Installing and Configuring Your New Luna USB HSM 7

This page will guide you through key concepts and procedures required to set up and begin using your new Luna USB HSM 7, including hardware installation, HSM initialization, client setup, and partition provisioning. These procedures are divided into operations at the level of the HSM and the partition.

>HSM Operations

>Partition/Client Operations

HSM Operations

This series of procedures will help you to install the Luna USB HSM 7 at a client system, along with the Luna HSM Client software, initialize the HSM, and configure it for the needs of your organization by creating an application partition on the HSM.

1.Luna USB HSM 7 Hardware Installation

This section describes how to verify that your Luna USB HSM 7 has remained secure while in transit, confirm that you have received all required items, and install the HSM in a host system.

a.Verifying the Integrity of Your Shipment

b.Luna USB HSM 7 Required Items

c.Installing the Luna USB HSM 7 Hardware

d.Luna USB HSM 7 Hardware Functions

2.Luna HSM Client Software Installation

To use the Luna USB HSM 7, you must first install Luna HSM Client on the client system. This section guides you through the client software installation procedure for your supported operating system, and provides information on configuring the client software for your organization's needs.

Windows Luna HSM Client Installation

Windows Interactive Luna HSM Client Installation

Linux Luna HSM Client Installation

3.Multifactor Quorum Authentication

You can initialize the Luna USB HSM 7 to use password or multifactor quorum authentication. Multifactor Quorum authentication credentials are stored on USB iKeys that must be presented to the Luna USB HSM 7 to authenticate the identities of HSM users. This section contains important information on creating, managing, and using iKeys, that you should know before initializing the HSM.

iKey Management Using Luna USB HSM 7

4.Secure Transport Mode

Your Luna USB HSM 7 was shipped in Secure Transport Mode (STM), to provide assurance that the HSM has not been modified while in transit. This section describes how STM works and provides instructions for recovering the HSM from this state before you can configure it for use.

5.Audit Logging

Each event that occurs on the HSM can be recorded in the HSM event log, allowing you to audit your HSM usage. These logs are controlled by a specialized Auditor role on the HSM. To ensure that your audit logs cover the HSM's entire span of use, your appointed Auditor should set up audit logging before you initialize the HSM. This section describes how to initialize the Auditor role and configure audit logging.

Configuring and Using Audit Logging

6.Initializing the Luna USB HSM 7

Initialization prepares a new HSM for use, and creates the HSM Security Officer role. You must initialize the HSM before you can generate or store objects, or perform cryptographic operations.

NOTE   If you prefer to set your HSM Policies using a template, refer to Setting HSM Policies Using a Template before initializing the HSM.

7.HSM Capabilities and Policies

The HSM SO can set policies on the HSM to configure its functionality. This section describes all the configurable policies on the HSM and how to change them to suit the needs of your organization.

Setting HSM Policies Manually

Setting HSM Policies Using a Template

8.Application Partitions

Next, the HSM SO must create the application partition, where cryptographic objects are stored. Your application(s) on the host system will query the application partition to perform cryptographic operations.

Creating the Application Partition

Partition/Client Operations

This series of procedures will help you configure the application partition for use with your cryptographic applications.

9.Domain Planning and Key Cloning

The Luna USB HSM 7 uses a protocol called cloning to ensure that your cryptographic objects are always stored safely within the confines of a Luna HSM. This section contains important information about how cloning works using specialized cryptographic secrets called domains. Each partition is initialized with a cloning domain that ensures that its objects can be cloned only to another partition sharing that domain. This is necessary for the partition to operate in a High-Availability group or perform backups. This section will help you plan a cloning domain configuration that works for your organization's deployment strategy.

10.Initializing the Application Partition

Initializing the partition creates the Partition Security Officer role and sets the partition's cloning domain.

NOTE   If you prefer to set your partition policies using a template, refer to Setting Partition Policies Using a Template before initializing the partition.

11.Partition Capabilities and Policies

The Partition SO can set policies on the partition to configure its functionality. This section describes all the configurable policies on the partition and how to change them based on the desired functionality of your cryptographic applications.

Setting Partition Policies Manually

Setting Partition Policies Using a Template

12.Partition Roles

While the Partition SO administers the partition by defining what functions are permitted, access to the objects on a partition are controlled by the read-write Crypto Officer (CO) and the read-only Crypto User (CU) roles. This section describes all the partition roles, and how to initialize and manage them.

a.Initializing the Crypto Officer and Crypto User Roles

b.Changing a Role Credential

c.Activation on Multifactor Quorum-Authenticated Partitions