SafeNet Luna Network HSM 7.3
APPLIANCE ADMINISTRATION GUIDE

Summary of Contents for Thales SafeNet Luna Network HSM 7.3

  • Page 1 SafeNet Luna Network HSM 7.3 APPLIANCE ADMINISTRATION GUIDE...
  • Page 2 Disclaimer All information herein is either public information or is the property of and owned solely by Thales and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
  • Page 3 Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
  • Page 4: Table Of Contents

    Chapter 2: Client Connections Connections to the Appliance - Limits SafeNet Luna Network HSM Port Usage SafeNet Luna Network HSM Appliance Port Bonding Using Port Bonding SafeNet Luna Network HSM 7.3 Appliance Administration Guide 007-013576-005 Rev. A 13 December 2019 Copyright 2001-2019 Thales...
  • Page 5 Backing Up and Restoring Your Appliance Service Configuration Example of Backing Up and Restoring Your Appliance Configuration Backing Up the Appliance Configuration to the HSM
  • Page 6: Preface: About The Appliance Administration Guide

    > "Document Conventions" on the next page > "Support Contacts" on page 8. For information regarding the document status and revision history, see "Document Information" on page 2.
  • Page 7: Customer Release Notes

    This includes SafeNet Luna Network HSM users and security officers, key manager administrators, and network administrators. All products manufactured and distributed by Thales Group are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.
  • Page 8: Support Contacts

    Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
  • Page 9 REGISTER link. Telephone The support portal also lists telephone numbers for voice contact (Contact Us).
  • Page 10: Chapter 1: Appliance Hardware Functions

    The SafeNet Luna Network HSM is 1U high and fits into standard 19-inch equipment racks. Front Panel The front panel is illustrated below, with the secure locking bezel removed:
  • Page 11 19-inch appliance rack. Kensington lock Allows the appliance to be secured to a desk or equipment rack using a Kensington connector lock.
  • Page 12: Front-Panel Lcd Display

    The LCD on the front panel of the SafeNet Luna Network HSM provides basic configuration and status information for the appliance. The LCD is split horizontally into three sections as follows: Figure 1: The LCD display
  • Page 13: Appliance State And Status Codes

    For example, if there are no faults detected, the display indicates that the appliance is in service (ISO), with status code 0, so the display reads "ISO 0."
  • Page 14 In Service Operational. The SNMP service is not running. Use the LunaSH service status snmp command to display more information about the status of the SNMP subsystem.
  • Page 15: System Behavior With Hardware Tamper Events

    (physical) tamper events and Secure Transport Mode. Tampering with the Appliance Hardware tamper events are detectable events that imply intrusion into the appliance interior.
  • Page 16: Decommission

    Log in to the HSM and HSM SO and recover from Secure Transport Mode. Also, the PED presents the Transport Mode verification string.
  • Page 17 [Stop/Start] switch on the back panel when the Check for HSM Tampered: Yes or No system is back up, run hsm show
  • Page 18 Next, we illustrate what happens when a physical tamper occurs while the HSM is already in Secure Transport Mode stm transport Enter Secure Transport Mode. hsm tamper lunash:>hsm tamper show show No active tampers. Command Result : 0 (Success)
  • Page 19: Summary Of Your Responses To Tamper Events

    If the appliance does not immediately begin to start up, press and release the START/STOP switch on the front panel. The HSM appliance begins to power up.
  • Page 20: Power Off

    The disadvantage is that the shutdown is abrupt and not orderly - in a constrained and hardened system like SafeNet Luna Network HSM, any risk is minimal, but not zero.
  • Page 21: Automatic Restart Following A Power Interruption

    Network HSM appliance with only one power supply, we recommend that you remove the second supply to silence the audible alarm. Replacing a Power Supply You may need to replace a power supply in the event of a failure.
  • Page 22 Withdraw the power supply completely, using your other hand to support the body of the power supply as it emerges.
  • Page 23: The Fans

    Do so.
  • Page 24 In the FAN section of the command output, the fans are listed in the order that they appear, left-to-right, as viewed from the front of the appliance. The example shows a fault with the first fan module:
  • Page 25 The fan modules are now exposed and are held in place only by the friction of their electrical connectors. Grasp the handle of the selected fan module and pull straight out toward you.
  • Page 26: Summary

    Clients. If only one fan module is showing a defect, you can probably leave replacing it until scheduled down-time, during which there would be no unexpected disruption to your Clients.
  • Page 27: Hsm Emergency Decommission Button

    View a table that compares and contrasts the "Emergency Decommission" event with other deny-access events or actions that are sometimes confused (see "Comparison of Destruction/Denial Actions" on page 1):
  • Page 28: Disabling Decommissioning

    Therefore, you should verify that the connection works before you need it - performing the appliance's network configuration is an ideal test.
  • Page 29 You might need to press ENTER several times to initiate the session. You must log in within two minutes of opening an administration session, or the connection will time out.
  • Page 30: Serial Pinout

    Your order may have included an optional front locking bezel (pictured below). The locking bezel fits over the HSM's faceplate for maximum physical access security. Certain security standards require the use of these physical access measures.
  • Page 31: Replacement Keys

    To obtain replacement keys, contact Technical Support (see ). Please have the lock serial numbers ready. You can find these numbers on the bezel beneath each lock.
  • Page 32: Power Consumption

    100W (max) The SafeNet appliance has two power supplies, each rated at 350W, either of which is capable of running the system alone.
  • Page 33: Chapter 2: Client Connections

    SafeNet Luna Network HSM Port Usage The table below describes the SafeNet Luna Network HSM appliance's default port settings.
  • Page 34: Safenet Luna Network Hsm Appliance Port Bonding

