Below is a quick start guide to setting up your Safenet (Luna) SA5 network attached Hardware Security Modules (HSMs)
Note: First step is to connect to the HSM using a serial Interface and putty (8N1, 115200). Default user/password are ADMIN/PASSWORD
Configure Luna SA Networking
|
|
Command
|
Notes/Comments |
| lunash:> sysconf timezone set US/Central | US/ [Alaska, Aleutian, Arizona, Central, Eastern, East-Indiana, Hawaii, Indiana-Starke, Michigan, Mountain, Pacific, Samoa]
|
| lunash:> sysconf time HH:MM YYYYMMDD
|
|
| lunash:> net show
|
Displays the network configuration |
| lunash:> net hostname <hostname>
|
Sets the hostname for HSM |
| lunash:> net domain <domainname>
|
|
| lunash:> net dns add nameserver <ip address>
|
|
| lunash:> net dns add searchdomain <domain name>
|
Ex: zionclouds.com |
| lunash:> net int static -dev eth0 -ip <ip address>
-netmask <net mask> -gateway <gw ip>
|
|
| lunash:> net ping 1.1.2.2 | Test network connectivity to external IP
|
| lunash:> sysconf ntp addserver <hostname or ip address>
|
|
| lunash:> sysconf ntp enable
|
|
| lunash:> sysconf ntp status
|
|
Generate New HSM Server Certificate
|
|
Command
|
Notes/Comments |
| lunash:> sysconf regenCert
|
Generate HSM Certificate |
| lunash:> ntls bind eth0
|
Note: Whenever HSM IP is changed you need to make sure to create and bind HSM certificate.
|
| lunash:> ntls show
|
View the status of NTLS, verify it is bound to the eth interface
|
Initialize HSM and setup policies
|
|
Command |
Notes/Comments |
| *** If using MofN on any of the PED key roles, make sure to first increase the pED timeout values
lunash:> hsm PED timeout show
lunash:> hsm PED timeout set -type pedk -seconds 300
|
Generate HSM Certificate
Timeout value of 300 secs should be enough |
| lunash:> hsm init -label <HSM Label> | New for SA5, each role can have M of N. Refer to PED to generate mofn. Note: Security Officer key set can be changed later on. Domain Admin ( red key set) M of N settings cannot be changed later.
|
| lunash:> hsm changePolicy -policy 12 –v 0 | Policy 12 control non-FIPS compliant algorithms
|