Setting Up an HSM

Note: In the rest of this section, HID Global is providing instructions for using Thales (formerly Gemalto) SafeNet / Thales TCT (formerly SafeNet AT) Luna hardware and software. These instructions were written based on materials available to HID Global when this documentation was edited. You may need to adapt these steps based on the specific version of Thales SafeNet / Thales TCT Luna hardware and software that you are using. Please refer to the Thales SafeNet documentation or Thales Trusted Cyber Technologies Luna documentation applicable to your deployment in parallel to using this documentation.

Before you attempt to use the HSM with ActivID KMS, the HSM must first be initialized with the Thales / Thales TCT software (lunacm.exe).

  1. Go to the location of the lunacm.exe file in the LunaPCI directory.

    The Thales SafeNet PCIe / Thales TCT Luna PCI-E directory is created during the installation of the Thales / Thales TCT software (by default, the directory location is C:\Program Files\SafeNet\LunaClient).

  2. Launch lunacm.

Initializing an HSM

HSM initialization consists of assigning a label and a new password for the Security Officer (SO). In the following example, the default value is retained for the password (in an actual deployment, the new SO value would be different).

ActivID KMS is supposed to change the SO PIN each time the principal HSM (the first or main HSM; if you require multiple HSMs with the same master keys, use HSM manufacturer tools to duplicate the keys in the other HSM) is set up. In practice, this operation can fail if the initial SO PIN is not set to default. For initialization of the HSM using ActivID KMS, the SO PIN must remain unchanged from the factory settings.

See Using the HSM 'factoryreset' Command for details on how to reset the HSM to factory settings using the SafeNet hsm factoryreset command.

If needed, you can always change the SO PIN and assign an HSM label using the SafeNet lunacm command. A similar operation can be performed from ActivID KMS (where you change the SO password once ActivID KMS has initialized the PCI-E HSM).

To initialize the HSM, complete the following task:

  1. At the lunacm:> command prompt, enter the following command:

    hsm init -label "new label" -domain "new domain" -password "new password"

Note:
  • The -domain parameter is optional during an initialization request. The password must be sufficiently strong that it meets or complies with the FIPS (Federal Information Processing Standard) 140 policies. The HSM rejects any password that does not meet the FIPS 140 policies.

  • The partition password (known as Operator PIN in ActivID KMS) can be modified in ActivID KMS (however, the SO password cannot be modified in ActivID KMS).