audit logging. The SafeNet Luna Network HSM admin user can create more audit users when necessary.

To simplify configuration:
• The maximum log file size is capped at 4 MB.
• The log path is kept internal.
• The rotation offset is set at 0.
Audit User on the Appliance
The appliance audit user is a standard user account on SafeNet Luna Network HSM, with default password "PASSWORD" (without the quotation marks). By default, the appliance audit user is disabled. Therefore, you must enable it in LunaSH before it becomes available. See "user enable" on page 1 for the command syntax.

Audit Role on the HSM
A SafeNet Luna HSM Audit role allows complete separation of Audit responsibilities from the Security Officer (SO or HSM Admin), the Partition User (or Owner), and other HSM roles. If the Audit role is initialized, the HSM and Partition administrators are prevented from working with the log files, and auditors are unable to perform administrative tasks on the HSM. As a general rule, the Audit role should be created before the HSM Security Officer role, to ensure that all important HSM operations (including those that occur during initialization) are captured.

Use the LunaSH command audit init to initialize the audit role, as described in "audit init" on page 1.

Password-authenticated HSMs
For SafeNet Luna HSMs with Password Authentication, the auditor role logs into the HSM to perform their activities using a password. After initializing the Audit role on a password-authenticated HSM, log in as the Auditor and set the domain (see "role setdomain" on page 1 for the command syntax). This step is required before setting logging parameters or the log filepath, or importing/exporting audit logs.

PED-authenticated HSMs
For SafeNet Luna HSMs with PED Authentication, the auditor role logs into the HSM to perform their activities using the Audit (white) PED key.

Role Initialization
Creating the Audit role (and imprinting the white PED key for PED-authenticated HSMs) does not require the presence or cooperation of the HSM SO.

Appliance Audit User Available Commands
The Audit role has a limited set of operations available to it on the HSM, as reflected in the reduced command set available to the "audit" user when logged in to the shell (LunaSH).

    login as: audit
    audit@192.20.11.78's password:
    Last login: Fri Mar 31 09:37:53 2017 from 10.124.0.31

    Luna SA 7.0.0 Command Line Shell - Copyright (c) 2001-2017 SafeNet, Inc. All rights reserved.

    lunash:>help

    The following top-level commands are available:

    Name        (short)    Description
    --------------------------------------------------------------------------------
    help        he         Get Help
    exit        e          Exit Luna Shell
    hsm         hs         > Hsm
    audit       a          > Audit
    my          m          > My
    network     n          > Network

Audit Log Secret
The HSM creates a log secret unique to the HSM, computed during the first initialization after manufacture. The log secret resides in flash memory (permanent, non-volatile memory), and is used to create log records that are sent to a log file. Later, the log secret is used to prove that a log record originated from a legitimate HSM and has not been tampered with.

Log Secret and Log Verification
The 256-bit log secret which is used to compute the HMACs is stored in the parameter area on the HSM. It is set the first time an event is logged. It can be exported from one HSM to another so that a particular sequence of log messages can be verified by the other HSM. Conversely, it can be imported from other HSMs for verification purposes.

To accomplish cross-HSM verification, the HSM generates a key-cloning vector (KCV, a.k.a. the Domain key) for the audit role when it is initialized. The KCV can then be used to encrypt the log secret for export to the HOST. To verify a log that was generated on another HSM, assuming it is in the same domain, we simply import the wrapped secret, which the HSM subsequently decrypts; any records that are submitted to the host for verification will use this secret thereafter.
When the HSM exports the secret, it calculates a 32-bit checksum, appends it to the secret, and encrypts the result with the KCV. When the HSM imports a wrapped secret, it decrypts it and recalculates the 32-bit checksum over the decrypted secret. If the recalculated checksum does not match the decrypted checksum, the secret being imported comes from an HSM in a different domain (the KCV used to unwrap it is not the one that wrapped it), and an error is returned.

To verify a log generated on another HSM in the same domain, the host passes the wrapped secret to the target HSM, which decrypts it; any records submitted to the target HSM for verification are then checked against this imported secret. Importing a log secret from another HSM does not overwrite the target HSM's own log secret, because the operation writes the foreign log secret only to a separate parameter area reserved for the wrapped log secret.

CAUTION: Once an HSM has imported a wrapped log secret from another HSM, it verifies against the imported secret. To verify its own logs again, it must export and then re-import its own log secret.

Audit Log Records

A log record consists of two fields: the log message and the HMAC of the previous record. When the HSM creates a log record, it uses the log secret to compute the HMAC-SHA256 of all data contained in that log message, plus the HMAC of the previous log entry. The HMAC is stored in HSM flash memory. The log message is then transmitted, along with the HMAC of the previous record, to the host. The host runs a logging daemon that receives the log data and stores it on the host hard drive.

For the first log message ever returned from the HSM to the host there is no previous record and, therefore, no HMAC in flash. In this case the previous HMAC is set to zero, and the first HMAC is computed over the first log message concatenated with 32 zero bytes.
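The chaining and verification described above, together with the fixed-width record layout documented in the "Audit Log Message Format" section that follows, as an added example (not code from this guide or from Gemalto). The field widths and offsets, HMAC-SHA256, the 32 zero bytes carried by the first record and the HSM keeping the newest HMAC in flash are the guide's; the HSM's raw-data encoding (make_raw), the space padding of the text fields, the concatenation order inside the HMAC, LOG_SECRET and SAMPLE_EVENTS are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

# Field widths from the documented layout; every field is followed by a comma and
# the record ends with '\n', which gives a 448-character record.
SEQ_LEN, TS_LEN, MSG_LEN, HMAC_LEN, RAW_LEN = 10, 17, 256, 64, 96
SEQ_OFF, TS_OFF, MSG_OFF, HMAC_OFF, RAW_OFF = 0, 11, 29, 286, 351
RECORD_LEN = RAW_OFF + RAW_LEN + 1  # 448
ZERO_HMAC = bytes(32)               # "previous HMAC" carried by the very first record

# Constructed log secret for the example; a real one never leaves the HSM unwrapped.
LOG_SECRET = hashlib.sha256(b"constructed example log secret").digest()


def record_hmac(log_secret: bytes, raw_data: bytes, prev_hmac: bytes) -> bytes:
    # HMAC-SHA256 over the record's raw data and the previous record's HMAC.
    # The concatenation order (raw || previous HMAC) is an assumption.
    return hmac.new(log_secret, raw_data + prev_hmac, hashlib.sha256).digest()


def make_raw(text: str) -> bytes:
    # Constructed stand-in for the HSM's opaque 48-byte binary record.
    return text.encode()[:RAW_LEN // 2].ljust(RAW_LEN // 2, b"\0")


def format_record(seq: int, timestamp: str, text: str, prev_hmac: bytes, raw: bytes) -> str:
    # Space-pad the text fields; the two hex fields are exactly 64 and 96 characters.
    if len(timestamp) != TS_LEN or len(text) > MSG_LEN or len(raw) != RAW_LEN // 2:
        raise ValueError("field does not fit the fixed-width layout")
    rec = ",".join([str(seq).rjust(SEQ_LEN), timestamp, text.ljust(MSG_LEN),
                    prev_hmac.hex().upper(), raw.hex().upper()]) + "\n"
    assert len(rec) == RECORD_LEN
    return rec


def parse_record(line: str) -> dict:
    # Split on the documented offsets rather than on commas: the message text
    # itself may contain commas, so the delimiters are checked positionally.
    if len(line) != RECORD_LEN or line[-1] != "\n":
        raise ValueError("record has the wrong length")
    for off in (SEQ_OFF + SEQ_LEN, TS_OFF + TS_LEN, MSG_OFF + MSG_LEN, HMAC_OFF + HMAC_LEN):
        if line[off] != ",":
            raise ValueError(f"expected ',' at offset {off}")
    return {
        "seq": int(line[SEQ_OFF:SEQ_OFF + SEQ_LEN]),
        "timestamp": line[TS_OFF:TS_OFF + TS_LEN],
        "text": line[MSG_OFF:MSG_OFF + MSG_LEN].rstrip(),
        "prev_hmac": bytes.fromhex(line[HMAC_OFF:HMAC_OFF + HMAC_LEN]),
        "raw": bytes.fromhex(line[RAW_OFF:RAW_OFF + RAW_LEN]),
    }


def build_log(log_secret: bytes, events: list[tuple[str, str]]) -> tuple[list[str], bytes]:
    # HSM side: emit each record carrying the previous HMAC, then keep the new
    # HMAC as the "most recent HMAC" the HSM holds in flash for truncation checks.
    lines, prev = [], ZERO_HMAC
    for seq, (timestamp, text) in enumerate(events, start=1):
        raw = make_raw(text)
        lines.append(format_record(seq, timestamp, text, prev, raw))
        prev = record_hmac(log_secret, raw, prev)
    return lines, prev


def verify_chain(log_secret: bytes, lines: list[str]) -> int | None:
    # Verifier side, for any contiguous run of records (not only the whole log):
    # the HMAC recomputed over record i must equal the "previous HMAC" carried by
    # record i+1. Returns None on success, else the index of the first record that
    # fails to chain; it and every later record are suspect.
    recs = [parse_record(line) for line in lines]
    for i in range(len(recs) - 1):
        expected = record_hmac(log_secret, recs[i]["raw"], recs[i]["prev_hmac"])
        if not hmac.compare_digest(expected, recs[i + 1]["prev_hmac"]):
            return i
    return None


def is_truncated(log_secret: bytes, newest_line: str, stored_hmac: bytes) -> bool:
    # Truncation check: the HMAC of the newest record on disk must match the HMAC
    # the HSM stored for the most recently generated record.
    r = parse_record(newest_line)
    return not hmac.compare_digest(record_hmac(log_secret, r["raw"], r["prev_hmac"]), stored_hmac)


# Constructed events in the style of the guide's sample record (not real HSM output).
SAMPLE_EVENTS = [
    ("12/08/13 15:30:50", "session 1 Access 2147483651:22621 operation LUNA_OPEN_SESSION returned RC_OK(0x00000000)"),
    ("12/08/13 15:30:51", "session 1 Access 2147483651:22621 operation LUNA_LOGIN returned RC_OK(0x00000000)"),
    ("12/08/13 15:30:52", "session 1 Access 2147483651:22621 operation LUNA_GENERATE_KEY returned RC_OK(0x00000000)"),
    ("12/08/13 15:30:53", "session 1 Access 2147483651:22621 operation LUNA_SIGN returned RC_OK(0x00000000)"),
    ("12/08/13 15:30:54", "session 1 Access 2147483651:22621 operation LUNA_LOGOUT returned RC_OK(0x00000000)"),
]

if __name__ == "__main__":
    lines, stored = build_log(LOG_SECRET, SAMPLE_EVENTS)
    print("whole log verifies:", verify_chain(LOG_SECRET, lines) is None)
    print("records 3..5 verify:", verify_chain(LOG_SECRET, lines[2:]) is None)
    tampered = lines[:]
    tampered[1] = tampered[1][:RAW_OFF] + "FF" + tampered[1][RAW_OFF + 2:]
    print("first suspect record after tampering record 2:", verify_chain(LOG_SECRET, tampered))
    print("log truncated by one record:", is_truncated(LOG_SECRET, lines[-2], stored))
```

A subsequence verifies on its own because each record carries its predecessor's HMAC, so the verifier needs only the records submitted, not the whole file; a dropped, inserted or altered record breaks the chain at that point, while a missing tail is only caught by comparing the newest record against the HMAC held in the HSM. Note that the HMAC covers the raw data, not the human-readable text, which is derived from it. On a real appliance the verification runs inside the HSM (audit log verify), since the log secret is never available to the host in clear.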
The first record in the log file therefore consists of the first log message plus 32 zero bytes. The second record consists of the second message plus HMAC1 = HMAC(message1 || 32 zero bytes). This results in the organization shown below:

Log file on the host              HSM flash (NVRAM)
MSG 1        HMAC 0 (all zeros)
...
MSG n-1      HMAC n-2
MSG n        HMAC n-1           <- first record of the submitted sequence
...
MSG n+m      HMAC n+m-1         <- last record of the submitted sequence
MSG n+m+1    HMAC n+m
...
MSG end      HMAC end-1         most recent HMAC: HMAC end

To verify a sequence of m log records that is a subset of the complete log, starting at index n, the host submits the records shown above. The HSM calculates the HMAC for each record the same way as it did when the record was originally generated, and compares it to the value it received (the previous-record HMAC carried by the next record). If all of the calculated HMACs match the received HMACs, the entire sequence verifies. If an HMAC does not match, the associated record and all following records must be considered suspect. Because the HMAC of each message depends on the HMAC of the previous one, inserting, removing or altering messages invalidates the calculated HMACs from that point on.

The HSM always stores the HMAC of the most recently generated log message in flash memory. To check for truncation, the host sends the newest record in its log to the HSM; the HSM computes that record's HMAC and compares it to the one in flash. If they do not match, the log on the host has been truncated.

Audit Log Message Format

Each message is a fixed-length, comma-delimited, newline-terminated string. The table below shows the width and meaning of the fields in a message.
Offset   Length (chars)   Description
0        10               Sequence number
10       1                Comma
11       17               Timestamp
28       1                Comma
29       256              Message text, interpreted from the raw data
285      1                Comma
286      64               HMAC of the previous record, as ASCII hex
350      1                Comma
351      96               Raw data for this record, as ASCII hex
447      1                Newline '\n'

The raw data for the message is stored in ASCII-hex form alongside a human-readable version. Although this makes the messages larger, it simplifies the verification process, because the HSM expects to receive the raw data records.

Example

The following example shows a sample log record. It is separated into multiple lines for readability even though it is a single record; some white space is also omitted.

38,12/08/13 15:30:50,session 1 Access 2147483651:22621 operation LUNA_CREATE_CONTAINER returned LUNA_RET_SM_UNKNOWN_TOSM_STATE(0x00300014) (using PIN (entry=LUNA_ENTRY_DATA_AREA)),
29C51014B6F131EC67CF48734101BBE301335C25F43EDF8828745C40755ABE25,
2600001003600B00EA552950140030005D580000030000800100000000000000000000000000000000000000

• The sequence number is 38.
• The time is 12/08/13 15:30:50.
• The log message is "session 1 Access 2147483651:22621 operation LUNA_CREATE_CONTAINER returned LUNA_RET_SM_UNKNOWN_TOSM_STATE(0x00300014) (using PIN (entry=LUNA_ENTRY_DATA_AREA))".
  – The "who" is the LunaSH session "session 1 Access 2147483651:22621" (the application is identified by the access ID major = 2147483651, minor = 22621).
  – The "what" is LUNA_CREATE_CONTAINER.
  – The operation status is LUNA_RET_SM_UNKNOWN_TOSM_STATE(0x00300014).
• The HMAC of the previous record is 29C51014B6F131EC67CF48734101BBE301335C25F43EDF8828745C40755ABE25.
• The remainder is the raw data for this record, as ASCII hex.
Note: Log rotation categories, rotation intervals, and other configurable factors are covered here in the Administration Guide. Command syntax is in the LunaSH Command Reference Guide.

Timestamping

The HSM has an internal real-time clock (RTC). The RTC does not have a meaningful time value until it is synchronized with the host system time. Because the HSM and host clocks drift apart over time, periodic resynchronization is necessary. Only an authenticated Auditor is allowed to synchronize the time.

Time Reported in Log

When you run audit show, you might see a variance of a few seconds between the reported HSM time and the host time. Any difference of up to five seconds should be considered normal, because the HSM reads new values from its internal clock at a five-second interval. Typically, therefore, the host time shows as slightly ahead.

Log Capacity

The log capacity of SafeNet Luna HSMs varies with the physical memory available on the device. The HSM has approximately 16 MB available for audit logging (more than 200,000 records, depending on the size and content of each record). In normal operation, audit logging constantly exports log entries to the appliance file system; the short-term log storage inside the HSM matters only in the rare situation where the HSM keeps functioning but the file system is unreachable from the HSM.

Log Full Condition

When the log is full on the host, most commands return CKR_LOG_FULL. The exceptions are:

• factory reset
• zeroize
• login as audit user
• logout
• open session
• close session
• get audit config
• set audit config

Because a log-full condition would otherwise make the HSM unusable, these commands must remain available so that the Auditor can log in and disable logging, even when logging is enabled for those commands and the log is full.
All other commands do not execute if their results are supposed to be logged but cannot be, because of a log-full condition.

Configuration Persists Unless Factory Reset is Performed

Audit logging configuration is not removed or reset by HSM re-initialization or a tamper event. Factory reset or HSM decommission removes the Audit user and configuration. Logs must be cleared by a specific command. Therefore, if your security regime requires decommission at end of life, or before shipping an HSM, explicit clearing of the HSM logs should be part of that procedure.

This is by design, as part of the separation of roles in the HSM. When the Audit role exists, the SO cannot modify the logging configuration and therefore cannot hide any activity from auditors.

Audit Logging Stops Working if the Current Log File is Deleted

As a general rule, you should not delete a file while it is open and in use by an application. In Linux, deleting a file removes its directory entry, but the file's data remains on the file system (now invisible) until the last open reference to it is closed and the space is reclaimed or overwritten. If a file is in use by an application, such as audit logging in this case, the application can continue using and updating that file, unaware that it has been deleted. If you delete the current audit log file, the audit logging feature does not detect that and does not create a new file, so you might lose log entries. The workaround is to restart the pedclient daemon, which creates a new log file.

Example

1. You have configured audit logging, and the entire audit path is deleted. In Linux the file is not actually removed until the last reference to it has been closed. Since the pedclient has the file open, logging continues, because technically the log file still exists.
Applications, including the pedclient, have no indication that anything is wrong.

2. When the pedclient is stopped, the log file is finally removed. When the pedclient is started again, the HSM tells it to use the old path. That path no longer exists, so the pedclient cannot offload log messages, and the HSM starts storing log messages internally. With 16 MB of flash dedicated to this purpose, that works out to 198,120 messages at most. This can fill up very quickly, in as little as a few minutes under heavy load.

3. At this point the user must set the audit log path to a valid value, after which the HSM offloads all stored log messages to the host. This takes a couple of minutes, during which the HSM is unresponsive.

4. Once all messages have been offloaded, normal operation resumes, with messages being sent to the host rather than stored locally.

Configuring and Using Audit Logging

This section describes the procedures required to enable audit logging, configure what is logged and how often the logs are rotated, and copy, verify and read the audit logs. It contains the following information:

• "Configuring Audit Logging" on the next page
• "Copying Log Files Off the Appliance" on page 25
• "Exporting the Audit Logging Secret and Importing to a Verifying HSM" on page 25
• "Deciphering the Audit Log Records" on page 26
• "Audit Role Authentication Considerations" on page 27

Configuring Audit Logging

Configure audit logging using the LunaSH audit commands. See "audit" in the LunaSH Command Reference Guide.

Prerequisites (HSM SO)

1. Configure the SafeNet Luna Network HSM appliance to use the Network Time Protocol (NTP). See "Timestamping – NTP and Clock Drift" in the Appliance Administration Guide.

2.
Log in to LunaSH as an admin-level user and enable the audit user. The audit user is necessary to access and work with logs through the LunaSH interface; it is restricted from administrative functions:

lunash:> user enable -username audit

To configure audit logging (Auditor)

1. Using an SSH connection (or a local serial connection), log in to LunaSH on the SafeNet Luna Network HSM appliance as audit (not as admin), using the password "PASSWORD". The first time you log in as audit, you are prompted to change the password to something more secure. To fulfill the purpose of the Audit role, keep the audit user's password separate from, and unknown to, the HSM Security Officer.

The audit user sees a reduced subset of commands, suitable only to the audit role:

Name         (short)    Description
--------------------------------------------------------------------------------
init         i          Initialize the Audit role
changePwd    ch         Change Audit User Password or PED Key
login        logi       Login as the Audit user
logout       logo       Logout the Audit user
config       co         Set Audit Parameters
sync         sy         Synchronize HSM Time to Host Time
show         sh         Display the Audit logging info
log          l     >    Manage Audit Log Files
secret       se    >    Export/Import Audit Logging Secret
remotehost   r     >    Configure Audit Logging Remote Hosts

Note: The audit user's commands are not available to the admin user, and the audit user has no administrative control over the SafeNet Luna Network HSM appliance. This is the first layer in the separation of roles: a user with no administrative control of the appliance and HSM has oversight of the HSM logs, while an administrator cannot clear those logs.

2. Initialize the Audit role on the HSM. This enables logging for all subsequent actions performed by the SO and partition user(s):

lunash:> audit init

– On password-authenticated HSMs, you are prompted for the password and cloning domain.
– On PED-authenticated HSMs, you are referred to the Luna PED, which prompts you for the domain (red PED key) and Audit authentication (white PED key).

3. Now that the Audit role exists on the HSM, you can configure the auditing function. Before you can configure audit logging, however, you must log in to the HSM as the Audit role:

lunash:> audit login

– On password-authenticated HSMs, you are prompted to enter the password for the Audit role.
– On PED-authenticated HSMs, you are referred to the Luna PED, which prompts for the white PED key for the Audit role.

Note: You are now logged in to the appliance as the audit user and in to the HSM (within the appliance) as the Audit role. Both are required. The audit commands, including HSM login as the Audit role, do not appear if you are logged in as any other named appliance-level user.

4. Synchronize the HSM's clock with the host time (which should itself be synchronized with the NTP server), so that all subsequent log records carry a valid and accurate timestamp:

lunash:> audit sync

5. Configure audit logging to specify what you want to log. You can specify the level of audit appropriate to your organization's policy and the nature of the application(s) using the HSM:

lunash:> audit config -parameter event -value <value>

Note: The first time you configure audit logging, we suggest using only the ? option to see all the available options in the configuration process. See also "audit config" in the LunaSH Command Reference Guide.

Security audits can generate a very large amount of data, which consumes HSM processing resources and host storage resources, and makes the Audit Officer's job much harder when it comes time to review the logs. For this reason, configure audit logging so that you capture only relevant data, and no more.
For example, the First Symmetric Key Usage Only or First Asymmetric Key Usage Only category is intended to help Audit Officers capture the relevant data in a space-efficient manner for high-volume applications. On the other hand, a top-level Certificate Authority would likely be required by policy to capture all operations performed on the HSM; since such a CA is typically not a high-volume application, configuring the HSM to audit all events would not impose a significant space or performance penalty in that situation.

As a further example, the command audit config -parameter event -value all logs everything the HSM does. This might be useful in some circumstances, but quickly fills up the log files.

6. Configure audit logging to specify how often you want to rotate the logs:

lunash:> audit config -parameter rotation -value <value>

For example, the command audit config -parameter rotation -value hourly rotates the logs every hour, limiting the size of individual log files even under high-volume event recording, but increases the number of files to be handled.

Log Entries

Log entries are made within the HSM and are written to the currently active log file on the appliance file system. When a log file reaches the rotation trigger, it is closed, and a new file receives the next log entry. The number of log files on the appliance grows according to the logging settings and the rotation schedule that you configured. At any time, you can copy files to a remote computer and then clear the originals from the appliance, if you wish to free the space.

For SafeNet Luna Network HSM, to simplify configuration within its closed and hardened environment, the following rules apply:

• The maximum log file size is capped at 4 MB.
• The log path is internal to the SafeNet Luna Network HSM appliance.
• The rotation offset is set at 0.

Copying Log Files Off the Appliance

You can copy the log files off the appliance for viewing and verification.

To copy files off the appliance

1. Create an archive of the logs that are ready to archive:

lunash:> audit log list
lunash:> audit log tarlogs

2. View a list of the log files currently saved on the appliance:

lunash:> my file list

For this example, assume that the list includes a file named audit.tgz.

3. On the computer where you wish to capture and store the log files, use scp (Linux) or pscp (Windows) to transfer the file from the appliance:

/usr/safenet/lunaclient/logs :> scp audit@myLunaHSM1:audit.tgz mylunsa1_audit_2014-02-28.tgz

Provide the audit user's credentials when prompted. This copies the identified file from the remote SafeNet Luna Network HSM's file system (in the audit account) and stores the copy on your local computer's file system under a useful name.

4. You can view and parse the plain-text portion of the file.

5. You can verify the authenticity of the retrieved file using a connected HSM to which you have imported the audit logging secret from the originating SafeNet Luna Network HSM.

Exporting the Audit Logging Secret and Importing to a Verifying HSM

You can export the audit log secret from one HSM and import it to another to allow the first HSM's logs to be viewed and verified on the second. The HSMs must share the same authentication method and Audit cloning domain (password string or red PED key). You can verify logs from a SafeNet Luna PCIe HSM using a SafeNet Luna Network HSM, and vice versa.

To export the audit logging secret from the HSM and import it to the verifying HSM

1. On the SafeNet Luna Network HSM where the HSM audit log files are being created, export the audit logging secret:

lunash:> audit secret export

The filename is displayed when the secret is exported.
You can check the filename with my file list.

2. On a computer connected to both HSMs, use scp or pscp to transfer the logging secret from the appliance.

– If you are planning to verify logs with a SafeNet Luna PCIe HSM, you can use the PCIe HSM's host computer.
– If you are planning to verify logs with a second SafeNet Luna Network HSM, you must transfer the logging secret to a client computer, and then to the second appliance.

Linux:

:> scp audit@<source appliance>:<secret file> .

Then, if transferring to a second SafeNet Luna Network HSM:

:> scp <secret file> audit@<verifying appliance>:

Windows:

:> pscp audit@<source appliance>:<secret file> .

Then, if transferring to a second SafeNet Luna Network HSM:

:> pscp <secret file> audit@<verifying appliance>:

This copies the identified file from the remote SafeNet Luna Network HSM's file system (in the audit account) and stores the copy on your local computer's file system in the directory from which you issued the command. Provide the audit user's credentials when prompted.

3. Log in to the verifying HSM as the audit user. For this example, assume that you have already initialized the HSM Audit role using the same domain/secret as is associated with the source HSM.

– If you are using a SafeNet Luna Network HSM, connect via SSH and log in to LunaSH as the audit user:

lunash:> audit login

– If you are using a SafeNet Luna PCIe HSM, open LunaCM and log in using the Auditor role:

lunacm:> role login -name au

4. Import the audit logging secret to the HSM.

– SafeNet Luna Network HSM (LunaSH):

lunash:> audit secret import -serialtarget <verifying HSM serial> -serialsource <source HSM serial> -file <secret file>

– SafeNet Luna PCIe HSM (LunaCM):

lunacm:> audit import file <secret file>

5. You can now verify audit log files from the source HSM.
– SafeNet Luna Network HSM (LunaSH):

lunash:> audit log verify -file <log file>.log

– SafeNet Luna PCIe HSM (LunaCM):

lunacm:> audit verify file <log file>.log

You might need to provide the full path to the file, depending on your current environment settings.

Deciphering the Audit Log Records

In general, the audit logs are self-explanatory. Due to limitations in the firmware, however, some audit log records require further explanation, as detailed in the following sections.

Determining the serial number of a created partition from the audit log

An audit log entry similar to the following is generated when a partition is created on the HSM:

5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))

It is not obvious from this entry what the serial number of the created partition is. It can, however, be derived from the entry, because the partition serial number is simply the HSM serial number followed by the partition container number, both of which appear in the entry: the HSM serial number follows "S/N" (150718 above) and the container number follows "container=" (20 above).

Note that the partition container number is a three-digit number with leading zeros suppressed, so the actual container number in this example is 020. To determine the partition serial number, concatenate the two numbers:

150718020

Use this number to identify the partition in subsequent audit log entries.
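Deriving the partition serial from such entries while reviewing a log, as an added example that is not part of this guide: the regular expressions and the outcome filter are assumptions; the first sample entry is the guide's own, the other two are constructed.

```python
from __future__ import annotations

import re

# Tokens as they appear in a LUNA_CREATE_CONTAINER entry: the HSM serial follows
# "S/N " and the container number follows "container=".
_SN_RE = re.compile(r"\bS/N (\d+)\b")
_CONTAINER_RE = re.compile(r"\bcontainer=(\d+)\b")


def partition_serial_from_entry(entry: str) -> str | None:
    """Return the serial of the partition created by this entry, or None.

    Partition serial = HSM serial followed by the container number zero-padded to
    three digits (the log suppresses the leading zeros). Entries that are not a
    successful LUNA_CREATE_CONTAINER, or that lack either value, yield None.
    """
    if "LUNA_CREATE_CONTAINER" not in entry or "RC_OK" not in entry:
        return None
    sn, container = _SN_RE.search(entry), _CONTAINER_RE.search(entry)
    if not (sn and container):
        return None
    return f"{sn.group(1)}{int(container.group(1)):03d}"


def partitions_created(entries) -> dict[int, str]:
    """Scan a log and map each created container number to its partition serial."""
    created = {}
    for entry in entries:
        serial = partition_serial_from_entry(entry)
        if serial is not None:
            created[int(_CONTAINER_RE.search(entry).group(1))] = serial
    return created


# The guide's example entry, plus two constructed entries: a failed creation
# (nothing was created, so no serial) and an unrelated operation on the container.
SAMPLE_ENTRIES = [
    "5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation "
    "LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))",
    "6,12/12/17 16:15:02,S/N 150718 session 1 Access 2147483651:2669 SO container operation "
    "LUNA_CREATE_CONTAINER returned LUNA_RET_SM_UNKNOWN_TOSM_STATE(0x00300014) (using PIN (entry=LUNA_ENTRY_DATA_AREA))",
    "7,12/12/17 16:15:30,S/N 150718 session 1 Access 2147483651:2669 SO container operation "
    "LUNA_SET_CONTAINER_POLICY returned RC_OK(0x00000000) container=20",
]

if __name__ == "__main__":
    for container, serial in partitions_created(SAMPLE_ENTRIES).items():
        print(f"container {container:03d} -> partition serial {serial}")
```

Only a creation that returned RC_OK is mapped: a failed LUNA_CREATE_CONTAINER leaves nothing behind to name, and later entries that mention the same container are resolved through the map rather than re-parsed.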
Audit Role Authentication Considerations

• The Audit role PED key or password is a critical property for managing the audit logs. If that authentication secret is lost, the HSM must be factory reset (that is, zeroized) in order to initialize the Audit role again.
• Multiple bad logins produce different results for the SO and for the Audit role:
  – After 3 bad SO logins, the LUNA_RET_SO_LOGIN_FAILURE_THRESHOLD error is returned and the HSM is zeroized.
  – After 3 bad Audit logins, the LUNA_RET_AUDIT_LOGIN_FAILURE_THRESHOLD error is returned, but the HSM is unaffected. If another login attempt is made within 30 seconds, the LUNA_RET_AUDIT_LOGIN_TIMEOUT_IN_PROGRESS error is returned. If you wait more than 30 seconds and try again with the correct password, the login succeeds.

Audit Logging General Advice and Recommendations

The Security Audit Logging feature can produce a significant volume of data. It is expected, however, that Audit Officers will configure it properly for their specific operating environments. The data produced when the feature has been properly configured might be used for a number of purposes, such as:

• Reconstructing a particular action or set of actions (forensics)
• Tracing the actions of an application or individual user (accounting)
• Holding a specific individual accountable for their actions (non-repudiation)

That last point represents the ultimate purpose of any audit trail: to establish an irrefutable record of the chain of events leading up to a particular incident, so that the individual responsible can be identified and held accountable. Not every organization will want to use security audit to meet the strict requirements of establishing such a chain of events. However, all security audit users will want an accurate representation of a particular sequence of events.
To ensure that the audit log contains an accurate representation of events and can be readily interpreted when reviewed, follow these basic guidelines once the audit logging feature has been properly configured:

• Use a shell script to execute the audit sync command at least once every 24 hours, provided the host has maintained its connection(s) to its configured NTP server(s).
• Do not allow synchronization with the host's clock if the host has lost connectivity to NTP. This ensures that the HSM's internal clock is not set to a less accurate time than it has maintained internally. In general, the HSM's RTC drifts much less than the host's RTC and is therefore significantly more accurate than the host in the absence of NTP.
• Review logs at least daily and adjust configuration settings if necessary. It is important that any anomalies be identified as soon as possible and that the logging configuration in place is effective. If possible, use the remote logging feature to transmit log data to a Security Information and Event Management (SIEM) system that automatically analyzes log data and identifies anomalous events.
• Execute the audit log tarlogs LunaSH command regularly to archive the audit logs and transfer them to a separate machine for long-term storage. Also execute the audit log clear LunaSH command regularly to free up the audit log disk space on the SafeNet Luna Network HSM.
• Consider installing and configuring a SafeNet Luna PCIe HSM in (or connected to) the remote log server to act as a "verification engine" for the remote log server. Ensure that the log secret for the operational HSM(s) has been shared with the log server's verification HSM.

Note: This is not always possible unless you are physically copying the logs over from the .tgz archive.
Because log records do not necessarily appear on the remote log server immediately, the HMAC check might fail. Also, if more than one SafeNet Luna HSM is posting log records to a remote server, this can interfere with record counts.

• The audit log records are comma-delimited. We recommend that full use be made of the CSV formatting to import records into a database system or spreadsheet tool for analysis, if a SIEM system is not available.
• The ASCII-hex data representing the command, returned values and error code should be examined if an anomaly is detected in log review or analysis. It may be possible to match this data to the HSM's dual-port data. The dual-port, if available, contains additional data that can help establish the context surrounding the anomalous event. For example, if an unexpected error occurs, it could be possible to identify the trace through the firmware subsystems associated with the error condition. This information would be needed to help determine whether the error was unexpected but legitimate, or was forced in an attempt to exploit a potential weakness.

An important element of the security audit logging feature is the "Log External" function. See the SDK Reference Guide for more information. For applications that cannot add this function call, you can use the LunaCM command audit log external within a startup script to insert a text record when the application is started.

Disk Full

If all the audit disk space is used up, audit logs are written to the HSM's small persistent memory. When the HSM's persistent memory is also full, normal cryptographic commands fail with a "disk full" error. To resolve the situation, the audit user must:

• Archive the audit logs on the host side.
• Move the audit logs to another location for safe storage.
• Clear the audit log directory.
• Restart the logger daemon.
To prevent the "disk full" situation, we recommend that the audit user routinely archive the audit logs and clear the audit log directory.

Audit Log Categories and HSM Events

This section provides a summary of the audit log categories and their associated HSM events.

HSM Access

HSM Event                            Description
LUNA_LOGIN                           C_Login. This event must be allowed to proceed even if the result should be logged but cannot be (for example, due to a log full condition).
LUNA_LOGOUT                          C_Logout. This event must be allowed to proceed even if the result should be logged but cannot be (for example, due to a log full condition).
LUNA_MODIFY_OBJECT                   C_SetAttributeValue
LUNA_OPEN_SESSION                    C_OpenSession. This event must be allowed to proceed even if the result should be logged but cannot be (for example, due to a log full condition).
LUNA_CLOSE_ALL_SESSIONS              C_CloseAllSessions
LUNA_CLOSE_SESSION                   C_CloseSession. This event must be allowed to proceed even if the result should be logged but cannot be (for example, due to a log full condition).
LUNA_OPEN_ACCESS                     CA_OpenApplicationID
LUNA_CLEAN_ACCESS                    CA_Restart, CA_RestartForContainer
LUNA_CLOSE_ACCESS                    CA_CloseApplicationID
LUNA_LOAD_CUSTOM_MODULE              CA_LoadModule
LUNA_LOAD_ENCRYPTED_CUSTOM_MODULE    CA_LoadEncryptedModule
LUNA_UNLOAD_CUSTOM_MODULE            CA_UnloadModule
LUNA_EXECUTE_CUSTOM_COMMAND          CA_PerformModuleCall
LUNA_HA_LOGIN                        CA_HAGetLoginChallenge, CA_HAAnswerLoginChallenge, CA_HALogin, CA_HAAnswerMofNChallenge, HAActivateMofN

Log External

HSM Event                            Description
LUNA_LOG_EXTERNAL                    CA_LogExternal

HSM Management

HSM Event                            Description
LUNA_ZEROIZE                         CA_FactoryReset. This event is logged unconditionally.
LUNA_INIT_TOKEN                      C_InitToken. This event is logged unconditionally.
LUNA_SET_PIN                         C_SetPIN
LUNA_INIT_PIN                        C_InitPIN
LUNA_CREATE_CONTAINER                CA_CreateContainer
LUNA_DELETE_CONTAINER                CA_DeleteContainer, CA_DeleteContainerWithHandle
LUNA_SEED_RANDOM                     C_SeedRandom
LUNA_EXTRACT_CONTEXTS                C_GetOperationState
LUNA_INSERT_CONTEXTS                 C_SetOperationState
LUNA_SELF_TEST                       C_PerformSelfTest
LUNA_LOAD_CERT                       CA_SetTokenCertificateSignature
LUNA_HA_INIT                         CA_HAInit
LUNA_SET_HSM_POLICY                  CA_SetHSMPolicy
LUNA_SET_DESTRUCTIVE_HSM_POLICY      CA_SetDestructiveHSMPolicy
LUNA_SET_CONTAINER_POLICY            CA_SetContainerPolicy
LUNA_SET_CAPABILITY                  Internal, for capability update
LUNA_CREATE_LOGIN_CHALLENGE          CA_CreateLoginChallenge
LUNA_REQUEST_CHALLENGE               CA_SIMInsert, CA_SIMMultiSign
LUNA_PED_INIT_RPV                    CA_InitializeRemotePEDVector
LUNA_PED_DELETE_RPV                  CA_DeleteRemotePEDVector
LUNA_MTK_LOCK                        Internal, for manufacturing
LUNA_MTK_UNLOCK_CHALLENGE            Internal, for manufacturing
LUNA_MTK_UNLOCK_RESPONSE             Internal, for manufacturing
LUNA_MTK_RESTORE                     CA_MTKRestore
LUNA_MTK_RESPLIT                     CA_MTKResplit
LUNA_MTK_ZEROIZE                     CA_MTKZeroize
LUNA_FW_UPGRADE_INIT                 CA_FirmwareUpdate
LUNA_FW_UPGRADE_UPDATE               CA_FirmwareUpdate
LUNA_FW_UPGRADE_FINAL                CA_FirmwareUpdate
LUNA_FW_ROLLBACK                     CA_FirmwareRollback
LUNA_MTK_SET_STORAGE                 CA_MTKSetStorage
LUNA_SET_CONTAINER_SIZE              CA_SetContainerSize

Key Management

HSM Event                                                   Description
LUNA_CREATE_OBJECT                                          C_CreateObject
LUNA_COPY_OBJECT                                            C_CopyObject
LUNA_DESTROY_OBJECT                                         C_DestroyObject
LUNA_DESTROY_MULTIPLE_OBJECTS                               CA_DestroyMultipleObjects
LUNA_GENERATE_KEY                                           C_GenerateKey
LUNA_GENERATE_KEY_PAIR                                      C_GenerateKeyPair
LUNA_WRAP_KEY                                               C_WrapKey
LUNA_UNWRAP_KEY                                             C_UnwrapKey
LUNA_DERIVE_KEY                                             C_DeriveKey
LUNA_GET_RANDOM                                             C_GenerateRandom
LUNA_CLONE_AS_SOURCE, LUNA_REPLICATE_AS_SOURCE              CA_CloneAsSource
LUNA_CLONE_AS_TARGET_INIT, LUNA_REPLICATE_AS_TARGET_INIT    CA_CloneAsTargetInit
LUNA_CLONE_AS_TARGET, LUNA_REPLICATE_AS_TARGET              CA_CloneAsTarget
LUNA_GEN_TKN_KEYS                                           CA_GenerateTokenKeys
LUNA_GEN_KCV                                                CA_ManualKCV, C_InitPIN, C_InitToken, CA_InitAudit
LUNA_SET_LKCV                                               CA_SetLKCV
LUNA_M_OF_N_GENERATE                                        CA_GenerateMofN_Common, CA_GenerateMofN
LUNA_M_OF_N_ACTIVATE                                        CA_ActivateMofN
LUNA_M_OF_N_MODIFY                                          CA_ActivateMofN
LUNA_EXTRACT                                                CA_Extract
LUNA_INSERT                                                 CA_Insert
LUNA_LKM_COMMAND                                            CA_LKMInitiatorChallenge, CA_LKMReceiverResponse, CA_LKMInitiatorComplete, CA_LKMReceiverComplete
LUNA_MODIFY_USAGE_COUNT CA_ModifyUsageCount Key Usage and Key First Usage HSM Event Description LUNA_ENCRYPT_INIT C_EncryptInit LUNA_ENCRYPT C_Encrypt LUNA_ENCRYPT_END C_EncryptFinal LUNA_DECRYPT_INIT C_DecryptInit LUNA_DECRYPT C_Decrypt LUNA_DECRYPT_END C_DecryptFinal LUNA_DIGEST_INIT C_DigestInit LUNA_DIGEST C_Digest LUNA_DIGEST_KEY C_DigestKey LUNA_DIGEST_END C_DigestFinal LUNA_SIGN_INIT C_SignInit SafeNet Luna Network HSM Administration Guide Release 7.0 007-013576-002 Rev. A June 2017 Copyright 2001-2017 Gemalto All rights reserved. 32 1 HSM Event Description LUNA_SIGN C_Sign LUNA_SIGN_END C_SignFinal LUNA_VERIFY_INIT C_VerifyInit LUNA_VERIFY C_Verify LUNA_VERIFY_END C_VerifyFinal LUNA_SIGN_SINGLEPART C_Sign LUNA_VERIFY_SINGLEPART C_Verify LUNA_WRAP_CSP CA_CloneMofN_Common LUNA_M_OF_N_DUPLICATE CA_DuplicateMofN LUNA_ENCRYPT_SINGLEPART C_Encrypt LUNA_DECRYPT_SINGLEPART C_Decrypt Audit Logging Audit Log Management HSM Event Description LUNA_LOG_SET_TIME CA_TimeSync LUNA_LOG_GET_TIME CA_GetTime LUNA_LOG_SET_CONFIG CA_LogSetConfig This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). LUNA_LOG_GET_CONFIG CA_LogGetConfig This event must be allowed to proceed even if the result should be logged but cannot (for example, due to a log full condition). LUNA_LOG_VERIFY CA_LogVerify LUNA_CREATE_AUDIT_ CONTAINER ** CA_ InitAudit LUNA_LOG_IMPORT_ SECRET CA_LogImportSecret LUNA_LOG_EXPORT_ SECRET CA_LogExportSecret The event is logged unconditionally. SafeNet Luna Network HSM Administration Guide Release 7.0 007-013576-002 Rev. A June 2017 Copyright 2001-2017 Gemalto All rights reserved. 33 1 Audit Logging Remote Audit Logging With SafeNet Luna Network HSM, the audit logs can be sent to one or more remote logging servers. Either UDP or TCP protocol can be specified. The default is UDP and port 514. 
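An added example (not from the guide): a Python model of what the receiving rsyslog rules in this section's TCP example do with incoming lines. The rule "local3.* /var/log/luna/audit.log;AuditFormat" keeps only facility local3, and the template "%msg:F,94:2%" splits each message on character 94 ('^') and writes field 2; the model also checks the note that the protocol and port set on the appliance must match the rsyslog listener, which with the TCP example's own values (tcp, port 1660 on the appliance; $InputTCPServerRun 514 on the server) does not hold. The sample log lines and the RFC 3164 line layout are assumptions, not captured Luna output.

```python
"""Model of the receiving-side rsyslog rules for Luna remote audit logging.

Added example, not from the SafeNet guide or Gemalto. It reproduces what a
receiving server does with the rules shown in this section:
  * the facility filter  local3.* /var/log/luna/audit.log;AuditFormat
  * the template         $template AuditFormat,"%msg:F,94:2%\\n"
and checks that the appliance's protocol/port match the rsyslog listener.
All sample lines below are constructed; none were captured from an appliance.
"""
import re
from typing import List, Optional, Tuple

LOCAL3 = 19                 # syslog facility number for local3 (PRI = facility*8 + severity)
FIELD_DELIMITER = chr(94)   # 94 is '^': the delimiter named in %msg:F,94:2%
FIELD_NUMBER = 2            # rsyslog field numbers are 1-based, so this is the second field

# RFC 3164 layout assumed for incoming lines: <PRI>Mmm dd hh:mm:ss host tag: msg
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^: ]+): ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_line(line: str) -> Tuple[int, int, str, str]:
    """Return (facility, severity, hostname, msg) for one syslog line."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return pri // 8, pri % 8, m.group("host"), m.group("msg")


def audit_format(msg: str) -> Optional[str]:
    """Apply %msg:F,94:2%: split msg on '^' and keep the second field.

    rsyslog substitutes a marker when the field does not exist; this model
    returns None instead so callers can decide what to do with such lines."""
    fields = msg.split(FIELD_DELIMITER)
    if len(fields) < FIELD_NUMBER:
        return None
    return fields[FIELD_NUMBER - 1]


def audit_log_lines(raw_lines: List[str]) -> List[str]:
    """What 'local3.* ...;AuditFormat' would append to audit.log for raw_lines."""
    out = []
    for line in raw_lines:
        facility, _severity, _host, msg = parse_line(line)
        if facility != LOCAL3:
            continue            # other facilities never reach the audit file
        formatted = audit_format(msg)
        if formatted is not None:
            out.append(formatted)
    return out


_LISTENER_RE = {
    "tcp": re.compile(r"^\$InputTCPServerRun\s+(\d+)", re.M),
    "udp": re.compile(r"^\$InputUDPServerRun\s+(\d+)", re.M),
}


def listener_port(rsyslog_conf: str, protocol: str) -> Optional[int]:
    """Port the legacy $Input*ServerRun directive opens for the given protocol, if any."""
    m = _LISTENER_RE[protocol.lower()].search(rsyslog_conf)
    return int(m.group(1)) if m else None


def appliance_matches_server(protocol: str, port: int, rsyslog_conf: str) -> bool:
    """The guide's rule: protocol and port set with 'audit remotehost add' must
    equal what the rsyslog server listens on."""
    return listener_port(rsyslog_conf, protocol) == port


# Constructed sample input (not Luna output): two local3 records, one from
# another facility, and one local3 record without the expected delimiter.
SAMPLE_LINES = [
    "<158>Jun  5 10:00:01 luna-appliance audit: hdr^LUNA_CREATE_OBJECT result=0^trl",
    "<150>Jun  5 10:00:02 luna-appliance sshd: Accepted publickey for admin",
    "<158>Jun  5 10:00:03 luna-appliance audit: hdr^LUNA_SIGN_INIT result=0^trl",
    "<158>Jun  5 10:00:04 luna-appliance audit: no delimiter in this message",
]

# rsyslog.conf fragment copied from the TCP example in this section
EXAMPLE_RSYSLOG_CONF = """\
$ModLoad imtcp
$InputTCPServerRun 514
$template AuditFormat,"%msg:F,94:2%\\n"
#save log messages from SafeNet Luna Network HSM
local3.* /var/log/luna/audit.log;AuditFormat
"""

if __name__ == "__main__":
    for entry in audit_log_lines(SAMPLE_LINES):
        print(entry)
    print("appliance tcp/1660 matches rsyslog listener:",
          appliance_matches_server("tcp", 1660, EXAMPLE_RSYSLOG_CONF))
```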
Note: You or your network administrator will need to adjust your firewall to pass this traffic (iptables).

UDP Considerations

If you are using the UDP protocol for logging, the following statements are required in the /etc/rsyslog.conf file:

$ModLoad imudp
$InputUDPServerRun (PORT)

Possible approaches include the following:

• With templates:
$template AuditFile,"/var/log/luna/audit_remote.log"
if $syslogfacility-text == 'local3' then ?AuditFile;AuditFormat

• Without templates:
local3.* /var/log/audit.log;AuditFormat

• Dynamic filename:
$template DynFile,"/var/log/luna/%HOSTNAME%.log"
if $syslogfacility-text == 'local3' then ?DynFile;AuditFormat

Note: The important thing to remember is that the incoming logs go to local3, and the port/protocol that is set on the SafeNet appliance must be the same as that set on the server running rsyslog.

Example using TCP

The following example illustrates how to set up a remote Linux system to receive the audit logs using TCP:

1. Register the remote Linux system IP address or hostname with the SafeNet Luna Network HSM:
lunash:> audit remotehost add -host 192.20.9.160 -protocol tcp -port 1660

2. Modify the remote Linux system /etc/rsyslog.conf file to receive the audit logs:
$ModLoad imtcp
$InputTCPServerRun 514
$template AuditFormat,"%msg:F,94:2%\n"
#save log messages from SafeNet Luna Network HSM
local3.* /var/log/luna/audit.log;AuditFormat

3. Modify the remote Linux system /etc/sysconfig/rsyslog file to receive the remote logs:
# Enables logging from remote machines. The listener will listen to the specified port.
SYSLOGD_OPTIONS="-r -m 0"

4. Restart the rsyslog daemon on the remote Linux system:
# service rsyslog restart

5. Monitor the audit logs on the remote Linux system:
# tail -f /var/log/luna/audit.log

2 Backup and Restore HSMs and Partitions

SafeNet Luna HSMs secure the creation, storage, and use of cryptographic data (keys and other objects). However, no device can protect completely against unforeseen damage from various sources, including disaster-scale events. Therefore, the SafeNet Luna HSM product line provides several ways to protect secure copies of your important objects and keys at safe locations and to later restore your important data to your production, or primary, HSM in case of need.

This chapter describes how to back up and restore the contents of your HSMs and HSM partitions. It contains the following sections:

• "Backup and Restore Overview and Best Practices" below
• "About the SafeNet Luna Backup HSM" on page 41
• "Backup HSM Installation, Storage, and Maintenance" on page 49
• "Backup and Restore From the Client to a Local Backup HSM (LunaCM)" on page 54
• "Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)" on page 59
• "Backup and Restore From the Appliance to a Local Backup HSM (LunaSH)" on page 72
• "Troubleshooting" on page 77

Backup and Restore Overview and Best Practices

This section provides an overview of the various ways you can back up and restore your HSM partitions, and provides some guidance for best practices to ensure that your sensitive key material is protected in the event of a failure or other catastrophic event.
It contains the following topics:

• "Backup and Restore Best Practices" on the next page
• "Backup and Restore Options" on the next page
• "How Partition Backup Works" on the next page
• "Performing a Backup" on page 38
• "Objects are Smaller When Stored on Backup HSM" on page 39
• "Comparison of Backup Performance by Medium" on page 39
• "Compatibility with Other Devices" on page 40
• "Why is Backup Optional?" on page 40
• "How Long Does Data Last?" on page 40
• "Additional Operational Questions" on page 41

Backup and Restore Best Practices

To ensure that your data is protected in the event of a failure or other catastrophic event, Gemalto recommends that you use the following best practices as part of a comprehensive backup strategy:

• Develop and document a backup and recovery plan. This plan should include the following:
  – What is being backed up
  – The backup frequency
  – Where the backups are stored
  – Who is able to perform backup and restore operations
  – Frequency of exercising the recovery test plan
• Make multiple backups. To ensure that your backups are always available, build redundancy into your backup procedures.
• Use off-site storage. In the event of a local catastrophe, such as a flood or fire, you might lose both your working HSMs and locally stored backup HSMs. To fully protect against such events, always store a copy of your backups at a remote location. You can automate off-site backups using the remote backup feature. See "Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)" on page 59 for more information.
• Regularly exercise your disaster recovery plan. Execute your recovery plan at least semi-annually (every six months) to ensure that you can fully recover your key material. This involves retrieving your stored Backup HSMs and restoring their contents to a test partition, to ensure that the data is intact and that your recovery plan works as documented.

WARNING! Failure to develop and exercise a comprehensive backup and recovery plan may prevent you from being able to recover from a catastrophic event. Although Gemalto provides a robust set of backup hardware and utilities, we cannot guarantee the integrity of your backed-up key material, especially if stored for long periods. Gemalto strongly recommends that you exercise your recovery plan at least semiannually (every six months) to ensure that you can fully recover your key material.

Backup and Restore Options

The available options for backing up your SafeNet Luna Network HSM partitions include:

• Local or remote backup to a SafeNet Luna Backup HSM (see "Local Partition Backup and Restore Using the Backup HSM" on page 1 and "Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)" on page 59)
• Key synchronization among two or more SafeNet Luna HSMs in an HA configuration (see "High-Availability (HA) Configuration and Operation" on page 105)
• Any combination of the above methods, to suit your needs

The backup operation looks a lot like the restore operation, because they are basically the same event, merely in different directions.

How Partition Backup Works

HSM partition backup securely clones partition objects from a named HSM partition to a SafeNet Luna Backup HSM (supports remote or local backups). This allows you to safely and securely preserve important keys, certificates, etc., away from the primary SafeNet Luna HSM. It also allows you to restore the backup device's contents onto more than one HSM partition, if you wish to have multiple partitions with identical contents.
To back up a partition, you must own it and be able to see it. You can use LunaSH to back up any partitions you own on a SafeNet Luna Network HSM appliance, or LunaCM to back up any SafeNet Luna Network HSM partitions that are visible as slots.

When you back up a partition, the contents of your HSM partition are copied to a matching partition on the SafeNet Luna Backup HSM. You can add to, or replace, objects in the backup archive, as follows:

• Partition backups initiated with the add or append option add new or changed objects to the partition archive, leaving existing objects intact.
• Partition backups initiated with the replace option replace all existing objects in the partition archive with the current contents of the partition, destroying the existing objects.

The backup operation can go from a source partition on a SafeNet Luna HSM to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation, however, cannot create a target partition on a SafeNet Luna HSM; it must already exist.

You can restore a partition backup to the original source HSM or to a different SafeNet Luna HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name; it does not need to match the name of the archive partition on the backup device.

Backup Devices

You can back up all of your partitions to a SafeNet Luna Backup HSM:

SafeNet Luna Backup HSM (Backup HSM)

Note: The word "Remote" in the product name merely indicates that the SafeNet Luna Backup HSM provides remote backup capability. It also supports local backup and restore. The SafeNet Luna Backup HSM is commonly referred to as the Backup HSM.

The SafeNet Luna Backup HSM (Backup HSM) is a separately powered unit that you can connect as follows:

• To the USB port of a SafeNet Luna Network HSM appliance. This allows a SafeNet Luna Network HSM administrator to use LunaSH to back up any partitions on the appliance that they own (non-PSO partitions).
• To the USB port of a local SafeNet Luna HSM client workstation. This allows the workstation administrator to use LunaCM to back up any SafeNet Luna PCIe HSM devices installed in the workstation or any SafeNet Luna Network HSM partitions registered to the workstation.
• To the USB port of a remote SafeNet Luna HSM client workstation running the Remote Backup Service (RBS). You can then register the Remote Backup HSM with a local SafeNet Luna HSM client workstation so that it sees the Remote Backup HSM as a slot in LunaCM. This allows the administrator of the local SafeNet Luna HSM client workstation to use LunaCM to back up any local slots to the remote Backup HSM.

Performing a Backup

To perform a backup, you identify the partition to be backed up (source), and the partition that will be created (or added to) on the Backup HSM. You can specify whether to add/append only unique objects (objects that have not previously been saved onto the target partition), or to replace (overwrite) the objects on the target partition.

LunaSH

If you are using LunaSH to back up a partition on a SafeNet Luna Network HSM, use:

partition backup -partition -tokenpar -serial [-add] [-replace]

More options are available. See "partition backup" on page 1 in the LunaSH Command Reference Guide for full command syntax.
LunaCM

If you are using LunaCM on a client workstation, first log in to the partition as Crypto Officer. If the backup device is:

• a slot in the current system, use:
  partition archive backup -slot -partition [-append] [-replace]
• in a remote workstation, use:
  partition archive backup -slot remote -hostname -port -partition [-append] [-replace]
• a USB-attached HSM, use:
  partition archive backup -slot direct -partition [-append] [-replace]

More options are available. See "partition archive backup" on page 1 in the LunaCM Command Reference Guide for full command syntax.

LunaCM assumes that the target partition already exists with the appropriate domain, while LunaSH expects you to provide the domain, or prompts you if it is not provided (for password-authenticated HSMs).

Replacing or Appending

If a matching target partition exists and the source partition is being incrementally backed up (the add/append option is chosen in the command), then the target partition is not erased. Only source objects with unique IDs are copied to the target (backup) partition, adding them to the objects already there.

If a matching target partition exists and the source partition is being fully backed up (the replace option is chosen in the command), then the existing partition is erased and a new one created.

Objects are Smaller When Stored on Backup HSM

Objects stored on the Backup HSM may be smaller than the same objects stored on the SafeNet Luna Network HSM. For example, symmetric keys are 8 bytes smaller when stored on the Backup HSM. This size difference has no effect on backup and restore operations.

Comparison of Backup Performance by Medium

For reference, this table shows examples of the time required for a backup operation for one partition containing 25 RSA 2048-bit keypairs, or 50 objects in total. The source is a SafeNet Luna Network HSM appliance. The destination backup devices and paths are listed in the table.

Backup Destination                          Time Required for Operation   Comment
SafeNet Luna Backup HSM (PW-auth), local    5 seconds                     Password is supplied with the command
SafeNet Luna Backup HSM (PED-auth), local   5 seconds plus...             Add any time required for PED key operations

Compatibility with Other Devices

Backup can co-exist with PKI Bundle operation. That is, multiple devices can be connected simultaneously to a SafeNet appliance (three USB connectors). Thus, you could connect a SafeNet Luna Backup HSM, a SafeNet DOCK 2 (with migration-source tokens in its reader slots), and a SafeNet Luna USB HSM to the three available USB connectors on the SafeNet Luna Network HSM.

Why is Backup Optional?

In general, a SafeNet Luna HSM or HSM partition is capable of being backed up to a SafeNet Luna Backup HSM. The backup capability is considered a good, desirable, and necessary thing for keys that carry a high cost to replace, such as Certificate Authority root keys and root certificates. However, backup devices are optional equipment for SafeNet Luna HSMs. There are at least two reasons for this:

1. Some customers don't care. They may be using (for example) SSL within a controlled boundary like a corporation, where it is not a problem to simply tell all employees to be prepared to trust a new certificate, in the event that the previous one is lost or compromised. In fact it might be company policy to periodically jettison old certificates and distribute fresh ones. Other customers might be using software that manages lost profiles, making it straightforward to resume work with a new key or cert. The certificate authority that issued the certificates would need backup, but the individual customers of that certificate authority would not.
In summary, it might not be worthwhile to back up keys that are low-cost (from an implementation point of view) to replace. Keys that carry a high cost to replace should be backed up.

2. Some countries do not permit copying of private keys. If you are subject to such laws, and wish to store encrypted material for later retrieval (perhaps archives of highly sensitive files), then you would use symmetric keys, rather than a private/public keypair, for safe and legal backup.

How Long Does Data Last?

SafeNet Luna HSMs have onboard volatile memory meant for temporary data (it disappears when power is removed), and onboard flash memory, used to store permanent material, like PKI Root keys, critical key material, and the firmware that makes the device work.

No electronic storage is forever. If your SafeNet Luna HSM is operated within an ambient temperature range of 0 degrees Celsius to +40 degrees Celsius, or stored between -20 degrees Celsius and +65 degrees Celsius, then (according to industry-standard testing and estimation methods) your data should be retrievable for twenty years from the time that the token was shipped from the factory. This is a conservative estimate, based on worst-case characteristics of the system components.

Additional Operational Questions

Is the SafeNet Luna Backup HSM capable of backing up multiple SafeNet Luna HSMs, or is it a one-to-one relationship? For example, if we had two SafeNet Luna Network HSM appliances each with two partitions, or if we had four SafeNet Luna PCIe HSMs, could we back up all four partitions to a single Backup HSM? If yes, do they need to be under the same domain?

Answer: One SafeNet Luna Backup HSM can back up multiple SafeNet Luna HSMs. The domains on those SafeNet Luna HSMs do not need to match each other (although they can, if desired), since domains can be partition-specific. The only domains that must match are those on any given SafeNet Luna HSM partition and its backup partition on the SafeNet Luna Backup HSM. With that said, the limit on the number of partitions that can be backed up from multiple appliances or embedded HSMs is the remaining space available on the Backup HSM, and the remaining number of partitions (the base configuration for the SafeNet Luna Backup HSM is 20 partitions; you can purchase additional capability).

Can a SafeNet Luna Backup HSM keep multiple backups of a single partition? For example, could we perform a backup of an application partition one month and then back it up again next month without overwriting the previous month?

Answer: Yes, you can do this as long as each successive backup partition (target) is given a unique name.

About the SafeNet Luna Backup HSM

This section describes what you can do with the SafeNet Luna Backup HSM (Backup HSM) and outlines the various ways, both local and remote, that you can connect the Backup HSM to perform backup and restore operations. It contains the following topics:

• "Functionality of the SafeNet Luna Backup HSM" below
• "Backup and Restore Options and Configurations" on page 43

Note: The word "Remote" in the product name merely indicates that the Backup HSM provides remote backup capability. You can use the SafeNet Luna Backup HSM to back up the contents of your HSM to a locally attached Backup HSM, or to a remotely located Backup HSM. The SafeNet Luna Backup HSM is referred to as the Backup HSM in this section.

Functionality of the SafeNet Luna Backup HSM

You can use the SafeNet Luna Backup HSM to back up multiple partitions from one or more SafeNet Luna Network HSMs or SafeNet Luna PCIe HSMs. Partition domain and authentication attributes are maintained when you back up a partition, which affects how you can use the Backup HSM.
Storage Capacity and Supported Number of Partitions

Backup is performed on a per-partition basis. The SafeNet Luna PCIe HSM supports one application partition. The SafeNet Luna Network HSM supports multiple application partitions. The size of a SafeNet Luna Network HSM partition is configurable, but since all partitions share the HSM memory, the more partitions you create, the smaller they must be.

The base configuration for the SafeNet Luna Backup HSM is 20 partitions and 15.5 Mb of space, allowing you to back up a SafeNet Luna Network HSM with up to twenty partitions, or any combination of partitions on individual SafeNet Luna HSMs, up to the maximum memory available on the Backup HSM. SafeNet Luna Network HSMs can be updated to support up to 100 partitions. You have the option of purchasing and adding capability upgrades for 50 or 100 partitions to the SafeNet Luna Network HSM, as well as to the SafeNet Luna Backup HSM.

Note: The size of the partition header is different for a SafeNet Luna Network HSM partition and its equivalent backup partition stored on a SafeNet Luna Backup HSM. As a result, the value displayed in the Used column in the output of the partition list command (for the backed-up SafeNet Luna Network HSM partition) is different from the value displayed in the Used column in the output of the token backup partition list command (for the backup partition on the Backup HSM).

Upgrading the Number of Supported Partitions

The 50 Partitions Capability Upgrade and the 100 Partitions Capability Upgrade are provided in the form of CUFs (capability update files) that can be applied to a SafeNet Luna Backup HSM connected to your workstation, in the same fashion as upgrades are applied to an installed SafeNet Luna PCIe HSM or to a USB-connected SafeNet Luna USB HSM.

The 50 Partitions Capability Upgrade and the 100 Partitions Capability Upgrade are also provided in the form of a secure package (.spkg file) that can be uploaded (via scp or pscp) for processing by the SafeNet Luna Network HSM, to upgrade the SafeNet Luna Network HSM partition limit, or to upgrade the partition limit of a SafeNet Luna Backup HSM connected directly to the SafeNet Luna Network HSM appliance for local backup. When your SafeNet Luna Backup HSM is connected locally to a SafeNet Luna Network HSM appliance, use the upgrade instructions at "HSM Capability and Partition Upgrades" on page 287 to apply an upgrade to increase the number of HSM partitions that can be backed up to the device.

Domains and Backups

If the target partition exists on the Backup HSM, then it must already share its partition domain with the source partition. If the target partition is being created, then it takes the domain of the source partition. Multiple partitions, with different domains, can exist on a single Backup HSM.

As with backup operations, restore operations can take place only where the source and target partitions have the same domain.

• Full/replace backup or restore creates a new target partition with the same domain as the source partition.
• Partial (additive/incremental) backup or restore requires the existing source and target partitions to have the same domain before the operation can start.

No cross-domain copying (backup or restore) is possible; there is no way to "mix and match" objects from different domains.

PED or Password Authentication

The Backup HSM creates a partition with matching authentication type to the SafeNet Luna HSM partition that is being backed up. That does not work in the opposite direction, however. The Backup HSM can restore a partition (or contents of a partition) only to a SafeNet Luna HSM of matching authentication type.

You cannot mix partition authentication types on one backup device. That is, if you have a PED-authenticated HSM and a password-authenticated HSM, you require two Backup HSMs in order to have a backup of each HSM's partitions. There is no possibility of backing up data from a higher-security device (Trusted Path, PED-authenticated, FIPS-3) onto a lower-security device (Password protected, FIPS-2). Normally this is not a concern because a given installation is likely to employ SafeNet Luna HSMs that are all of the same authentication type.

However, for HSMs of the same authentication type, you could back up (or restore) partitions from different HSMs onto a single SafeNet Luna Backup HSM, as long as there is sufficient room. Given that the type matches, the authentication (domain) is handled at the partition level.

Backup and Restore Options and Configurations

The SafeNet Luna Backup HSM supports local or remote HSM backup. The options for backup of primary/source SafeNet Luna HSMs are:

• Local backup of any SafeNet Luna HSM, where all components are co-located. This is a possible scenario with all SafeNet Luna HSMs, but is more likely with direct-connect, local-to-the-client HSMs such as the SafeNet Luna PCIe HSM. It is unlikely for the SafeNet Luna Network HSM, simply because the SafeNet Luna Network HSM normally resides in a server rack, distant from its administrators.
• Local backup of a SafeNet Luna Network HSM, where the SafeNet Luna Network HSM is located remotely from a computer that has the SafeNet Luna Backup HSM. This is one of the likely scenarios with the SafeNet Luna Network HSM, but requires that the administrator performing the backup have client authentication access to all SafeNet Luna Network HSM partitions.
• Remote backup of any SafeNet Luna HSM, where the SafeNet Luna HSM is located remotely from the computer that has the SafeNet Luna Backup HSM. This scenario requires that the administrator of the SafeNet Luna Backup HSM's host computer connect (via SSH or RDP) to the clients of each HSM partition that is to be backed up. The client performs the backup (or restore) under remote direction.

In local mode, you connect the Backup HSM directly, via USB, to a SafeNet Luna Network HSM appliance or SafeNet Luna PCIe HSM host server. That is, local backup is local to the HSM being backed up, not necessarily local to the administrator who is directing the process, who might be far away.

For remote backup, you connect the Backup HSM via USB to a computer running vtl and the driver for the device. Backup and restore are then performed over the secure network connection.

For PED-authenticated HSMs, you must have a copy of the appropriate red (domain) PED keys to use with the Backup HSM in order to perform the copy/cloning (backup and restore) operation between the HSMs.

Backing Up a Local HSM to a Directly Connected Backup HSM

The simplest way to back up your SafeNet Luna Network HSM is to connect the Backup HSM directly to the SafeNet Luna Network HSM appliance. To perform a backup/restore, you open an SSH or serial connection from your workstation to the appliance, and then launch LunaSH in a terminal session to perform the backup, as illustrated in the following figure:

The workstation is simply a display terminal for LunaSH running on the appliance. It does not require the SafeNet Luna Client software.

The PEDs are required only if the SafeNet Luna Network HSM is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required.
Backup to a Backup HSM Connected to a Local Client

The following diagram depicts the elements and connections of the local backup (and restore) operation, where everything is in one room.

1. LunaCM on the client (host) system sees the primary and backup slots and controls the backup/restore operation.
2. The Backup HSM is a slot visible to the client (host) system when it runs LunaCM.
3. Working HSMs are slots visible to the client (host) system when it runs LunaCM.
4. Every slot on the backup must have the same domain (red PED key) as the matching slot on the primary HSMs.

The other two backup and restore options, local backup of a distant SafeNet Luna Network HSM and remote backup of any SafeNet Luna HSM, require that PED operations be performed remotely. For that reason, HSMs must be prepared (locally) in advance by having orange Remote PED keys created and matched with each HSM.

Backing Up a Remote HSM to a Locally-Connected Backup HSM

The diagram below summarizes the elements and setup for backing up partitions of a remote SafeNet Luna Network HSM to a Backup HSM that is attached to the local host. For this example, the system administrator (admin) for the SafeNet Luna Network HSM appliance is also the person doing the backup. The local host is configured as follows:

• The SafeNet Luna HSM client software with the Remote PED options is installed.
• A Remote Luna PED is connected.
• The SafeNet Luna Backup HSM is connected.

Before performing a backup, the admin must open an SSH session to the SafeNet Luna Network HSM appliance and perform a certificate exchange and registration for each SafeNet Luna Network HSM partition to be backed up, to make the local host a client of the partitions.

1. The admin must have client access to each partition being backed up. In this scenario, the admin must have black PED keys and passwords for the partitions.
2. The local host is used to control the backup/restore. The SafeNet Luna HSM client vtl software is used to generate and trade certificates with the SafeNet Luna Network HSM, to create an NTLS link. The Luna PEDServer software running on the local host, in conjunction with the PEDClient software running on the SafeNet Luna Network HSM, provides remote PED access to the SafeNet Luna Network HSM.
3. The local host can see the SafeNet Luna Network HSM partitions as slots in LunaCM. The Luna PEDClient software runs on the SafeNet Luna Network HSM when it needs to access the Remote PED via the Luna PEDServer software running on the local host.
4. Every slot on the Backup HSM must have the same domain (red PED key) as the matching slot on the working HSM. The domain (red) PED keys can be different for each partition or they can share one common domain, re-used for all partitions. The important consideration is that whatever domain situation exists on the primary HSM must be matched on the Backup HSM.
5. The local host can see the Backup HSM as a slot in LunaCM.

Because the local host views the backup/restore operation in this scenario as a local transaction, between two slots visible to LunaCM on the local host, the remote backup service (RBS) is not needed. This scenario avoids the complication of an intermediary computer (as would be needed for true remote backup), but at the cost of giving the authentication keys for all client partitions to an administrator. Your security protocol determines whether this is acceptable.

Backing Up a Remote HSM to a Remotely-Connected Backup HSM

This section describes how to back up a remote HSM to a Backup HSM that is connected over the network to a remote host.
In this configuration, you require an orange PED key, imprinted with the Remote PED Vector (RPV) for the HSM you want to back up. To create the orange PED key, you must temporarily connect a PED directly to the HSM you want to back up, as illustrated in the following figure. The figure shows a local admin session to the HSM. You could administer remotely, but this operation nevertheless requires a local PED connection to the HSM and someone there to insert PED keys and press buttons on the PED keypad, so we depict the most likely connection situation - one person doing all jobs at one location. Once the HSM has been matched to an orange Remote PED key, all future authentications can be performed with Remote PED, and the HSM can safely be shipped to its distant location.

Figure 1: Creating an orange PED key imprinted with the remote PED vector (RPV) for the HSM

After you have created the orange (RPV) PED key and have the appropriate red (domain) PED keys for the partitions you want to back up, you are ready to configure and use your Remote Backup HSM.

In this scenario, you could have as many as three different computers (we depict two for our example) connecting to the SafeNet Luna Network HSM:
• one to run the ssh administrative connection to the shell (lunash:>) on the SafeNet Luna Network HSM appliance
• one to run the Remote PED server, with the Luna PED (in remote mode) connected via USB to the computer and separately connected to the mains electrical power source (see "Changing Modes" on page 176 for instructions on changing modes on the Luna PED)
• one to run a client session with vtl and the SafeNet Remote Backup driver, and with the SafeNet Luna Backup HSM with its own local Luna PED attached

As noted previously, the orange PED keys contain a Remote PED Vector (RPV) that matches the RPV inside the SafeNet Luna Network HSM. It is the presence of that RPV at both ends that allows the connection to be made between the HSM and the Remote PED. At the same time, the SafeNet Luna Network HSM and the SafeNet Luna Backup HSM must share the same cloning domain, in order for backup and restore (cloning) operations to take place between the two HSMs. Therefore, red PED keys with that cloning domain must be available.

SafeNet Luna HSMs use Remote Backup Service (RBS) to facilitate Remote Backup.

Required Software

• LunaCM is required on both the Client (Host) System and on the System Admin computer, but is run on the Client (Host) System to launch and manage the backup and restore activity.
• PEDClient is needed on both the Client (Host) System and the System Admin computer, as well as on any SafeNet Luna Network HSM. PEDClient is needed on any host that must reach out to a PEDServer instance and a Remote PED. PEDClient instances can also communicate with each other to facilitate RBS.
• PEDServer must reside (and run, waiting for calls) on any computer connected to a Remote PED.
• RBS is required on the computer connected to the SafeNet Luna Backup HSM. RBS is not needed on any other computer in the scenario.

Example

The following figure provides an example configuration for backing up a remote HSM to a backup HSM connected to a remote host. This scenario adds an intermediate computer (Client (Host) System) to broker the remote backup of the HSM partitions. That could be a special-purpose computer, or it could simply mean that the Admin on the computer with the Remote Backup HSM is given remote access to each client that normally uses a SafeNet Luna HSM partition. The tradeoff is that those clients already have access to their registered partitions, so there is no need for the Remote Backup HSM admin to have client access (PED keys) for those partitions. Your security protocol dictates which scenario is appropriate for you.

Figure 2: Configuration for backing up a remote HSM to a backup HSM connected to a remote host

1 "Client (Host) System" (1a) is a client of the SafeNet Luna Network HSM being backed up, but "System Admin" (1b) is not a client of the SafeNet Luna Network HSM.
2 LunaCM on "Client (Host) System" (2a) sees the primary (2b) and backup (2c) slots and controls the backup/restore.
3 Each SafeNet Luna Network HSM (3a) partition is a slot visible to a "Client (Host) System" (3b) when the Client (Host) System runs LunaCM.
4 Every slot on the backup (4a) must have the same domain (red PED key) as the matching slot on the primary HSMs (4b).
5 Every primary HSM slot (partition) that is to be backed up or restored must be in login or activated state (black PED keys (5)), so that the Client (Host) System can access it with LunaCM backup or restore commands.
6 The Backup HSM (6a) is a slot visible to "Client (Host) System" (6b) when the Client (Host) System runs LunaCM.

Backup HSM Installation, Storage, and Maintenance

This section describes how to install and maintain your SafeNet Luna Backup HSM (Backup HSM), and prepare it for storage.
It contains the following sections:
• "Connecting a Backup HSM" below
• "Disconnecting a Backup HSM" on the next page
• "Installing the Battery" on the next page
• "Backup HSM Storage and Maintenance" on page 53

Connecting a Backup HSM

For local backup, connect the Backup HSM to a power source, and via USB cable to the SafeNet Luna Network HSM USB port. For remote backup, connect the Backup HSM to a power source, and via USB cable to a USB port on your computer. In both cases, the cable attaches to the port on the back panel of the Backup HSM, which requires a mini-USB at that end of the cable (similar cable as used to connect computers to cameras, older cellphones, etc.).

PED-authenticated HSMs

At the front panel, connect the SafeNet PED, using the supplied cable between the micro-D subminiature (MDSM) receptacle on top of the PED, and the matching MDSM receptacle on the front panel of the SafeNet Luna Backup HSM (the receptacle labeled "PED").

Disconnecting a Backup HSM

The Backup HSM is a USB device. It is not equipped with a power switch. There is no special procedure for disconnecting or shutting down a SafeNet Luna Backup HSM.

If the Backup HSM is used in remote configuration for SafeNet Luna Network HSM (connected to a workstation acting as backup server), then your only action is to do the usual dismount of a USB device (for the benefit of your workstation, not the Backup HSM - “It is now safe to disconnect your USB Device”). Linux and UNIX platforms have their equivalent unmount actions for USB. Then disconnect the cables.

If the Backup HSM is connected to the SafeNet Luna Network HSM for local backup, you have no access to the SafeNet Luna Network HSM’s internal hardened kernel, so you cannot issue an un-mount instruction. Simply disconnect the cables and the system figures it out at either end. Both the SafeNet Luna Network HSM and the Backup HSM accept this treatment very robustly.

Installing the Battery

The battery that powers the NVRAM and RTC in the SafeNet Luna Backup HSM is shipped uninstalled, in the packaging. This preserves the battery in case the unit spends a long time in transit or is stored in your warehouse as a spare. With the battery not inserted, the real-time clock and NVRAM are not depleting its charge to no purpose. If you are preparing a fresh-from-the-factory Backup HSM to place it into service, then you must install the battery before using the device.

1 Begin by removing the front face-plate. It is held in place by two spring clips. Grasp the face-plate firmly and pull to disengage the clips. Set the face-plate aside.
2 The battery compartment is to the right as you face the unit. The compartment cover is circular and has both raised dots and a recessed slot. Use finger-pressure against the dots, or the edge of a coin in the slot, to twist the battery compartment cover ¼ turn in a counter-clockwise direction. The cover should fall out easily.
3 Remove the battery from its packaging and align it at the opening of the SafeNet Luna USB HSM (or SafeNet Luna Backup HSM) battery compartment. The battery has a “+” sign near the end with the raised nub/bump. The flat end of the battery is the negative pole (-).
4 Insert the battery, negative end first. The positive end (+) should protrude. The compartment is spring-loaded.
5 Use the battery compartment cover to push the battery into the compartment, against the spring tension. Maintaining the pressure, align the two tabs on the inside of the cover with the two recessed indentations at the top and bottom of the compartment opening. With a little jiggling and a few trial pushes, the tabs should settle into those recesses, allowing the cover to seat flush with the front of the SafeNet Luna Backup HSM. Maintain the inward pressure and twist the cover ¼ turn clockwise to lock it in place. The battery is installed.
6 Replace the front-panel cover by aligning the clips with their respective posts and pushing until the clips grab the posts and the cover snaps in place.

Backup HSM Storage and Maintenance

The SafeNet Luna Backup HSM (for backing up and restoring HSM and partition contents) and the SafeNet Luna USB HSM (for PKI options) can be stored, with valuable contents, when not in use. The battery that powers the NVRAM and RTC in either device must be installed for use, but some questions commonly arise if the device is to be stored for long periods.

Should I take the battery out when storing the HSM in a safe?

It is generally good practice to remove batteries when storing electronic devices, to preclude accidental damage from battery leakage. We use high-quality, industrial-grade batteries, that are unlikely to fail in a damaging fashion, but prudence suggests removing them, regardless. Also, if the unit is not in use, there is no need to maintain power to the RTC and NVRAM, so an externally stored battery will last longer.

If the battery is out, what happens?

If main power is not connected, and the battery dies, or is removed, then NVRAM and the system's Real Time Clock lose power. The working copy of the MTK is lost.

If the battery dies during operation, will I lose my key material? Will corruption occur?

The only key material that is lost is session objects (including working copies of stored keys) that are in use at the time. If the "originals" of those same objects are stored as HSM/partition objects, then they reside in non-volatile memory, and those are preserved. There is no corruption of stored objects.

Where can I get a spare/replacement battery?

From any supplier that can match the specifications.

Technical Specifications:
• 3.6 V Primary lithium-thionyl chloride (Li-SOCl2)
• Fast voltage recovery after long term storage and/or usage
• Low self discharge rate
• 10 years shelf life
• Operating temperature range -55 °C to +85 °C
• U.L. Component Recognition, MH 12193

Storage Conditions:
• Cells should be stored in a clean & dry area (less than 30 % Relative Humidity)
• Temperature should not exceed +30 °C

How do I know if the battery is dead or about to die? Can I check the status of the battery?

There is not a low battery indicator or other provision for checking status. The battery discharge curve is such that the voltage remains constant until the very end of the battery life, at which point the discharge is extremely steep.

What must I do to recover function, and access to my key material, after battery removal/discharge?

Insert the battery, connect the HSM, power it up, and resume using it. The MTK that was deleted by the tamper event (battery removal/discharge) is reconstituted from stored portions as soon as you log in. All your stored material is available for use.

Backup and Restore From the Client to a Local Backup HSM (LunaCM)

This section describes how to use LunaCM to back up and restore a partition from the client to a locally connected SafeNet Luna Backup HSM (Backup HSM).
To perform a local backup, you connect the SafeNet Luna Backup HSM to a USB port on the SafeNet Luna HSM client workstation and use LunaCM to log in as the Crypto Officer (CO) and back up any SafeNet Luna Network HSM or SafeNet Luna PCIe HSM partitions that are visible as slots. The backup operation can go from a source partition (on a SafeNet Luna Network HSM) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation, however, cannot create a target partition on a SafeNet Luna Network HSM; it must already exist.

You can restore a partition backup to the source HSM or to a different SafeNet Luna Network HSM. The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name - it does not need to match the name of the source partition on the backup HSM.

You can connect the Backup HSM to a SafeNet Luna HSM client workstation to back up any SafeNet Luna Network HSM or SafeNet Luna PCIe HSM partitions that are visible as slots in LunaCM, as illustrated in the following figure:

Figure 1: Configuration for SafeNet Luna Network HSM/PCIe partition backup/restore using a Backup HSM connected to a local client workstation

In this configuration, you connect the Backup HSM and SafeNet Remote PED, via USB, to your SafeNet Luna HSM client workstation. The SafeNet Luna Network HSM appliance is remote to the SafeNet Luna HSM client workstation and is connected using NTLS. Any installed PCIe devices communicate with the SafeNet Luna HSM client over the PCI bus. Any partitions you want to back up must be registered with the SafeNet Luna HSM client workstation, and be visible as slots in LunaCM. The Backup HSM must also be visible as a slot.

If you are backing up PED-authenticated partitions, you require a PED. If you want to back up SafeNet Luna Network HSM partitions, the PED must have remote capability (Remote PED). Remote PED uses the pedserver/pedclient processes running on the SafeNet Luna HSM client workstation and on the SafeNet Luna Network HSM appliance to provide remote PED services for the network-attached SafeNet Luna Network HSM appliance. The PED provides authentication for all of the attached HSMs (the USB-connected SafeNet Luna Backup HSM, the NTLS-connected SafeNet Luna Network HSM, and the PCI bus-connected SafeNet Luna PCIe HSM). Every slot on the backup must have the same domain (red PED key) as the matching slot on the source HSMs.

Note: If you have Private Key Cloning switched off for the current partition, then the backup operation proceeds, but skips over any private keys, and clones only the permitted objects onto the Backup HSM. Similarly, if you restore from a token that includes private keys, but the target partition has Private Key Cloning disallowed, then all other objects are recovered to the partition, but the private keys are skipped during the operation.

Backing Up a Partition to a Locally Connected Backup HSM

You can back up any slots you can see on the client workstation. You must log in as the Crypto Officer to the partition you want to back up.

To back up an application partition to a Backup HSM connected to a SafeNet Luna HSM client workstation:

1. Configure the remote PED, as described in "Using Remote PED" on page 203.

2. Start the LunaCM utility on the SafeNet Luna HSM client workstation.

    C:\Program Files\SafeNet\LunaClient>lunacm.exe
    LunaCM V7.0 - Copyright (c) 2006-2017 Gemalto, Inc.

    Available HSM's:

    Slot Id ->              1
    HSM Label ->            SA52_P1
    HSM Serial Number ->    500409014
    HSM Model ->            LunaSA
    HSM Firmware Version -> 7.0.1
    HSM Configuration ->    Luna User Partition With SO (PED) Signing With Cloning Mode
    HSM Status ->           OK

    Slot Id ->              2
    HSM Label ->            BackupHSM
    HSM Serial Number ->    700101
    HSM Model ->            G5Backup
    HSM Firmware Version -> 6.26.0
    HSM Configuration ->    Remote Backup HSM (PED) Backup Device
    HSM Status ->           OK

    Current Slot Id: 1

3. Use the slot set command to go to the slot you want to back up:

    lunacm:> slot set slot 1

    Current Slot Id: 1 (Luna User Slot 7.0.1 (PED) Signing With Cloning Mode)

    Command Result : No Error

4. Establish that the HSM is listening for a SafeNet Remote PED:

    lunacm:> ped get
    HSM slot 1 listening to local PED (PED id=0).
    Command Result : No Error

    lunacm:> ped connect ip 192.20.10.190
    Command Result : No Error

    lunacm:> ped get
    HSM slot 1 listening to remote PED (PED id=100).
    Command Result : No Error

The SafeNet Luna Network HSM is now listening for PED interaction via the link between PedClient on the SafeNet Luna Network HSM appliance and PedServer on the workstation, and is not expecting a PED connected directly at the location of the SafeNet Luna Network HSM.

5. Log in as the Crypto Officer (CO) to the partition in the current slot. This is the partition that you want to back up:

    lunacm:> role login -name Crypto Officer
    Option -password was not supplied. It is required.
    Enter the password: *******
    User is activated, PED is not required.
    Command Result : No Error

6. Disconnect the PED from your source HSM (slot 1 in this example), and connect to the Backup HSM (slot 2 in this example). The PED remains physically connected by USB cable to the SafeNet Luna HSM client workstation, and remains in Remote mode - you are merely changing which slot is in conversation with that PED.

   a. First, tell the SafeNet Luna Network HSM to disconnect from Remote PED with the command ped disconnect.
   b. Tell the Backup HSM to connect to Remote PED (it makes no difference that the PED and the Remote Backup HSM are USB-connected to the same workstation/laptop; when use of Remote PED is invoked by the command ped connect and verified by ped get, all HSM-PED interaction takes place between PedClient running on that workstation and PedServer, also running on that workstation).

    lunacm:> ped connect ip 192.20.10.189 -slot 2
    Command Result : No Error

    lunacm:> ped get -slot 2
    HSM slot 2 listening to remote PED (PED id=100).
    Command Result : No Error

7. Use the partition archive backup command to perform the backup from the current slot (slot 1 in the example, see above) to the partition that you designate on the Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.

    lunacm:> partition archive backup -slot 2 -par SAbck1
    Logging in as the SO on slot 2.
    Please attend to the PED.
    Creating partition SAbck1 on slot 2.
    Please attend to the PED.
    Logging into the container SAbck1 on slot 2 as the user.
    Please attend to the PED.
    Creating Domain for the partition SAbck1 on slot 2.
    Please attend to the PED.
    Verifying that all objects can be backed up...
    85 objects will be backed up.
    Backing up objects...
    Cloned object 99 to partition SAbck1 (new handle 19).
    Cloned object 33 to partition SAbck1 (new handle 20).
    Cloned object 108 to partition SAbck1 (new handle 23).
    Cloned object 134 to partition SAbck1 (new handle 24).
    Cloned object 83 to partition SAbck1 (new handle 25).
    Cloned object 117 to partition SAbck1 (new handle 26).
    Cloned object 126 to partition SAbck1 (new handle 27).
    Cloned object 65 to partition SAbck1 (new handle 28).
    Cloned object 140 to partition SAbck1 (new handle 29).
    Cloned object 131 to partition SAbck1 (new handle 30).
    Cloned object 94 to partition SAbck1 (new handle 31).
    Cloned object 109 to partition SAbck1 (new handle 35).
    Cloned object 66 to partition SAbck1 (new handle 36).
    Cloned object 123 to partition SAbck1 (new handle 39).
    Cloned object 74 to partition SAbck1 (new handle 40).
    Cloned object 50 to partition SAbck1 (new handle 44).
    Cloned object 43 to partition SAbck1 (new handle 45).
    Cloned object 52 to partition SAbck1 (new handle 46).
    Cloned object 124 to partition SAbck1 (new handle 47).
    Cloned object 115 to partition SAbck1 (new handle 48).
    Backup Complete.
    20 objects have been backed up to partition SAbck1 on slot 2.
    Command Result : No Error

8. Backup is complete, and can be verified if you like.

Restoring a Partition from a Locally Connected Backup HSM

You can restore a backup to any slot you can see on the client workstation. You must log in as the Crypto Officer to the partition you want to restore to.

To restore an application partition from a Backup HSM connected to a SafeNet Luna HSM client workstation:

1. Create a target partition for the restore operation on the HSM you are restoring to, if it does not already exist, and register the partition with the SafeNet Luna HSM client workstation so that it is visible as a slot in LunaCM.

2. Start the LunaCM utility on the SafeNet Luna HSM client workstation.

    LunaCM v7.0.0. Copyright (c) 2006-2017 SafeNet.
    Available HSMs:

    Slot Id ->              0
    Label ->                par1
    Serial Number ->        154438865288
    Model ->                LunaSA 7.0.0
    Firmware Version ->     7.0.1
    Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
    Slot Description ->     Net Token Slot

    Slot Id ->              21
    Label ->                lunabackup
    Serial Number ->        496771
    Model ->                G5Backup
    Firmware Version ->     6.26.0
    HSM Configuration ->    Remote Backup HSM (PED) Backup Device
    HSM Status ->           OK

    Current Slot Id: 0

3. Use the slot set command to go to the slot you want to restore to.

    lunacm:> slot set slot 0
    Current Slot Id: 0 (Luna User Slot 7.0.1 (PED) Signing With Cloning Mode)
    Command Result : No Error

4. Open a remote PED session to the SafeNet Luna Network HSM you are restoring to:

    lunacm:> ped connect ip 192.20.10.190
    Command Result : No Error

    lunacm:> ped get
    HSM slot 1 listening to remote PED (PED id=100).
    Command Result : No Error

The SafeNet Luna Network HSM is now listening for PED interaction via the link between PEDclient on the SafeNet Luna Network HSM appliance and PEDserver on the workstation, and is not expecting a PED connected directly at the location of the SafeNet Luna Network HSM.

5. Log into the partition in the current slot. This is the partition that you want to restore to.

    lunacm:> role login -name Crypto Officer
    Option -password was not supplied. It is required.
    Enter the password: *******
    User is activated, PED is not required.
    Command Result : No Error

6. Use the partition archive restore command to restore the partition from the Backup HSM to the current slot, adding to, or replacing, the current partition contents:

    partition archive restore -slot -partition LunaSAPartitionname -password ClientPassword -replace

Note: In the command above, you can use -add instead of -replace. Adding might result in unwanted behaviors, such as having two keys with the same label, if one existed in the HSM partition and one on the backup token. The two would be assigned different handles, however.

Backup and Restore From the Client to a Remote Backup HSM (LunaCM, RBS)

This section describes how to use LunaCM and the Remote Backup Service (RBS) to back up and restore a partition from the client to a remotely located SafeNet Luna Backup HSM (Backup HSM). It contains the following sections:
• "Overview" below
• "Configuring the Remote Backup Service (RBS)" on page 61
• "Backing Up an Application Partition to a Remotely Located Backup HSM" on page 63
• "Restoring an HSM Partition From a Remotely Located Backup HSM" on page 68

Overview

Remote backups are enabled by the SafeNet Remote Backup Service (RBS). RBS is a utility, included with the SafeNet Luna HSM client software, that runs as a service (Windows) or daemon (Unix/Linux) on a workstation used to host one or more remote Backup HSMs. To use RBS, do the following:

1. Configure it to define which of the Backup HSMs connected to the workstation running RBS you want to make available to other SafeNet Luna HSM client workstations or SafeNet Luna Network HSM appliances for performing remote backups.
2. Register the workstation running RBS with any SafeNet Luna HSM client workstations or SafeNet Luna Network HSM appliances that you want to be able to use the Remote Backup HSMs.
3. Start the RBS service/daemon.

Once RBS is configured and running, the SafeNet Luna HSM client workstations or SafeNet Luna Network HSM appliances registered with the workstation running RBS can see its available Backup HSMs as slots in LunaCM (SafeNet Luna HSM client workstation) or LunaSH (SafeNet Luna Network HSM appliance).
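Whether the Backup HSM is local (the LunaCM procedures above) or reached through RBS (this section), the partition archive backup command prints the same transcript, and the -add/-replace note applies to both. The following Python script is an added example; it is not part of this guide and not code from LunaCM or Gemalto. It parses that transcript and checks that the announced object count, the completion count, and the number of "Cloned object" lines agree (the local backup transcript above announces 85 objects and reports 20 backed up, which is exactly the kind of mismatch an operator should notice before relying on the backup), and it models the duplicate-label condition the restore note warns about. The transcript and the (handle, label) listings are constructed sample data, and the handle numbering in the restore model is a simplification, not the HSM's allocator.

```python
"""Post-operation checks for LunaCM partition archive transcripts (added example)."""
import re
from collections import defaultdict

# Constructed sample transcript, shaped like the guide's backup output.
SAMPLE_BACKUP_OUTPUT = """\
lunacm:> partition archive backup -slot 2 -par SAbck1
Logging in as the SO on slot 2.
Please attend to the PED.
Verifying that all objects can be backed up...
3 objects will be backed up.
Backing up objects...
Cloned object 99 to partition SAbck1 (new handle 19).
Cloned object 33 to partition SAbck1 (new handle 20).
Cloned object 108 to partition SAbck1 (new handle 23).
Backup Complete.
3 objects have been backed up to partition SAbck1 on slot 2.
Command Result : No Error
"""

ANNOUNCED_RE = re.compile(r"^(\d+) objects? will be backed up\.$")
COMPLETED_RE = re.compile(r"^(\d+) objects? have been backed up to partition (\S+) on slot (\d+)\.$")
CLONED_RE = re.compile(r"^Cloned object (\d+) to partition (\S+) \(new handle (\d+)\)\.$")
RESULT_RE = re.compile(r"^Command Result : (.+)$")


def parse_backup_output(text):
    """Extract counts, (source object, new handle) pairs and the command result."""
    info = {"announced": None, "completed": None, "partition": None,
            "slot": None, "cloned": [], "result": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = ANNOUNCED_RE.match(line)
        if m:
            info["announced"] = int(m.group(1))
            continue
        m = COMPLETED_RE.match(line)
        if m:
            info["completed"] = int(m.group(1))
            info["partition"] = m.group(2)
            info["slot"] = int(m.group(3))
            continue
        m = CLONED_RE.match(line)
        if m:
            info["cloned"].append((int(m.group(1)), int(m.group(3))))
            continue
        m = RESULT_RE.match(line)
        if m:
            info["result"] = m.group(1)
    return info


def backup_problems(text):
    """Return discrepancies found in a backup transcript; empty list means consistent."""
    info = parse_backup_output(text)
    problems = []
    if info["result"] != "No Error":
        problems.append("command result was %r" % info["result"])
    if info["announced"] is None or info["completed"] is None:
        problems.append("missing announced or completed object count")
        return problems
    if info["announced"] != info["completed"]:
        problems.append("announced %d objects but %d were backed up"
                        % (info["announced"], info["completed"]))
    if len(info["cloned"]) != info["completed"]:
        problems.append("%d 'Cloned object' lines but completion reports %d"
                        % (len(info["cloned"]), info["completed"]))
    return problems


def simulate_restore(existing, backup, mode):
    """Model -replace and -add on (handle, label) listings.

    -replace: target contents are replaced by the backup's objects.
    -add: backup objects are appended and get fresh handles above the existing ones
    (constructed simplification of handle assignment).
    """
    if mode == "-replace":
        return list(backup)
    if mode == "-add":
        next_handle = max((h for h, _ in existing), default=0) + 1
        return list(existing) + [(next_handle + i, label)
                                 for i, (_, label) in enumerate(backup)]
    raise ValueError("mode must be -replace or -add")


def duplicate_labels(objects):
    """Map each label that occurs more than once to the handles carrying it.

    This is the ambiguity the restore note describes: after -add, the original and
    the restored copy keep distinct handles but share a label.
    """
    by_label = defaultdict(list)
    for handle, label in objects:
        by_label[label].append(handle)
    return {label: hs for label, hs in by_label.items() if len(hs) > 1}
```

Run backup_problems over the saved LunaCM transcript after every backup, and duplicate_labels over the target partition's listing after any -add restore, before applications that look objects up by label are pointed at the partition.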
To perform backup and restore operations using the Remote Backup HSMs, you open a LunaCM or LunaSH session, as relevant, on the SafeNet Luna HSM client workstation or SafeNet Luna Network HSM appliance used to host the slot you want to back up, and specify the slot for the Remote Backup HSM as the slot to use for the backup/restore operation.

The backup operation can go from a source partition (on a SafeNet Luna HSM) to an existing partition on the SafeNet Luna Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation cannot create a target partition on a SafeNet Luna Network HSM; it must already exist and have a registered NTLS link.

To back up PED-authenticated partitions, you can connect a remote PED to the Backup HSM host workstation, or you can use a separate computer to provide PED operations.

Note: Remote PED (PED Server) is supported on Windows only.

Configurations for Remote Backup of a SafeNet Luna Client Workstation Slot

The possible configurations for performing a remote backup of a SafeNet Luna HSM client workstation slot are illustrated in the following figures. Only PED-authenticated backup configurations are shown.

Figure 1: Configuration for remote backup of a SafeNet Luna HSM client workstation slot with the remote PED connected to the backup workstation

Figure 2: Configuration for remote backup of a SafeNet Luna HSM client workstation slot with the remote PED connected to a separate workstation

Configuring the Remote Backup Service (RBS)

RBS is not a standalone feature. It is a service that facilitates certain scenarios when backing up HSM partitions or restoring onto those partitions, using a backup HSM that is distant from the primary HSM and its host or client.
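The registration step of the RBS overview (and steps 7 and 8 of the configuration procedure that follows) copies server.pem from the RBS host over the network and then registers it with vtl add. Whatever certificate is registered becomes the identity the primary HSM host trusts for the remote backup link, so it is worth confirming, before vtl add, that the file that arrived is the one generated on the RBS host. The following Python script is an added example, not part of this guide and not code from the rbs or vtl tools; it assumes only the standard library. It computes a SHA-256 certificate fingerprint from PEM text (for a real certificate this equals what the RBS host's own tooling would report for server.pem, so the two values can be compared over an independent channel) and checks from vtl list output that the intended RBS address is registered exactly once. The PEM body and the vtl list text are constructed sample data; the PEM payload is not a real X.509 certificate.

```python
"""Checks around the RBS server.pem exchange and vtl registration (added example)."""
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes inside server.pem (not a real certificate).
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_SERVER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample shaped like the `vtl list` output in step 8 of the procedure.
SAMPLE_VTL_LIST = """\
Server: 192.20.9.82
Server: 192.20.9.253
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_certificate_pem(pem_text):
    """True when the text carries a CERTIFICATE block whose body is valid base64."""
    m = PEM_RE.search(pem_text)
    if not m:
        return False
    try:
        base64.b64decode("".join(m.group(1).split()), validate=True)
    except (ValueError, TypeError):
        return False
    return True


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block; refuse anything else."""
    if not is_certificate_pem(pem_text):
        raise ValueError("no valid CERTIFICATE block; do not register this file")
    body = "".join(PEM_RE.search(pem_text).group(1).split())
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(pem_text):
    """Colon-separated upper-case SHA-256 fingerprint of the certificate's DER bytes."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text, expected):
    """Compare against the fingerprint read on the RBS host, ignoring case and separators."""
    def norm(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(fingerprint_sha256(pem_text)) == norm(expected)


def registered_servers(vtl_list_output):
    """Parse the server addresses that `vtl list` reports."""
    return [m.group(1) for m in
            re.finditer(r"^Server:\s*(\S+)\s*$", vtl_list_output, re.M)]


def registration_ok(vtl_list_output, rbs_host):
    """True when the RBS host appears exactly once in the registered server list."""
    return registered_servers(vtl_list_output).count(rbs_host) == 1
```

The intended use is: read the fingerprint on the RBS host, run fingerprint_matches on the copied server.pem on the primary host before vtl add, and after vtl add confirm registration_ok against the vtl list output, so that a stale or duplicate entry for the RBS address is noticed.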
RBS is run on the computer that hosts the SafeNet Luna Backup HSM, only. RBS is a separate option at software installation time. You do not need it on all client/admin computers, but it doesn't hurt to have it installed. Running RBS also requires running PED Client on that computer, as well as on the distant primary - the paired instances of PED Client form the communications link that makes RBS possible. RBS requires PED Client on both the RBS client and RBS server ends. The PEDClient is half of the PEDServer/PEDClient duo that enables Remote PED service. However, PEDClient is also used in the communication component of Remote Backup Service. So, PEDClient should run on all the platforms that have HSMs - where a SafeNet Luna USB HSM or SafeNet Luna PCIe HSM is installed (PEDClient is already inside SafeNet Luna Network HSM 5.2 and newer...) - and also on any system with the RBS application. The PEDServer is required only on a computer with the SafeNet Remote PED. If you consolidate your HSM administration (including Remote PED) on the same computer with your SafeNet Remote Backup HSM, you would have both PEDClient and PEDServer installed there. We observe that a majority of customers combine administrative functions this way, on a laptop or a workstation that is used to administer one-ormany HSM hosts. The HSM host (with SafeNet Luna USB HSM or SafeNet Luna PCIe HSM) or the SafeNet Luna Network HSM appliance resides in a physically secure, possibly remote location, while the administrator works from a laptop in her/his office. Your security policy determines how you do it. To configure RBS: 1. Install the SafeNet Luna HSM client software on the computer used to manage the HSMs/partitions you want to back up. If you use PED authentication, ensure that the Remote PED option is installed. 
You must also install the SafeNet Luna Network HSM client software in addition to the SafeNet Luna USB HSM or SafeNet Luna PCIe HSM software, because the SafeNet Luna Network HSM client is the only one that includes the vtl utility, which is SafeNet Luna Network HSM Administration Guide Release 7.0 007-013576-002 Rev. A June 2017 Copyright 2001-2017 Gemalto All rights reserved. 61 2 Backup and Restore HSMs and Partitions required to perform the certificate exchange that enables Remote Backup Service. 2. Install the SafeNet Luna HSM client software on the workstation used to host your Backup HSM. Select the Remote Backup option. If the workstation is running Windows, and will be used to connect a Remote PED, install the Remote PED option here. SafeNet Luna Network HSM Administration Guide Release 7.0 007-013576-002 Rev. A June 2017 Copyright 2001-2017 Gemalto All rights reserved. 62 2 Backup and Restore HSMs and Partitions 3. Run rbs --genkey to generate the server.pem to establish the Remote Backup Service between the Backup host and the host/client for the primary HSM. The location of the server.pem file can be found in the Chrystoki.conf /crystoki.ini file. 4. Run rbs --config to specify the devices to support. 5. Run rbs --daemon to launch the RBS daemon (Linux and UNIX) or the RBS console application (on Windows, it closes after every use). 6. Create the client certificate (if not already done) with vtl createCert -n . 7. Use scp (Unix/Linux) or pscp (Windows) to copy the certificate generated earlier (server.pem) to your primary HSM host computer (or SafeNet Luna Network HSM appliance): # scp root@192.20.9.253:/usr/safenet/lunaclient/rbs/server/server.pem . root@192.20.9.253's password: ********* server.pem | 1 kB | 1.2 kB/s | ETA: 00:00:00 | 100% 8. Run vtl on the host computer (or appliance) to add the RBS server to the server list. vtl add -n 192.20.9.253 -c server.pem New server 192.20.9.253 successfully added to server list. 
   vtl list
   Server: 192.20.9.82
   Server: 192.20.9.253

Note: If you encounter problems, try changing the RBS and PED Client ports from the default values. Check that your firewall is not blocking ports used by the service. (Refer to the command syntax pages for default values.)

Backing Up an Application Partition to a Remotely Located Backup HSM

This section describes how to back up an application partition to a remotely located Backup HSM using RBS.

Prerequisites

You will need the following components to perform a remote backup:

   Quantity   Description
   1          SafeNet Luna HSM 5.2 or newer
   1          Windows computer with SafeNet Luna Network HSM 5.2 (or newer) client software installed
   1          SafeNet Luna Backup HSM
   1          Set of PED keys imprinted for the source HSM and partitions
   1          Luna PED (Remote PED with f/w 2.7.1 or later)*
   1          Power cable for Luna PED (Remote)
   2          USB to mini USB cable for Luna PED (Remote) and SafeNet Luna Backup HSM

Note: The Luna PED that is connected to the Windows computer, in order to perform Remote PED operations with the distant SafeNet Luna Network HSM appliance, must be a Luna PED (remote-capable version) and is used in Remote mode and in Local mode. You also have the option to connect a second Luna PED, which can be Remote capable or can be a Local-only version, to the SafeNet Luna Backup HSM. This allows you to leave the Remote capable Luna PED connected to the workstation in Remote mode.

Assumptions

The following examples assume that you have set up RBS, as described in "Configuring the Remote Backup Service (RBS)" on page 61, and have prepared for the backup, as follows:

• The Backup HSM and the HSMs/partitions you want to back up are initialized with appropriate keys (blue SO and black Partition Owner/User PED keys, which can be the same for both devices, or can be different).
• Both devices must share the same domain or red PED key value.
• The workstation (Windows computer) has the Remote PED and SafeNet Remote Backup software packages installed, including the appropriate driver.
• For SafeNet Luna Network HSM, NTLS is established between your workstation computer, acting as a SafeNet Luna Network HSM client, and the distant SafeNet Luna Network HSM; that is, the workstation is registered as a client with the partition.
• A Remote PED session key (orange RPV key) has been created and associated with the distant SafeNet Luna HSM.

To Backup an Application Partition to a Remotely Located Backup HSM:

The following procedure provides an example illustrating how to remotely back up a PED-authenticated application partition. In this example a single remote PED, attached to the Windows workstation used to host the Backup HSM, is used.

Set up the remote PED

1. Ensure that your Windows workstation has the PED USB driver (from the /USBDriver folder on the software CD) installed, and that the PEDServer.exe file (the executable program file that makes Remote PED operation possible) has been copied to a convenient directory on your hard disk.

2. Connect all of the components as follows:

   From                               Using              To
   Workstation                        USB                Remote PED (Luna PED IIr in Remote mode)
   DC power receptacle on Remote PED  PED Power Supply   Mains AC power (wall socket)
   Workstation                        USB                SafeNet Luna Backup HSM
   SafeNet Luna Backup HSM            Power Cord         Mains AC power (wall socket)

3. At the Remote Luna PED (Luna PED with remote capability, connected to the USB port of the workstation), do the following:
   – Press < on the PED keypad to navigate to the main menu.
   – Press 7 to enter Remote mode.

4. Run PedServer to start the Remote PED service on the administrative workstation (Windows) computer, as follows:
   – In a Command Prompt (DOS) window, change directory to the location of the PEDServer.exe file and run that file:

   C:\>cd \Program Files\LunaClient
   C:\Program Files\LunaClient>PEDServer -mode start

5. Open an administrative connection (SSH) to the distant SafeNet Luna HSM (for a SafeNet Luna Network HSM appliance, log in as "admin"; for another HSM host, log in with the appropriate ID). Start the PED Client (the Remote PED enabling process on the appliance):

   lunash:> hsm ped connect -ip -port 1503

   or

   lunacm:> hsm ped connect -ip -port 1503

   Insert the orange RPV PED key that matches the RPV of the distant SafeNet Luna HSM. The Remote PED Client in the SafeNet Luna Network HSM appliance or in the SafeNet Luna HSM client workstation establishes a connection with the listening PedServer on your remote PED workstation.

Backup a slot to the remotely located backup HSM

Note: The following steps apply to LunaCM only. For LunaSH, follow the procedure "To backup a SafeNet Luna Network HSM partition to a directly connected Backup HSM:" on page 1. Use the token backup list and token backup show commands to ensure that the remote Backup HSM is visible.

6. Start the LunaCM utility (in Windows, it resides at C:\Program Files\SafeNet\LunaClient; in Linux/UNIX, it resides at /usr/safenet/lunaclient/bin).

   C:\Program Files\SafeNet\LunaClient>lunacm.exe
   LunaCM V7.0.0 - Copyright (c) 2006-2017 Gemalto, Inc.

   Available HSM's:

   Slot Id ->                1
   HSM Label ->              SA82_P1
   HSM Serial Number ->      16298193222733
   HSM Model ->              LunaSA 7.0.0
   HSM Firmware Version ->   7.0.1
   HSM Configuration ->      Luna User Partition, With SO (PED) Signing With Cloning Mode
   HSM Status ->             OK

   Slot Id ->                2
   HSM Label ->              G5PKI
   HSM Serial Number ->      701968008
   HSM Model ->              LunaSA
   HSM Firmware Version ->   6.10.1
   HSM Configuration ->      SafeNet Luna Network HSM Slot (PED) Signing With Cloning Mode
   HSM Status ->             OK

   Slot Id ->                3
   HSM Label ->              G5backup
   HSM Serial Number ->      700101
   HSM Model ->              G5Backup
   HSM Firmware Version ->   6.26.01
   HSM Configuration ->      Luna HSM (PED) Backup Device
   HSM Status ->             OK

   Current Slot Id: 1

7. If the current slot is not the slot that you wish to back up, use the slot set command to go to the correct slot.

   lunacm:> slot set slot 1
   Current Slot Id: 1 (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)
   Command Result : No Error

8. Establish that the HSM is listening for the remote Luna PED at the correct location:

   Note: The PEDServer must already have been set up at that host.

   lunacm:>ped get
   HSM slot 1 listening to local PED (PED id=0).
   Command Result : No Error

   lunacm:> ped connect ip 192.20.10.190
   Command Result : No Error

   lunacm:> ped get
   HSM slot 1 listening to remote PED (PED id=100).
   Command Result : No Error

9. Skip this step if your source partition is activated. Log into the partition (this takes place at the currently selected slot). This step is needed only if the partition you are about to back up is not already in the activated state.

   lunacm:> role login -name Crypto Officer
   Option -password was not supplied. It is required.
   Enter the password: *******
   User is activated, PED is not required.
   Command Result : No Error

10.
Disconnect the PED from your source HSM (slot 1 in this example), and connect to the remote Backup HSM (slot 3 in this example):

   lunacm:> ped disconnect
   Are you sure you wish to disconnect the remote ped?
   Type 'proceed' to continue, or 'quit' to quit now -> proceed
   Command Result : No Error

   lunacm:> ped connect ip 192.20.10.190 -slot 3
   Command Result : No Error

   lunacm:> ped get -slot 3
   HSM slot 3 listening to remote PED (PED id=100).
   Command Result : No Error

11. Perform the backup from the current slot to the partition that you designate on the Remote Backup HSM. Now that the Backup HSM is listening correctly for a PED, the target partition can be created, with PED action for the authentication.

   lunacm:> partition archive backup -slot 3 -par SAbck1
   Logging in as the SO on slot 3.
   Please attend to the PED.
   Creating partition SAbck1 on slot 3.
   Please attend to the PED.
   Logging into the container SAbck1 on slot 3 as the user.
   Please attend to the PED.
   Creating Domain for the partition SAbck1 on slot 3.
   Please attend to the PED.
   Verifying that all objects can be backed up...
   85 objects will be backed up.
   Backing up objects...
   Cloned object 99 to partition SAbck1 (new handle 19).
   Cloned object 33 to partition SAbck1 (new handle 20).
   Cloned object 108 to partition SAbck1 (new handle 23).
   . . .
   Cloned object 78 to partition SAbck1 (new handle 128).
   Cloned object 88 to partition SAbck1 (new handle 129).
   Cloned object 40 to partition SAbck1 (new handle 130).
   Backup Complete.
   85 objects have been backed up to partition SAbck1 on slot 3.
   Command Result : No Error

12. The backup operation is complete.

Restoring an HSM Partition From a Remotely Located Backup HSM

This section describes how to restore an application partition from a remotely located Backup HSM using RBS.
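The transcript that partition archive backup prints (step 11 above) is the only record the operator sees of what was cloned, and the matching partition archive restore transcript later in this section has the same shape. The following Python script is an added example, not code from the SafeNet guide or from Gemalto: it parses such a transcript and checks that the announced object count, the per-object "Cloned object" lines and the closing summary agree, so that an interrupted or truncated run is not filed as a good backup, and it can cross-check the result against the Number Of Objects figure from partition archive list. The sample transcripts and listing in the block are constructed with the guide's line shapes but fewer objects; the class and function names are this example's own.

```python
"""Consistency check for LunaCM 'partition archive backup' / 'restore' transcripts.

Added example (not SafeNet code). Sample inputs below are constructed with the
same line shapes as the console output in this chapter, with fewer objects.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes taken from the transcripts shown in this section.
ANNOUNCE_RE = re.compile(r"^(\d+) objects will be (backed up|restored)\.$")
CLONED_RE = re.compile(r"^Cloned object (\d+) (?:to|from) partition (\S+) \(new handle (\d+)\)\.$")
SUMMARY_RE = re.compile(r"^(\d+) objects have been (backed up|restored) (?:to|from) partition (\S+) on slot (\d+)\.$")
RESULT_RE = re.compile(r"^Command Result : (.+)$")
OBJECTS_RE = re.compile(r"^Number Of Objects:\s*(\d+)$")


@dataclass
class ArchiveReport:
    operation: str = ""                 # "backed up" or "restored"
    partition: str = ""                 # archive partition on the Backup HSM
    slot: int = -1                      # Backup HSM slot named in the summary
    announced: int = 0                  # from "N objects will be ..."
    cloned: List[Tuple[int, int]] = field(default_factory=list)  # (source handle, new handle)
    summary: int = 0                    # from "N objects have been ..."
    result: str = ""                    # "No Error" on success


def parse_transcript(text: str) -> ArchiveReport:
    """Extract counts and handle pairs from a backup or restore transcript."""
    rep = ArchiveReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = ANNOUNCE_RE.match(line)
        if m:
            rep.announced, rep.operation = int(m.group(1)), m.group(2)
            continue
        m = CLONED_RE.match(line)
        if m:
            rep.cloned.append((int(m.group(1)), int(m.group(3))))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            rep.summary, rep.partition, rep.slot = int(m.group(1)), m.group(3), int(m.group(4))
            continue
        m = RESULT_RE.match(line)
        if m:
            rep.result = m.group(1)
    return rep


def archived_object_count(listing: str) -> Optional[int]:
    """Read 'Number Of Objects' from a 'partition archive list' listing."""
    for raw in listing.splitlines():
        m = OBJECTS_RE.match(raw.strip())
        if m:
            return int(m.group(1))
    return None


def check(rep: ArchiveReport, archived: Optional[int] = None) -> List[str]:
    """Return the inconsistencies found; an empty list means the run is consistent."""
    problems = []
    if rep.result != "No Error":
        problems.append("command result was %r (missing or failed)" % rep.result)
    if rep.announced == 0:
        problems.append("no object count announced; transcript incomplete?")
    if len(rep.cloned) != rep.announced:
        problems.append("%d cloned lines but %d objects announced" % (len(rep.cloned), rep.announced))
    if rep.summary != rep.announced:
        problems.append("summary reports %d objects, %d announced" % (rep.summary, rep.announced))
    new_handles = [h for _, h in rep.cloned]
    if len(set(new_handles)) != len(new_handles):
        problems.append("duplicate target handles in transcript")
    if archived is not None and archived != rep.announced:
        problems.append("archive list shows %d objects, transcript %d" % (archived, rep.announced))
    return problems


# Constructed sample: a complete backup of three objects.
GOOD_BACKUP = """\
lunacm:> partition archive backup -slot 3 -par SAbck1
Logging in as the SO on slot 3.
Please attend to the PED.
Verifying that all objects can be backed up...
3 objects will be backed up.
Backing up objects...
Cloned object 99 to partition SAbck1 (new handle 19).
Cloned object 33 to partition SAbck1 (new handle 20).
Cloned object 108 to partition SAbck1 (new handle 23).
Backup Complete.
3 objects have been backed up to partition SAbck1 on slot 3.
Command Result : No Error
"""

# Constructed sample: the same run cut off after the second object.
TRUNCATED_BACKUP = "\n".join(GOOD_BACKUP.splitlines()[:8]) + "\n"

# Constructed sample: the corresponding 'partition archive list -slot 3' block.
ARCHIVE_LIST = """\
Partition list for slot 3
Number of partition: 1
  Name:                SAbck1
  Total Storage Size:  41460
  Used Storage Size:   41460
  Free Storage Size:   0
  Number Of Objects:   3
"""

if __name__ == "__main__":
    print(check(parse_transcript(GOOD_BACKUP), archived_object_count(ARCHIVE_LIST)))   # []
    print(check(parse_transcript(TRUNCATED_BACKUP)))                                    # 3 problems
```

Feed the script the saved LunaCM session (a terminal log or the output of a scripted lunacm run); any non-empty list from check() means the backup should be rerun before the source partition is touched.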
To restore an application partition from a remotely located backup HSM:

The following procedure provides an example of how to restore a partition from a remotely located Backup HSM. In this example, the partition is restored to a SafeNet Luna Network HSM partition that is not in the activated state. A single remote PED is used to authenticate to the remote Backup HSM and the SafeNet Luna Network HSM partition. If your primary HSM partition (the partition onto which you will restore the backed-up objects) is in the activated state, then only the Backup HSM needs PED activity for authentication during restore.

Note: The following steps apply to LunaCM only. For LunaSH, follow the procedure "To restore a SafeNet Luna Network HSM partition from a directly connected Backup HSM:" on page 1. Use the token backup list and token backup show commands to ensure that the Remote Backup HSM is visible.

1. In our test setup, we have each of several SafeNet Luna HSM products. An easy way to see an updated summary of all HSMs and slot assignments is to exit LunaCM and restart the utility.

   C:\Program Files\SafeNet\LunaClient>lunacm.exe
   LunaCM v7.0.0 - Copyright (c) 2006-2017 Gemalto, Inc.

   Available HSMs:

   Slot Id ->                0
   Label ->
   Serial Number ->          16298193222733
   Model ->                  LunaSA 7.0.0
   Firmware Version ->       7.0.1
   Configuration ->          Luna User Partition With SO (PED) Signing With Cloning Mode
   Slot Description ->       Net Token Slot

   Slot Id ->                1
   Label ->
   Serial Number ->          16298193222735
   Model ->                  LunaSA 7.0.0
   Firmware Version ->       7.0.1
   Configuration ->          Luna User Partition With SO (PED) Signing With Cloning Mode
   Slot Description ->       Net Token Slot

   Slot Id ->                2
   Label ->                  legacypar1
   Serial Number ->          16298193222734
   Model ->                  LunaSA
   Firmware Version ->       6.22.0
   Configuration ->          Luna User Partition, No SO (PED) Signing With Cloning Mode
   Slot Description ->       Net Token Slot

   Slot Id ->                3
   Label ->                  SAbck1
   Serial Number ->          700101
   Model ->                  G5Backup
   Firmware Version ->       6.26.0
   Configuration ->          Luna User Partition With SO (PED) Signing With Cloning Mode
   Slot Description ->       User Token Slot

   Slot Id ->                5
   Tunnel Slot Id ->         7
   Label ->
   Serial Number ->          349297122734
   Model ->                  K6 Base
   Firmware Version ->       6.22.0
   Configuration ->          Luna User Partition With SO (PED) Signing With Cloning Mode
   Slot Description ->       User Token Slot

   Slot Id ->                6
   Tunnel Slot Id ->         7
   Label ->                  mypcie6
   Serial Number ->          150022
   Model ->                  K6 Base
   Firmware Version ->       6.22.0
   Configuration ->          Luna HSM Admin Partition (PED) Signing With Cloning Mode
   Slot Description ->       Admin Token Slot
   HSM Configuration ->      Luna HSM Admin Partition (PED)
   HSM Status ->             OK

   Slot Id ->                8
   HSM Label ->              myG5pw
   HSM Serial Number ->      7001312
   HSM Model ->              G5Base
   HSM Firmware Version ->   6.10.4
   HSM Configuration ->      SafeNet Luna USB HSM (PW) Signing With Cloning Mode
   HSM Status ->             OK

   Current Slot Id: 0

2. Verify which slot is listening for PED and whether it is expecting local or remote.

   lunacm:>ped get
   HSM slot 0 listening to local PED (PED id=0).
   Command Result : No Error

3. Connect to Remote PED with ped connect.

4. Log into the partition to which you want to restore.
   Note: This would not be necessary if the partition was activated; we are demonstrating that if the partition was not in login state or activated state, it is straightforward to briefly switch the PED to the primary HSM partition before switching the PED back to the Backup HSM.

   lunacm:> role login -n Crypto Officer
   enter password: *******
   Please attend to the PED.
   Command Result : No Error

   lunacm:> ped disconnect
   Are you sure you wish to disconnect the remote ped?
   Type 'proceed' to continue, or 'quit' to quit now -> proceed
   Command Result : No Error

   (The current selected slot in LunaCM is still slot 0, and having ensured login status on that slot/partition we have just released the Remote PED connection there. The other end of the Remote PED pair, the PED-connected host computer running PedServer, is now free to accept a Remote PED link from another PedClient, which will be the host attached to the SafeNet Luna Backup HSM.)

   Note: In this example, the SafeNet Luna Network HSM partition, to which we will restore objects, is visible in LunaCM at slot 0 because it is linked to this SafeNet Luna HSM client by NTLS, while this Client is registered to that partition at the SafeNet Luna Network HSM. The SafeNet Luna Backup HSM is visible in LunaCM, at slot 3 in this case, because it is linked by the RBS connection that you previously established (see "To Configure RBS" above in this chapter); that is, PedClient is running on this Client, and PedClient and rbs.exe are running on the Backup HSM's host, with each other identified as their partner in the RBS link.

5. Connect the Remote PED to the Backup HSM (which, in this example, is slot 3).

   lunacm:> ped connect ip 192.20.10.190 slot 3
   Command Result : No Error

   lunacm:> ped get
   HSM slot 0 listening to local PED (PED id=0).
   Command Result : No Error

   lunacm:> ped get slot 3
   HSM slot 3 listening to remote PED (PED id=100).
   Command Result : No Error

   The ped connect command specifies the slot (now the SafeNet Luna Backup HSM) that makes a new Remote PED connection, because that slot indication is part of the command, and ped get verifies the new Remote PED-connected slot. But the focus of the library/LunaCM has not changed from slot 0; any other LunaCM commands that act on a slot will act on slot 0 until you change that with slot set. You could verify that current focus, if you wished, by running slot list again.

6. Restore to the current slot from the slot that corresponds to the Backup HSM.

   lunacm:> partition archive restore -slot 3 -par SAbck1
   Logging in to partition SAbck1 on slot 3 as the user.
   Please attend to the PED.
   Verifying that all objects can be restored...
   85 objects will be restored.
   Restoring objects...
   Cloned object 19 from partition SAbck1 (new handle 20).
   Cloned object 20 from partition SAbck1 (new handle 21).
   Cloned object 23 from partition SAbck1 (new handle 22).
   . . .
   Cloned object 128 from partition SAbck1 (new handle 137).
   Cloned object 129 from partition SAbck1 (new handle 138).
   Cloned object 130 from partition SAbck1 (new handle 139).
   Restore Complete.
   85 objects have been restored from partition SAbck1 on slot 3.
   Command Result : No Error

   Because the LunaCM focus rests with the target partition in slot 0, your partition archive restore command must explicitly identify the slot from which backup source objects are to be cloned, slot 3 in this example, onto the target partition, current-slot 0 in this case. You also specified the backup partition name, because a SafeNet Luna Backup HSM can contain more than one archived partition.

7. Verify that the restored slot now looks like it did just before the backup was originally performed.
   lunacm:> partition archive list -slot 3

   HSM Storage Information for slot 3:
     Total HSM Storage Space:       16252928
     Used HSM Storage Space:        43616
     Free HSM Storage Space:        16209312
     Number Of Allowed Partitions:  20
     Number Of Allowed Partitions:  1

   Partition list for slot 3
   Number of partition: 1
     Name:                SAbck1
     Total Storage Size:  41460
     Used Storage Size:   41460
     Free Storage Size:   0
     Number Of Objects:   85

   Command Result : No Error
   lunacm:>

8. Remote restore from backup, using RBS, is complete.

To restore onto a different remote SafeNet Luna HSM, the same arrangement is required:

• The remote HSM must already have a suitable partition.
• If the restore-target HSM is a SafeNet Luna Network HSM, the target partition can have any name; it does not need to match the name of the source partition on the backup device.
• Your workstation must be registered as a client to that partition.

Backup and Restore From the Appliance to a Local Backup HSM (LunaSH)

This section describes how to use LunaSH to back up and restore a partition on the appliance to a locally connected SafeNet Luna Backup HSM (Backup HSM).

To perform a local backup, you connect the SafeNet Luna Backup HSM to a USB port on the SafeNet Luna Network HSM appliance and use LunaSH to log in as the Crypto Officer (CO) to the HSM partitions that you want to back up. The backup operation can go from a source partition (on a SafeNet Luna Network HSM) to an existing partition on the Backup HSM, or if one does not exist, a new partition can be created during the backup. The restore operation, however, cannot create a target partition on a SafeNet Luna Network HSM; it must already exist. You can restore a partition backup to the source HSM or to a different SafeNet Luna Network HSM.
The HSM you restore to must already have a suitable partition created for the restored objects. The partition can have any name; it does not need to match the name of the source partition on the backup HSM.

You can connect the Backup HSM directly to the SafeNet Luna Network HSM appliance to back up some or all of the individual partitions it contains, using LunaSH. You require the Partition Crypto Officer (CO) credentials for each partition you want to back up.

Note: You cannot use this method to back up partitions configured to use STC (see "Secure Trusted Channel (STC)" on page 259). To back up a partition configured to use STC, you must use LunaCM, as described in "Backup and Restore From the Appliance to a Local Backup HSM (LunaSH)" above.

To perform a backup/restore, you open an SSH or serial connection from your workstation to the appliance, and use LunaSH to perform a backup to the Backup HSM connected to the appliance, as illustrated in the following figure:

Figure 1: Partition backup/restore using a Backup HSM connected directly to the appliance

Workstation requirements

The workstation is simply a display terminal for LunaSH running on the appliance. It requires an SSH client (ssh on Linux, PuTTY on Windows). It does not require the SafeNet Luna HSM client software.

PED-authenticated partitions

The PEDs are required only if the SafeNet Luna Network HSM is PED-authenticated. The appropriate SO (blue), partition (black) and domain (red) PED keys are required. The Backup HSM and SafeNet Luna Network HSM must share the same domain (red) PED key value. Although two PEDs are recommended (one connected to the SafeNet Luna Network HSM and one connected to the Backup HSM) you can use a single PED, if desired.
If using a single PED, note that you can connect the PED to only one HSM at a time. You will need to disconnect it from the source (SafeNet Luna Network HSM) HSM and connect to the target (SafeNet Luna Backup HSM) when PED operations are needed at those HSMs respectively.

Backing Up a Partition to a Locally Connected Backup HSM

You can back up any partitions you can log in to as the Crypto Officer.

To backup a SafeNet Luna Network HSM partition to a directly connected Backup HSM:

1. Connect all the required components and open a terminal session to the SafeNet Luna Network HSM appliance. See the following topics for details:
   – "Open a Connection" on page 1 in the Configuration Guide
   – "Backup HSM Installation, Storage, and Maintenance" on page 49

   Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See "Changing Modes" on page 176 for instructions on changing modes on the Luna PED.

   Connect your Backup HSM to any USB port on the appliance.

2. Open a LunaSH session on the SafeNet Luna Network HSM appliance.

   login as: admin
   admin@192.20.10.202's password:
   Last login: Tue Dec 30 16:03:46 2014 from 192.16.153.111

   SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.

   [myluna] lunash:>

3. Use the token backup list and token backup show commands to determine the serial number of the Backup HSM and to verify its partition and storage configuration:

   lunash:>token backup list
   Token Details:
   ============
   Token Label:      BackupHSM
   Slot:             6
   Serial #:         7000179
   Firmware:         6.26.0
   Hardware Model:   G5 Backup

   Command Result : 0 (Success)

   lunash:> token backup show -serial 700179

   Token Details:
   ============
   Token Label:                       BackupHSM
   Serial #:                          700179
   Firmware:                          6.22.0
   Hardware Model:                    SafeNet Luna USB HSM
   Authentication Method:             PED keys
   Token Admin login status:          Logged In
   Token Admin login attempts left:   3 before Token zeroization!

   Partition Information:
   ======================
   Partitions licensed on token:      20
   Partitions created on token:       0
   ----------------------
   There are no partitions.

   Token Storage Information:
   ==========================
   Maximum Token Storage Space (Bytes):   16252928
   Space In Use (Bytes):                  0
   Free Space Left (Bytes):               16252928

   License Information:
   ====================
   621010355-000   621-010355-000   G5 Backup Device Base
   621000005-001   621-000005-001   Backup Device Partitions 20
   621000006-001   621-000006-001   Backup Device Storage 15.5 MB
   621000007-001   621-000007-001   Backup Device Store MTK Split Externally
   621000008-001   621-000008-001   Backup Device Remote Ped Enable

   Command result : 0 (Success)

4. Use the partition backup command to back up a specified partition and provide the PED keys as prompted, for example:

   [myluna] lunash:>par backup -s 7000179 -par p1 -tokenPar bck1
   Type 'proceed' to continue the backup, or 'quit' to abort this operation.
   > proceed
   Please enter the password for the HSM partition:
   > *******
   Warning: You will need to attach Luna PED to the SafeNet Luna Backup HSM to complete this operation.
   You may use the same Luna PED that you used for SafeNet Luna Network HSM.
   Please hit when you are ready to proceed.
   Luna PED operation required to login to token - use token Security Officer (blue) PED key.
   Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.
   Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
   Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.
   Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
   Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
   Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
   . . .
   Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
   Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
   Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target

   'partition backup' successful.

   Command Result : 0 (Success)

5. Use the token backup show command to verify the backup:

   lunash:> token backup show -serial 667788

   Token Details:
   ============
   Token Label:                       BackupHSM
   Serial #:                          700179
   Firmware:                          6.26.0
   HSM Model:                         G5Backup
   Authentication Method:             PED keys
   Token Admin login status:          Logged In
   Token Admin login attempts left:   3 before Token zeroization!

   Partition Information:
   ======================
   Partitions licensed on token:      20
   Partitions created on token:       1
   ----------------------
   Partition: 7000179008, Name: bck1.

   Token Storage Information:
   ==========================
   Maximum Token Storage Space (Bytes):   16252928
   Space In Use (Bytes):                  43616
   Free Space Left (Bytes):               16209312

   License Information:
   ====================
   621010355-000   621-010355-000   G5 Backup Device Base
   621000005-001   621-000005-001   Backup Device Partitions 20
   621000006-001   621-000006-001   Backup Device Storage 15.5 MB
   621000007-001   621-000007-001   Backup Device Store MTK Split Externally
   621000008-001   621-000008-001   Backup Device Remote PED Enable

   Command result : 0 (Success)

Restoring a Partition from a Locally Connected Backup HSM

You can backup any partitions you can log in to as the Crypto Officer.

To restore a SafeNet Luna Network HSM partition from a directly connected Backup HSM:

To restore the partition contents from the SafeNet Remote Backup Device to the same local SafeNet Luna Network HSM, use the same setup described above, but use the partition backup restore command instead.

1. Connect all the required components and open a terminal session to the SafeNet Luna Network HSM appliance. See the following topics for details:
   – "Open a Connection" on page 1 in the Installation and Configuration Guide
   – "Backup HSM Installation, Storage, and Maintenance" on page 49

   Connect your PED directly to the HSM, and set it to Local PED-USB mode. (For legacy PED-HSM connections via MDSM cable, set your PED to Local PED-SCP mode.) See "Changing Modes" on page 176 for instructions on changing modes on the Luna PED.

2. Open a LunaSH session on the SafeNet Luna Network HSM appliance.

   login as: admin
   admin@192.20.10.202's password:
   Last login: Tue Feb 28 16:03:46 2012 from 192.16.153.111

   SafeNet Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2016 Gemalto, Inc. All rights reserved.

   [myluna] lunash:>

3. Use the partition restore command to restore a partition:

   [myluna] lunash:>par restore -s 7000179 -tokenPar bk5 -par p1 -replace
   Please enter the password for the HSM partition:
   > *******
   CAUTION: Are you sure you wish to erase all objects in the partition named: p1
   Type 'proceed' to continue, or 'quit' to quit now.
   > proceed
   Warning: You will need to attach Luna PED to the SafeNet Luna Backup HSM to complete this operation.
   You may use the same Luna PED that you used for SafeNet Luna Network HSM.
   Please hit when you are ready to proceed.
   Luna PED operation required to login to user on token - use User or Partition Owner (black) PED key.
   Object "1-User DES Key1" (handle 17) cloned to handle 11 on target
   Object "1-User DES Key2" (handle 18) cloned to handle 12 on target
   Object "1-User Public RSA Key1-512" (handle 19) cloned to handle 13 on target
   . . .
   Object "1-User ARIA Key3" (handle 124) cloned to handle 118 on target
   Object "1-User ARIA Key4" (handle 125) cloned to handle 119 on target
   Object "1-User ARIA Key5" (handle 126) cloned to handle 120 on target

   'partition restore' successful.

   Command Result : 0 (Success)

Troubleshooting

This section provides troubleshooting tips for errors you may encounter when performing a partition backup/restore operation.

Warning: This token is not in the factory reset (zeroized) state

If you insert a backup token that has previously been used on a password-authenticated SafeNet Luna Network HSM into a PED-authenticated SafeNet Luna Network HSM, and attempt to initialize it, the system responds with the message "Warning: This token is not in the factory reset (zeroized) state" as shown in the following example:

   lunash:>token backup init -label mylunatoken -serial 1234567 -force
   Warning: This token is not in the factory reset (zeroized) state.
   You must present the current Token Admin login credentials to clear the backup token's contents.
   Luna PED operation required to initialize backup token - use Security Officer (blue) PED key.
   Error: 'token init' failed. (300130 : LUNA_RET_INVALID_ENTRY_TYPE)
   Command Result : 65535 (Luna Shell execution)

This is a security feature, intended to prevent backup of PED-secured HSM objects onto a less secure Password Authenticated token. To work around this problem, issue the token factoryreset command, and then initialize the token, as shown in the following example:

   lunash:>token backup factoryreset -serial 1234567
   CAUTION: Are you sure you wish to reset this backup token to factory default settings?
   All data will be erased.
   Type 'proceed' to return the token to factory default, or 'quit' to quit now.
   > proceed
   'token factoryReset' successful.
   Command Result : 0 (Success)

   lunash:>token backup init -label mylunatoken -serial 1234567 -force
   Luna PED operation required to initialize backup token - use Security Officer (blue) PED key.
   Luna PED operation required to login to backup token - use Security Officer (blue) PED key.
   Luna PED operation required to generate cloning domain on backup token - use Domain (red) PED key.
   'token init' successful.
   Command Result : 0 (Success)

3 Capabilities and Policies

HSM capabilities describe the SafeNet Luna Network HSM's configuration, and are displayed using the LunaSH command hsm showpolicies. They are set at manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates. HSM policies correspond to a subset of capabilities that allow you to customize the HSM functions. Policies can be modified to provide greater security based on your specific needs.
For example, you can restrict the HSM to use only FIPS-approved algorithms by setting HSM policy 12.

Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if the HSM's cloning policy is disallowed (see HSM policy 7), partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set.

The following sections list and describe the HSM and partition capabilities and policies:

• "HSM Capabilities and Policies" below
• "Partition Capabilities and Policies" on page 83

HSM Capabilities and Policies

HSM capabilities describe the SafeNet Luna Network HSM's configuration. They are set at manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates. HSM policies correspond to a subset of capabilities that allow you to modify the HSM functions. Policies can be modified to provide greater security based on your specific needs. They can never be modified to be less secure than the corresponding capability.

To view the HSM capability and policy settings, use the LunaSH command hsm showpolicies. To modify HSM policies, login as HSM SO and use the LunaSH command hsm changepolicy -policy value <0/1>. See "hsm changepolicy" on page 1 in the LunaSH Command Reference Guide for command syntax. To zeroize the HSM and reset the policies to their default values, use hsm factoryreset.

Destructiveness

In some cases, changing an HSM policy zeroizes all application partitions or the entire HSM as a security measure. These policies are listed as destructive.
HSM Capability and Policy Descriptions

The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy. Each row gives the capability number and name, the corresponding HSM policy (if any), whether changing the policy is destructive, and a description.

0  Enable PIN-based authentication
   Policy: none
   If allowed, the HSM authenticates all users with keyboard-entered passwords.

1  Enable PED-based authentication
   Policy: none
   If allowed, the HSM authenticates users with secrets stored on physical PED keys, read by a SafeNet Luna PED. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret.

2  Performance level
   Policy: none
   Numerical value indicates the performance level of this HSM, determined by the model you selected at time of purchase:
   • 4: Standard performance
   • 8: Enterprise performance
   • 15: Maximum performance

4  Enable domestic mechanisms & key sizes
   Policy: none
   Always allowed. All SafeNet Luna HSMs are capable of full-strength cryptography with no US export restrictions.

6  Enable masking
   Policy: none
   Always disallowed. SIM has been deprecated on all current SafeNet Luna Network HSMs.

7  Enable cloning
   Policy: Allow cloning
   Destructive: yes
   If allowed, the HSM is capable of cloning cryptographic objects from one partition to another. This policy must be enabled to backup partitions over a network or create HA groups. Partition Security Officers may then enable/disable cloning on individual partitions.

9  Enable full (non-backup) functionality
   Policy: none
   If allowed, the HSM is capable of full cryptographic functions. This capability is only disallowed on SafeNet Luna Backup HSMs.

12 Enable non-FIPS algorithms
   Policy: Allow non-FIPS algorithms
   Destructive: yes
   If allowed, the HSM can use all available cryptographic algorithms. If disallowed, only algorithms sanctioned by the FIPS 140-2 standard are permitted. The following is displayed in the output from hsm show in LunaSH:

   FIPS 140-2 Operation:
   =====================
   The HSM is in FIPS 140-2 approved operation mode.
15 Enable SO reset of partition PIN
   Policy: SO can reset partition PIN
   If allowed, a Partition SO can reset the password or PED secret of a Crypto Officer who has been locked out after too many bad login attempts. If disallowed, the lockout is permanent and the partition contents are no longer accessible. The partition must be reinitialized, and key material restored from a backup device. See "Failed Logins" on page 335 for more information.

16 Enable network replication
   Policy: Allow network replication
   If allowed, cryptographic object cloning is permitted over a network. This is required for HA groups, and for partition backup to a remote or client-connected SafeNet Luna Backup HSM. If disallowed, cloning over a network is not permitted. Partition backup is possible to a locally-connected SafeNet Luna Backup HSM only. Setting this policy to 0 means that only the HSM SO can backup partitions.

17 Enable Korean Algorithms
   Policy: Allow Korean algorithms
   If allowed, the SafeNet Luna Network HSM can use the Korean algorithm set. This capability may be purchased as an upgrade. See "HSM Capability and Partition Upgrades" on page 287.

18 FIPS evaluated
   Policy: none
   Always disallowed - deprecated policy. All SafeNet Luna Network HSMs are capable of operating in FIPS Mode.

19 Manufacturing Token
   Policy: none
   N/A (SafeNet internal use only)

21 Enable forcing user PIN change
   Policy: Force user PIN change after set/reset
   If allowed, when a Partition SO initializes the Crypto Officer role (or resets the password/PED secret), the CO must change the credential with role changepw before any other actions are permitted. The same is true when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition.
   If disallowed, the CO/CU may continue to use the credential assigned by the Partition SO.

22 Enable offboard storage
   Policy: Allow off-board storage
   Destructive: yes
   On previous HSMs, this policy allowed or disallowed the use of the portable SIM key. SIM is not supported on this version of SafeNet Luna HSM.

23 Enable partition groups
   Policy: none
   Always disallowed - deprecated policy.

25 Enable Remote PED usage
   Policy: Allow Remote PED usage
   Always enabled on PED-authenticated SafeNet Luna Network HSMs. All PED-authenticated HSMs are capable of connecting to a local PED or a remotely-located PED server. The HSM SO may turn this feature on or off.

27 HSM non-volatile storage space
   Policy: none
   Displays the non-volatile maximum storage space (in bytes) on the HSM. This is determined by the model of SafeNet Luna Network HSM you selected at time of purchase.

30 Enable Unmasking
   Policy: Allow unmasking
   If allowed, cryptographic material can be migrated from legacy SafeNet appliances that used SIM.

33 Maximum number of partitions
   Policy: none
   Displays the maximum number of application partitions that can be created on the HSM. This number is determined by the model of SafeNet Luna Network HSM you selected at time of purchase. On some models, the number of allowable partitions can be upgraded with a separate purchase. See "HSM Capability and Partition Upgrades" on page 287 for more information.

35 Enable Single Domain
   Policy: none
   Not applicable to SafeNet Luna Network HSMs.

36 Enable Unified PED Key
   Policy: none
   Not applicable to SafeNet Luna Network HSMs.

37 Enable MofN
   Policy: Allow MofN
   If allowed on PED-authenticated SafeNet Luna Network HSMs, this policy enables you to split a PED secret among multiple PED keys (see "MofN Split Secret Keys" on page 182). If disallowed, users will no longer be asked to split a PED secret (M and N automatically set to 1).
   Always disallowed on password-authenticated HSMs.

38 Enable small form factor backup/restore
   Policy: none
   Not available in this release.

39 Enable Secure Trusted Channel
   Policy: Allow Secure Trusted Channel
   If allowed, this policy enables the use of Secure Trusted Channel for partition-client connections (see "Secure Trusted Channel (STC)" on page 259). If disallowed, all partition-client connections must use NTLS.

40 Enable decommission on tamper
   Policy: Decommission on tamper
   Destructive: yes
   If allowed, the HSM will be decommissioned if a tamper event occurs. Decommissioning deletes all partitions and their contents, the audit role, and the audit configuration. The HSM policy settings are retained. See "Tamper Events" on page 303 for more information.
   CAUTION: Setting this policy to 0 will zeroize the entire HSM and it must be re-initialized.

42 Enable partition reinitialize
   Policy: none
   Not available in this release.

43 Enable low level math acceleration
   Policy: Allow low level math acceleration
   This is enabled by default, and must be enabled to provide maximum performance. Do not disable unless instructed to do so by Gemalto Technical Support.

45 Enable Fast-Path
   Policy: none
   Not available in this release.

46 Allow Disabling Decommission
   Policy: Disable Decommission
   Destructive: yes
   If enabled, the decommission button is disabled, preventing decommissioning of the HSM.
   Note: You cannot enable this policy if HSM policy 40: Decommission on Tamper is enabled.

47 Enable Tunnel Slot
   Policy: none
   Not available in this release.

48 Enable Controlled Tamper Recovery
   Policy: Do Controlled Tamper Recovery
   If allowed, the HSM SO must explicitly clear the tamper before the HSM can resume normal operations. This is the default behavior. If disallowed, the HSM must be restarted before it can resume normal operations.
   See "Tamper Events" on page 303 for more information.

Partition Capabilities and Policies

Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if the HSM's cloning policy is disallowed (see HSM policy 7), partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set.

Note: If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change will be reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.

To view the partition capabilities and policy settings, use the LunaCM command partition showpolicies.

To modify partition policies, login as Partition SO and use the LunaCM command partition changepolicy -policy <#> -value <0/1/value>. See "partition changepolicy" on page 1 in the LunaCM Command Reference Guide for command syntax.

Destructiveness

In some cases, changing a partition policy forces deletion of all cryptographic objects on the partition as a security measure. These policies are listed as destructive. Destructive policies are typically those that change the security level of the objects stored in the partition. Use the LunaCM command partition showpolicies -verbose to check whether the policy you want to enable/disable is destructive.

Partition Capabilities and Policies List

The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy. Each row gives the capability number and name, the corresponding partition policy, whether the policy is destructive, and a description.
0  Enable private key cloning
   Policy: Allow private key cloning
   Destructive: ON
   If enabled, the partition is capable of cloning cryptographic objects to another partition. This policy must be enabled to backup partitions or create HA groups.

1  Enable private key wrapping
   Policy: Allow private key wrapping
   Destructive: ON
   Always disabled for all partitions on a SafeNet Luna Network HSM. Private keys on the partition may not be wrapped off. The Partition SO cannot change this policy.

2  Enable private key unwrapping
   Policy: Allow private key unwrapping
   If enabled, private keys may be unwrapped onto the partition. The Partition SO can turn this feature on or off. If disabled, private key unwrapping is not available, and the Partition SO cannot change this.

3  Enable private key masking
   Policy: Allow private key masking
   Destructive: ON
   Always disabled. SIM has been deprecated on all current SafeNet Luna Network HSMs. The Partition SO cannot change this policy.

4  Enable secret key cloning
   Policy: Allow secret key cloning
   Destructive: ON
   If enabled, secret keys on the partition can be backed up. The Partition SO can turn this feature on or off. The Partition SO may wish to turn this feature on immediately before a scheduled backup, and then turn it off again to prevent unauthorized backup. If disabled, secret keys cannot be backed up, and the Partition SO cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

5  Enable secret key wrapping
   Policy: Allow secret key wrapping
   Destructive: ON
   If enabled, secret keys can be wrapped off the partition. The Partition SO can turn this feature on or off. The Partition SO may wish not to allow secret key wrapping, in which case he/she would turn off this policy. If disabled, the partition does not support secret key wrapping, and the Partition SO cannot change this.
6  Enable secret key unwrapping
   Policy: Allow secret key unwrapping
   If enabled, secret keys can be unwrapped onto the partition. The Partition SO can turn this feature on or off. If disabled, the partition does not support secret key unwrapping, and the Partition SO cannot change this.

7  Enable secret key masking
   Policy: Allow secret key masking
   Destructive: ON
   Always disabled. SIM has been deprecated on all current SafeNet Luna Network HSMs. The Partition SO cannot change this policy.

10 Enable multipurpose keys
   Policy: Allow multipurpose keys
   Destructive: ON
   If enabled, keys for multiple purposes, such as signing and decrypting, may be created on the partition. The Partition SO can turn this feature on or off. If disabled, keys created on (or unwrapped onto) the partition must specify only a single function in the attribute template.

11 Enable changing key attributes
   Policy: Allow changing key attributes
   Destructive: ON
   If enabled, non-sensitive attributes of the keys on the partition are modifiable (the user can change the functions that the key can use). If disabled, keys created on the partition cannot be modified. This policy affects the following "key function attributes":
   CKA_ENCRYPT
   CKA_DECRYPT
   CKA_WRAP
   CKA_UNWRAP
   CKA_SIGN
   CKA_SIGN_RECOVER
   CKA_VERIFY
   CKA_VERIFY_RECOVER
   CKA_DERIVE
   CKA_EXTRACTABLE

15 Allow failed challenge responses
   Policy: Ignore failed challenge responses
   Destructive: ON
   This policy applies to PED-authenticated SafeNet Luna HSMs only. The Partition SO can turn the feature on or off. If enabled, failed challenge secret login attempts on an activated partition are not counted towards a partition lockout. Only failed PED key authentication attempts will increment the counter.
   If disabled, failed login attempts using either a PED key or a challenge secret will count towards a partition lockout. See "Activation and Auto-Activation on PED-Authenticated Partitions" on page 160 and "Failed Logins" on page 335 for more information.

16 Enable operation without RSA blinding
   Policy: Operate without RSA blinding
   Destructive: ON
   If enabled, the partition may run in a mode that does not use RSA blinding (a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key; use of this technique may be required by certain security policies, but it does reduce performance). The Partition SO can turn this feature on or off. If disabled, the partition will always run in RSA blinding mode; performance will be affected. If the policy is on (set to 1), RSA blinding is not used.

17 Enable signing with non-local keys
   Policy: Allow signing with non-local keys
   If a key was generated on an HSM, CKA_LOCAL is set to 1. With this policy turned off, only keys with CKA_LOCAL=1 can be used to sign data on the HSM. Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Cloning and SIM maintain the value of CKA_LOCAL. With this policy turned on, keys that did not originate on the HSM (CKA_LOCAL=0) may be used for signing, and their trust history is not assured.

18 Enable raw RSA operations
   Policy: Allow raw RSA operations
   Destructive: ON
   If enabled, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509). This allows weak signatures and weak encryption. The Partition SO can turn this feature on or off. If disabled, the partition will not support raw RSA operations.
20 Max failed user logins allowed
   Policy: Max failed user logins allowed
   Displays the maximum number of failed partition login attempts before the partition is locked out (see "Failed Logins" on page 335). The Partition SO can change the number of failed logins to a value lower than the maximum if desired.

21 Enable high availability recovery
   Policy: Allow high availability recovery
   If enabled, partitions in the same HA group may be used to restore the login state of this partition after power outage or other deactivation. RecoveryLogin must be configured in advance (see "role recoveryinit" on page 1 and "role recoverylogin" on page 1 in the LunaCM Command Reference Guide for details). The Partition SO can turn this feature on or off.

22 Enable activation
   Policy: Allow activation
   Applies only to PED-authenticated HSMs. If enabled, the black and/or gray PED key secrets may be cached, so that the CO or CU only needs the challenge secret to login. The Partition SO can turn this feature on or off. If disabled (or the policy is turned off), PED keys must be presented at each login, whether the call is local or from a client application. This policy setting is overridden and activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See "Tamper Events" on page 303, and "Activation and Auto-Activation on PED-Authenticated Partitions" on page 160 for more information.

23 Enable autoactivation
   Policy: Allow autoactivation
   See Capability 22 above for a description of activation. If enabled, the black or gray PED key secrets may be encrypted and semi-permanently cached to hard disk, so that the partition's activation status can be maintained after a power loss of up to two hours. The Partition SO can turn this feature on or off.
   If disabled, this partition does not support auto-activation. This policy setting is overridden and auto-activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See "Tamper Events" on page 303, and "Activation and Auto-Activation on PED-Authenticated Partitions" on page 160 for more information.

25 Minimum PIN length (inverted: 255 - min)
   Policy: Minimum PIN length (inverted: 255 - min)
   The absolute minimum length for a partition login PIN is 8 characters. This is displayed as a value subtracted from 256. The policy value is determined as follows: subtract the desired minimum PIN length from 256 (the absolute maximum length), and set policy 25 to that value.

   256 - (min PIN) = (policy value)

   For example, to set the minimum PIN length to 10 characters, the Partition SO should set the value of this policy to 246:

   256 - 10 = 246

   The reason for this inversion is that a policy can only be set to a value equal to or lower than the value set by its capability. If the absolute minimum PIN length was set to 8, the Partition SO would be able to set the preferred minimum to 2, a less-secure policy. The Partition SO may only change the minimum PIN length to increase security by forcing stronger passwords.

26 Maximum PIN length
   Policy: Maximum PIN length
   The absolute maximum length for a partition login PIN is 255 characters. The effective maximum may be changed by the Partition SO, and must always be greater than the value of the minimum PIN length, determined by the formula in the description of policy 25 (above).

28 Enable Key Management Functions
   Policy: Allow Key Management Functions
   The Partition SO can disable access to any key management functions by the user - all users become Crypto Users (the restricted-capability user) even if logged in as Crypto Officer.
   Destructive: ON

29 Enable RSA signing without confirmation
   Policy: Perform RSA signing without confirmation
   Destructive: ON
   The HSM can perform an internal verification (confirmation) of a signing operation to validate the signature. This confirmation is disabled by default because it has a performance impact on signature operations.

31 Enable private key unmasking
   Policy: Allow private key unmasking
   Remove encryption with AES 256-bit key from private key.

32 Enable secret key unmasking
   Policy: Allow secret key unmasking
   Remove encryption with AES 256-bit key from secret key.

33 Enable RSA PKCS mechanism
   Policy: Allow RSA PKCS mechanism
   Destructive: ON

34 Enable CBC-PAD (un)wrap keys of any size
   Policy: Allow CBC-PAD (un)wrap keys of any size
   Destructive: ON

35 Enable private key SFF backup/restore
   Policy: Allow private key SFF backup/restore
   Destructive: ON
   Not available in this release.

36 Enable secret key SFF backup/restore
   Policy: Allow secret key SFF backup/restore
   Destructive: ON
   Not available in this release.

37 Enable Secure Trusted Channel
   Policy: Force Secure Trusted Channel
   Destructive: OFF
   If enabled, the Partition SO can turn this policy on to require Secure Trusted Channel (STC) for partition access. If disabled, the Client will use NTLS to access the partition.
   NOTE: It is not possible for a single Client to access some partitions on an appliance using STC and others on the same appliance using NTLS. All connections between a single client and a single SafeNet Luna Network HSM must be either STC or NTLS. See "Secure Trusted Channel (STC)" on page 259 in the Administration Guide for more information.

38 Enable Fast-Path
   Policy: none
   Not available in this release.

39 Enable Start/End Date Attributes
   Policy: none
   Not available in this release.
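The rules in the two tables above (the inverted policy 25 value, the policy 26 lower bound, the HSM policy 7 dependency of partition policies 0 and 4, and the "Destructive: ON" markings) are easy to get wrong at the LunaCM prompt. The pre-check below is an added example written for this guide, not Gemalto code: the HSM and partition policy dictionaries are constructed inputs, and the "-policy <#>" wording it prints is assumed from the partition changepolicy syntax quoted earlier.

```python
"""Pre-check a partition policy change against the rules in this chapter.

Added example, not Gemalto code.  Policy numbers and rules come from the
tables above; the hsm/partition policy dictionaries are constructed inputs.
"""
from typing import Dict, List

# Partition policies whose table entry reads "Destructive: ON": changing one
# deletes every cryptographic object on the partition.
DESTRUCTIVE_PARTITION_POLICIES = {0, 1, 3, 4, 5, 7, 10, 11, 15, 16, 18,
                                  28, 29, 33, 34, 35, 36}

# Partition policies 0 and 4 (private/secret key cloning) cannot be set
# while HSM policy 7 (Allow cloning) is disallowed.
REQUIRES_HSM_CLONING = {0, 4}
HSM_CLONING_POLICY = 7

ABSOLUTE_MIN_PIN = 8        # policy 25 text: absolute minimum PIN length
ABSOLUTE_MAX_PIN = 255      # policy 26 text: absolute maximum PIN length
PIN_POLICY_BASE = 256       # policy 25 formula: 256 - (min PIN) = (policy value)


def pin_policy_value(min_pin_len: int) -> int:
    """Policy 25 value that enforces a given minimum PIN length."""
    return PIN_POLICY_BASE - min_pin_len


def min_pin_from_policy(value: int) -> int:
    """Inverse of pin_policy_value: the minimum PIN length a value enforces."""
    return PIN_POLICY_BASE - value


def check_change(hsm: Dict[int, int], part: Dict[int, int],
                 policy: int, new_value: int) -> List[str]:
    """Return the findings for setting partition `policy` to `new_value`.

    `hsm` maps HSM policy number -> current value, `part` maps partition
    policy number -> current value.  An empty list means the change is
    allowed by the rules on this page and is not destructive.
    """
    findings: List[str] = []

    if (policy in REQUIRES_HSM_CLONING and new_value == 1
            and hsm.get(HSM_CLONING_POLICY, 0) == 0):
        findings.append(f"partition policy {policy} cannot be set while HSM policy "
                        f"{HSM_CLONING_POLICY} (Allow cloning) is disallowed")

    if policy == 25:
        # The capability caps the value at 256 - 8 = 248; a larger value
        # would permit a PIN shorter than the absolute minimum.
        if new_value > pin_policy_value(ABSOLUTE_MIN_PIN):
            findings.append(f"policy 25 value {new_value} would allow "
                            f"{min_pin_from_policy(new_value)}-character PINs, "
                            f"below the absolute minimum of {ABSOLUTE_MIN_PIN}")
        current_max = part.get(26, ABSOLUTE_MAX_PIN)
        if min_pin_from_policy(new_value) >= current_max:
            findings.append(f"policy 25 value {new_value} sets a minimum PIN length "
                            f"not below the current maximum (policy 26 = {current_max})")

    if policy == 26:
        current_min = min_pin_from_policy(
            part.get(25, pin_policy_value(ABSOLUTE_MIN_PIN)))
        if not current_min < new_value <= ABSOLUTE_MAX_PIN:
            findings.append(f"policy 26 value {new_value} must exceed the minimum PIN "
                            f"length ({current_min}) and be at most {ABSOLUTE_MAX_PIN}")

    if policy in DESTRUCTIVE_PARTITION_POLICIES and part.get(policy) != new_value:
        findings.append(f"partition policy {policy} is destructive: changing it deletes "
                        "all objects on the partition, so back the partition up first")

    return findings


if __name__ == "__main__":
    # Constructed state: HSM with cloning disallowed, partition at factory PIN bounds.
    hsm_state = {7: 0, 12: 1, 16: 1}
    part_state = {0: 0, 4: 0, 25: pin_policy_value(ABSOLUTE_MIN_PIN), 26: ABSOLUTE_MAX_PIN}
    for pol, val in ((25, pin_policy_value(10)), (25, 250), (0, 1)):
        print(f"partition changepolicy -policy {pol} -value {val}")
        for line in check_change(hsm_state, part_state, pol, val) or ["ok"]:
            print("   ", line)
```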
4 Configuration File Summary

Many aspects of SafeNet Luna HSM configuration and operation are controlled or adjusted by the Chrystoki.conf file (Linux/UNIX) or Crystoki.ini file (Windows). The examples in the table below are from a Windows Chrystoki.ini file.

The configuration file is organized into named sections, under which related configuration-affecting entries might appear. A basic configuration file is always present in the SafeNet Luna Client folder, installed by the SafeNet Luna Client installer, with default values assigned to the populated entries. In addition to the most basic sections and entries, some additional sections and entries can be included at installation time, if you select more than the minimal installation options for your HSM model(s). In addition, new entries can be added, or existing entries can be adjusted by actions that you perform in SafeNet tools like LunaCM and vtl. Finally, some sections or entries can be added or adjusted by manual editing of the Chrystoki.conf/Crystoki.ini file.

If you install SafeNet Luna Client where a previous version was installed, then the existing configuration file is saved and the new file adds to the existing content if appropriate. That is, if you have a SafeNet Luna HSM setup, already configured and tweaked to your satisfaction, those settings are preserved when you update to a newer SafeNet Luna Client.

Note: For SafeNet Luna Network HSM, LunaSH commands use onboard default configuration settings. Commands that are sent to the HSM via SafeNet Luna HSM Client, making use of the client library, include the relevant configuration settings from the client-side Chrystoki.conf/Crystoki.ini configuration file.

The following table lists sections and settings that you are likely to encounter in normal use of SafeNet products. Not all are applicable to every SafeNet Luna HSM.
Each setting is named, with default values, allowed range of values, description of the item/setting, and remarks about any interactions between the current setting and others that you might configure. Where the range is a file path, the leading path element (omitted in the defaults below) is the path to your SafeNet Luna HSM client installation.

Each entry below lists the setting, its range with the default in parentheses, and a description.

[Chrystoki2]

LibNT=
   Range (Default): ( \cryptoki.dll)
   Path to the Chrystoki2 library.

LibNT32=
   Range (Default): ( \win32\libCryptoki2.dll)
   Path to the Chrystoki2 library on 32-bit Windows systems only.

[Luna]

PEDTimeout1=
   Range (Default): (100000) ms
   Specifies the PED timeout time 1: defines how long (in milliseconds) the HSM tries to detect if it can talk to the PED before starting the actual communication with it. If the PED is unreachable the HSM returns to the host a result code for the respective HSM command. The result code indicates that the PED is not connected. This timeout is intended to be small so that the user is informed quickly that the PED is not connected.

PEDTimeout2=
   Range (Default): (200000) ms
   Specifies the PED timeout time 2: defines how long (in milliseconds) the firmware waits for the local PED to respond to PED commands. PED commands should not be confused with PED-related HSM commands. An HSM sends PED commands to the PED when processing PED-related HSM commands, such as LOGIN or PED_CONNECT. One PED-related HSM command can involve many PED commands being sent by the HSM to the PED (for example, the MofN related commands). If a local PED does not respond to the PED commands within the span of PEDTimeout2 the HSM returns an appropriate result code (such as PED_TIMEOUT) for the respective PED-related HSM command.

PEDTimeout3=
   Range (Default): (20000) ms
   Specifies the PED timeout time 3: defines additional time (in milliseconds) the firmware must wait for the remote PED to respond to PED commands.
   That is, the actual time the firmware waits for a remote PED to respond is PEDTimeout2 + PEDTimeout3.

DefaultTimeOut=
   Range (Default): (500000) ms
   Sets the default timeout interval: defines how long (in milliseconds) the HSM driver in the host system waits for HSM commands to return a result code. If the result code is not returned in that time, the driver assumes that the HSM is stuck and halts it, with the DEVICE_ERROR returned to all applications that use the HSM. Most HSM commands use this timeout. Very few exceptions exist, when a command's timeout is hard-coded in the Cryptoki library, or separate timeouts are specified in the Chrystoki.conf for certain classes of HSM commands.

CommandTimeoutPedSet=
   Range (Default): (720000) ms
   This is an exception to DefaultTimeOut (above). It defines the timeout (in milliseconds) for all PED-related HSM commands. This class of PED-related commands can take more time than the ordinary commands that subscribe to the DefaultTimeOut value. As a rule of thumb, CommandTimeOutPedSet = DefaultTimeOut + PEDTimeout1 + PEDTimeout2 + PEDTimeout3.

KeypairGenTimeOut=
   Range (Default): (2700000) ms
   The amount of time (in milliseconds) the library allows for a Keypair generate operation to return a value. Due to the random component, large key sizes can take an arbitrarily long time to generate, and this setting keeps the attempts within reasonable bounds. The default is calculated as the best balance between the inconvenience of occasional very long waits and the inconvenience of restarting a keygen operation. You can change it to suit your situation.

CloningCommandTimeout=
   Range (Default): (300000) ms
   The amount of time (in milliseconds) the library allows for the HSM to respond to a cloning command.

DomainParamTimeout=
   Range (Default): (5400000) ms
   Timeout for Domain Parameter Generation.
[CardReader]

RemoteCommand=
   Range (Default): 0 = false (1 = true)
   This setting was used when debugging older SafeNet products. For modern products it is ignored.

LunaG5Slots=
   Range (Default): (3)
   Number of SafeNet Luna USB HSM slots reserved so that the library will check for connected devices.
   • Can be set to zero if you have no SafeNet Luna USB HSMs and wish to get rid of the reserved spaces in your slot list.
   • Can be set to any number, but is effectively limited by the number of external USB devices your host can support.

[RBS]

HostName=
   Range (Default): Any hostname or IP address (0.0.0.0)
   The hostname or IP address that the RBS server will listen on. Default is 0.0.0.0 (any IP on the local host).

HostPort=
   Range (Default): Any unassigned port (1792)
   The port number used by the RBS server.

ClientAuthFile=
   Range (Default): ( \config\clientauth.dat)
   The location of the RBS Client authentication file.

ServerCertFile=
   Range (Default): ( \cert\server\server.pem)
   The location of the RBS Server certificate file.

ServerPrivKeyFile=
   Range (Default): ( \cert\server\serverkey.pem)
   The location of the RBS Server certificate private key file.

ServerSSLConfigFile=
   Range (Default): ( \openssl.cnf)
   The location of the OpenSSL configuration file used by RBS Server or Client.

CmdProcessor=
   Range (Default): ( \rbs_processor2.dll)
   The location of the RBS library.

NetServer=
   Range (Default): 0 = false (1 = true)
   If true (default), RBS acts as a Server. If false, RBS acts as a Client.

SSLConfigFile=
   Range (Default): ( \openssl.cnf)
   Location of the OpenSSL configuration file.

ReceiveTimeout=
   Range (Default): (20000) ms
   Time in milliseconds before a receive timeout.

[LunaSA Client]

TCPKeepAlive=
   Range (Default): 0 = false (1 = true)
   TCPKeepAlive is a TCP stack option, available at the LunaClient, and at the SafeNet Luna Network HSM appliance. For SafeNet purposes, it is controlled via an entry in the Chrystoki.conf/crystoki.ini file on the LunaClient, and in an equivalent file on SafeNet Luna Network HSM. For SafeNet Luna HSM 6.1 and newer, a fresh client software installation includes an entry "TCPKeepAlive=1" in the "LunaSA Client" section of the configuration file Chrystoki.conf (Linux/UNIX) or crystoki.ini (Windows). Config files and certificates are normally preserved through an uninstall, unless you explicitly delete them. As such, if you update (install) LunaClient software where you previously had an older LunaClient that did not have a TCPKeepAlive entry, one is added and set to "1" (enabled), by default. In the case of update, if TCPKeepAlive is already defined in the configuration file, then your existing setting (enabled or disabled) is preserved.
   On the SafeNet Luna Network HSM appliance, where you do not have direct access to the file system, the TCPKeepAlive= setting is controlled by the LunaSH command ntls tcp_keepalive set. The settings at the appliance and the client are independent. This allows a level of assurance, in case (for example) a firewall setting blocks in one direction.

NetClient=
   Range (Default): 0 = false (1 = true)
   If true, the library will search for network slots.

ServerCAFile=
   Range (Default): ( \cert\server\CAFile.pem)
   Location, on the client, of the server certificate file (set by vtl or LunaCM command clientconfig deploy).

ClientCertFile=
   Range (Default): ( \cert\client\ClientNameCert.pem)
   Location of the Client certificate file that is uploaded to SafeNet Luna Network HSM for NTLS (set by vtl or LunaCM command clientconfig deploy).
ClientPrivKeyFile=
   Range (Default): ( \cert\client\ClientNameKey.pem)
   Location of the Client private key file (set by vtl or LunaCM command clientconfig deploy).

ServerName00=192.20.17.200
ServerPort00=1792
ServerName01=
ServerPort01=
   Entries embedded by the vtl utility, when you run the command vtl addserver or the LunaCM command clientconfig deploy. Identifies the NTLS-linked SafeNet Luna Network HSM servers, and determines the order in which they are polled to create a slot list.

NOTE: The Presentation section is not created automatically. To change any of the following values, you must first create this section in the configuration file.

[Presentation]

ShowUserSlots=
   Range (Default): Comma-delimited list of slot(serial number) entries, like ShowUserSlots=1(351970018022),2(351970018021),3(351970018020),....
   Sets the starting slot for the identified partition. If one partition slot on an HSM is specified, then any that are not listed from that HSM are not displayed.

ShowAdminTokens=
   Range (Default): 0/(1)
   Admin partitions of local SafeNet Luna PCIe HSMs are not visible/(visible) in a slot listing.

ShowEmptySlots=
   Range (Default): (0)/1
   When the number of partitions on an HSM is not at the limit, unused slots are shown/(not shown).

OneBaseSlotId=
   Range (Default): (0)/1
   Causes basic slot list to start at slot number 1 instead of (0).

[HAConfiguration]

HAOnly=
   Range (Default): (0)/1
   When set to 1, shows only the HA virtual slot to the client, and hides the physical partitions/slots that are members of the virtual slot. Setting HAOnly helps prevent synchronization problems among member partitions, by forcing all client actions to be directed against the virtual slot, and dealing with synch transparently. HAOnly also prevents the shifting of slot numbers in the slot list that could occur if a visible
94 4 Setting Range (Default) Configuration File Summary Description physical partition were to drop out, which could disrupt an application that identifies its client partitions by slot numbers. reconnAtt= (10) Specifies how many reconnection attempts will be made, when a member drops from the group. A value of "-1" is infinite retries. AutoReconnectInterval= (60) s Specifies the interval (in seconds) at which the library will attempt to reconnect with a missing member, until "reconnAtt" is reached, and attempts cease. The default value of 60 seconds is the lowest that is accepted. ToolsDir= ( \) The location of the LunaClient tools. RSAKeyGenMechRemap= (0)/1 Controls what happens on newer firmware, when calls are made to specific older mechanisms that are now discouraged due to weakness. When this item is set to 0, no remapping is performed. When the value is set to 1, the following re-mapping occurs if the HSM firmware permits: •PKCS Key Gen -> 186-3 Prime key gen •X9.31 Key Gen -> 186-3 Aux Prime key gen (see "Mechanism Remap for FIPS Compliance " on page 1) RSAPre1863KeyGen MechRemap= (0)/1 Controls what happens on older firmware, when specific newer mechanisms are called, that are not supported on the older firmware. When this item is set to 0, no remapping is performed. When the value is set to 1, the following re-mapping occurs if the HSM firmware permits: • 186-3 Prime key gen -> PKCS Key Gen [Misc] SafeNet Luna Network HSM Administration Guide Release 7.0 007-013576-002 Rev. A June 2017 Copyright 2001-2017 Gemalto All rights reserved. 95 4 Setting Range (Default) Configuration File Summary Description • 186-3 Aux Prime key gen -> X9.31 Key Gen Intended for evaluation purposes, such as with existing integrations that require newer mechanisms, before you update to firmware that actually supports the more secure mechanisms. 
Be careful with this setting, which makes it appear you are getting a new, secure mechanism, when really you are getting an outdated, insecure mechanism. (see "Mechanism Remap for FIPS Compliance " on page 1) [Secure Trusted Channel] ClientIdentitiesDir= \data\client_identities Specifies the directory used to store the STC client identity PartitionIdentitiesDir= \data\partition_ identities Specifies the directory used to store the STC partition identities exported using the LunaCM stcconfig partitionidexport command ClientTokenLib= (for 64-bit Windows systems) For soft token: • \softtoken.dll Specifies the location of the token library on 64-bit Windows systems. This value must be correct in order to use a client token. For hard token: • C:\Windows\System32\etoken.dll For 32-bit systems, see the ClientTokenLib32 entry below. By default, ClientTokenLib points to the location of the soft token library. If you are using a hard token, you must manually change this value to point to the hard token library for your operating system. The exact location of the hard token library may vary depending on your installer. The location provided here is the most common location used. ClientTokenLib32= (for 32-bit Windows systems) For soft token: • \win32\softtoken.dll For hard token: • C:\Windows\SysWOW64\etoken.dll SafeNet Luna Network HSM Administration Guide Release 7.0 007-013576-002 Rev. A June 2017 Copyright 2001-2017 Gemalto All rights reserved. Specifies the location of the token library on 32-bit Windows systems. This entry appears on Windows only. For 64bit systems, see the ClientTokenLib entry above. 96 4 Setting Range (Default) Configuration File Summary Description By default, ClientTokenLib32 points to the location of the soft token library. If you are using a hard token, you must manually change this value to point to the hard token library for your operating system. The exact location of the hard token library may vary depending on your installer. 
The location provided here is the most common location used.

SoftTokenDir=
  Range (Default): \softtoken
  Description: Specifies the location where the STC client soft token (token.db) is stored. Each client soft token is stored in its own numbered subdirectory. Note: In this release there is only one client token, which is stored in the 001 subdirectory.

5 Decommissioning, Zeroizing, or Resetting an HSM to Factory Conditions

During the lifetime of a SafeNet Luna HSM, you might have cause to take the HSM out of service, and wish to perform actions to ensure that no trace of your sensitive material remains. Those events might include:
• Placing the unit into storage, perhaps as a spare
• Shipping to another location or business unit in your organization
• Shipping the unit back to Gemalto for repair/re-manufacture
• Removing the HSM permanently from operational use, for disposal at end-of-life

This chapter describes the available options in the following sections:
• "Decommissioning the HSM Appliance" below
• "Comparing Zeroize, Decommission, and Factory Reset" on the next page
• "Resetting to Factory Condition" on page 100
• "End of service and disposal" on page 101
• "Comparison of Destruction/Denial Actions" on page 102
• "RMA and Shipping Back to Gemalto" on page 103
• "Zeroization" on page 104

Decommissioning the HSM Appliance
This section describes how to decommission the appliance to remove all current key material and configurations, so that it can be safely redeployed.

To decommission a SafeNet Luna Network HSM:
For a full decommission (removing the unit from service, clearing the HSM of all your material, and clearing the appliance of all identifying information) of a SafeNet Luna Network HSM appliance, and assuming that you can power the appliance and gain admin access, follow these steps in LunaSH, using a serial connection:
1. Rotate all logs:
   lunash:> syslog rotate
2. Delete all files in the SCP directory:
   lunash:> my file clear
3. Delete all logs:
   lunash:> syslog cleanup
4. Return the appliance to factory-default settings:
   lunash:> sysconf config factoryreset -service all
5. Delete any backups of settings:
   lunash:> sysconf config clear
6. Push the decommission button (small red button, inset in the SafeNet Luna Network HSM back panel).
7. Power down the appliance.
8. Power up the appliance. At this point, the HSM internally issues and executes a zeroize command to erase all partitions and objects. This step takes about five minutes. The KEK is already gone at that point, erased as soon as the button is pressed, so the step of erasing partitions and objects is for customers subject to especially rigid decommission protocols.

Disabling Decommissioning
You can disable the decommissioning feature if you have the factory-installed HSM Capability 46: Allow Disable Decommission (see "HSM Capabilities and Policies" on page 79). The primary reason for disabling decommissioning is to prevent the HSM from being automatically decommissioned due to loss of battery (see "Tamper Events" on page 303). If decommissioning is disabled, the SafeNet Luna Network HSM has an indefinite shelf life, as far as the battery is concerned.

To disable decommissioning:
1. Ensure that the Disable Decommissioning capability update (CUF) is installed on the HSM. To verify that the CUF is installed, enter the following command:
   lunash:> hsm showpolicies
   If the CUF is installed, HSM Capability 46: Allow Disable Decommission and HSM Policy 46: Disable Decommission are listed. If they are not, contact technical support to obtain the Disable Decommissioning capability update (CUF).
2. Enter the following command to enable HSM Policy 46: Disable Decommission:
   lunash:> hsm changehsmpolicy -policy 46 -value 1

Comparing Zeroize, Decommission, and Factory Reset
You can clear the contents of your HSM on demand, or the HSM may be cleared in response to an event. How this affects the contents and configuration of your HSM depends on whether the user partitions were deleted or whether the HSM was zeroized, decommissioned, or factory reset, as detailed below:

Action: Erase User Partitions
  Command/Event: Enable or disable a destructive HSM policy
  Description: Destroys/erases all user partitions, but does not zeroize the HSM. Policy 46 "Disable Decommission" is the exception in that it zeroizes the HSM and erases all user partitions if the policy is changed. To bring the HSM back into service, you need to:
  1. Recreate the partitions
  2. Reinitialize the partition roles

Action: Zeroize
  Command/Event:
  • Too many bad login attempts on the HSM SO account
  • Perform an HSM firmware rollback
  • Run the LunaSH command hsm zeroize
  Description: Deletes all partitions and their contents, but retains the HSM configuration (audit role and configuration, policy settings). To bring the HSM back into service, you need to:
  1. Reinitialize the HSM
  2. Recreate the partitions
  3. Reinitialize the partition roles

Action: Decommission
  Command/Event:
  • Press the decommission button on the rear of the appliance.
  • Enable HSM Policy 40: Decommission on Tamper, and tamper the HSM.
  Description: Deletes all partitions and their contents, the audit role, and the audit configuration. Retains the HSM policy settings. To bring the HSM back into service, you need to:
  1. Reinitialize the HSM
  2. Reinitialize the audit role and reconfigure auditing
  3. Recreate the partitions
  4. Reinitialize the partition roles

Action: Factory Reset
  Command/Event: Run the LunaSH command hsm factoryreset
  Description: Deletes all partitions and their contents, and resets all roles and policy configurations to their factory default values. To bring the HSM back into service, you need to completely reconfigure the HSM as though it were new from the factory.

Resetting to Factory Condition
These instructions will allow you to restore your SafeNet Luna Network HSM to its original factory configuration. If you have performed firmware and software updates, those remain in place, and are not affected by this procedure. The reset commands affect the contents and settings of the HSM and appliance. Reverting of software and firmware is outside their scope. You must access LunaSH via a serial console to execute hsm factoryreset.

To reset the HSM to factory condition:
1. Log in as HSM SO:
   hsm login
2. Reset the HSM to factory settings:
   hsm factoryreset
3. Reset the appliance configuration (network settings, ssh, ntls, etc.) to factory settings:
   sysconf config factoryreset -service all
4. Reboot the appliance.

End of service and disposal
SafeNet Luna HSMs and appliances are deployed into a wide variety of markets and environments. Arranging for the eventual disposal of a SafeNet Luna HSM or appliance that is no longer needed can be a simple accounting task and a call to your local computer recycling service, or it can be a complex and rigorous set of procedures intended to protect very sensitive information.

Needs Can Differ
Some users of SafeNet Luna HSMs employ cryptographic keys and material that have a very short "shelf life". A relatively short time after the HSM is taken out of service, any objects that it contains are no longer relevant.
The HSM could be disposed of, with no concern about any material that might remain in it.

The majority of our customers are concerned with their keys and objects that are stored on the HSM. It is important to them that those items never be exposed. The fact is that they are never exposed, but see below for explanations and actions that address the concerns of auditors who might be more accustomed to other ways of safeguarding HSM contents.

SafeNet Luna HSM Protects Your Keys and Objects
The design philosophy of our SafeNet Luna HSMs ensures that contents are safe from attackers. Unlike other HSM products on the market, SafeNet Luna HSMs never store sensitive objects, like cryptographic keys, unencrypted. Therefore, SafeNet Luna HSMs have no real need, other than perception or "optics", to perform active erasure of HSM contents in case of an attack or tamper event. Instead, the basic state of a SafeNet Luna HSM is that any stored keys and objects are strongly encrypted. They are decrypted only for current use, and only into volatile memory within the HSM. If power is removed from the HSM, or if the current session closes, the temporarily-decrypted objects instantly evaporate. The encrypted originals remain, but they are unusable by anyone who does not have the correct HSM keys to decrypt them.

How the HSM encryption keys protect your sensitive objects
In addition to encryption with the user-specific access keys or passwords, all objects on the HSM are encrypted by the HSM's global key encryption key (KEK) and the HSM's unique Master Tamper Key (MTK). If the HSM experiences a Decommission event (pressing of the small red button on the back of the SafeNet Luna Network HSM, shorting of the pins of the decommission header on the HSM card, or removal of the battery while main power is not connected to a SafeNet Luna USB HSM), then the KEK is deleted. If the HSM experiences a tamper event (physical intrusion, environmental excursion), then the MTK is destroyed. Destruction of either of those keys instantly renders any objects in the HSM unusable by anyone. In the case of a Decommission event, when the HSM is next powered on, it requires initialization, which wipes even the encrypted remains of your former keys and objects.

We recognize that some organizations build their protocols around assumptions that apply to other suppliers' HSMs, where keys are stored unencrypted and must be actively erased in the event of an attack or removal from service. If your policies include that assumption, then you can re-initialize after Decommission, which actively erases the encrypted objects for which the decrypting key no longer exists. For purposes of security, such an action is not required, but it can satisfy pre-existing protocols that presume a weakness not present in SafeNet Luna HSMs.

Our customers are often very high-security establishments that have rigorous protocols for removing a device from service. In such circumstances, it is not sufficient to merely ensure that all material is gone from the HSM. It is also necessary to clear any possible evidence from the appliance that contains the HSM, such as IP configuration and addresses, log files, etc. If you have any concern that simply pressing the Decommission button and running sysconf config factoryreset is not sufficient destruction of potentially-sensitive information, then please refer to "Decommissioning the HSM Appliance" on page 98.

Comparison of Destruction/Denial Actions
Various operations on the SafeNet Luna HSM are intended to make HSM contents unavailable to potential intruders. The effects of those actions are summarized and contrasted in the following table, along with notes on how to recognize and how to recover from each scenario.
Scenario 1: MTK is destroyed. The HSM is unavailable, but use/access can be recovered after reboot (see Note 1).
Scenario 2: KEK is destroyed (Real-Time Clock and NVRAM). HSM contents cannot be recovered without a restore from backup (see Note 2).
Scenario 3: Appliance admin password reset.

Event:
  • Three bad SO login attempts
  • lunash:> hsm zeroize
  • lunash:> hsm factoryreset
  • Any change to a destructive policy
  • Firmware rollback (see Note 4)
  Scen. 1: NO   Scen. 2: YES   Scen. 3: NO
  How to discover (see Note 3):
  • Syslog entry
  • "HSM IS ZEROIZED" in HSM Details (from the hsm show command)
  How to recover: Restore HSM objects from backup.

Event: Login to the SafeNet Luna Network HSM "recover" account (local serial connection)
  Scen. 1: NO   Scen. 2: NO   Scen. 3: YES
  How to discover: Syslog entry shows login by "recover".
  How to recover: Log into the appliance as admin, using the reset password "PASSWORD", and change to a secure password.

Event: Hardware tamper
  • Undervoltage or overvoltage during operation
  • Undertemperature or overtemperature during operation
  • Chassis interference (such as cover, fans, etc.)
  Scen. 1: YES   Scen. 2: NO   Scen. 3: NO
  How to discover: Parse syslog for text like "tamper", "TVK was corrupted", or "Generating new TVK", indicating that a tamper event was logged. Example:
    RTC: external tamper latched
    MTK: security function was zeroized on previous tamper event and has not been restored yet
  Also, keywords in syslog like "HSM internal error" and "device error". The SafeNet Luna Network HSM appliance front panel flashes error 30.
  How to recover: Reboot (see Note 1).

Event: Software (command-initiated) tamper
  • lunash:> hsm stm transport
  Scen. 1 / Scen. 2 / Scen. 3, how to discover, and how to recover: as for hardware tamper (see Note 1).

Event: Decommission
  • Pressing the Decommission button on the back of the appliance
  Scen. 1: NO   Scen. 2: YES   Scen. 3: NO
  How to discover: Look for a log entry like:
    RTC: tamper 2 signal/Zeroizing HSM after decommission...LOG(INFO): POWER-UP LOG DUMP END
  How to recover: Restore HSM objects from backup.

Note 1: MTK is an independent layer of encryption on HSM contents, used to manage tamper and Secure Transport Mode. A destroyed MTK is recovered on the next reboot. If the MTK cannot be recovered, only restoring from backup onto a new or re-manufactured HSM can retrieve your keys and HSM data.
Note 2: KEK is an HSM-wide encryption layer that encrypts all HSM objects, excluding only the MTK, the RPK, a wrapping key, and a couple of keys used for legacy support. A destroyed KEK cannot be recovered. If the KEK is destroyed, only restoring from backup can retrieve your keys and HSM data.
Note 3: To check the health of a remote HSM, script a frequent login to the HSM host and execution of a subset of HSM commands. If a command fails, check the logs for an indication of the cause.
Note 4: These actions all create a situation where hsm init is required, or strongly recommended, before the HSM is used again.

In addition, another event/action that has a destructive component is HSM initialization. See "HSM Initialization" on page 141.

RMA and Shipping Back to Gemalto
Although rare, it could happen that you need to ship a SafeNet appliance back to Gemalto. Contact your Gemalto representative to obtain the Return Material Authorization (RMA) and instructions for packing and shipping. You might wish (or your security policy might require you) to take maximum precaution with any contents in your HSM before it leaves your possession.
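Note 3 in the comparison table above suggests scripting a periodic login and checking the logs when a command fails. The following Python script is an added example, not code from the guide or from Gemalto: it maps syslog lines to the three scenarios of the table using the keywords the table quotes, and checks hsm show output for the "HSM IS ZEROIZED" marker. The sample log lines are constructed, and the exact wording of a "recover" account login message is an assumption.

```python
"""Triage Luna appliance syslog lines against the three destruction/denial
scenarios in the comparison table (added example; not Gemalto code).
The regular expressions use the keywords the guide quotes; real message
formats may differ, so treat them as a starting point."""
import re
from collections import Counter

# Scenario labels, numbered as in the comparison table.
MTK_DESTROYED = "scenario1_mtk_destroyed"             # recoverable after reboot
KEK_DESTROYED = "scenario2_kek_destroyed"             # restore from backup only
ADMIN_PASSWORD_RESET = "scenario3_admin_password_reset"

# Recovery steps as stated in the table's "How to recover" column.
RECOVERY = {
    MTK_DESTROYED: "Reboot; if the MTK does not recover, restore from backup "
                   "onto a new or re-manufactured HSM.",
    KEK_DESTROYED: "KEK is gone: re-initialize the HSM and restore objects from backup.",
    ADMIN_PASSWORD_RESET: "Log in as admin with the reset password and change it "
                          "to a secure password.",
}

# Most to least severe, used to pick the headline finding.
SEVERITY = [KEK_DESTROYED, MTK_DESTROYED, ADMIN_PASSWORD_RESET]

# Ordered rules. The decommission message also contains the word "tamper",
# so the KEK-specific text is tested before the generic tamper keywords.
RULES = [
    (KEK_DESTROYED, re.compile(
        r"Zeroizing HSM after decommission|HSM IS ZEROIZED", re.I)),
    # Login by the "recover" account. The util-linux 'login' and sshd wording
    # is an assumption; the guide only says the entry "shows login by recover".
    (ADMIN_PASSWORD_RESET, re.compile(
        r"LOGIN ON \S+ BY recover\b|Accepted \w+ for recover\b", re.I)),
    (MTK_DESTROYED, re.compile(
        r"tamper|TVK was corrupted|Generating new TVK|HSM internal error|device error", re.I)),
]


def classify_line(line):
    """Return the scenario label for one syslog line, or None if it is unrelated."""
    for label, pattern in RULES:
        if pattern.search(line):
            return label
    return None


def triage(syslog_text):
    """Count matching lines per scenario and list recovery actions, worst first."""
    counts = Counter()
    for line in syslog_text.splitlines():
        label = classify_line(line)
        if label:
            counts[label] += 1
    present = [s for s in SEVERITY if counts[s]]
    return {
        "counts": dict(counts),
        "headline": present[0] if present else None,
        "actions": [RECOVERY[s] for s in present],
    }


def hsm_show_is_zeroized(hsm_show_output):
    """Check 'hsm show' output for the 'HSM IS ZEROIZED' marker the table mentions."""
    return "HSM IS ZEROIZED" in hsm_show_output


# Constructed sample log lines (not captured from a real appliance).
SAMPLE_SYSLOG = """\
Jan 10 09:01:12 hsm01 lunalogger: RTC: external tamper latched
Jan 10 09:01:12 hsm01 lunalogger: MTK: security function was zeroized on previous tamper event and has not been restored yet
Jan 10 09:03:40 hsm01 sshd[2211]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Jan 10 09:15:03 hsm01 lunalogger: RTC: tamper 2 signal/Zeroizing HSM after decommission...LOG(INFO): POWER-UP LOG DUMP END
Jan 10 09:40:17 hsm01 login[3002]: LOGIN ON ttyS0 BY recover
Jan 10 09:41:00 hsm01 lunalogger: HSM internal error
"""

if __name__ == "__main__":
    result = triage(SAMPLE_SYSLOG)
    print("headline:", result["headline"])
    for action in result["actions"]:
        print(" -", action)
```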
If you want to take such precautions, there are two options available to secure the contents of the SafeNet Luna Network HSM before returning it to Gemalto:
• Decommission the HSM, forcibly clearing all HSM contents (see "Decommissioning the HSM Appliance" on page 98 for instructions)
• Set the HSM into Secure Transport Mode (see "Secure Transport Mode" on page 256 for instructions) and provide the verification string and random user string to your Gemalto representative by secure means. This will allow Gemalto to know if the HSM is tampered while in transit.

Zeroization
In the context of HSMs in general, the term "zeroize" means to erase all plaintext keys. Some HSMs keep all keys in plaintext within the HSM boundary. SafeNet Luna HSMs do not. In the context of SafeNet Luna HSMs, keys at rest (keys or objects that are stored in the HSM) are encrypted. Keys are decrypted into a volatile working memory space inside the HSM only while they are being used. Items in volatile memory disappear when power is removed. The action that we loosely call "zeroizing", or clearing, erases volatile memory as well as destroying the key that encrypts stored objects.

Any temporarily decrypted keys are destroyed, and all customer keys on the HSM are immediately rendered inaccessible and unrecoverable whenever you:
• perform hsm factoryreset
• make too many bad login attempts on the SO account
• press the Decommission button on the SafeNet Luna Network HSM back panel
• set a "destructive" HSM policy
• perform HSM firmware rollback

The KEK (key encryption key that encrypts all user objects, partition structure, cloning vectors, masking vectors, etc.) is destroyed by a zeroization (erasure) or decommission event. At that point, any objects or identities in the HSM become effectively random blobs of bits that can never be decoded.

Note: The next HSM power-up following a KEK zeroization automatically erases the contents of user storage, which were already an indecipherable blob without the original KEK. That is, any zeroizing event instantly makes encrypted objects unusable, and as soon as power is reapplied, the HSM immediately erases even the encrypted remains before it allows further use of the HSM. The HSM must now be re-initialized in order to use it again, and initialization overwrites the HSM with new user parameters. Everything is further encrypted with a new KEK unique to that HSM.

Keys not encrypted by the KEK are those that require exemption and are not involved in user identities or user objects:
• The Master Tamper Key, which enables tamper handling
• The Remote PED Vector, to allow Remote PED-mediated recovery from tamper or from Secure Transport Mode
• The hardware origin key that certifies the HSM hardware as having been built by Gemalto

6 High-Availability (HA) Configuration and Operation

This chapter describes how to configure and use SafeNet Luna HSMs to provide load-balancing and redundancy for mission-critical applications.
It contains the following sections:
• "High Availability (HA) Overview" below
• "Load Balancing" on page 107
• "Key Replication" on page 108
• "Failover" on page 109
• "Recovery" on page 112
• "Performance" on page 117
• "Standby Members" on page 118
• "Planning Your Deployment" on page 121
• "Configuring HA" on page 124
• "Using HA With Your Applications" on page 129
• "Adding, Removing, Replacing, or Reconnecting HA Group Members" on page 130
• "Managing and Troubleshooting Your HA Groups" on page 138

High Availability (HA) Overview
You can use the SafeNet Luna HSM client to group multiple devices, or partitions, into a single logical group, known as an HA (High Availability) group. When you create an HA group, it is listed as a virtual HA slot in the client. Any applications that use the virtual HA slot can access cryptographic services as long as at least one member of the HA group remains functional and connected to the application server. In addition, the client performs load balancing among the HA group members, allowing many cryptographic commands to be automatically distributed across the HA group, and enabling linear performance gains for many applications.

How HA is Implemented
The HA and load-balancing functionality is implemented in the SafeNet Luna HSM client, and uses the cloning function to replicate/synchronize content across HA-group members. There is no direct connection between the members of an HA group, and all communications between the members of an HA group are managed by the client. The HSMs and appliances are not involved and, except for being instructed to clone objects to certain HSMs during a synchronization operation, are unaware that they might be configured in an HA group. The advantage of this approach is that it allows you to configure HA groups on a per-application (or per-slot) basis.

To create an HA group, you must first register your client with each HSM you want to include in the HA group. You then use the client-side administration commands to define the HA group and set any desired configuration options. You can configure several options, including:
• Setting automatic or manual recovery mode
• Setting some HSMs as standby members
• Performing various manual synchronization and recovery operations

Once defined, the SafeNet Luna HSM client presents the HA group as a virtual slot, which is a consolidation of all the physical HSMs in the HA group. Any operations that access the slot are automatically distributed between the group members, to provide load balancing, and all key material is automatically replicated and synchronized between each member of the HA group.

Example: Database Encryption
This section walks through a specific sample use case of some of the HA logic with a specific application, namely transparent database encryption.

Typical Database Encryption Key Architecture
Database engines typically use a two-layered key architecture. At the top layer is a master encryption key that is the root of data protection. Losing this key is equivalent to losing the database, so it obviously needs to be highly durable. At the second layer are table keys used to protect table-spaces and/or columns. These table keys are stored with the database as blobs encrypted by the master encryption key (MEK). This architecture maps to the following operations on the HSM:
1. Initial generation of a master key for each database.
2. Generation and encryption of table keys with the master key.
3. Decryption of table keys when the database needs to access encrypted elements.
4. Generation of new master keys during a re-key, and then re-encryption of all table keys with the new master key.
5. Generation and encryption of new table keys for storage in the database (often done in a software module).
The HSM is not involved in the use of table keys. Instead it provides the strong protection of the MEK, which is used to protect the table keys. Users must follow backup procedures to ensure their MEK is as durable as the database itself. Refer to the backup section of this manual for proper backup procedures.

HSM High Availability with Database Encryption
When the HSMs are configured as an HA group, the database's master key is automatically and transparently replicated to all the members when the key is created or re-keyed. If an HSM group member was offline or fails during the replication, it does not immediately receive a copy of the key. Instead the HA group proceeds after replicating to all of the active members. Once a member is re-joined to the group, the HSM client automatically replicates the new master keys to the recovered member.

With this in mind, before every re-key event the user should ensure the HA group has sufficient redundancy. A re-key will succeed so long as one HA group member exists, but proceeding with too few HSMs will result in an availability risk. For example, proceeding with only one HSM means the new master key will be at risk, since it exists only on a single HSM. Even with sufficient redundancy, SafeNet recommends maintaining an offline backup of a database's master key.

HSM Load Balancing with Database Encryption
While a database is up and running, the master key exists on all members in the HA group. As such, requests to encrypt or decrypt table keys are distributed across the entire group. So the load-balancing feature is able to deliver improved performance and scalability when the database requires a large number of accesses to the table keys. With that said, most deployments will not need much load-balancing, as the typical database deployment results in a small number of table keys.

While the table keys are re-keyed, new keys are generated in the HSM and encrypted for storage in the database. Within an HA group, these keys are generated on the primary HSM and then, even though they exist on the HSM for only a moment, they are replicated to the entire HSM group as part of the availability logic. These events are infrequent enough that this extra replication has minimal impact.

Conclusion
The SafeNet high availability and load balancing features provide an excellent set of tools to scale applications and manage availability of cryptographic services without compromising the integrity of cryptographic keys. A broad range of deployment options are supported that allow solution architects to achieve the availability needed in a manner that optimizes cost and performance without compromising the assurance of the solution.

Load Balancing
The default behavior of the client library is to attempt to load-balance the application's cryptographic requests across each active member of an HA group. Any standby members in the HA group are not used to perform cryptographic operations, and are therefore not part of the load-balancing scheme (see "Standby Members" on page 118).

The top-level algorithm is a round-robin scheme that is modified to favor the least busy device in the set. As each new command is processed, the SafeNet Luna HSM client looks at how many commands it has scheduled on every device in the group. If all devices have an equal number of outstanding commands, the new command is scheduled on the next device in the list, creating a round-robin behavior. However, if the devices have a different number of commands outstanding on them, the new command is scheduled on the device with the fewest commands queued, creating a least-busy behavior.
This modified round-robin has the advantage of biasing load away from any device currently performing a lengthy command. In addition to this least-busy bias, the type of command also affects the scheduling algorithm, as follows:
• Single-part (stateless) cryptographic operations are load-balanced.
• Multi-part (stateful) commands that involve cryptographic operations are load-balanced.
• Multi-part (stateful) commands that involve information retrieval are not load-balanced. Multi-part operations carry over several individual commands. The cost of distributing the commands to different HA group members is generally greater than the benefit. For this reason, multi-part commands that involve information retrieval are all targeted at one member. Multi-part operations are typically not used, or are infrequent actions, so most applications are not affected by this restriction.
• Key management commands are not load-balanced. Key management commands affect the state of the keys stored in the HSM. As such, these commands are targeted at all HSMs in the group. That is, the command is performed on the primary HSM and then the result is replicated to all members in the HA group. Key management operations are also an infrequent occurrence for most applications.

It is important to understand that the least-busy algorithm uses the number of commands outstanding on each device as the indication of its busyness. When an application performs a repeated command set, this method works very well. When the pattern is interrupted, however, the type of command can have an impact. For example, when the HSM is performing signing and an atypical asymmetric key generation request is issued, some number of the application's signing commands are scheduled on the same device (behind the key generation). Commands queued behind the key generation therefore have a large latency driven by the key generation. However, the least-busy characteristic automatically schedules more commands to other devices in the HA group, minimizing the impact of the key generation.

It is also important to note that the load-balancing algorithm operates independently in each application process. Multiple processes on the same client or on different clients do not share their "busyness" information while making their scheduling choice. In most cases this is reasonable, but some mixed use cases might cause certain applications to hog the HSMs.

Finally, when an HA group is shared across many servers, different initial members can be selected while the HA group is being defined on each server. The member first assigned to each group becomes the primary. This approach optimizes an HA group to distribute the key management and/or multi-part cryptographic operation load more equally.

In summary, the load-balancing scheme used by SafeNet is a combination of round-robin and least-busy for most operations. However, as required, the algorithm adapts to various conditions and use cases, so it might not always emulate a round-robin approach.

Example
When the client makes a request on a virtual HA slot, the request goes to the first member in the HA group, as listed in the Chrystoki.conf file (Linux/UNIX) or Crystoki.ini file (Windows), unless it is busy. A member is busy if it has not yet responded to the most recent request that was sent to it. If the primary member is busy, the client sends the request to the next non-busy member of the HA group.
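As an added example, not code from the guide or from the SafeNet client library, the following Python model reproduces the scheduling rules described above: round-robin while every active member has the same number of outstanding commands, least-busy otherwise, key management performed on the primary and replicated to every member, and multi-part information retrieval pinned to one member. The tie-break among equally idle members (earlier in the list wins) and the choice of the primary as the pinned member are assumptions the guide does not spell out.

```python
"""Model of the HA client's command scheduling (added example; assumptions noted inline)."""
from enum import Enum


class CmdType(Enum):
    SINGLE_PART = "single-part crypto"        # load-balanced
    MULTI_PART_CRYPTO = "multi-part crypto"   # load-balanced
    MULTI_PART_INFO = "multi-part info"       # sent to one member only
    KEY_MANAGEMENT = "key management"         # primary first, then every member


class HAScheduler:
    def __init__(self, members, standby=()):
        # Member order is the order in Chrystoki.conf; the first member is the primary.
        self.members = list(members)
        self.primary = self.members[0]
        # Standby members never receive cryptographic work.
        self.active = [m for m in self.members if m not in set(standby)]
        self.outstanding = {m: 0 for m in self.members}  # requests not yet answered
        self._rr = 0                                     # round-robin cursor

    def _pick_active(self):
        counts = [self.outstanding[m] for m in self.active]
        if len(set(counts)) == 1:
            # Every active member is equally busy: plain round-robin.
            member = self.active[self._rr % len(self.active)]
            self._rr += 1
            return member
        # Otherwise the least-busy member; ties go to the earlier member in
        # the list (assumption: the guide does not specify the tie-break).
        return min(self.active, key=lambda m: (self.outstanding[m], self.active.index(m)))

    def schedule(self, cmd):
        """Choose the target member(s) for cmd and record it as outstanding there."""
        if cmd is CmdType.KEY_MANAGEMENT:
            # Performed on the primary, then replicated to all members, standby included.
            targets = [self.primary] + [m for m in self.members if m != self.primary]
        elif cmd is CmdType.MULTI_PART_INFO:
            # Pinned to a single member; using the primary is an assumption.
            targets = [self.primary]
        else:
            targets = [self._pick_active()]
        for m in targets:
            self.outstanding[m] += 1
        return targets

    def complete(self, member):
        """A member answered its oldest outstanding request."""
        self.outstanding[member] -= 1


def demo():
    """Three active members plus one standby; returns where each request went."""
    s = HAScheduler(["hsm-a", "hsm-b", "hsm-c", "hsm-d"], standby=["hsm-d"])
    # Three signatures on an idle group spread across a, b, c.
    idle = [s.schedule(CmdType.SINGLE_PART)[0] for _ in range(3)]
    for m in idle:
        s.complete(m)
    # A lengthy request (say an atypical key generation) lands on the next
    # round-robin member and stays outstanding for the rest of the demo.
    slow = s.schedule(CmdType.SINGLE_PART)[0]
    # Five more signatures: least-busy steers them away from the busy member
    # at first; once the others have caught up, one queues behind the slow request.
    burst = [s.schedule(CmdType.SINGLE_PART)[0] for _ in range(5)]
    # Key management goes to the primary and is replicated everywhere.
    key_mgmt = s.schedule(CmdType.KEY_MANAGEMENT)
    return {"idle": idle, "slow": slow, "burst": burst,
            "key_mgmt": key_mgmt, "outstanding": dict(s.outstanding)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```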
If you add network latency, increase the key size, or interleave other crypto operations, then performance may drop for individual active members as they become busier. Any group members set to "Standby" status do not contribute to group performance, even if the client can saturate the active members.
Key Replication
Whenever an application creates key material, the HA functionality transparently replicates the key material to all members of the HA group before reporting back to the application that the new key is ready. The HA library always starts with what it considers its primary HSM (initially the first member defined in the HA group). Once the key is created on the primary, it is automatically replicated to each member in the group. If a member fails during this process, the key replication to the failed member is aborted after the fail-over timeout. If any member is unavailable during the replication process (that is, the unit failed before or during the operation), the HA library keeps track of this and automatically replicates the key when that member rejoins the group. Once the key is replicated on all active members of the HA group, a success code is returned to the application.
Whether automatic or manual, object replication security is based on the SafeNet cloning protocol, which provides mutual authentication, confidentiality and integrity for each object that is copied from one partition to another. When partition objects are synchronized, the SafeNet Luna HSM client is used as a secure conduit to coordinate the duplication of these objects across all partitions. An object created on LunaA partition#1A is duplicated on LunaB Partition#1B using the following process:
1. The object is created on LunaA.
2. The duplicated object is then encrypted using a key derived from common Domain material (Red key) shared by each SafeNet Luna HSM in the HA group.
3. LunaA transfers the encrypted object to the SafeNet Luna Client over the encrypted NTL connection between itself and the client (the object is now double-encrypted).
4. The client then securely transfers the object to LunaB.
5. LunaB decrypts the object and stores it in the partition.
The cloning protocol must be invoked separately for each object to be cloned, and the sequence of calls required to implement the protocol must be issued by an authorized client library (residing on a client platform that has been authenticated to each of the SafeNet Luna HSMs in the HA group). This ensures that use of the cloning function calls is controlled and the protocol cannot be misused to permit the unauthorized transfer of objects to or from one of the partitions in the HA group.
Manual Synchronization
To manually synchronize the contents of the members of an HA group, use the LunaCM command hagroup synchronize.
Failover
When an HA group is running normally, the client library continues to schedule commands across all members as described above. The client continuously monitors the health of each member at two different levels:
• First, connectivity with the member is monitored at the networking layer. Disruption of the network connection invokes a fail-over event within a twenty-second timeout.
• Second, every command sent to a device is continuously monitored for completion. Any command that fails to complete within twenty seconds also invokes a fail-over event. Most commands complete within milliseconds. However, some commands can take extended periods to complete, either because the command itself is time-consuming (for example, key generation) or because the device is under extreme load.
To cover these events, the HSM automatically sends "heartbeats" every two seconds for all commands that have not completed within the first two seconds. The twenty-second timer is extended every time one of these heartbeats arrives at the client, thus preventing false fail-over events.
A failover event involves dropping a device from the available members in the HA group. All commands that were pending on the failed device are transparently rescheduled on the remaining members of the group. When a failure occurs, the application experiences a latency stall on some of the commands in process (on the failing unit) but otherwise sees no impact on the transaction flow. Note that the least-busy scheduling algorithm automatically minimizes the number of commands that stall on a failing unit during the twenty-second timeout. If the primary unit fails, clients automatically select the next member in the group as the new primary. Any key management or single-part cryptographic operations are transparently restarted on a new group member. If the primary unit fails, any in-progress multi-part cryptographic operations must be restarted by the application, as the operation returns an error code. As long as one HA group member remains functional, cryptographic service is maintained to an application no matter how many other group members fail. As discussed in "Failover" on the previous page, members can also be put back into service without restarting the application.
How Do You (or Software) Know That a Member Has Failed?
When an HA group member first fails, the HA status for the group shows "device error" for the failed member. All subsequent calls return "token not present" until the member (HSM partition or PKI token) is returned to service.
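The per-command fail-over timer and the heartbeat extension just described, as an added model written for this page (not SafeNet client code). It encodes only the stated rule: a command that has not completed within twenty seconds drops the member and hands its pending commands back for rescheduling, but a heartbeat every two seconds for a still-running command pushes the deadline out each time. Times are simulated seconds rather than a real clock, and the command names are assumptions.

```python
"""Model of the HA client's 20-second fail-over timer with heartbeat extension (added example)."""
from typing import Dict, List, Optional, Tuple

FAILOVER_TIMEOUT = 20.0   # seconds without news before a member is dropped (per the guide)
HEARTBEAT_PERIOD = 2.0    # appliance heartbeat interval for long-running commands (per the guide)


class MemberWatchdog:
    """Tracks the outstanding commands on one HA member and their fail-over deadlines."""

    def __init__(self) -> None:
        self.deadline: Dict[str, float] = {}   # command -> simulated time at which it expires
        self.failed = False

    def send(self, cmd: str, now: float) -> None:
        self.deadline[cmd] = now + FAILOVER_TIMEOUT

    def heartbeat(self, cmd: str, now: float) -> None:
        # A heartbeat for a command still in progress restarts that command's timer.
        if cmd in self.deadline:
            self.deadline[cmd] = now + FAILOVER_TIMEOUT

    def respond(self, cmd: str) -> None:
        self.deadline.pop(cmd, None)

    def check(self, now: float) -> List[str]:
        """Fail the member if any command has timed out; return the commands to reschedule."""
        if self.failed or not any(now >= d for d in self.deadline.values()):
            return []
        self.failed = True
        pending, self.deadline = list(self.deadline), {}
        return pending


def long_keygen_with_heartbeats(duration: float = 90.0) -> bool:
    """A keygen that runs far longer than 20 s but heartbeats every 2 s: returns whether
    a fail-over was (wrongly) triggered. Expected: False."""
    wd = MemberWatchdog()
    wd.send("keygen-8192", 0.0)
    t = 0.0
    while t < duration:
        t += 1.0
        if t > HEARTBEAT_PERIOD and t % HEARTBEAT_PERIOD == 0:
            wd.heartbeat("keygen-8192", t)   # appliance says "still working on it"
        if wd.check(t):
            return True
    wd.respond("keygen-8192")
    return False


def silent_member() -> Optional[Tuple[float, List[str]]]:
    """A member that stops answering (no reply, no heartbeat) is dropped at the 20 s mark,
    and both of its pending commands are handed back for the remaining members."""
    wd = MemberWatchdog()
    wd.send("sign#1", 0.0)
    wd.send("sign#2", 3.0)
    for t in range(0, 40):
        pending = wd.check(float(t))
        if pending:
            return float(t), pending
    return None


if __name__ == "__main__":
    print("fail-over during heartbeating keygen:", long_keygen_with_heartbeats())
    print("silent member dropped at:", silent_member())
```

Two things are worth noticing in the silent-member case: the timer is per command, so the member is dropped when the oldest unanswered command expires, not when the newest one does, and rescheduling is a library action only for single-part commands; a multi-part operation among the pending ones comes back to the application as an error, as the next example shows.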
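The application's side of the rule stated above, that an in-progress multi-part operation returns an error and must be restarted by the application, as an added example written for this page. It is not SafeNet code and not a real PKCS#11 session: FlakyMultiPartSession is a mock whose init/update/final stand in for the C_DigestInit/C_DigestUpdate/C_DigestFinal pattern, and its DeviceError stands in for the error the HA virtual slot returns when the member serving the operation drops out (the exact return code is not something this example asserts). The point it demonstrates is that the accumulated state lived on the failed member, so the only correct recovery is to restart from the init call; resuming with the remaining chunks produces a wrong result.

```python
"""Application-side restart of a multi-part operation after a member failure (added example)."""
import hashlib
from typing import List, Optional, Tuple


class DeviceError(Exception):
    """Stand-in for the device/token error surfacing mid-operation on the HA virtual slot."""


class FlakyMultiPartSession:
    """Mock multi-part digest whose member 'fails' on the Nth update call (once)."""

    def __init__(self, fail_on_update: Optional[int] = None) -> None:
        self.fail_on_update = fail_on_update
        self.update_calls = 0
        self._state = None

    def init(self) -> None:
        self._state = hashlib.sha256()          # fresh operation context on some member

    def update(self, chunk: bytes) -> None:
        self.update_calls += 1
        if self.update_calls == self.fail_on_update:
            self._state = None                  # context was on the failed member: gone
            raise DeviceError("HA member failed during multi-part operation")
        if self._state is None:
            raise RuntimeError("operation not initialised")  # like CKR_OPERATION_NOT_INITIALIZED
        self._state.update(chunk)

    def final(self) -> bytes:
        if self._state is None:
            raise RuntimeError("operation not initialised")
        digest, self._state = self._state.digest(), None
        return digest


def run_multipart(session: FlakyMultiPartSession, chunks: List[bytes],
                  attempts: int = 3) -> Tuple[bytes, int]:
    """Run init / update... / final; on DeviceError restart the whole operation from init.

    Returns (result, attempts_used). It never resumes from the chunk that failed,
    because the partial state on the old member cannot be recovered on another one.
    """
    for attempt in range(1, attempts + 1):
        try:
            session.init()
            for chunk in chunks:
                session.update(chunk)
            return session.final(), attempt
        except DeviceError:
            if attempt == attempts:
                raise
    raise AssertionError("unreachable")


def resume_after_failure_is_wrong(session: FlakyMultiPartSession, chunks: List[bytes]) -> bytes:
    """The tempting but incorrect strategy: re-init and carry on with the remaining chunks.
    The chunks already fed to the failed member are silently lost from the result."""
    session.init()
    for i, chunk in enumerate(chunks):
        try:
            session.update(chunk)
        except DeviceError:
            session.init()                      # new context on another member...
            for rest in chunks[i + 1:]:         # ...but everything fed so far is gone
                session.update(rest)
            break
    return session.final()


if __name__ == "__main__":
    data = [b"part-1", b"part-2", b"part-3"]   # constructed sample input
    ok, used = run_multipart(FlakyMultiPartSession(fail_on_update=2), data)
    print("restart from init:", ok.hex(), "after", used, "attempt(s)")
    print("resume instead   :", resume_after_failure_is_wrong(
        FlakyMultiPartSession(fail_on_update=2), data).hex())
```

Cap the restart count: a member that keeps failing the same operation should surface to the application's error handling rather than loop, and the attempts value is the knob for that. For block encryption or decryption the same wrapper shape applies, with the whole plaintext or ciphertext re-fed from the first block.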
At the library level, what happens when a device fails or doesn't respond?
The client library drops the member and continues with the others. It tries to reconnect that member at a minimum retry rate of once per minute (configurable) for the number of times specified in the configuration file, and then stops trying that member. You can specify a number of retries from 3 to an unlimited number.
What happens to an application if a device fails mid-operation? What if it's a multi-part operation?
Multi-part operations do not fail over. The entire operation returns a failure, and your application deals with the failure in whatever way it is coded to do so. Any operation that fails mid-point must be re-sent from the calling application. This is more likely to happen in a multi-part operation because those are longer, but a failure could conceivably happen during a single atomic operation as well. With HA, if the library attempts to send a command to an HSM and it is unavailable, it automatically retries sending that command to the next HSM in the configuration after the timeout expires. Multi-part operations are typically block encryption or decryption, or any other command where the previous state of the HSM is critical to the processing of the next command. These need to be re-sent because the HSMs do not synchronize "internal memory state", only stored key material.
Reaction to Failures
This section looks at possible failures in an overall HA system, and what needs to be done. The assumption is that HA has been
In a complex system, it is possible to come up with any number of failure scenarios, such as this (partial) list for an HA group:
• Failure at the HSM or appliance
– HSM card failure
– HSM re-initialization
– Deactivated partition
– Power failure of a member
– Reboot of member
– NTL failure
– STC failure
• Failure at the client
– Power failure of the client
– Reboot of client
– Network keepalive failure
• Failure between client and group members
– Network failure near the member appliance (so only one member might disappear from the client's view)
– Network failure near the client (client loses contact with all members)
HSM-Side Failures
The categories of failure at the HSM side of an HA arrangement are temporary or permanent.
Temporary
Temporary failures like reboots, or failures of power or network, are self-correcting. As long as you have set HA autorecovery parameters that are sufficiently lenient, recovery is automatic, shortly after the HSM partition becomes visible to the HA client.
Permanent
Permanent failures require overt intervention at the HSM end, including possibly complete physical replacement of the unit, or at least initialization of the HSM. All that concerns the HA service is that the particular unit is gone and isn't coming back. If an entire SafeNet Luna Network HSM unit is replaced, then you must go through the entire appliance and HSM configuration of the new unit before introducing it to the HA group. If a non-appliance HSM (one that resides in the client host computer, e.g., SafeNet Luna PCIe HSM or SafeNet Luna USB HSM) is replaced, then it must be initialized and a new partition created. Either way, your immediate options are to use a new name for the partition, or to make the SafeNet Luna HSM Client forget the dead member (LunaCM command hagroup removemember) so you can reuse the old name. Then, you must ensure that automatic synchronization is enabled (LunaCM command hagroup synchronize -enable), and manually introduce the new member to the group (LunaCM command hagroup addmember). After that, you can carry on using your application with full HA redundancy.
Because your application should be using only the HA virtual slot (LunaCM command hagroup haonly), your application should not have noticed that one HA group member went away, or that another one was added and synchronized. The only visible sign might have been a brief dip in performance, but only if your application was placing high demand on the HSM(s).
Client-Side Failures
For SafeNet Luna Network HSM, any failure of the client (such as operating system problems) that does not involve corruption or removal of files on the host should resolve itself when the host computer is rebooted. If the host seems to be working fine otherwise, but you have lost visibility of the HSMs in LunaCM or your client, verify that the SafeNet drivers are running, and retry. If that fails, reboot. If that fails, restore your configuration from a backup of your host computer. If that fails, re-install SafeNet Luna HSM Client and re-perform the certificate exchanges, creation of the HA group, adding of members, setting HAOnly, etc.
For SafeNet Luna PCIe HSM and SafeNet Luna USB HSM, the client is the host of the HSMs, so if HA has been working, then any sudden failure is likely to be OS or driver related (so restart) or corruption of files (so re-install). If a re-install is necessary, you will need to recreate the HA group, re-add all members and re-assert all settings (like HAOnly).
Failures Between the HSM and Client (SafeNet Luna Network HSM only)
The only failure that could likely occur between a SafeNet Luna Network HSM (or multiple HSMs) and a client computer coordinating an HA group is a network failure. In that case, the salient factor is whether the failure occurred near the client or near one (or more) of the SafeNet Luna Network HSM appliances.
If the failure occurs near the client, and you have not set up port bonding on the client, then the client loses sight of all HA group members and the client application fails. The application resumes according to its timeouts and error-handling capabilities, and HA resumes automatically if the members reappear within the recovery window that you have set. If the failure occurs near a SafeNet Luna Network HSM member of the HA group, then that member might disappear from the group until the network failure is cleared, but the client can still see the other members and carries on normally. If the recovery window is exceeded, then you must manually restart HA.
Recovery
After a failure, the recovery process is typically straightforward. Depending on the deployment, an automated or manual recovery process might be appropriate. In either case there is no need to restart an application.
Automatic recovery
With automatic recovery, the client automatically performs periodic recovery attempts while a member is failed. The frequency of these checks is adjustable and the number of retries can be limited. Each time a reconnection is attempted, one application command experiences a slight delay while the client attempts to recover. For this reason, the retry frequency cannot be set any faster than once per minute. Even if a manual recovery process is selected, the application does not need to be restarted: simply run the client recovery command, and the recovery logic inside the client makes a recovery attempt the next time the application uses the HSM. As part of recovery, any key material created while the member was offline is automatically replicated to the recovered unit.
Automatic recovery is disabled by default. Use the command hagroup retry to turn it on or off. If retry=0, automatic recovery is disabled. Any other retry value enables automatic recovery.
Failed units
Sometimes a failure of a device is permanent.
In this event, the only solution is to deploy a new member to the group: remove the failed unit from the HA group, add a new device to the group, and then start the recovery process. The running clients automatically resynchronize keys to the new member and start scheduling operations to it. See "Adding, Removing, Replacing, or Reconnecting HA Group Members" on page 130 for more information.
Manual recovery
Finally, sometimes both an HSM and an application fail at the same time. If no new key material was created while the HSM was offline, the recovery is straightforward: simply return the HSM to service and then restart the application. However, if new key material was created after the HSM failed but before the application failed, a manual resynchronization (using the hagroup synchronize command) might be required.
To perform a manual recovery, confirm which member or members have the current key material (normally the unit that was online at the time the application failed). Put them back in service with the application. Then, for each member that has stale key material (a copy of an object that was deleted, or an old copy of an object whose attributes were changed), delete all of its key material after making sure it is not part of the HA group. Be particularly careful that the member is not part of the HA group, or the action might destroy active key material by causing an accidental synchronization during the delete operation. After the HSM is cleared of key material, rejoin it to the group, and the synchronization logic automatically repopulates the device's key material from the active units.
Usage
When a client is configured to use auto recovery, the manual recovery commands must not be used.
Invoking them can cause multiple concurrent recovery processes, which result in error codes and possible key corruption. Most customers should enable auto-recovery in all configurations. We anticipate that the only reason you might wish to choose manual recovery is if you do not want to change the retry time for periodic transactions. That is, each time a recovery is attempted, a single application thread experiences increased latency while the library uses that thread to attempt the re-connection (the latency impact is a few hundred milliseconds).
Recovery Conditions
HA recovery is hands-off resumption by failed HA group members, or manual re-introduction of a failed member if autorecovery is not enabled. Some reasons for a member to fail from the group might be:
• The appliance loses power (but regains power in less than the 2 hours that the HSM preserves its activation state).
• The network link from the unit is lost and then regained.
HA recovery takes place if the following conditions are true:
• HA autorecovery is enabled, or you detect a unit failure and manually re-introduce the unit (or its replacement)
• The HA group has at least 2 nodes
• The HA node is reachable (connected) at client startup
• The HA node recover retry limit has not been reached. Otherwise, manual recovery is the only option to bring back the downed connection(s)
If all HA nodes fail (no links from the client), no recovery is possible.
The HA recovery logic makes its first attempt at recovering a failed member when your application makes a call to its HSM (the HA group). An idle client does not start the recovery-attempt process. As of release 6.22, if the retry count is not 0, then recovery is attempted after the configured HA interval expires. A busy client, on the other hand, notices a slight pause every minute as the library attempts to recover a dropped HA group member (or members), until the member has been reinstated or until the timeout has been reached and it stops trying.
Therefore, set the number of retries according to your normal situation (the kinds and durations of network interruptions you experience, for example).
Enabling and Configuring Autorecovery
In previous releases, autorecovery was not on by default and needed to be explicitly enabled. Beginning with SafeNet Luna HSM release 6.0, HA autorecovery is automatically enabled when you set the recovery retry count using the LunaCM command hagroup retry. Use the command hagroup interval to specify the interval, in seconds, between each retry attempt. The default is 60 seconds.
Failure of All Members
If all members of an HA group were to fail, then all logged-in sessions are gone, and operations that were active when the last group member went down are terminated. If the client application is able to recover all that state information, then it is not necessary to restart or re-initialize in order to resume client operations with the SafeNet Luna Network HSM HA group. All sessions will be restarted without requiring a restart of the client.
Automatic Reintroduction (Auto-insert)
Automatic reintroduction, or "auto-insert", is supported. A failed (and fixed, or replacement) HSM appliance can be reintroduced if the application continues without restart. Restarting the application causes it to take a fresh inventory of available HSMs, and to use only those HSMs within its HA group.
You cannot [re]introduce a SafeNet Luna Network HSM that was not in the group when the application started. Auto-insert is the default behavior from Client 6.2.1 and later.
1. A running client automatically detects SafeNet Luna Network HSM appliance insertion and removal to/from its configuration.
2. Connection to the new SafeNet Luna Network HSM appliance occurs only if the client HA configuration also has a new HA member or an HA member gone missing.
3. A running client does not automatically disconnect from an appliance that has been removed from its configuration until the appliance goes offline (for example, disconnected or powered down).
4. A running client uses the new HA member that is being added to the HA group configuration, and does not require a restart to do so.
5. A running client stops attempting to use the removed HA member that is being revoked from the HA configuration, and does not require a restart to do so.
6. When a new member is added to the HA group, entries similar to the following appear in the client HA log:
Mon Feb 1 11:06:55 2016 : [6619] HA group: 11079656446993 detected new member member: 286668019649
Mon Feb 1 11:07:25 2016 : [6619] HA group: 11079656446993 recovery attempt #1 succeeded for member: 286668019649
7. When an HA member is removed from the HA group, entries similar to the following appear in the client HA log:
Mon Feb 1 11:07:45 2016 : [6619] HA group: 11079656446993 member: 286668019649 revoked
8. When a new SafeNet Luna Network HSM appliance is registered with a client that has HA configured with "Active recovery mode", entries similar to the following appear in the client HA log:
Sun Jan 31 21:01:52 2016 : [3820] HA subsystem detected new server : 192.20.11.175
Sun Jan 31 21:01:56 2016 : [3820] HA subsystem server 192.20.11.175 connected
Entries like these appear only if item 3, above, is true.
9. When an existing SafeNet Luna Network HSM appliance is removed from a client that has HA configured with "Active recovery mode", entries similar to the following appear in the client HA log:
Tue Feb 2 15:45:12 2016 : [28001] HA subsystem detected removal of server : 192.20.11.86
Synchronization
Synchronization of token objects is a manual process using the hagroup synchronize command. Synchronization locates any object that exists on one physical HSM partition (a member of the HA group) but not on all the others, and replicates that object to any partitions in the group where it did not exist. This is distinct from the replication that occurs when you create or delete an object on the HA virtual slot: creation or deletion against the virtual slot causes that change (addition or deletion) to be immediately replicated to all connected members.
Effect of PED Operations
PED operations block cryptographic operations, so while a member of an HA group is performing a PED operation, it appears to the HA group as a failed member. When the PED operation is complete, the HA failover and recovery logic returns the member to normal operation.
Network failures
If network connectivity fails to one or more connected SafeNet Luna Network HSM appliances, the HA group is restored automatically, subject to timeouts and retries, as follows:
• While the client application is active, and one HA group member is connected and active, other members can automatically resume in the HA group as long as retries have not stopped.
• If all members fail, or if the client does not have a network connection to at least one group member, then the client application must be restarted, unless you have recoveryMode activeEnhanced enabled.
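The client HA log entries reproduced under "Automatic Reintroduction (Auto-insert)" above are the practical signal that a member was detected, recovered, revoked, or that a server was added or removed; parsing them is the easiest way to feed HA membership changes into monitoring. The parser below is an added example written for this page, not SafeNet tooling. The sample log is constructed from the six entry formats the guide shows; the regular expressions cover only those formats, the event names are my own, and anything else is reported as an "unparsed" event rather than dropped, so an unfamiliar format shows up instead of disappearing. The location of the HA log file on the client is not something this example assumes; it takes the log text as a string.

```python
"""Parse Luna client HA log entries into structured events (added example)."""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample, shaped after the entries the guide reproduces above.
SAMPLE_HA_LOG = """\
Mon Feb 1 11:06:55 2016 : [6619] HA group: 11079656446993 detected new member member: 286668019649
Mon Feb 1 11:07:25 2016 : [6619] HA group: 11079656446993 recovery attempt #1 succeeded for member: 286668019649
Mon Feb 1 11:07:45 2016 : [6619] HA group: 11079656446993 member: 286668019649 revoked
Sun Jan 31 21:01:52 2016 : [3820] HA subsystem detected new server : 192.20.11.175
Sun Jan 31 21:01:56 2016 : [3820] HA subsystem server 192.20.11.175 connected
Tue Feb 2 15:45:12 2016 : [28001] HA subsystem detected removal of server : 192.20.11.86
"""

# "<weekday> <month> <day> <HH:MM:SS> <year> : [<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"\[(?P<pid>\d+)\] (?P<msg>.*)$"
)

# Only the message shapes shown in the guide; event names are this example's own.
MESSAGE_PATTERNS = [
    ("member_detected", re.compile(
        r"HA group: (?P<group>\d+) detected new member member: (?P<member>\d+)$")),
    ("recovery_succeeded", re.compile(
        r"HA group: (?P<group>\d+) recovery attempt #(?P<attempt>\d+) succeeded for member: (?P<member>\d+)$")),
    ("member_revoked", re.compile(
        r"HA group: (?P<group>\d+) member: (?P<member>\d+) revoked$")),
    ("server_detected", re.compile(r"HA subsystem detected new server : (?P<server>\S+)$")),
    ("server_connected", re.compile(r"HA subsystem server (?P<server>\S+) connected$")),
    ("server_removed", re.compile(r"HA subsystem detected removal of server : (?P<server>\S+)$")),
]


def parse_ha_log(text: str) -> List[Dict[str, object]]:
    """Turn each non-empty log line into a dict; unknown lines become 'unparsed' events."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            events.append({"event": "unparsed", "raw": line})
            continue
        event: Dict[str, object] = {
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "pid": int(m.group("pid")),
            "event": "unparsed",
            "raw": line,
        }
        for name, pattern in MESSAGE_PATTERNS:
            pm = pattern.match(m.group("msg"))
            if pm:
                event["event"] = name
                # Serial numbers, group numbers and attempt counts become ints; addresses stay strings.
                event.update({k: (int(v) if v.isdigit() else v) for k, v in pm.groupdict().items()})
                break
        events.append(event)
    return events


def last_state_by_member(events: List[Dict[str, object]]) -> Dict[str, str]:
    """Most recent event per member serial or server address, in time order, so a monitor
    can flag members still revoked or servers still removed at the end of the log."""
    state: Dict[str, str] = {}
    for ev in sorted((e for e in events if "time" in e), key=lambda e: e["time"]):
        key = ev.get("member") or ev.get("server")
        if key is not None:
            state[str(key)] = str(ev["event"])
    return state


if __name__ == "__main__":
    for ev in parse_ha_log(SAMPLE_HA_LOG):
        print(ev["event"], {k: v for k, v in ev.items() if k not in ("raw", "event")})
    print(last_state_by_member(parse_ha_log(SAMPLE_HA_LOG)))
```

Note that a "recovery attempt #N succeeded" entry names the attempt number, so a run of entries with rising N and no success is the condition to alert on before the retry limit is reached and the client stops trying the member, as described under "Recovery Conditions".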
Process interaction
Other events and processes interact at different levels and in different situations, as described below.
Note: All references to NTLS also apply to STC. Both NTLS and STC provide secure client-appliance connections.
At the lowest communication level, the transport protocol (TCP) is responsible for making and operating the communication connection between client and appliance (whether HA is involved or not). For SafeNet Luna Network HSM, the default protocol timeout of 2 hours was much too long, so SafeNet configured it to 3 minutes when HA is involved. This means that:
• In a period of no activity by client or appliance, the appliance's TCP stack will wonder whether the client is still there, and will send a packet after 3 minutes of silence.
• If that packet is acknowledged, the 3-minute TCP timer restarts, and the cycle repeats indefinitely.
• If the packet is not acknowledged, then TCP sends another after approximately 45 seconds, and then another after a further 45 seconds. At the two-minute mark, with no response, the connection is considered dead, and higher levels are alerted to perform their cleanup.
So altogether, a total of five minutes can elapse since the last time the other participant was heard from. This is at the transport layer.
Above that level, the NTLS layer provides the connection security and some other housekeeping. Any time a client sends a request for a cryptographic operation, the HSM on the appliance begins working on that operation. While the HSM processes the request, appliance-side NTLS sends a "keep-alive PING" every two seconds, until the HSM returns the answer, which NTLS then conveys across the link to the requesting client. Neither NTLS nor any layer above it interprets the ping.
It simply drops a slow, steady trickle of bytes into the pipe to keep the TCP layer active. This normally has little effect, but if your client requests a lengthy operation like an 8192-bit keygen, then the random-number-generation portion of that operation could take many minutes to complete, during which the HSM would legitimately be sending nothing back to the client. The NTLS ping ensures that the connection remains alive during long pauses.
Configuration settings
In the SafeNet configuration file, "DefaultTimeout" (default value 500 seconds) governs how long the client waits for a result from an HSM for a cryptographic call. In the case of SafeNet Luna Network HSM, the copy of the config file inside the appliance is not accessible externally. The config file in the client installation can be modified, but "DefaultTimeout" in that file affects only a locally connected HSM (such as a SafeNet Luna Backup HSM attached to your client computer). The config file in the client has no effect on the configuration inside the network-attached SafeNet Luna Network HSM appliance, and thus can have no effect on the interaction between client and appliance.
"ReceiveTimeout" is how long the library waits for a dropped connection to come back. If "ReceiveTimeout" is tripped for a given appliance, the HA client stops talking to that appliance and uses the remaining members of the HA group to serve your application's crypto requests. A minute later, the HA client tries to contact the member that failed to reply. If the connection is successfully re-established, the errant appliance resumes working in the group, being assigned application calls as needed (governed by application workload and HA logic). If the connection is not successfully re-established, the client continues working with the remaining group members.
Another minute passes, and the client once again tries the missing appliance to see if it is ready to actively resume working in the HA group. The retries continue until the missing member resumes, or until the number of retries you have configured is reached (maximum of 500). If the retry count is reached with no success, the client stops trying that member. The failed appliance is still a member of the group (it is still in the list of HA group members maintained on the client), but the client no longer tries to send it application calls, and no longer encourages it to establish a connection. You must fix the appliance (or its network connection) and manually recover it into the group for the client to resume including it in operations.
Active Autorecovery on a SafeNet Luna Network HSM
Note: All references to NTLS also apply to STC. Both NTLS and STC provide secure client-appliance connections.
Autorecovery uses the HA Active Recovery Thread (ARCT) to manage recovery from a failure. The ARCT sends a non-session-based message that is processed by NTLS. This allows recovery as soon as a failed member returns. Thus, if a failed member returns to duty before an active member fails, synchronization occurs immediately, and the secondary member is ready to take over from the active member if that now fails. Members can reconnect without the need to call finalize/initialize in the client application, which allows multiple services that use a single JVM to recover connections independently. If all HA members fail to respond to the ARCT probing message, the HA slot is deemed to be unrecoverable.
The recovery mode on a SafeNet Luna Network HSM is the basic active mode. As long as the retry count is not 0, recovery is active basic by default.
The enhanced active recovery mode is optional, and is controlled by the LunaCM hagroup recoverymode command.
Performance
For repetitive operations, like a high volume of signings using the same key, an HA group can expand SafeNet Luna Network HSM performance in linear fashion as HA group members are added. HA groups of 16 members have undergone long-term, full-throttle testing, with excellent results.
Do keep in mind that simply adding more and more SafeNet Luna Network HSM appliances to an HA group is not an infallible recipe for endless performance improvement. For best overall performance, all HA group members should be driven near their individual performance "sweet spot", which for SafeNet Luna Network HSM 5.2 and later is around 30 simultaneous threads per HSM. If you assemble an HA group that is considerably larger than your server(s) can drive, then you might not achieve full performance from all members. The best approach is an HA group balanced in size for the capability of the application servers that will be driving the group and the expected loads, with an additional unit to provide capacity for bursts of traffic and for redundancy.
Maximizing Performance
The SafeNet Luna Network HSM used in HA can provide performance improvement for asymmetric single-part operations. Gigabit Ethernet connections are recommended to maximize performance. For example, we have seen as much as a doubling of asymmetric single-part operations in a two-member group in a controlled laboratory environment (without crossing subnet boundaries, without competing traffic or other latency-inducing factors).
Multi-part operations are not load-balanced by the SafeNet HA functionality, due to the overhead that would be needed to perform context replication for each part of a multi-part operation. Single-part cryptographic operations are load-balanced by the SafeNet HA functionality under most circumstances.
Load-balancing these operations provides both scalability (better net throughput of operations) and redundancy, by supporting transparent fail-over.
Performance is Dependent on the Type of Operation
Performance is also affected by the kind of operation you are performing. HA is better for performance when all HSM operations are performed on keys and material that reside within the HSM. This changes if part of the operation involves importing and unwrapping keys; it can be instructive to consider what happens when such HSM operations are performed both with and without HA.
With HA
• One encryption (to wrap the key)
• One decryption in the HSM (to unwrap the key)
• Object creation on the HSM (the unwrapped key is created and stored as a key object)
• Key replication happens for HA
– RSA 4096-bit operation used to derive a shared secret between HSMs
– Encryption of the key on the primary HA member using the shared secret
– Decryption of the key on the secondary HA member HSM using the shared secret
– Object creation on the second HA member
• One encryption (uses the unwrapped key object to encrypt the data)
Without HA
• One encryption (to wrap the key)
• One decryption in the HSM (to unwrap the key)
• Object creation on the HSM (the unwrapped key is created and stored as a key object)
• One encryption (uses the unwrapped key object to encrypt the data)
From the above it is apparent that, with HA, many more operations are performed. Most significant in the above case are the RSA 4096-bit operation and the additional object creation. Those two operations are by far the slowest operations in the list, and so this type of task would have much better performance without HA.
By contrast, if the task had made use of objects already within the HSM, then at most a single synchronization would have propagated the objects to all HA members, and all subsequent operations would have seen a performance boost from HA operation. The crucial consideration is whether the objects being manipulated are constant or are constantly being replaced.

HA and FindObjects

How your application uses the C_FindObjects function to search for objects in a virtual HA slot can have a significant impact on your application performance. See "Application Object Handles" on page 129 for more information.

Standby Members

You can designate some members of an HA group as standby members after you add them to an HA group. Standby members differ from the default active members in that they do not perform any cryptographic operations unless all active members have failed.

By default, all members in an HA group are treated as active so that they are kept current with key material and are used to load-balance cryptographic services. In some deployment scenarios, however, it makes sense to define some members as standby. Standby members are registered just like active members except that they are defined as "standby" after they are added to the HA group.

As depicted below, applications can be deployed in geographically dispersed locations. In this scenario, you can use Luna's standby capability to use the HSMs in the remote data center to cost-effectively improve availability. In this mode, only the local units (non-standby) are used for active load-balancing. However, as key material is created, it is automatically replicated to both the active (local) units and the standby (remote) unit. In the event of a failure of all local members, the standby unit is automatically promoted to active status. You can use this feature to reduce costs, while improving reliability. This approach allows remote HSMs that have high latency to be avoided when not needed.
However, in the worst case scenario where all the local HSMs fail, the remote member automatically activates itself and keeps the application running.

Note: In normal operation, the HA standby units do not perform any cryptographic operations. However, the HA service must log into all units in a group (C_OpenSession/Login is performed against all members), including standby units. This is necessary because, in the case where the standby unit is called into action, it must already be up-to-date with respect to key material that is being used in the group; it cannot synchronize with HSMs that have failed or that have gone off-line. Therefore, when the HA group consists of PED-authenticated HSMs, they must all be Activated, including the standby HSM(s).

Standby Behavior

Standby members become active only to keep the group alive. In an HA group that includes more than one standby member, if all active members go down/off-line, all available standby members become active in the group. Additional standby members remain on standby until/unless they are needed. In other words, in an HA group, the load-sharing and redundancy capability is as large as all the active members. If all active members become unavailable to the application, then the group load-sharing and redundancy falls to all available standby members.

To set an HSM to standby status:

In "Configuring HA" on page 124, we created an HA group with label "myHAgroup" and group number 1154438865297, with two active members, serial number 154438865297 and serial number 1238700701520.

1. Create a third member, as previously described, and add it to the HA group by specifying either its slot or serial number.
   hagroup addmember -group <label> {-slot <slot#> | -serialnumber <serial#>}

   For example:

   lunacm:> hagroup addmember -group myHAgroup -slot 2

   Enter the password: ********

   Member 1238700701521 successfully added to group myHAgroup.
   New group configuration is:

            HA Group Label:  myHAgroup
           HA Group Number:  1154438865297
          HA Group Slot ID:  6
           Synchronization:  enabled
             Group Members:  154438865297, 1238700701520, 1238700701521
                Needs sync:  no
           Standby Members:

   Slot #   Member S/N      Member Label    Status
   ======   ==========      ============    ======
        0   154438865297    HApartition00   alive
        1   1238700701520   HApartition01   alive
        2   1238700701521   HApartition02   alive

   Please use the command "ha synchronize" when you are ready to replicate data between all members of the HA group. (If you have additional members to add, you may wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations.)

   Command Result : No Error

2. Set the member to standby status, specifying its slot or serial number.

   hagroup addstandby -group <label> {-slot <slot#> | -serialnumber <serial#>}

   For example:

   lunacm:> hagroup addstandby -group myHAgroup -serialnumber 1238700701521

   The member 1238700701521 was successfully added to the standby list for the HA Group myHAgroup.

   Command Result : No Error

3. If you wish, check the new configuration.

   hagroup listgroups

   For example:

   lunacm:> hagroup listgroups

   If you would like to see synchronization data for group myHAgroup, please enter the password for the group members.

   Sync info not available in HA Only mode.
   Enter the password: ********

   HA auto recovery:               disabled
   HA recovery mode:               activeBasic
   Maximum auto recovery retry:    0
   Auto recovery poll interval:    60 seconds
   HA logging:                     disabled
   Only Show HA Slots:             no

            HA Group Label:  myHAgroup
           HA Group Number:  1154438865297
          HA Group Slot ID:  6
           Synchronization:  enabled
             Group Members:  154438865297, 1238700701520, 1238700701521
                Needs sync:  no
           Standby Members:  1238700701521

   Slot #   Member S/N      Member Label    Status
   ======   ==========      ============    ======
        0   154438865297    HApartition00   alive
        1   1238700701520   HApartition01   alive
        2   1238700701521   HApartition02   alive

   Command Result : No Error

Planning Your Deployment

This section describes the supported configurations and any limitations or constraints to consider when setting up an HA group.

HA Group Members

It is important that all members in an HA group have the same configuration and version. That means that each HA group member must use the same authentication method, either PED-authenticated or password-authenticated, and be at the same software version. Running HA groups with different versions is unsupported. Ensure that HSMs are configured identically to ensure smooth high availability and load balancing operation.

SafeNet Luna HSMs come with various key management configurations: cloning mode, key-export mode, etc. HA functionality is supported with cloning, provided all members in the group have the same configuration. Clients automatically and transparently use the correct secure key replication method based on the group's configuration.

It is also critical that all members in an HA group share the same Security Domain role (Red PED key for PED-authenticated devices, or domain password for password-authenticated devices). The Security Domain defines which HSMs are allowed to share key material.
Because HA group members are, by definition, intended to be peers, they must be in the same Security Domain.

The SafeNet HA and load-balancing feature works on per-client and per-partition bases. This provides a lot of flexibility. For example, it is possible to define a different sub-set of HSMs in each client and even in each client's partitions (in the event that a single client uses multiple partitions). SafeNet recommends avoiding these complex configurations and keeping the HA topography uniform for an entire HSM. That is, treat HSM members at the HSM level as atomic and whole. This simplifies the configuration management associated with the HA feature.

Mix and Match Appliance Software is Not Supported

All SafeNet Luna Network HSM appliances in an HA group must be running the same appliance software version. Before attempting to create an HA group, ensure that all of the appliances used to host the HA members are running the same appliance software. In addition, it is recommended that your client software is at the same software version as the appliance.

Mix and Match HSM Firmware, Capabilities, and FIPS Setting is Not Recommended

The HSM firmware, capabilities, and FIPS setting define which mechanisms are available, and how they can be used. To ensure that all objects in an HA slot can be successfully cloned to all members of the HA group, ensure that all members of a production HA group are at the same firmware level, have the same set of capabilities installed, and use the same FIPS setting. If mismatches exist between members, HSM operations or HA synchronization might fail if your application attempts to use a mechanism or a capability that not all members support.

To ensure minimal disruption during firmware or capability updates, your HA group will continue to function if there are differences in firmware, capabilities, or FIPS setting between the HA group members.
Where differences exist, the capability of the group (in terms of features and available algorithms) is that of the member with the oldest firmware. It is recommended that you limit periods where mismatches are present to maintenance windows used to apply firmware or capability upgrades.

Example

Assume you have an HA group that includes HSMs with two different firmware versions. In this case, certain capabilities that are part of the newer firmware are unavailable to clients connecting to the HA group. Specifically, operations that make use of newer cryptographic mechanisms and algorithms would likely fail. The client's calls might be initially assigned to a newer-firmware HSM and could therefore appear to work for a time, but if the task is load-balanced to an HSM that does not support the newer features, it would fail. Similarly, if the newer-firmware HSM dropped out of the group, operations requiring the newer firmware would fail.

HA Group Members Must Not Be on the Same Appliance

In any one HA group, always ensure that member partitions or member PKI tokens (USB-attached SafeNet Luna USB HSMs, or SafeNet CA4/PCM token HSMs in a USB-attached SafeNet DOCK2 card reader) are on different / separate appliances. Do not attempt to include more than one HSM partition or PKI token (nor one of each) from the same appliance in a single HA group. This is not a supported configuration. Allowing two partitions from one HSM, or a partition from the HSM and an attached HSM (as for PKI), into a single HA group would defeat the purpose of HA by making the SafeNet appliance a potential single point of failure.

Running HA on a group of export SafeNet Luna Network HSM appliances

This configuration is supported, although you cannot clone/replicate private keys.
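The hagroup listgroups listing shown under "Standby Members" earlier, together with the Standby Behavior rule (standby members take over only when no active member is alive), lends itself to a mechanical health check that an operator can run from a monitoring job. The following Python script is an added example; it is not part of this guide or of the LunaCM tool. It parses a constructed copy of that listing (field names as printed by LunaCM in the listing above; the column spacing is an assumption, and the parser is whitespace-tolerant), works out which members would currently be serving the virtual HA slot, and reports conditions worth raising: a pending synchronization, members whose status is not "alive", a standby serial that is not a group member, and fewer than two active members. The "down" status string used for the failover scenario is a constructed value, not one taken from the guide.

```python
"""Parse LunaCM `hagroup listgroups` output and evaluate HA group health.

Added example; not part of the Gemalto guide or of LunaCM. The sample
listing is constructed from the listing shown in the guide.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the guide's listing: three members, the
# third one on the standby list. Column spacing is assumed.
SAMPLE_LISTGROUPS = """\
HA auto recovery:               disabled
HA recovery mode:               activeBasic
Maximum auto recovery retry:    0
Auto recovery poll interval:    60 seconds
HA logging:                     disabled
Only Show HA Slots:             no

         HA Group Label:  myHAgroup
        HA Group Number:  1154438865297
       HA Group Slot ID:  6
        Synchronization:  enabled
          Group Members:  154438865297, 1238700701520, 1238700701521
             Needs sync:  no
        Standby Members:  1238700701521

Slot #   Member S/N      Member Label    Status
======   ==========      ============    ======
     0   154438865297    HApartition00   alive
     1   1238700701520   HApartition01   alive
     2   1238700701521   HApartition02   alive

Command Result : No Error
"""

@dataclass
class Member:
    slot: int
    serial: str
    label: str
    status: str  # "alive" as printed by LunaCM; anything else is treated as not serving

@dataclass
class HAGroup:
    label: str
    number: str
    synchronization: str
    needs_sync: bool
    members: List[Member] = field(default_factory=list)
    standby: List[str] = field(default_factory=list)  # serials on the standby list

FIELD_RE = re.compile(r"^\s*([A-Za-z #]+?)\s*:\s*(.*?)\s*$")   # "Key: value" lines
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")  # member table rows

def parse_listgroups(text: str) -> HAGroup:
    """Extract the group fields, the member table and the standby list."""
    fields: Dict[str, str] = {}
    members: List[Member] = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            members.append(Member(int(row.group(1)), row.group(2), row.group(3), row.group(4)))
            continue
        kv = FIELD_RE.match(line)
        if kv:
            fields[kv.group(1)] = kv.group(2)
    raw_standby = fields.get("Standby Members", "")
    standby = [] if raw_standby in ("", "<none>") else [s.strip() for s in raw_standby.split(",")]
    return HAGroup(label=fields["HA Group Label"], number=fields["HA Group Number"],
                   synchronization=fields.get("Synchronization", ""),
                   needs_sync=fields.get("Needs sync", "").lower() == "yes",
                   members=members, standby=standby)

def serving_members(group: HAGroup) -> List[Member]:
    """Standby Behavior rule: alive active members carry the load; only when
    none of them is alive do the alive standby members take over."""
    alive = [m for m in group.members if m.status == "alive"]
    active_alive = [m for m in alive if m.serial not in group.standby]
    return active_alive if active_alive else [m for m in alive if m.serial in group.standby]

def health_findings(group: HAGroup) -> List[str]:
    """Conditions a monitoring job should raise for an operator."""
    findings: List[str] = []
    if group.needs_sync:
        findings.append("group needs synchronization: run hagroup synchronize")
    for m in group.members:
        if m.status != "alive":
            findings.append(f"member {m.serial} ({m.label}) status is {m.status}")
    active = [m for m in group.members if m.serial not in group.standby]
    if len(active) < 2:
        findings.append("fewer than two active members: no load-balancing redundancy")
    known = {m.serial for m in group.members}
    for s in group.standby:
        if s not in known:
            findings.append(f"standby serial {s} is not a group member")
    if not serving_members(group):
        findings.append("no member is alive: the virtual HA slot cannot serve requests")
    return findings

if __name__ == "__main__":
    g = parse_listgroups(SAMPLE_LISTGROUPS)
    print(g.label, "serving:", [m.serial for m in serving_members(g)])
    print("findings:", health_findings(g) or "none")
```

Feeding the script the real output of lunacm:> hagroup listgroups instead of the constructed sample gives the same checks against a live group; the serving set it computes is the one the Standby Behavior section describes, so a group whose only alive members are standby units shows up as serving from standby, and a group with no alive member at all is flagged as unable to serve the virtual slot.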
High Availability Group Sizing

As of SafeNet Luna HSM release 6.x, the high availability function supports the grouping of up to thirty-two members. However, the maximum practical group size for your application is driven by a trade-off between performance and the cost of replicating key material across the entire group. A common practice is to set the group size to N+1, where N is defined by the desired performance per application server(s). As depicted below, this solution gives the desired performance with a single extra HSM providing the availability requirement. The number of HSMs per group of application servers varies based on the application use case but, as depicted, groups of three are typical.

As performance needs grow beyond the performance capacity of three HSMs, it often makes sense to define a second independent group of application servers and HSMs to further isolate applications from any single point of failure. This has the added advantage of facilitating the distribution of HSM and application sets in different data centers.

Network Requirements

The network topography of the HA group is generally not important to the proper functioning of the group. As long as the client has a network path to each member, the HA logic will function. Keep in mind that having a varying range of latencies between the client and each HA member causes a command scheduling bias towards the low-latency members. It also implies that commands scheduled on the long-latency devices have a larger overall latency associated with each command.
In this case, the command latency is a characteristic of the network; to achieve uniform load distribution, ensure that latencies to each device in the group are similar (with the exception of standby members, which do not contribute to network load). Gigabit Ethernet network connections are recommended.

Upgrading and Redundancy and Rotation

For the SafeNet Luna Network HSM HA function, we suggest that all SafeNet Luna Network HSM appliances in an HA group be at the same appliance software and firmware level. The issue is not about firmware level, per se; what might happen is that a newer firmware could contain newer algorithms that are not supported in the replaced firmware. If your client is configured to take advantage of newer/better algorithms when they become available, it might do so while one member of an HA group has new firmware, but another member has not yet been updated, and therefore does not yet support the requested algorithm. The client might not be able to interpret the resulting imbalance.

Therefore, when you intend to upgrade/update any of the SafeNet Luna Network HSM units in an HA group, or when you intend to upgrade/update the SafeNet Luna Network HSM Client software, you might schedule some downtime for your application, if you anticipate a problem. If the application is so critical that you cannot permit that much scheduled downtime, then you can set up a second complete set of Client computer and associated HA group. One set can service the application load while the other set is being upgraded or otherwise maintained. For such up-time-critical applications, you might already have such a backup set of Client-plus-HA-group that you would rotate in and out of service during regular maintenance windows.
Configuring HA

To create an HA group, you need at least two SafeNet Luna Network HSMs with PED Authentication, or two with Password Authentication. You cannot use Password-Authenticated and PED-Authenticated SafeNet Luna Network HSMs simultaneously in an HA group.

This section describes how to set up an HA group with partitions on different HSMs. It consists of the following major steps:
• "Prerequisites" below
• "Create the HA Group" on the next page
• "Verification" on page 127
• "HA Standby Mode [Optional]" on page 128

Prerequisites

You must complete these procedures before setting up an HA group. The prerequisite steps are divided into tasks performed by different roles.

HSM SO Prerequisites

1. Perform the network setup on two or more SafeNet Luna Network HSM appliances (see "Configure the SafeNet Appliance for Your Network" on page 1 in the Configuration Guide).
2. Ensure that HSM policies 7: Allow Cloning and 16: Allow Network Replication are "on" (see "Set the HSM Policies" on page 1 in the Configuration Guide). If your HSMs do not have the cloning option, then they will use the Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token.
3. Initialize the HSMs (see "HSM Initialization" on page 141 in the Configuration Guide). All HSMs that will host partitions in the HA group must be initialized with the same cloning domain:
   – PED-authenticated HSMs must share the same red domain PED key
   – Password-authenticated HSMs must share the same domain string
4. Create a partition on each SafeNet Luna Network HSM. They do not need to have the same label.
5. Allow one or more clients to access the partitions using NTLS or STC links (see "Enable the Client to Access a Partition" on page 1 in the Configuration Guide).

Partition SO Prerequisites

1. Ensure that all the partitions to be included in the HA group are visible in LunaCM (see "Enable the Client to Access a Partition" on page 1 in the Configuration Guide).
2. Initialize all the partitions to be included in the HA group (see "Configure Application Partitions" on page 1 in the Configuration Guide). The partitions do not need to have the same label, but they must be initialized with the same cloning domain:
   – PED-authenticated partitions must share the same red domain PED key
   – Password-authenticated partitions must share the same domain string
   In this example, the partitions have been initialized as HApartition00 (SN 154438865297) and HApartition01 (SN 1238700701520).
3. [OPTIONAL] If you are setting up a PED-authenticated HA group, ensure that each Partition is Activated and AutoActivated (see "Activation and Auto-Activation on PED-Authenticated Partitions" on page 160), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.
4. Initialize the Crypto Officer role on all the partitions.

   role init -name co

Crypto Officer Prerequisites

1. Log in to each partition as Crypto Officer and change the initial primary credential (password or black PED key). Use the same Crypto Officer credential for each partition to be included in the HA group.

   role login -name co
   role changepw -name co

2. If you are setting up a PED-authenticated HA group, change the initial secondary credential (challenge password). Use the same challenge password for each partition to be included in the HA group.

   role login -name co
   role changepw -name co -oldpw <old challenge> -newpw <new challenge>

Create the HA Group

Note: Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have sufficient privileges.

After satisfying the prerequisites, use LunaCM to create an HA group on your client, and add member partitions. This procedure is completed by the Crypto Officer.

1. Use the hagroup creategroup command to create a new HA group on the client, which requires:
   – a Label for the group (do NOT call the group just "HA").
   – the Serial number OR the slot number of the primary partition.
   – the Crypto Officer password for the partition.

   hagroup creategroup -label