Quick Start to Safenet SA5 HSMs – Part1

4 Jan 2017


Below is a quick start guide to setting up your Safenet (Luna) SA5 network-attached Hardware Security Modules (HSMs).

Note: The first step is to connect to the HSM over the serial interface using PuTTY (8N1, 115200). The default user/password is ADMIN/PASSWORD.

Configure Luna SA Networking

| Command | Notes/Comments |
| --- | --- |
| `lunash:> sysconf timezone set US/Central` | Available US/ zones: Alaska, Aleutian, Arizona, Central, Eastern, East-Indiana, Hawaii, Indiana-Starke, Michigan, Mountain, Pacific, Samoa |
| `lunash:> sysconf time HH:MM YYYYMMDD` | |
| `lunash:> net show` | Displays the network configuration |
| `lunash:> net hostname <hostname>` | Sets the hostname for the HSM |
| `lunash:> net domain <domainname>` | |
| `lunash:> net dns add nameserver <ip address>` | |
| `lunash:> net dns add searchdomain <domain name>` | Ex: zionclouds.com |
| `lunash:> net int static -dev eth0 -ip <ip address> -netmask <net mask> -gateway <gw ip>` | |
| `lunash:> net ping 1.1.2.2` | Test network connectivity to an external IP |
| `lunash:> sysconf ntp addserver <hostname or ip address>` | |
| `lunash:> sysconf ntp enable` | |
| `lunash:> sysconf ntp status` | |

Generate New HSM Server Certificate

| Command | Notes/Comments |
| --- | --- |
| `lunash:> sysconf regenCert` | Generate HSM certificate |
| `lunash:> ntls bind eth0` | Note: whenever the HSM IP is changed you need to make sure to create and bind the HSM certificate again. |
| `lunash:> ntls show` | View the status of NTLS; verify it is bound to the eth interface |

Initialize HSM and set up policies

*** If using MofN on any of the PED key roles, make sure to first increase the PED timeout values.

| Command | Notes/Comments |
| --- | --- |
| `lunash:> hsm PED timeout show` | |
| `lunash:> hsm PED timeout set -type pedk -seconds 300` | A timeout value of 300 secs should be enough |
| `lunash:> hsm init -label <HSM Label>` | New for SA5: each role can have M of N. Refer to the PED to generate the M of N key set. Note: the Security Officer key set can be changed later on; the Domain Admin (red key set) M of N settings cannot be changed later. |
| `lunash:> hsm changePolicy -policy 12 -v 0` | Policy 12 controls non-FIPS compliant algorithms |
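The three tables above depend on ordering: networking before the certificate, `sysconf regenCert` and `ntls bind` after any IP change, and the PED timeout raised before `hsm init` when MofN is used. The following is an added Python example (not Safenet/Gemalto code) that turns a small setup plan into the lunash command sequence in that order and refuses inconsistent input; the `Sa5Plan` fields, the `HSM-LAB-01` label and all addresses are constructed.

```python
# Added example, not Safenet code: emit the quick-start lunash commands in the order the page requires.
import ipaddress
from dataclasses import dataclass
US_ZONES = {"Alaska", "Aleutian", "Arizona", "Central", "Eastern", "East-Indiana", "Hawaii",
            "Indiana-Starke", "Michigan", "Mountain", "Pacific", "Samoa"}  # zones listed on the page
@dataclass
class Sa5Plan:
    hostname: str
    domain: str
    ip: str
    netmask: str
    gateway: str
    dns: tuple = ()            # nameserver IPs
    ntp: tuple = ()            # NTP servers
    timezone: str = "Central"
    hsm_label: str = "HSM-LAB-01"  # constructed label
    uses_mofn: bool = False        # any PED role split M of N?
    ped_timeout: int = 300         # seconds; the page says 300 is enough

def validate(plan):
    """Return problems found; an empty list means the plan is consistent."""
    errors = []
    if plan.timezone not in US_ZONES:
        errors.append(f"unknown timezone US/{plan.timezone}")
    try:
        net = ipaddress.IPv4Interface(f"{plan.ip}/{plan.netmask}").network
        if ipaddress.IPv4Address(plan.gateway) not in net:
            errors.append(f"gateway {plan.gateway} not in {net}")
    except ValueError as exc:
        errors.append(f"bad address or netmask: {exc}")
    if plan.uses_mofn and plan.ped_timeout < 300:
        errors.append("MofN in use: raise PED timeout to 300 s before hsm init")
    return errors

def render(plan):
    """Ordered lunash commands: networking, then cert and NTLS bind, then HSM init."""
    if errors := validate(plan):
        raise ValueError("; ".join(errors))
    cmds = [f"sysconf timezone set US/{plan.timezone}",
            f"net hostname {plan.hostname}", f"net domain {plan.domain}"]
    cmds += [f"net dns add nameserver {ns}" for ns in plan.dns]
    cmds += [f"net dns add searchdomain {plan.domain}",
             f"net int static -dev eth0 -ip {plan.ip} -netmask {plan.netmask} -gateway {plan.gateway}"]
    cmds += [f"sysconf ntp addserver {s}" for s in plan.ntp] + ["sysconf ntp enable"]
    # The server cert is tied to the IP, so regenerate and rebind only after net int static.
    cmds += ["sysconf regenCert", "ntls bind eth0", "ntls show"]
    if plan.uses_mofn:  # PED timeout must be raised before the init prompts start
        cmds.append(f"hsm PED timeout set -type pedk -seconds {plan.ped_timeout}")
    cmds.append(f"hsm init -label {plan.hsm_label}")
    return cmds
```

Each returned string is typed at the `lunash:>` prompt; `validate` alone is useful as a pre-flight check before touching a production unit.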

 
