Restoring Broken NTLS or STC Connections

If a certificate used to authenticate NTLS or STC connections is deleted, regenerated, or has expired, the TLS handshake fails, and connections must be re-established before cryptographic operations can resume. This can be the result of HSM or partition zeroization (STC), regeneration/expiry of the HSM server certificate (server.pem) on the Luna Network HSM 7 appliance, or expiry of a client certificate. The procedures on this page will allow you to restore your broken connections, wherever possible.

>Restoring NTLS/STC Connections after Regenerating the Server and/or Client Certificates

>Restoring Connections After HSM Zeroization

>Restoring STC Connections After Partition Zeroization

Restoring NTLS/STC Connections after Regenerating the Server and/or Client Certificates

If you regenerate the HSM server certificate (server.pem) and/or a client certificate, you must restore all NTLS and STC connections using the new certificate(s).

To restore NTLS connections using an HSM server certificate signed by a third-party CA

Restore NTLS connections using the procedure for Authenticating the Appliance Using a Trusted CA. You do not need to re-install the CA certificate chain, only the new server certificate.

To restore NTLS connections using a client certificate signed by a third-party CA

Restore NTLS connections using the procedures for Authenticating a Client Using a Trusted CA and Registering a Client to the Appliance. You do not need to re-install the CA certificate chain, only the new server certificate.

To restore NTLS or STC connections using a self-signed HSM server certificate

Appliance admin:

1. Using LunaSH, restart the NTLS and STC services.

lunash:> service restart ntls

lunash:> service restart stc

2. Provide the new HSM Server Certificate (server.pem) to each client by pscp, scp, or other secure means.

Client administrators:

1. If you have access to LunaSH on the Luna Network HSM 7 appliance, you can retrieve the new HSM server certificate (server.pem) using pscp or scp. Otherwise, the appliance administrator must provide it.

2. Delete the original server identity from the client.

>vtl deleteServer -n <hostname/IP>

3. Register the new HSM server certificate with the client.

>vtl addServer -n <hostname/IP> -c <cert_filename>

4. If you are restoring STC connections, launch LunaCM, find the new Server ID, and enable STC for the server.

lunacm:> clientconfig listservers

lunacm:> stc enable -id <server_ID>
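A check the client administrator can run on the received server.pem before registering it in step 3, shown here as an added example that is not part of the vendor documentation. It assumes OpenSSL is installed on the client and that the appliance administrator has supplied the certificate's SHA-256 fingerprint over a separate channel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-registration checks on a received server.pem.
# Assumption: the expected SHA-256 fingerprint was obtained out-of-band.

# Print the certificate's SHA-256 fingerprint as lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_server_cert <cert_file> <expected_sha256> [min_seconds_left]
# Returns 0 when the file matches the expected identity and is not about
# to expire; 2 = unreadable, 3 = fingerprint mismatch, 4 = expiring.
check_server_cert() {
    cert=$1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    min_left=${3:-604800}   # default: at least 7 days of validity left
    actual=$(cert_fingerprint "$cert")
    if [ -z "$actual" ]; then
        echo "FAIL: $cert is not a readable X.509 certificate" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: fingerprint mismatch (got $actual)" >&2
        return 3
    fi
    if ! cert_valid_for "$cert" "$min_left"; then
        echo "FAIL: certificate expires within $min_left seconds" >&2
        return 4
    fi
    echo "OK: $cert sha256=$actual"
}

# Stand-alone use: ./check_cert.sh server.pem <expected_sha256> [seconds]
if [ "$#" -ge 2 ]; then
    check_server_cert "$@"
fi
```

Run it between steps 2 and 3 and continue with vtl addServer only when it prints OK.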

Restoring Connections After HSM Zeroization

If the HSM is zeroized, all partitions and their contents are erased. New partitions must be created and assigned to their clients via the usual connection procedure.

NTLS connections

The HSM SO must re-initialize the HSM, create new partitions, and assign them to their respective registered clients (see Assigning or Revoking NTLS Client Access to a Partition). You do not need to register new appliance/client certificates unless they are regenerated.

STC connections

When the HSM is zeroized, the following occurs:

>HSM policy 39: Allow Secure Trusted Channel is turned off.

>The STC application partition identities are deleted along with the partitions.

>If the STC admin channel is enabled, the STC admin partition identity is deleted, breaking the STC admin channel between LunaSH and the HSM.

Create new STC connections using the standard procedure found in Creating an STC Connection. You can use the existing client tokens/identities. You do not need to register a new HSM server certificate unless it was regenerated using lunash:> sysconf regenCert.

Restoring STC Connections After Partition Zeroization

The registered client identities used to validate STC clients are stored on each partition. Since they are not cryptographic objects, they are not backed up as part of a normal partition backup operation. If the partition is zeroized due to multiple login failures, the registered client identities are erased and regenerated. The HSM SO must provide the new partition identity to the client administrator, who must register the new identity.

To restore an STC connection after partition zeroization

HSM SO:

1. Log in to LunaSH and log in as HSM SO.

lunash:> hsm login

2. Export the new partition identity key to the appliance filesystem.

lunash:> stc partition export -partition <label>

3. Provide the new partition identity key (<partitionSN>.pem) to the client by pscp, scp, or other secure means.

Client administrator:

1. If you have access to LunaSH on the Luna Network HSM 7 appliance, you can retrieve the new partition identity key (<partitionSN>.pem) using pscp or scp. Otherwise, the HSM SO must provide it.

2. Launch LunaCM and de-register the original partition identity from the client.

lunacm:> stc partitionderegister -serial <partitionSN>

3. Register the new partition identity key (<partitionSN>.pem) to the client.

lunacm:> stc partitionregister -file <path/filename> [-label <label>]

4. Restart LunaCM.

lunacm:> clientconfig restart

You can now re-initialize the STC partition.