Installing and Configuring Your New Luna USB HSM 7
This page will guide you through key concepts and procedures required to set up and begin using your new Luna USB HSM 7, including hardware installation, HSM initialization, client setup, and partition provisioning. These procedures are divided into operations at the level of the HSM and the partition.
HSM Operations
This series of procedures will help you to install the Luna USB HSM 7 at a client system, along with the Luna HSM Client software, initialize the HSM, and configure it for the needs of your organization by creating an application partition on the HSM.
1.Luna USB HSM 7 Hardware Installation
This section describes how to verify that your Luna USB HSM 7 has remained secure while in transit, confirm that you have received all required items, and install the HSM in a host system.
a.Verifying the Integrity of Your Shipment
b.Luna USB HSM 7 Required Items
c.Installing the Luna USB HSM 7 Hardware
d.Luna USB HSM 7 Hardware Functions
2.Luna HSM Client Software Installation
To use the Luna USB HSM 7, you must first install Luna HSM Client on the client system. This section guides you through the client software installation procedure for your supported operating system, and provides information on configuring the client software for your organization's needs.
•Windows Luna HSM Client Installation
•Windows Interactive Luna HSM Client Installation
•Linux Luna HSM Client Installation
3.Multifactor Quorum Authentication
You can initialize the Luna USB HSM 7 to use password or multifactor quorum authentication. Multifactor Quorum authentication credentials are stored on USB iKeys that must be presented to the Luna USB HSM 7 to authenticate the identities of HSM users. This section contains important information on creating, managing, and using iKeys, that you should know before initializing the HSM.
•iKey Management Using Luna USB HSM 7
Your Luna USB HSM 7 was shipped in Secure Transport Mode (STM), to provide assurance that the HSM has not been modified while in transit. This section describes how STM works and provides instructions for recovering the HSM from this state before you can configure it for use.
Each event that occurs on the HSM can be recorded in the HSM event log, allowing you to audit your HSM usage. These logs are controlled by a specialized Auditor role on the HSM. To ensure that your audit logs cover the HSM's entire span of use, your appointed Auditor should set up audit logging before you initialize the HSM. This section describes how to initialize the Auditor role and configure audit logging.
•Configuring and Using Audit Logging
6.Initializing the Luna USB HSM 7
Initialization prepares a new HSM for use, and creates the HSM Security Officer role. You must initialize the HSM before you can generate or store objects, or perform cryptographic operations.
NOTE If you prefer to set your HSM Policies using a template, refer to Setting HSM Policies Using a Template before initializing the HSM.
7.HSM Capabilities and Policies
The HSM SO can set policies on the HSM to configure its functionality. This section describes all the configurable policies on the HSM and how to change them to suit the needs of your organization.
•Setting HSM Policies Manually
•Setting HSM Policies Using a Template
Next, the HSM SO must create the application partition, where cryptographic objects are stored. Your application(s) on the host system will query the application partition to perform cryptographic operations.
•Creating the Application Partition
Partition/Client Operations
This series of procedures will help you configure the application partition for use with your cryptographic applications.
9.Domain Planning and Key Cloning
The Luna USB HSM 7 uses a protocol called cloning to ensure that your cryptographic objects are always stored safely within the confines of a Luna HSM. This section contains important information about how cloning works using specialized cryptographic secrets called domains. Each partition is initialized with a cloning domain that ensures that its objects can be cloned only to another partition sharing that domain. This is necessary for the partition to operate in a High-Availability group or perform backups. This section will help you plan a cloning domain configuration that works for your organization's deployment strategy.
10.Initializing the Application Partition
Initializing the partition creates the Partition Security Officer role and sets the partition's cloning domain.
NOTE If you prefer to set your partition policies using a template, refer to Setting Partition Policies Using a Template before initializing the partition.
11.Partition Capabilities and Policies
The Partition SO can set policies on the partition to configure its functionality. This section describes all the configurable policies on the partition and how to change them based on the desired functionality of your cryptographic applications.
•Setting Partition Policies Manually
•Setting Partition Policies Using a Template
While the Partition SO administers the partition by defining what functions are permitted, access to the objects on a partition are controlled by the read-write Crypto Officer (CO) and the read-only Crypto User (CU) roles. This section describes all the partition roles, and how to initialize and manage them.
