Initializing the HSM

Initialization prepares a new HSM for use, or an existing HSM for reuse. You must initialize the HSM before you can generate or store objects, allow clients to connect, or perform cryptographic operations:

- On a new or factory-reset HSM, initialization sets the HSM SO credentials, the HSM label, and the cloning domain of the HSM Admin partition. This is often referred to as a 'hard' initialization. See Initializing a New or Factory-reset HSM.

- On an initialized HSM, re-initialization destroys all existing partitions and objects, but retains the SO credentials and cloning domain. You have the option to change or retain the existing label. This is often referred to as a 'soft' initialization. See Re-initializing the HSM.

NOTE   To ensure accurate auditing, perform initialization only after you have set the system time parameters (time, date, time zone, and use of NTP (Network Time Protocol)). You can use the -authtimeconfig option when initializing the HSM to require HSM SO authorization of any time-related changes once the HSM is initialized.

Hard versus soft initialization

The following table summarizes the differences between a hard and soft initialization.

Condition/Effect                  Soft init   Hard init
HSM SO authentication required    Yes         No
Can set new HSM label             Yes         Yes
Creates new HSM SO identity       No          Yes
Creates new Domain                No          Yes
Destroys partitions               Yes         No (none exist to destroy)
Destroys objects                  Yes         No (none exist to destroy)

Initializing a New or Factory-reset HSM

NOTE   New HSMs are shipped in Secure Transport Mode (STM). You must recover the HSM from STM before you can initialize the HSM. See Secure Transport Mode for details.

On a new or factory-reset HSM (using hsm factoryreset), the following attributes are set during a hard initialization:

HSM Label

The label is a string that uniquely identifies this HSM.

The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. Only alphanumeric characters and the underscore are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_

For more information, refer to Name, Label, and Password Requirements.

HSM SO credentials

For multifactor quorum-authenticated HSMs, you create a new HSM SO (blue) PED key(set) or re-use an existing PED key(set) from an HSM you want to share credentials with. If you are using multifactor quorum authentication, ensure that you have an authentication strategy before beginning. See Multifactor Quorum Authentication.

For password-authenticated HSMs, you specify the HSM SO password. For proper security, it should be different from the appliance admin password, and employ standard password-security characteristics.

In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~

The following characters are invalid or problematic and must not be used in passwords: "&;<>\`|

Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.

Cloning domain for the HSM Admin partition

The cloning domain is a shared identifier that makes cloning possible among a group of HSM partitions. It specifies the security domain (group of HSM partitions) within which the HSM Admin partition can share cryptographic objects through cloning, backup/restore, or in high availability configurations. Note that the HSM Admin partition cloning domain is independent of the cloning domain specified when creating application partitions on the HSM.

For multifactor quorum-authenticated HSMs, you create a new Domain (red) PED key(set) or re-use an existing PED key(set) from an HSM you want to be able to clone with.

For password-authenticated HSMs, you create a new domain string or re-use an existing string from an HSM you want to be able to clone with.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

For password-authenticated HSMs, the domain string should match the complexity of the partition password.
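The label, HSM SO password and domain-string rules above are easy to get wrong when initialization is scripted. The following is an added example, not code from the Thales documentation: it checks the three values against the documented character sets and length limits, mirrors the HSM's truncation of over-long labels, and quotes values containing spaces the way the page describes for the -domain option. The function and variable names are the example's own.

```python
import string

# Character classes taken from the page's label, password and domain-string rules.
LABEL_CHARS = set(string.ascii_letters + string.digits + "_")
PASSWORD_CHARS = set(string.ascii_letters + string.digits + " !@#$%^*()-_=+[]{}/:',.~")
DOMAIN_CHARS = set(string.ascii_letters + string.digits + " !@#$%^*-_=+[]{}/:',.~")


def normalize_label(label: str) -> str:
    """1-32 chars, [A-Za-z0-9_] only. The HSM truncates longer labels to 32
    characters, so do the same here and return what will actually be stored."""
    if not label:
        raise ValueError("label must be at least 1 character")
    bad = sorted(set(label) - LABEL_CHARS)
    if bad:
        raise ValueError(f"label contains disallowed characters: {bad!r}")
    return label[:32]

def check_so_password(password: str) -> str:
    """HSM role password: 8-255 chars drawn from the allowed set only, so the
    page's invalid characters (double quote, &, ;, <, >, backslash, backtick, |)
    fall out of the set difference and are rejected."""
    if not 8 <= len(password) <= 255:
        raise ValueError("password must be 8-255 characters")
    bad = sorted(set(password) - PASSWORD_CHARS)
    if bad:
        raise ValueError(f"password contains invalid characters: {bad!r}")
    return password

def check_domain(domain: str) -> str:
    """Cloning domain string: 1-128 chars, allowed set (no parentheses, unlike
    passwords), and the leading character must not be a space."""
    if not 1 <= len(domain) <= 128:
        raise ValueError("domain string must be 1-128 characters")
    if domain[0] == " ":
        raise ValueError("domain string must not begin with a space")
    bad = sorted(set(domain) - DOMAIN_CHARS)
    if bad:
        raise ValueError(f"domain string contains invalid characters: {bad!r}")
    return domain

def lunash_arg(value: str) -> str:
    """Values containing spaces are enclosed in double quotation marks on the
    LunaSH command line; '"' is never valid inside them, so no escaping is needed."""
    return f'"{value}"' if " " in value else value

def build_init_command(label: str, domain: str, password: str) -> str:
    """Validate all three values and return the hsm init line. The password is
    validated but kept off the command line; it is entered at the prompt."""
    check_so_password(password)
    lbl, dom = lunash_arg(normalize_label(label)), lunash_arg(check_domain(domain))
    return f"hsm init -label {lbl} -domain {dom}"
```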

To initialize a new or factory-reset HSM

1. Log into LunaSH as admin. You can use a serial terminal window or SSH connection.

2. If Secure Transport Mode is set, you must unlock the HSM before proceeding. New Luna HSMs are shipped from the factory in Secure Transport Mode (STM). STM allows you to verify whether or not an HSM has been tampered with while it is not in your possession, such as when it is shipped to another location or placed into storage. See Secure Transport Mode for more information.

To recover your HSM from Secure Transport Mode, proceed as follows:

a. As part of the delivery process for your new HSM, you should have received an email from Thales Client Services, containing two 16-digit strings, as follows. You will need both of these strings to recover the HSM from STM:

Random User String: XXXX-XXXX-XXXX-XXXX

Verification String: XXXX-XXXX-XXXX-XXXX

b. Ensure that you have the Random User String and Verification String that were emailed to you for your new HSM.

c. Enter the following command to recover from STM, specifying the Random User String that was emailed to you for your new HSM:

lunash:> hsm stm recover -randomuserstring <XXXX-XXXX-XXXX-XXXX>

d. You are presented with a verification string. If it matches the original verification string emailed to you for your new HSM, the HSM has not been tampered with and can be safely deployed. If it does not match, the HSM has been tampered with while in STM; contact Thales Technical Support immediately.

e. Enter proceed to recover from STM (regardless of whether the strings match or not), or enter quit to remain in STM.

3. If you are initializing a multifactor quorum-authenticated HSM, have the Luna PED connected and ready (via USB, in Local PED-USB mode). If your PED is not in USB mode, see Changing Modes. Alternatively, have a Remote PED instance set up; see About Remote PED.

4. Run the hsm init command, specifying a label for your Luna Network HSM 7:

lunash:> hsm init -label <label>

5. Respond to the prompts to complete the initialization process:

- On a password-authenticated HSM, you are prompted for the HSM password and for the HSM Admin partition cloning domain string (cloning domains for application partitions are set when the application partitions are initialized).

- On a multifactor quorum-authenticated HSM, you are prompted to attend to the Luna PED to create a new HSM SO (blue) PED key for this HSM, re-use an HSM SO PED key from an existing HSM so that you can also use it to log in to this HSM, or overwrite an existing key with a new authentication secret for use with this HSM. You are also prompted to create, re-use, or overwrite the Domain (red) PED key. You can create MofN quorum keysets and duplicate keys as required. See Multifactor Quorum Authentication for more information.

Re-initializing the HSM

On an existing, non-factory-reset HSM, re-initialization clears all existing partitions and objects, but retains the SO credentials and cloning domain. You have the option to change or retain the existing label. Re-initialization is also referred to as a soft init. If you want to change the SO credentials and cloning domain as well, a soft init is not sufficient: use the hsm factoryreset command to factory reset the HSM, and then perform the procedure described in Initializing a New or Factory-reset HSM.

CAUTION!   Ensure you have backups for any partitions and objects you want to keep, before reinitializing the HSM.

To re-initialize the HSM (soft init)

1. Log into LunaSH as admin. You can use a serial terminal window or SSH connection.

2. Log in as the HSM SO.

3. If Secure Transport Mode is set, you must unlock the HSM before proceeding. See Secure Transport Mode.

4. If you are initializing a multifactor quorum-authenticated HSM, have the Luna PED connected and ready (via USB, in Local PED-USB mode). If your PED is not in USB mode, see Changing Modes.

5. Re-initialize the HSM, specifying a label for your Luna Network HSM 7:

lunash:> hsm init -label <label>