Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CCKM Administration

Luna HSM Resources

search

Please Note:

Luna HSM Resources

This section describes prerequisites to manage Luna HSM resources on CCKM.

This release supports:

  • Luna Network HSM Software and Firmware versions v7.3.x and higher. STC partitions are only supported with Luna Network HSM versions 7.7 and higher.

  • PED and Password-based HSM configurations.

  • Both V0 and V1 partitions are supported.

  • Import of RSA-4096 keys from Luna HSM Software and Firmware versions 7.4.x and higher.

  • Symmetric and asymmetric keys with Luna HSM.

Note

The information presented in this section also applies to Azure Dedicated HSM.

Note

CCKM doesn't support FM-enabled Luna HSM as a key source.

Prerequisites

Note

  • Depending on the use case, the Luna HSM partitions can be configured in the Key Export or Clone mode. For AWS HYOK operations, you can configure the partitions in either mode. For BYOK operations, the partitions must be configured in the Key Export mode.

  • If the Luna HSM partitions are configured in Clone mode but the connection manager is configured in Key Export mode, the key is created on the primary partition but you receive a wrap key error.

  • If the Luna HSM partitions are configured in Export mode but the connection manager is configured in Clone mode, the key is created with an error. The public key will be present on all partitions, but the private key will only be present on the primary partition.

Before proceeding:

  • Make sure that a common cipher is enabled on the Luna HSM and the CipherTrust Manager to allow successful connection between them.

  • On Luna HSM, disable the HSM NTLS IP check by running the ntls ipcheck disable command.

Also, make sure the CipherTrust Manager is registered with the Luna HSM, as described below:

On the Luna HSM

  1. Create a Client. Refer to Luna HSM Client Software Installation.

    The client certificate needed when creating the client on the Luna HSM can be downloaded by clicking Download Luna Client Cert on the CipherTrust Manager GUI. When uploading the certificate file to the Luna HSM, the file must have the same name as the internally generated CN. You can use openssl (or some other tool) to inspect the certificate CN. The name will look similar to cckm-client-c2b39a4b-0f02-4be8-b37f-f3cadfc3ac11.

  2. Register the Client with the Luna HSM. Refer to Multi-Step NTLS Connection Procedure.

  3. Assign a Partition to the Client. Refer to Client Partition Connections.

On the CipherTrust Manager

  1. Add the Luna HSM Server to the CipherTrust Manager. Refer to Adding an Internal Connection (Server) under Connection Manager.

  2. Add Connection to the Luna HSM Server on the CipherTrust Manager. Refer to Creating a Luna Connection.

  3. Test the Connection. Refer to Testing a New Luna Connection. Make sure the "connection_status" is connection ok.

    The connection test can fail if:

    • CipherTrust Manager is not successfully authenticated to the Luna HSM device

    • NTLS service is down on the Luna HSM Server

    • Luna HSM partition is not assigned to a Luna HSM client

    Inspect the logs on the Luna HSM for details.

Now, Luna HSM partitions and Luna HSM keys can be managed on the CipherTrust Manager.

On this page