Luna HSM Resources
This section describes prerequisites to manage Luna HSM resources on CCKM.
This release supports:
Luna Network HSM v7.3.x and higher.
PED and Password-based HSM configurations.
Import of RSA-4096 keys from Luna HSM 7.4.0 and higher.
Depending on the use case, the Luna HSM partitions can be configured in the Key Export or Cloning mode. For AWS HYOK operations, you can configure the partitions in either mode. For BYOK operations, the partitions must be configured in the Key Export mode.
Make sure that a common cipher is enabled on the Luna HSM and the CipherTrust Manager to allow a successful connection between them.
On Luna HSM, disable the HSM NTLS IP check by running the ntls ipcheck disable command.
Also, make sure the CipherTrust Manager is registered with the Luna HSM, as described below:
On the Luna HSM
Create a Client. Refer to Luna HSM Client Software Installation.
The client certificate needed when creating the client on the Luna HSM can be downloaded by clicking Download Luna Client Cert on the CipherTrust Manager GUI. When uploading the certificate file to the Luna HSM, the file must have the same name as the internally generated CN. You can use openssl (or some other tool) to inspect the certificate CN. The name will look similar to
Register the Client with the Luna HSM. Refer to Multi-Step NTLS Connection Procedure.
Assign a Partition to the Client. Refer to Client Partition Connections.
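The CN check described in the certificate step above, as an added example that is not part of the Thales documentation or product: it reads the subject CN from the downloaded client certificate with openssl and verifies that the file name you are about to upload to the Luna HSM matches it. It assumes the certificate is PEM-encoded and that a file extension such as ".pem" may follow the CN in the file name; the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not Thales documentation or product code): read the CN from
# the downloaded CipherTrust Manager client certificate and check that the
# file to be uploaded to the Luna HSM is named after that CN.
# Assumptions: PEM-encoded certificate; one extension such as ".pem" may
# follow the CN in the file name.

# Print the subject CN of a PEM certificate, e.g. "ctm-client-01".
client_cert_cn() {
  # RFC2253 output is one line: subject=CN=...,O=...; prefixing a comma
  # makes the CN attribute unambiguous to match wherever it sits.
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= */,/; s/.*,CN=\([^,]*\).*/\1/p'
}

# Return 0 when the file's base name (with or without one extension)
# equals the certificate CN, 1 otherwise.
cert_name_matches_cn() {
  cn=$(client_cert_cn "$1")
  [ -n "$cn" ] || return 1
  base=$(basename "$1")
  [ "$base" = "$cn" ] || [ "${base%.*}" = "$cn" ]
}

# Usage: sh check_luna_cert_name.sh <downloaded-cert.pem>
if [ $# -gt 0 ]; then
  if cert_name_matches_cn "$1"; then
    echo "OK: file name matches CN $(client_cert_cn "$1")"
  else
    echo "Rename the file to $(client_cert_cn "$1").pem before uploading" >&2
    exit 1
  fi
fi
```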
On the CipherTrust Manager
Add Connection to the Luna HSM Server on the CipherTrust Manager. Refer to Creating a Luna Connection.
Test the Connection. Refer to Testing a New Luna Connection. Make sure the "connection_status" is
The connection test can fail if:
CipherTrust Manager is not successfully authenticated to the Luna HSM device
NTLS service is down on the Luna HSM Server
Luna HSM partition is not assigned to a Luna HSM client
Inspect the logs on the Luna HSM for details.