Luna HSM Resources

This section describes the prerequisites for managing Luna HSM resources on CCKM.

This release supports:

  • Luna Network HSM v7.3.x and higher.

  • PED and Password-based HSM configurations.

  • Import of RSA-4096 keys from Luna HSM 7.4.0 and higher.

Prerequisites

Depending on the use case, the Luna HSM partitions can be configured in the Key Export or Cloning mode. For AWS HYOK operations, you can configure the partitions in either mode. For BYOK operations, the partitions must be configured in the Key Export mode.

Before proceeding:

  • Make sure that at least one cipher suite is enabled on both the Luna HSM and the CipherTrust Manager so that the two can negotiate a connection.

  • On Luna HSM, disable the HSM NTLS IP check by running the ntls ipcheck disable command.

Also, make sure the CipherTrust Manager is registered with the Luna HSM, as described below:

On the Luna HSM

  1. Create a Client. Refer to Luna HSM Client Software Installation.

    The client certificate needed when creating the client on the Luna HSM can be downloaded by clicking Download Luna Client Cert on the CipherTrust Manager GUI. When uploading the certificate file to the Luna HSM, the file name must match the certificate's internally generated CN. You can use openssl (or some other tool) to inspect the certificate CN. The name will look similar to cckm-client-c2b39a4b-0f02-4be8-b37f-f3cadfc3ac11.

  2. Register the Client with the Luna HSM. Refer to Multi-Step NTLS Connection Procedure.

  3. Assign a Partition to the Client. Refer to Client Partition Connections.
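The file-name check described in step 1, as an added example that is not part of the Thales documentation: it reads the CN out of the downloaded client certificate with openssl and confirms the file is named after it before you upload it to the Luna HSM. The make_sample_cert helper and the UUID in its CN are constructed for testing only; CCKM issues the real certificate.

```shell
#!/bin/sh
# Added example, not part of the Thales documentation: verify that a Luna client
# certificate file is named after its CN before uploading it to the Luna HSM.

# Print the certificate's Common Name (CN). RFC 2253 formatting prints the
# subject as "subject=CN=...,O=..." so the CN can be cut out with sed.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 only if the file name, minus its .pem extension, equals the CN.
# Also warn when the CN does not have the cckm-client-<uuid> shape the
# CipherTrust Manager generates.
check_cert_name() {
    file="$1"
    base=$(basename "$file")
    base="${base%.pem}"
    cn=$(cert_cn "$file")
    if [ -z "$cn" ]; then
        echo "no CN found in $file" >&2
        return 1
    fi
    case "$cn" in
        cckm-client-*) ;;
        *) echo "warning: CN '$cn' does not look like a CipherTrust-generated client CN" >&2 ;;
    esac
    if [ "$base" != "$cn" ]; then
        echo "rename $file to $cn.pem (certificate CN is $cn)" >&2
        return 1
    fi
    return 0
}

# Test helper: create a self-signed certificate with a constructed CN and
# write it to $dir/$cn.pem (constructed data, not a real CCKM certificate).
make_sample_cert() {
    dir="$1"; sample="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$sample" \
        -keyout "$dir/$sample.key" -out "$dir/$sample.pem" >/dev/null 2>&1
}
```

Run check_cert_name against the downloaded file; a non-zero exit prints the name the file must be given.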

On the CipherTrust Manager

  1. Add the Luna HSM Server to the CipherTrust Manager. Refer to Adding an Internal Connection (Server) under Connection Manager.

  2. Add Connection to the Luna HSM Server on the CipherTrust Manager. Refer to Creating a Luna Connection.

  3. Test the Connection. Refer to Testing a New Luna Connection. Make sure the "connection_status" is connection ok.

    The connection test can fail if:

    • CipherTrust Manager has not successfully authenticated to the Luna HSM device

    • NTLS service is down on the Luna HSM Server

    • Luna HSM partition is not assigned to a Luna HSM client

    Inspect the logs on the Luna HSM for details.

Now, Luna HSM partitions and Luna HSM keys can be managed on the CipherTrust Manager.