SafeNet KeySecure k570 Appliance
INSTALLATION GUIDE

Summary of Contents for Thales KeySecure k570

  • Page 1 SafeNet KeySecure k570 Appliance INSTALLATION GUIDE...
  • Page 2: Table Of Contents

    Configuring the HSM as Root of Trust Licensing Lock Codes Connector/Client Licensing Support Contacts Customer Support Portal Telephone Support Email Support Troubleshooting Issues in Conjunction with Customer Support KeySecure k570 Appliance : Installation Guide 16 June 2020, Copyright © 2020 Thales Group. All rights reserved.
  • Page 3: Overview

    Overview The SafeNet KeySecure k570 Appliance incorporates the new SafeNet NextGen KeySecure Architecture. This document describes how to install the k570 Appliance, from verifying your shipment to product activation and licensing. To ensure a successful installation of the appliance, perform the following procedures in the order indicated...
  • Page 4: Verifying The Integrity Of Your Shipment

    If yes, go to the next step. If no, contact Thales support. Did you receive any tamper-evident bag/label serial numbers that are not listed on the advance shipping notification? If yes, contact Thales support.
  • Page 5: Received Items

    The specific items you received depend on whether you ordered a password-authenticated or a PED-authenticated KeySecure k570 Appliance. Basic order items The basic items that you should have received as part of your order for a KeySecure k570 Appliance are listed in the following table: Item KeySecure k570 Appliance Your order should include one password-authenticated or PED-authenticated KeySecure k570 Appliance.
  • Page 6 Used to connect a console terminal to the appliance during initial configuration. Front Ear Bracket Set Set includes: > (2) front ear brackets > (4) bracket screws
  • Page 7 (8) M5 cage nuts > (8) M5x14 rack screws If you did not receive this set, you can request one from Thales Group (part number: 216-000035-001) or obtain your own suitable screws/nuts.
  • Page 8: Ped Related Order Items

    PED device Your order should include at least one PED device. If you intend to back up your KeySecure k570 Appliance to a SafeNet Luna Backup HSM, then you require a Luna PED to connect to that Backup HSM.
  • Page 9 Item PED cable This is a Type A to Mini B USB cable used to connect the PED device to your KeySecure k570 Appliance. Luna PED Power Supply Kit If you ordered a Luna PED, your order should also include a Luna PED power supply kit with the appropriate power connection for your region.
  • Page 10 Item Set of PED Keys and Labels Your order should include a set of iKey PED keys and peel-and-stick labels.
  • Page 11: Optional Items

    Item Sliding Rail Mounting Bracket Set The KeySecure k570 Appliance will fit into any standard 19-inch server rack. The optional sliding rail mounts allow for easy removal and access to the rear face of the appliance. See "Using the Optional Sliding Rail System" on page 16...
  • Page 12 Item SafeNet Luna Backup HSM You can back up your selected KeySecure k570 Appliance partition contents (root keys, certificates, other items) to a SafeNet Luna Backup HSM. The SafeNet Luna Backup HSM is suitable for off-site storage and for backing up multiple HSM partitions. It can back up contents of password-authenticated or of PED-authenticated HSMs.
  • Page 13: Rack-Mounting

    Rack-Mounting If you intend to mount the KeySecure k570 Appliance in a standard equipment rack, front ear brackets, side rails, rear slider brackets, and the necessary screws are packed separately in the carton. You may also have ordered the optional sliding rail mounting system. See "Received Items" on page 5...
  • Page 14 Install the two sliding rear brackets in your equipment rack using four rack mounting screws. NOTE While any standard equipment rack screws should fit the brackets, certain large-headed screws may interfere with the operation of the secure locking bezel.
  • Page 15 CAUTION! Support the weight of the appliance with the hydraulic lift until all four brackets are secured. Secure the front ear brackets using rack mounting screws.
  • Page 16: Using The Optional Sliding Rail System

    Fit the front end of each mount into either side of the rack and pull the spring-loaded latch at the rear to snap it in place.
  • Page 17 Secure the rear end of each mount to the rack with two wide flat-headed screws. Fasten the transformer bracket to each sliding mount with two wide flat-headed screws.
  • Page 18 Screws with heads that are too large can prevent the locking bezel from fitting to the faceplate. Use the screws included with the appliance, or other screws with suitable heads.
  • Page 19 "Connecting to the Appliance" on the next page to continue the installation process.
  • Page 20: Connecting To The Appliance

