Thales Luna PCI-E Card
PAM can use the Thales Luna PCI-E HSM card for encryption and decryption of its stored credentials in place of its built-in cryptographic engine.
Supported Version
The following HSM version is supported:
- Model: K6 Base
- Firmware Version: 6.2.1
- Configuration: Luna PCI (PED) Signing with Cloning Mode
Privileged Access Manager can use the K6-based Thales Luna PCI-E HSM card for encryption and decryption of its stored credentials in place of its built-in cryptographic engine when fitted to a PAM model 304L hardware appliance. However, this optional configuration is no longer available for currently shipping PAM 404L hardware appliances.
Luna Preparation
The Luna PCI-E card is already installed and configured for Privileged Access Manager and a Thales Luna PED (PIN Entry Device). During the Configure Support for a Luna PCI-E Card procedure, you provide further configuration through the PED. Do the following preparation tasks before that time:
- Read at least the following sections in the Thales Luna PCI-E (here, 5.0) online help from their DVD. On the "START_HERE.html" page, select Product Documentation, Luna PCI 5.0 Help System, then navigate from the left Table of Contents:
  - Review the concepts about Trusted Path Authentication, and information about the PED and PED (USB) Keys. See E – Concepts, Trusted Path Authentication (options). Note: Determine how many (of the 10 supplied) PED Keys to use.
  - Review the steps that you take at the PED with the PED Keys. See A – Configuration, PED Authentication (Trusted Path) version. Note: Procedures that describe interaction with the LunaCM utility are no longer applicable – instead, Privileged Access Manager handles these steps. Configure Support for a Luna PCI-E Card describes the steps that you use in place of that CLI, with your PED and PED Key responses.
- Ensure that you have physical access to your Privileged Access Manager appliances.
- Ensure that you have your PED and blue, red, and black PED Keys available when you perform HSM configuration.
- Be aware of the effect of extended power loss.
Configure Support for a Luna PCI-E Card
Database Backup
Before configuring Privileged Access Manager to engage with the Luna appliance, back up the Privileged Access Manager database.
- Log in to Privileged Access Manager as an administrator (for example, as "super").
- Navigate to Configuration, Database.
- On the Database tab, select Save Database and Configuration. The page updates with a confirmation of the backup creation with the database and configuration filenames. Note the database filename, which is similar to: gkdatabase20130714124622.gz
- Select the database filename from the list, and select Download. The database is saved to your local workstation (or other location you select).
Use this file if you must recover your Privileged Access Manager database.
HSM Configuration
Use this procedure to prepare one Luna PCI-E equipped Privileged Access Manager appliance for Thales encryption use. After activation (as outlined in the following steps), the Luna PCI-E card is permanently configured for that Privileged Access Manager appliance. You cannot disengage an activated Luna card and start using the built-in Credential Manager cryptography instead. To cluster the use of PCI-E cards in a Privileged Access Manager appliance cluster, the following conditions must be true:
- All Privileged Access Manager appliances must be PCI-E equipped.
- You must cluster the PCI-E cards according to Configure a Cluster of Appliances with PCI-E on this page.
Follow these steps:
- Plug the PED device into the corresponding outlet on the PCI card interface in the back of the appliance.
- At the Privileged Access Manager GUI:
  - Log in to Privileged Access Manager as an administrator (for example, as "super").
  - Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration.
  - Select the INITIALIZE button on the Network Attached HSMs tab. You see a pop-up warning that you are about to erase the contents of the PCI card.
  - When you are ready to continue with following the PED instructions, select Yes.
- With your PED Keys, go back to where the PED interface is visible (attached to the PCI card on the Privileged Access Manager appliance). Perform the following Thales-specific steps. Take care in performing each step: the procedure is not reversible, and recovery can only be accomplished by repeating the entire procedure.
  - You are prompted several times for individual PED Keys. Perform key insertions and data entry as requested:
    - Creation of one (or more) Security Officer (SO) keys, each using a blue PED Key
    - Creation of a user partition, using a black PED Key. If you have multiple user keys, you can initialize them now.
    - Creation of a cloning domain key, using a red PED Key. The cloning feature is not used by Privileged Access Manager.
  - When the PED steps are complete, you are presented with a 16-byte challenge string.
  - Copy (by hand) the challenge string to a secure location. Be careful when copying this string – it is required to complete configuration in the Privileged Access Manager GUI. If you make a mistake copying this string or you lose it, you cannot recover it. You must then repeat the key creation procedures.
  - Select Enter, and then return to the Privileged Access Manager GUI.
- Return to the Privileged Access Manager GUI.
- Verify on the 3rd Party, LUNA PCI-E Configuration page that you see the following information:
  - At the top of the page, the response message: "Success initializing the internal LunaPCI-E card"
  - In the Network Attached HSMs tab, the Status is now "Initialized, Not Activated".
- Begin activation of the HSM:
  - On the LUNA PCI-E Configuration tab, select the ACTIVATE button on the Network Attached HSMs tab. On the dialog that appears, carefully enter the challenge string into the Password field. Do not include dashes.
