SafeNet Luna Network HSM 7.4
APPLIANCE ADMINISTRATION GUIDE

Summary of Contents for Thales SafeNet Luna Network HSM 7.4

  • Page 1 SafeNet Luna Network HSM 7.4 APPLIANCE ADMINISTRATION GUIDE...
  • Page 2 Disclaimer All information herein is either public information or is the property of and owned solely by Thales and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
  • Page 3 Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
  • Page 4: Table Of Contents

    Chapter 2: Client Connections: Connections to the Appliance - Limits; SafeNet Luna Network HSM Port Usage; SafeNet Luna Network HSM Appliance Port Bonding. SafeNet Luna Network HSM 7.4 Appliance Administration Guide 007-013578-007 Rev. B 16 December 2019 Copyright 2001-2019 Thales...
  • Page 5 Hardware Monitoring and Logging; Configuring System Logging; Rotating System Logs; Customizing Severity Levels; Reading System Logs; Exporting System Logs; Deleting System Logs; Remote System Logging...
  • Page 6: Preface: About The Appliance Administration Guide

    > "Document Conventions" on the next page > "Support Contacts" on page 9. For information regarding the document status and revision history, see "Document Information" on page 2.
  • Page 7: Customer Release Notes

    This includes SafeNet Luna HSM users and security officers, key manager administrators, and network administrators. All products manufactured and distributed by Thales Group are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.
  • Page 8 [<a>|<b>|<c>] Represent optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the brackets, if desired. Choices are separated by vertical (OR) bars.
  • Page 9: Support Contacts

    Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
  • Page 10: Chapter 1: Appliance Hardware Functions

    The SafeNet Luna Network HSM is 1U high and fits into standard 19-inch equipment racks. Front Panel The front panel is illustrated below, with the secure locking bezel removed:
  • Page 11 19-inch appliance rack. Kensington lock Allows the appliance to be secured to a desk or equipment rack using a Kensington connector lock.
  • Page 12: Safenet Luna Network Hsm Network Interface Configuration Variants

    The 1G model provides four 1G RJ45 copper Ethernet network interfaces. You can optionally bond eth0 and eth1 to bond0, or eth2 and eth3 to bond1, to provide a redundant active/standby virtual interface.
  • Page 13: Front-Panel Lcd Display

    Automatically cycles between displaying the following information: > Software (SW) and firmware (FW) versions currently installed on the appliance > Appliance host name > HSM label and HSM serial number
  • Page 14: Appliance State And Status Codes

    If you have fixed a fault that caused an error, the display should clear the error indication at the next update. If the display continues to show the error message, then the fault may have re-occurred and you should investigate.
  • Page 15 Out of Service. The HSM service has experienced one or more errors or critical events. Use the LunaSH hsm information show and syslog tail commands to help troubleshoot the issue.
  • Page 16: System Behavior With Hardware Tamper Events

    "Power Supply and Fan Maintenance" on page 21 for more information.
  • Page 17: Decommission

    STM. Now, we illustrate a hardware tamper (by physically interfering with the appliance as an intruder might do)
  • Page 18 LUNA_RET_MTK_ZEROIZED. hsm tamper clear: Clear the HSM tamper. The HSM SO must be logged in to issue this command.
  • Page 19: Summary Of Your Responses To Tamper Events

    This section describes how to power-on, power-off, or reboot the appliance. It contains the following sections: > "Power On" on the next page > "Power Off" on the next page > "Reboot" on the next page > "Hard Reboot" on page 21
  • Page 20: Power On

    If you issue the poweroff command, the system requests that you confirm by typing "proceed". After you type "proceed", the system returns a success message. From that point the orderly shutdown takes 15 to 20 seconds.
  • Page 21: Hard Reboot

    Power Supply LED:
      DC present / only standby output on  - Flashing green (1 Hz)
      Power supply DC output ON and OK     - Steady green
      Power supply failure                 - Steady red
  • Page 22: Replacing A Power Supply

    Withdraw the power supply completely, using your other hand to support the body of the power supply as it emerges.
  • Page 23: The Fans

    In less-than-perfect, non-clean-room conditions, the mesh might accumulate a buildup of dust, and should be cleaned occasionally for best cooling airflow into the equipment.
  • Page 24 Then, replace the lattice in front of the mesh by inserting the tabs first, then swinging the lattice closed like a door, and securing with the knurled screw.
  • Page 25 The illustration below happens to show them separated.
  • Page 26 Grasp the handle of the selected fan module and pull straight out toward you. After slight initial resistance, the fan module should easily slide free of the appliance.
  • Page 27: Summary

    > The appliance does not need to be powered on. > The appliance does not need to have power cables connected.
  • Page 28: What The Emergency Decommission Button Does

    If the capability is installed, Capability 46: Allow Disable Decommission and Policy 46: Disable Decommission are listed. Enter the following command to enable Policy 46: Disable Decommission
  • Page 29: When To Use The Emergency Decommission Button

    Connect the serial port on the HSM appliance's rear panel to a terminal server, dumb terminal, PC, or laptop, using the supplied Prolific Technology Inc. USB to RJ45 (with 8P8C connector) adapter.
  • Page 30: Serial Pinout

    The Network HSM appliance serial port uses a configuration equivalent to the Cisco Terminal Console. The Prolific Technologies Inc. RJ45-to-USB serial adapter cable uses a standard RJ45 pinout configuration:
  • Page 31: Troubleshooting

    The purpose of the bezel is to: > cover the appliance's ports, and the power button, > lock the appliance to the rack to prevent removal.
  • Page 32: Replacement Keys

    To obtain replacement keys, contact Technical Support (see "Support Contacts" on page 9). Please have the lock serial numbers ready. You can find these numbers on the sides of the bezel by each lock.
  • Page 33: Power Consumption

    100W (max) The SafeNet appliance has two power supplies, each rated at 350W, either of which is capable of running the system alone.
  • Page 34: Chapter 2: Client Connections

    SafeNet Luna Network HSM Port Usage The table below describes the SafeNet Luna Network HSM appliance's default port settings.
  • Page 35: Safenet Luna Network Hsm Appliance Port Bonding

    Network HSM. Where a bonding interface has the same IP as the IP of eth0 or eth2, no ill effects have been observed on running clients other than normal fail-over/recover behavior.
  • Page 36: Using Port Bonding

    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
  • Page 37 ssh-rsa 1024 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 Command Result : 0 (Success) Notice that the fingerprint reported is the same as was generated back on mypc.
  • Page 38 Obviously, most of the above has been an extended example, to show various aspects of the function, and you do not need to go through all those steps just to set up Public-Key Authentication for a client/admin computer.
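    The step that matters for security in the public-key SSH procedure above is the fingerprint comparison: the key the appliance reports back must be the one generated on the client, or an operator has just authorized a substituted key. The following is an added example, not code from the Thales guide. It parses an ssh-rsa public-key line as written by ssh-keygen, computes the MD5 colon-hex fingerprint in the form the appliance displays (the SHA256 form as well), reports the RSA modulus size, and checks the local key against the appliance's "<type> <bits> <fingerprint>" line. The key parameters used for the demo are made-up fixtures rather than a real key pair, and the 2048-bit minimum is this example's assumption; the guide's own sample shows a 1024-bit key, which is below the 2048-bit minimum in NIST SP 800-131A.

```python
"""Check an OpenSSH RSA public key before adding it to the appliance.

Added example, not code from the Thales guide. It parses an `ssh-rsa` line as
written by ssh-keygen, computes the MD5 colon-hex fingerprint (the form the
appliance echoes as '<type> <bits> <fp>') plus the SHA256 form, reports the
modulus size, and compares the local key with the appliance's report.
Demo key parameters are made-up fixtures, not a real key pair.
"""
import base64
import hashlib
import re
import struct
from typing import Dict, Optional, Tuple

MIN_RSA_BITS = 2048  # assumption of this example (NIST SP 800-131A minimum)


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def _write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative int as an SSH mpint (leading 0x00 when the top bit is set)."""
    return _write_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Assemble an id_rsa.pub-style line from RSA parameters (fixture helper)."""
    blob = _write_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def inspect_public_key(line: str) -> Dict[str, object]:
    """Return type, modulus bits (RSA only) and both fingerprints for one public-key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError(f"type {key_type!r} does not match blob type {wire_type!r}")
    bits: Optional[int] = None
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "bits": bits,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2)),
        "sha256": "SHA256:" + sha256_b64,
    }


def matches_appliance_report(line: str, reported: str) -> bool:
    """True if the appliance's '<type> <bits> <md5-fingerprint>' line describes this key."""
    info = inspect_public_key(line)
    m = re.fullmatch(r"(\S+)\s+(\d+)\s+((?:[0-9a-f]{2}:){15}[0-9a-f]{2})", reported.strip())
    return bool(m) and m.group(1) == info["type"] \
        and int(m.group(2)) == info["bits"] and m.group(3) == info["md5"]


def is_acceptable_rsa_size(bits: Optional[int]) -> bool:
    """Reject keys below MIN_RSA_BITS (and non-RSA keys whose size was not parsed)."""
    return bits is not None and bits >= MIN_RSA_BITS


if __name__ == "__main__":
    demo = build_rsa_public_key_line(65537, (1 << 2047) | 1, "admin@mypc")  # fixture, not a real key
    info = inspect_public_key(demo)
    print(info["type"], info["bits"], info["md5"])
    print("size ok:", is_acceptable_rsa_size(info["bits"]))
    print("matches report:", matches_appliance_report(demo, f"ssh-rsa {info['bits']} {info['md5']}"))
```

    In practice, feed `inspect_public_key` the contents of the client's id_rsa.pub and paste the appliance's reported line into `matches_appliance_report`; a mismatch in type, size or fingerprint means the key on the appliance is not the one just generated and should be removed before the session is trusted.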
  • Page 39: Set Up Public-Key Ssh Access For Other Safenet Luna Network Hsm Users

    If you perform a service restart ntls on a live, or production SafeNet appliance, any active sessions would be lost. That is, HSM Partitions would remain active, but Clients would need to re-connect and re-authenticate.
  • Page 40: Timeouts

    SafeNet Luna Network HSM system is required. This value can be set in the SafeNet Luna Network HSM configuration file as follows:
    Windows (crystoki.ini):
      [LunaSA Client]
      ReceiveTimeout=<value in milliseconds>   // default is 20000 milliseconds
  • Page 41 UNIX (/etc/Chrystoki.conf):
      LunaSA Client = {
        ReceiveTimeout=<value in milliseconds>;
  • Page 42: Chapter 3: Timestamping - Ntp And Clock Drift

    GMT have a (-) sign. Examples: to set the time zone to Eastern Standard Time, use the command sysconf timezone set EST
  • Page 43: Correcting Clock Drift Manually

    Allow the drift measurement system to run for a minimum of 3 days before issuing the stop command. Issue the stopmeasure command with the current accurate time: lunash:> sysconf drift stopmeasure -currentprecisetime <hh:mm:ss> The drift measurement is automatically stored.
  • Page 44: Ntp On Safenet Luna Network Hsm

    Ensure that NTP is enabled on the appliance. lunash:> sysconf ntp enable Add an NTP server. lunash:> sysconf ntp addserver <NTPserver> Check the NTP connection.
  • Page 45: Securing Your Ntp Connection

    -password <password> Restart NTP again: lunash:> service restart ntp Add the trusted NTP server using the -autokey option:
  • Page 46: References

    [2] NTP FAQ: Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-AUTH
    [3] NTP Public-Key Authentication: http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#Q-CONFIG-ADV-AUTH-AUTOKEY
    [4] Autokey Identity Schemes: http://www.eecis.udel.edu/~mills/ident.html
    [5] ntp-keygen tool: http://doc.ntp.org/4.2.6/keygen.html
    [6] NTP Server configuration options: http://doc.ntp.org/4.2.6/confopt.html
  • Page 47: Chapter 4: System Logging

    Table 1: syslog Severity Levels (Severity Keyword: Severity Description)
      emerg/panic: System is unusable
      alert: Action must be taken immediately
  • Page 48: Hardware Monitoring And Logging

    LunaSH displays warnings when the system reaches 50%, 75%, and 90% of log capacity. If you see one of these warnings, export your old logs to a client workstation to clear space in the syslog directory.
  • Page 49: Customizing Severity Levels

    (emergency) and send the rest of the logs to a remote syslog server (see "Remote System Logging" on page 52).
  • Page 50: Reading System Logs

    STC policy is set to "OFF" on partition 66331 : Unknown ResultCode value
    2017 Mar 1 14:27:55 local_host local5 info hsm[32120]: STC policy is set to "OFF" on partition
  • Page 51: Exporting System Logs

    To transfer system logs from the appliance to a client: create the log archive file (see "syslog tarlogs" on page 1): lunash:> syslog tarlogs
  • Page 52: Deleting System Logs

    Remote System Logging Remote system logging allows you to send logs from your SafeNet Luna Network HSM to a central syslog server on the network.
  • Page 53 Optionally, confirm the remote logging settings:
    lunash:> syslog show
      Remote Configured Log Levels:
      -----------------------------
      lunalogs:  192.10.10.100 info
                 192.10.10.101 info
      messages:  192.10.10.100 info
                 192.10.10.101 info
  • Page 54 Remote Configured Log Levels:
      -----------------------------
      lunalogs:  192.10.10.100 info
                 192.10.10.101 critical
      messages:  192.10.10.100 info
                 192.10.10.101 info
      cron:      192.10.10.100 notice
                 192.10.10.101 notice
      secure:    192.10.10.100 info
                 192.10.10.101 info
  • Page 55 boot:      192.10.10.100 info
                 192.10.10.101 info
    Repeat step 1, specifying each log type severity level you wish to customize (lunalogs, messages, cron, secure, boot).
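    The severity table and the per-host log levels above decide what a remote collector actually sees: a host configured at critical for lunalogs never receives the info-level STC or connection messages, so detections that depend on them must be built on a host configured at info. The following is an added example, not code from the Thales guide. It parses appliance syslog lines in the layout quoted under Reading System Logs, orders them by RFC 5424 severity, and works out which remote hosts a line reaches under a syslog show-style table like the one above. The sample lines and their messages are constructed, and the mapping of facilities to log types (local5 to lunalogs, authpriv to secure) is an assumption of this example.

```python
"""Parse appliance syslog lines and apply severity and forwarding policy.

Added example, not code from the Thales guide. Lines follow the layout quoted
in the guide's Reading System Logs section:
  <year> <mon> <day> <hh:mm:ss> <host> <facility> <severity> <program>[<pid>]: <message>
The forwarding model mirrors the per-log-type, per-host table printed by
`syslog show`. Sample lines and the facility-to-log-type mapping are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# RFC 5424 numeric severities (lower is more severe). Aliases cover the keyword
# column of the guide's Table 1 and the spellings used in the `syslog show` output.
SEVERITY: Dict[str, int] = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "critical": 2,
    "err": 3, "error": 3, "warning": 4, "warn": 4, "notice": 5,
    "info": 6, "debug": 7,
}

LINE_RE = re.compile(
    r"^(?P<year>\d{4}) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<facility>\S+) (?P<severity>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


@dataclass(frozen=True)
class LogEvent:
    timestamp: str
    host: str
    facility: str
    severity: str
    program: str
    pid: Optional[int]
    message: str

    @property
    def level(self) -> int:
        return SEVERITY[self.severity]


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent, or None when the line does not match the appliance layout."""
    m = LINE_RE.match(line.strip())
    if not m or m["severity"] not in SEVERITY:
        return None
    return LogEvent(
        timestamp=f"{m['year']} {m['mon']} {m['day']} {m['time']}",
        host=m["host"], facility=m["facility"], severity=m["severity"],
        program=m["program"], pid=int(m["pid"]) if m["pid"] else None,
        message=m["message"],
    )


def at_least(events: Iterable[LogEvent], threshold: str) -> List[LogEvent]:
    """Events at `threshold` severity or worse, e.g. 'critical' keeps critical, alert, emerg."""
    cutoff = SEVERITY[threshold]
    return [e for e in events if e.level <= cutoff]


def forwarded_to(log_type: str, event: LogEvent, remote_levels: Dict[str, Dict[str, str]]) -> Set[str]:
    """Hosts that receive `event` under a {log_type: {host: severity}} table;
    a host configured at 'critical' for lunalogs never sees an info line."""
    return {host for host, kw in remote_levels.get(log_type, {}).items()
            if event.level <= SEVERITY[kw]}


# Constructed sample lines in the quoted layout; messages are illustrative.
SAMPLE_LINES = [
    '2017 Mar 1 14:27:55 local_host local5 info hsm[32120]: STC policy is set to "OFF" on partition 66331',
    "2017 Mar 1 14:28:02 local_host local5 critical hsm[32120]: HSM tamper detected",
    "2017 Mar 1 14:28:10 local_host authpriv info sshd[4101]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2",
    "not a syslog line at all",
]

# Mirrors the "Remote Configured Log Levels" table: .101 only gets lunalogs at critical and above.
REMOTE_LEVELS = {
    "lunalogs": {"192.10.10.100": "info", "192.10.10.101": "critical"},
    "secure": {"192.10.10.100": "info", "192.10.10.101": "info"},
}

# Assumption for this example: HSM messages (facility local5) belong to the 'lunalogs'
# log type and sshd messages (authpriv) to 'secure'; anything else falls under 'messages'.
FACILITY_TO_LOG_TYPE = {"local5": "lunalogs", "authpriv": "secure"}


def summarize(lines: Iterable[str] = SAMPLE_LINES, remote_levels=REMOTE_LEVELS) -> dict:
    """Parse lines, pick out critical-or-worse events and resolve remote delivery per event."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "parsed": len(events),
        "critical_or_worse": [e.message for e in at_least(events, "critical")],
        "forwarding": {
            e.message: sorted(forwarded_to(FACILITY_TO_LOG_TYPE.get(e.facility, "messages"), e, remote_levels))
            for e in events
        },
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

    Run against an exported syslog tarball, `at_least(events, "critical")` gives the tamper-class events that should page someone, while the forwarding map shows which collector to query for a given message; if the STC-policy line only resolves to one host, that is the host whose retention the investigation depends on.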