    If you have a PED-authenticated appliance, connect the PED directly to the appliance's USB port (on the rear panel's left side), using the included USB-to-MiniUSB PED cable. Press and release the Start/Stop switch on the front panel to power up the appliance.
  • Page 21: Connecting The Appliance To A Console Device

    Use a terminal emulation package, such as PuTTY, to open a serial connection to the COM port associated with your Prolific USB-to-Serial adapter. Set the serial connection parameters as follows: Baud rate: 19200
  • Page 22: Connecting To The Gui

    After the system starts up, in the Console Window, choose the KeySecure IP address for your network. Use this address to browse to the NextGen KeySecure GUI.
  • Page 23 Save this SSH Public Key at a safe location. You will need this key for future SSH access. After replacing the default SSH Public Key, the Log In screen appears.
  • Page 24 SSH to the appliance from this point on. The initial Application Administrator can now log in. This is part of appliance activation, which is covered in the following section, "Deploying the Appliance" on page 26.
  • Page 25: Installing The Locking Bezel

    The two locks are keyed differently, so the keys can be issued to different security personnel and kept in secure, separate locations. NOTE Leaving the keys in the bezel could interfere with closing the rack door, and compromise security.
  • Page 26: Deploying The Appliance

    Deploying the Appliance This section describes how to deploy the NextGen KeySecure k570 Appliance. This section consists of the following sub-sections: > "Initializing the SafeNet Luna PCIe HSM Card" below > "Resetting the Crypto Officer Password" on page 29 > "Activating the Appliance" on page 31 >...
  • Page 27 You must be logged in as Partition SO to initialize the Crypto Officer role. “po” is the short form for “Partition SO”. lunacm:> role init -name Crypto Officer
  • Page 28 Look for a slot with description "Admin Token Slot". To select the active slot, enter: lunacm:> slot set -slot <number> Re-initialize the HSM Card. lunacm:> hsm factoryReset
  • Page 29: Resetting The Crypto Officer Password

    The Crypto Officer password set by the Partition SO must be changed. If it is not changed, lunacm will generate a CKR_PIN_EXPIRED error when accessing the partition.
  • Page 30 -name Crypto Officer -old <Existing Par PW> -newpw <New Par PW> NOTE Passwords are not masked. Activate/cache the new Crypto Officer credentials by logging in. lunacm:> role login -name Crypto Officer Exit the lunacm utility.
  • Page 31: Activating The Appliance

    Activating the Appliance The initial Application Administrator can now log in. This is part of the Appliance Activation, which is covered in the following section. To activate the KeySecure k570 Appliance, the initial Application Admin user must log in using these steps: Browse to the KeySecure IP address as you did earlier in the section "Connecting to the GUI" on...
  • Page 32 Using your new password, log in again. The KeySecure k570 Appliance GUI home page appears: The KeySecure k570 Appliance has been activated. When you are ready, you can continue with the following section to configure the PCIe HSM Card as Root of Trust.
  • Page 33: Configuring The Hsm As Root Of Trust

    You can configure the HSM as Root of Trust using either the GUI or the CLI (KSCTL). This section uses the GUI. For instructions on using KSCTL to configure the HSM as Root of Trust, refer to the NextGen KeySecure Administrator Guide. Browse to the KeySecure k570 Appliance GUI home page as you did in the "Activating the Appliance" on page 31 section above.
  • Page 34: Licensing

    To access from the GUI, select Settings > Licenses. The basic licensing steps are shown here using the GUI and KSCTL: To activate a license using the GUI Retrieve the 'Key Manager Lock Code'.
  • Page 35: Connector/Client Licensing

    Refer to the NextGen KeySecure Release Notes > Compatibility section for information on supported SafeNet Connectors. The Connector Lock Code is also used to license the KMIP interface. For details, refer to "KMIP Licensing" in the KMIP Reference Guide.
  • Page 36: Support Contacts

    If you cannot resolve the issue, contact your supplier or Thales Group Customer Support. Thales Group Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales Group and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
  • Page 37 NOTE Any SSL connection-related error message can be filtered from the log file based on “ERR ” and “tls” tags.