  - Enter the password and confirm it in the corresponding fields and select OK.
  - Select Activate. A warning dialog appears, informing you that you are about to activate the Luna PCI-E device, and need your black PED Key ready.
  - When you are ready to proceed, select Yes.
- Return to the PED interface with your black PED Key and attach it to complete activation of the HSM.
- In the Privileged Access Manager GUI, verify on the 3rd Party, LUNA PCI-E Configuration page that you see the following items:
  - At the top of the page appears the response message: "Success activating the Luna PCI-E card on this [[primary | non primary] clustered | standalone] PAM"
- If this appliance is stand-alone, or the first member of a cluster, reboot the appliance. Do not reboot other members of the cluster until the procedure described in Configure a Cluster of Appliances with PCI-E is complete.
Configure a Cluster of Appliances with PCI-E
Multiple Privileged Access Manager appliances, each with an installed Luna PCI-E card, can be clustered together. To use Luna PCI-E with clustered appliances, follow these steps:
1. Perform a basic Privileged Access Manager clustering procedure. See the Set Up a Cluster page for details. Do not reboot cluster members after the first member until they complete the following procedure. During configuration of PCI-E functionality, each appliance knows whether it is a standalone device, first cluster member, or subsequent cluster member, and configures its HSM accordingly.
2. On the first member of the cluster GUI and appliance, initialize and activate the Luna PCI-E as outlined in HSM Configuration. For subsequent cluster members, perform the same procedure without rebooting upon completion. Do not reboot a cluster member until it completes the following procedure, unless it is the first member.
3. For subsequent cluster members, at the GUI:
   - Initialize and activate the Luna PCI-E as outlined in HSM Configuration, without rebooting.
   - On the LUNA PCI-E Configuration tab, select Get Public Key. In a moment, the key is displayed in the Public Key field.
   - Copy (to the buffer or a file location) the full content of the Public Key field. You might need to scroll the field to capture the full key.
   - Log out from this subsequent cluster member.
4. With the copied key (in your buffer or a file), log in to the first cluster member GUI:
   - Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration.
   - On the LUNA PCI-E Configuration tab, paste the copied key into the Public Key field.
   - Select Extract Key. You receive a message that you are about to "securely extract the encryption key", advising you to be ready with the blue (SO) PED Key.
5. Go to the back of the first cluster member appliance, attach the PED, and follow the instructions, including plugging in the blue key.
6. Return to the first cluster member GUI:
   - Confirm that a new key now appears in the Encrypted Key field.
   - Copy (to the buffer or a file location) the full content of the Encrypted Key field. You might need to scroll the field to capture the full key.
   - Log out from the first cluster member.
7. For the same subsequent cluster member that was used in step 3, and with the copied key, log in to the GUI:
   - Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration.
   - On the LUNA PCI-E Configuration tab, paste the copied key into the Encrypted Key field.
   - Select Insert Key.
   - You see these responses:
     - At the top of the page, the response message: "Success inserting the encrypted cipher key into the Luna PCI-E device"
     - The LUNA PCI-E Configuration fields are once again blank.
For each other member of the cluster, repeat steps 3 through 7.
Once Luna PCI-E is active, this status is displayed on the View System Information page.
Extended Power Loss Error
Thales Luna can cache partition credentials that can be retained through power interruptions. If you experience a two-hour power outage or some other event that flushes the cache, you might get this error after 5 minutes:
HSM must be reactivated. Connect the PED to the PCI-E and follow the instructions on it, using the BLACK key and PIN.
Then, you connect the PED and use the BLACK key and PIN. The first or second login attempt caches the PED key data successfully. The message might remain for a minute after the login page appears.
Hardware Factory Reset
This section describes how to reconfigure a Luna PCI-E card after an appliance has been reset to its factory settings.
If the Luna PCI-E card has not been initialized before a factory reset, see Configure Support for a Luna PCI-E Card.
If the PCI-E card has already been initialized and used before a factory reset, there is no need to reinitialize the embedded Luna PCI-E card after the reset. However, because the PAM server is a brand new instance after the reset, reconfigure it to access the card.
Follow these steps:
- Open the PAM UI and log in as an administrator (for example, as "super").
- Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration. Notice that the status is "Factory Reset (LunaPCI-E Activated, PAM Uninitialized)".
- Select the INITIALIZE button on the Network Attached HSMs tab. A dialog appears informing you that you are about to initialize PAM to use the existing contents.
- Select YES to continue. You do not need to use a PED device and PED keys because the PCI-E card was initialized before the appliance was reset.
- Navigate to 3rd Party, LUNA PCI-E Configuration and verify that you see the following items:
  - The following response message appears at the top of the page: "Success initializing PAM to use the LunaPCI-E card on this [[primary | non primary] clustered | standalone] PAM"
  - The PCI-E status is "Initialized and Activated"
- If the appliance is standalone, or the first member of a cluster, reboot the appliance. Do not reboot other members of the cluster until the procedure described in Configure a Cluster of Appliances with PCI-E is complete.