NOURA ALSHAREEF

Installing and Configuring the SafeNet Luna Network HSM Appliance


In our previous articles "HSM Overview" & "Exploring HSM Interactions: A Journey through SoftHSM", we provided an overview of HSMs and explored testing with SoftHSM. However, this time, we had the exciting opportunity to acquire a physical HSM appliance and work closely with the vendor to install it, set it up, and distribute responsibilities and roles within the system. So, even though the vendor provided assistance, we believe sharing our story will provide readers with insights and ideas for their own HSM implementations.


If your project involves installing an HSM, this article is for you. We will take you through the entire journey, starting from the procurement process. We understand that implementing an HSM can be a complex undertaking, and reading about others' experiences can be insightful and help you gain a better understanding of the process.


Note: some pictures of the SafeNet Luna Network HSM hardware are from the vendor website.


1- Procuring the SafeNet Luna Network HSM Appliance

Acquiring the SafeNet Luna Network HSM appliance was a crucial step in our implementation journey. It is important to note that the procurement process for an HSM can take 1-3 months due to factors such as availability and shipping logistics. We signed agreements with the vendor to ensure a smooth transaction and received the hardware, carefully inspecting it for any issues. We also prioritized training and knowledge transfer with the vendor. Understanding the HSM's capabilities and operation is crucial, so we scheduled training sessions to cover HSM administration, key management, and best practices for secure implementation. These steps ensured a well-prepared approach to incorporating the SafeNet Luna Network HSM appliance into our environment.

2- Responsibilities and Roles Distribution

Prior to the HSM setup, we carefully distributed responsibilities and roles among our team members. This process involved creating a comprehensive Roles and Responsibility document. We identified the necessary security officers (SO), domain officers (DO), partition officer (PO), and auditors, ensuring that each role had specific tasks and assigned access rights. By clearly delineating responsibilities, we established an effective framework for managing and securing the HSM system. This approach ensures that each team member understands their specific duties and contributes to the overall security and smooth operation of the HSM environment. Below is a simplified sample of the Roles and Responsibilities document:

R&R: Table of Roles (SO, DO, CO, RP, Auditor)

During the HSM setup process, the Roles and Responsibility document is essential, outlining the assigned roles and responsibilities for each team member involved. It is crucial to ensure that the document includes all relevant team members and clearly distinguishes between the Security Officers group and the Domain Officers group.


3- Key Concepts and Preparations for HSM Initialization


The next section will guide you through connecting to the HSM and initializing it. Before we delve into the details, let's explain some concepts:

  • NTP Server: To ensure accurate time synchronization for your HSM, it is essential to have an NTP (Network Time Protocol) server. This server retrieves precise time from a trusted source. It is likely that your organization has its own NTP server in place. I recommend reaching out to your organization to inquire about their NTP server and obtain the necessary details for configuring your HSM to synchronize with it.

  • Network Interfaces: The network device interfaces (eth0, eth1, eth2, and eth3) and serial port are located on the rear of the appliance, as illustrated in the below image.

Network Interfaces in HSM
  • NTLs: Network Trust Links (NTLs) are secure, authenticated network connections between the SafeNet Luna Network HSM appliance and clients. NTLs use two-way digital certificate authentication and TLS data encryption to protect your sensitive data during all communications between HSM partitions on the appliance and clients. In the "HSM Overview" article, we discussed HSM-client communications. The image below illustrates the process of establishing an NTLS connection between the client and the appliance.

Client-HSM Certificate Exchange

  • FIPS: Federal Information Processing Standards (FIPS) are a set of rigorous security standards developed by NIST for cryptographic modules. FIPS compliance is crucial for trusted PKIs, establishing a secure framework for cryptographic operations. Enabling FIPS mode on an HSM ensures adherence to these standards, providing higher assurance for sensitive operations and key management.


4- Hardware Installation and Setup


Before proceeding with the installation of the HSM appliance in the data center, it is highly recommended to perform the HSM initialization process in a private room. This ensures a controlled and conducive environment for the setup.

The setup process for an HSM can be time-consuming, involving various steps and configurations. It is important to provide your team with a comfortable workspace to carry out these tasks efficiently. Transferring the HSM to the data center after completing the setup helps minimize disruption and optimize workflow.


Prerequisites

To prepare for the setup in the private room, please ensure that you have the following prerequisites readily available:

  1. HSM appliance

  2. Dedicated laptop solely for HSM management (not used for any other purposes)

  3. Router

  4. Two power supply cords

  5. Local or remote Luna PED (Peripheral Equipment Device)

  6. Luna PED cable

  7. Set of PED keys and labels (colorful stickers)

  8. Pieces of paper

  9. Pen


Guide for Setting Up and Initializing an HSM


1- Power On

a. Insert the power and network cables into the rear panel of the HSM. For redundancy and reliability, connect the power cables to two independent power sources. The green LED on each power supply should light up when connected correctly.

HSM Power On

b. Connect the network cable to a router and your laptop.

c. If you have a multifactor-authenticated Luna Network HSM, connect the Luna PED directly to the HSM card's USB port on the rear panel using the USB-to-MiniUSB PED cable. Refer to the Local PED Setup for more details.

HSM USB port

d. Press and release the Start/Stop switch on the front panel.

HSM Start/Stop switch

e. Power Off (optional): To power off the HSM appliance locally, press and release the START/STOP switch. If the appliance doesn't shut off, press and hold the START/STOP switch for five seconds as an override for immediate shutoff. Never disconnect the power by pulling the plug; always use the START/STOP switch.


2- Download Luna Client (Lunash) on your dedicated laptop

To download the Luna Client software, follow the instructions provided by your HSM vendor either through their customer support portal or any other means they have specified.


3- Connect to the HSM using Lunash

Please follow the instructions provided by your HSM vendor for integrating the HSM with your dedicated management laptop.


4- Verify HSM Integrity after STM (Secure Transport Module)

a. Enter the random user string that was generated when the HSM was placed in STM, in the format XXXX-XXXX-XXXX-XXXX

hsm stm recover -randomuserstring [Type your random string here without brackets] 

b. The command takes some time to complete; it should then show “Verification String: Match the Value”


5- Check HSM Connectivity

Ping in both directions between the HSM and the client machine.

a. From the Lunash shell

network ping <client-ip>

b. From the user command prompt

ping <hsm-ip>

6- Set the time zone

a. Check the current time

status date 

b. If the displayed date is not correct, reconfigure it. The syntax of the time command is sysconf time hh:mm yyyymmdd; for example:

sysconf timezone set Asia/Riyadh
sysconf time 13:31 20200907

c. Verify the updated time

status date

7- Set the Hostname of the HSM

network hostname hsm01

8- Configure Network for HSM01

a. Check the gateway IP

network show

b. Configure the network interface bonding:

network interface bonding config -ip <hsm-ip> -netmask 255.255.255.0 -name bond0 -gateway <router-ip>
network interface bonding enable -name bond0  

c. Verify the network configuration

network show

9- Set the NTP server (Network Time Protocol)

a. Add the NTP servers' IPs

sysconf ntp addserver <ntp1-ip>
sysconf ntp addserver <ntp2-ip>

b. Verify the NTP servers' connectivity via ping:

network ping <ntp1-ip>
network ping <ntp2-ip>

10- Change PED (PIN Entry Device) Timeout

a. Check the current timeout setting

hsm ped timeout show

b. Set the timeout value

hsm ped timeout set -type pedk -seconds 600

c. Verify the updated timeout value

hsm ped timeout show

11- Generate Server Certificate

Check if the certificate has already been generated; if not, proceed to generate it

sysconf regenCert

12- Bind NTLS traffic

a. Bind NTLS to a specific interface (eth0, eth1, eth2, or eth3), to a bonded interface (bond0 or bond1), or to all interfaces

ntls bind all -force

b. Check the bound device/interface; it should show "NTLS is currently bound to IP Address: <ip> (eth0, bond0...)"

ntls show 

13- Initialize HSM and Key Initialization

a. Prepare the SO/Admin (blue) and SO Domain (red) PED keys.

b. Execute HSM initialization with a unique label for HSM identification

hsm init -label <label>

c. Follow the prompts to insert the blue PED key and initialize it.

  1. HSM cmd shows: “insert BLUE PED key”

  2. Plug the PED into the HSM card's USB port (at the back of the HSM). The PED screen shows “Token Found”

  3. The PED screen shows “would you like to reuse an existing keyset?”

  4. Select NO

  5. The PED screen shows “choose the M/N mechanism as your context”

  6. Insert the M number, then press enter

  7. Insert the N number, then press enter. Follow the same process as described above for the next blue keys, then for the red keys (steps 1-7).

  8. Then, the PED screen shows: "Insert an SO/HSM admin PED key (blue)."

  9. Plug in the blue key and press enter.

  10. The PED screen shows: "Overwrite?"

  11. For the first HSM in the cluster, choose YES. Otherwise, choose NO

  12. The PED screen shows: "Enter new PED PIN"

  13. Insert the PIN of the PED key

  14. Insert the PIN again for verification

  15. The PED screen shows: "Are you duplicating this keyset?"

  16. Select NO.

  17. The PED screen shows: "Awaiting command." The blue PED key is now initialized, so you can unplug the blue key from the PED. Follow the same process as described above with the red key (steps 8-17).

14- Secure Handling of PINs for Project Confidentiality


For the utmost security of the project, it is essential to follow strict procedures for handling PINs. First, write down all the PINs on paper and seal them in closed envelopes. Then, in the presence of the auditor, the responsible individual should hand over the sealed envelopes containing the PINs. Finally, the auditor should securely store these envelopes in a safe location, ensuring the confidentiality and protection of the sensitive information they contain.


15- Enable FIPS

a. Log in

hsm login

b. Disable HSM Non-FIPS policy:

hsm changepo -policy 12 -value 0

c. Check the HSM Non-FIPS policy (the "Allow non-FIPS" policy value should be set to 0)

hsm showp 

16- (Optional) Initialize the Remote PED


Your vendor will provide the commands for this, but keep in mind that the first time, the PED should be directly connected to the HSM.
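
The following is an added example, not part of the original article or the vendor's tooling: a small Python check that reads a saved LunaSH session and confirms the two verification results called for above, that NTLS is bound to the expected address (step 12) and that policy 12 is disabled (step 15). The transcript, its table layout, the IP address and the function names are constructed assumptions; real output differs by firmware version.

```python
import re

# Constructed sample session; the layout is an assumption, not captured output.
SAMPLE = """\
[hsm01] lunash:> ntls show
NTLS is currently bound to IP Address: 192.0.2.10 (bond0)
[hsm01] lunash:> hsm showp
Description                    Value    Code    Destructive
Allow cloning                  On       7       Yes
Allow non-FIPS algorithms      Off      12      Yes
Command Result : 0 (Success)
"""

PROMPT = re.compile(r"^(?:\[[^\]]*\]\s*)?lunash:>\s*(.+)$")
NTLS = re.compile(r"NTLS is currently bound to IP Address:\s*(\S+)")
POLICY = re.compile(r"^(.+?)\s{2,}(\S+)\s+(\d+)\s+(?:Yes|No)$")

def split_commands(transcript):
    """Map each command typed at the lunash:> prompt to its output lines."""
    out, current = {}, None
    for line in (l.strip() for l in transcript.splitlines()):
        if m := PROMPT.match(line):
            current = m.group(1).lower()
            out[current] = []
        elif current is not None and line:
            out[current].append(line)
    return out

def policy_value(lines, code):
    """Return the Value column for a policy code, or None if it is not listed."""
    for line in lines:
        if (m := POLICY.match(line)) and int(m.group(3)) == code:
            return m.group(2)
    return None

def audit(transcript, expected_ip):
    """Return findings; an empty list means both checks passed."""
    cmds, findings = split_commands(transcript), []
    bound = NTLS.search("\n".join(cmds.get("ntls show", [])))
    if bound is None:
        findings.append("ntls show: no binding reported")
    elif bound.group(1) != expected_ip:
        findings.append(f"ntls show: bound to {bound.group(1)}, expected {expected_ip}")
    value = policy_value(cmds.get("hsm showp", []), 12)
    if value is None:
        findings.append("hsm showp: policy 12 not found")
    elif value.lower() not in ("0", "off"):
        findings.append(f"hsm showp: policy 12 is {value}, non-FIPS algorithms allowed")
    return findings
```

Missing evidence is reported as a finding rather than treated as a pass, so an incomplete transcript cannot be mistaken for a compliant one.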

Congratulations! You have successfully set up and initialized an HSM, configured network settings, security policies, user roles, and imported keys. You can now leverage the HSM's secure capabilities for cryptographic operations! However, please note that the partitions have not been initialized yet. This step is crucial to tailor them specifically for your application or database. By completing this final step, you'll be able to fully leverage the secure capabilities of your HSM for cryptographic operations. Well done on reaching this milestone! I hope this article was informative. Thank you for reading! ♡
