25 Aug 2020
Below is a quick start guide to setting up your SafeNet (Luna) SA5 network-attached Hardware Security Modules (HSMs).

Note: The first step is to connect to the HSM over a serial interface using PuTTY (8N1, 115200). The default user/password are ADMIN/PASSWORD.

Configure Luna SA Networking

| Command | Notes/Comments |
| --- | --- |
| `lunash:> sysconf timezone set US/Central` | US/ options: Alaska, Aleutian, Arizona, Central, Eastern, East-Indiana, Hawaii, Indiana-Starke, Michigan, Mountain, Pacific, Samoa |
| `lunash:> sysconf time HH:MM YYYYMMDD` | |
| `lunash:> net show` | Displays the network configuration |
| `lunash:> net hostname <hostname>` | Sets the hostname for the HSM |
| `lunash:> net domain <domainname>` | |
| `lunash:> net dns add nameserver <ip address>` | |
| `lunash:> net dns add searchdomain <domain name>` | Ex: zionclouds.com |
| `lunash:> net int static -dev eth0 -ip <ip address> -netmask <net mask> -gateway <gw ip>` | |
| `lunash:> net ping 1.1.2.2` | Test network connectivity to an external IP |
| `lunash:> sysconf ntp addserver <hostname or ip address>` | |
| `lunash:> sysconf ntp enable` | |
| `lunash:> sysconf ntp status` | |

Generate New HSM Server Certificate

| Command | Notes/Comments |
| --- | --- |
| `lunash:> sysconf regenCert` | Generate HSM certificate |
| `lunash:> ntls bind eth0` | Note: Whenever the HSM IP is changed, you need to make sure to create and bind the HSM certificate. |
| `lunash:> ntls show` | View the status of NTLS; verify it is bound to the eth interface |

Initialize HSM and setup policies

*** If using MofN on any of the PED key roles, make sure to first increase the PED timeout values.

| Command | Notes/Comments |
| --- | --- |
| `lunash:> hsm PED timeout show` | |
| `lunash:> hsm PED timeout set -type pedk -seconds 300` | Timeout value of 300 secs should be enough |
| `lunash:> hsm init -label <HSM Label>` | New for SA5: each role can have M of N. Refer to the PED to generate MofN. Note: The Security Officer key set can be changed later on. Domain Admin (red key set) M of N settings cannot be changed later. |
| `lunash:> hsm changePolicy -policy 12 -v 0` | Policy 12 controls non-FIPS-compliant algorithms |