    Use LunaSH to configure, enable, or disable port bonding, and to display the current port bonding status. See "network interface bonding" on page 1 in the LunaSH Command Reference Guide for a list of the port bonding commands.
  • Page 35: Client Startup Delay Across Mixed Subnets

    SSH to the SafeNet appliance and verify that the default functionality is a password prompt: [root@mypc /]# ssh admin@myLuna admin@myLuna's password: Now, scp the client's public key to the appliance:
  • Page 36 Verify that you are still password prompted if you ssh from other clients: bash-2.05b# ./ssh admin@myLuna admin@myLuna's password: 10. Disable public key authentication on myLuna, and verify the current status of the service:
  • Page 37: Set Up Public-Key Ssh Access For Other Safenet Luna Network Hsm Users

    Transfer (scp) the SSH pubkey to the SafeNet appliance using the new user account (example: $ scp id_rsa_pub op-number1@lunasa6:). > Log in with the new account.
  • Page 38: When To Restart Ntls

    In the former case, there is no impact. In the latter case, the brief disruption of active Clients would be overshadowed by the seriousness of the compromise.
  • Page 39: Ntls (Ssl) Performance Issue

    (HA). Default settings have been chosen with some care, and should not be modified without good reason and full knowledge of the consequences.
  • Page 40 SafeNet Luna Network HSM configuration file as follows:
    Windows (crystoki.ini)
    [LunaSA Client]
    ReceiveTimeout=<value in milliseconds> //default is 20000 milliseconds
    UNIX (etc/Chrystoki.conf)
    LunaSA Client = {
    ReceiveTimeout=<value in milliseconds>;
  • Page 41: Chapter 3: Timestamping - Ntp And Clock Drift

    GMT have a (-) sign. Examples: To set the time zone to Eastern Standard Time, use the command sysconf timezone set EST
  • Page 42: Correcting Clock Drift Manually

    Allow the drift measurement system to run for a minimum of 3 days before issuing the stop command. Issue the stopmeasure command with the current accurate time: lunash:> sysconf drift stopmeasure -currentprecisetime <hh:mm:ss> The drift measurement is automatically stored.
  • Page 43: Ntp On Safenet Luna Network Hsm

    Ensure that NTP is enabled on the appliance. lunash:> sysconf ntp enable Add an NTP server. lunash:> sysconf ntp addserver <NTPserver> Check the NTP connection.
  • Page 44: Securing Your Ntp Connection

    -password <password> Restart NTP again: lunash:> service restart ntp Add the trusted NTP server using the -autokey option:
  • Page 45: References

    [2] NTP FAQ: Authentication http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-AUTH [3] NTP Public-Key Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-CONFIG-ADV-AUTH-AUTOKEY [4] Autokey Identity Schemes: http://www.eecis.udel.edu/~mills/ident.html [5] ntp-keygen tool: http://doc.ntp.org/4.2.6/keygen.html [6] NTP Server configuration options http://doc.ntp.org/4.2.6/confopt.html
  • Page 46: Chapter 4: System Logging

    Table 1: syslog Severity Levels (Severity Keyword | Severity Description): emerg/panic | System is unusable; alert | Action must be taken immediately
  • Page 47: Hardware Monitoring And Logging

    LunaSH displays warnings when the system reaches 50%, 75%, and 90% of log capacity. If you see one of these warnings, export your old logs to a client workstation to clear space in the syslog directory.
  • Page 48: Customizing Severity Levels

    (emergency) and send the rest of the logs to a remote syslog server (see "Remote System Logging" on page 51)
  • Page 49: Reading System Logs

    66331 : Unknown ResultCode value 2017 Mar 1 14:27:55 local_host local5 info hsm[32120]: STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
  • Page 50: Exporting System Logs

    The tar file containing logs is now available via scp as filename 'logs.tgz'. Command Result : 0 (Success)
  • Page 51: Deleting System Logs

    You can use the LunaSH syslog remotehost commands to specify the central syslog server (see "syslog remotehost" on page 1) > "Configuring a Remote Syslog Server" on the next page > "Customizing Remote Logging Severity Levels" on page 53
  • Page 52 192.10.10.101 info; messages: 192.10.10.100 info, 192.10.10.101 info; cron: 192.10.10.100 notice, 192.10.10.101 notice; secure: 192.10.10.100 info, 192.10.10.101 info; boot: 192.10.10.100 info, 192.10.10.101 info
  • Page 53 192.10.10.100 info, 192.10.10.101 info; boot: 192.10.10.100 info, 192.10.10.101 info. Repeat step 1, specifying each log type severity level you wish to customize (lunalogs, messages, cron, secure, boot).
  • Page 54: Chapter 5: Backing Up The Appliance Configuration

    SSH configuration; Syslog: Syslog configuration; System: System configuration (keys and certificates); Users: User accounts, passwords, and files; Webserver: Webserver configuration for REST API
  • Page 56: Example Of Backing Up And Restoring Your Appliance Configuration

    Broadcast message from root (pts/1) (Wed Feb 22 08:00:41 2012): The system is going down for reboot NOW! Reboot commencing Command Result : 0 (Success)
  • Page 57 |  Net_HSM_Config_20120222_0558.tar.gz     |  Automatic Backup Before Restoring Command Result : 0 (Success) The list of configuration backup files is unchanged. We can choose one and restore it.
  • Page 58 Finally, ask for the list of system configuration backup files one more time. [Net_HSM] lunash:>sysconf config list Configuration backup files in file system: Size | File Name | Description --------------------------------------------------------------------------------------------- 16641     | Net_HSM_Config_20120222_0556.tar.gz       | testing-this
  • Page 59: Backing Up The Appliance Configuration To The Hsm

    > The maximum size of individual exportable files is 64 KB. > The maximum storage capacity of the Admin/SO partition is 384 KB.