Thales Luna PCI-E Card

PAM can use the Thales Luna PCI-E HSM card for encryption and decryption of its stored credentials in place of its built-in cryptographic engine.
Supported Version
The following HSM version is supported:
  • Model: K6 Base
  • Firmware Version: 6.2.1
  • Configuration: Luna PCI (PED) Signing with Cloning Mode
Privileged Access Manager can use the K6-based Thales Luna PCI-E HSM card for encryption and decryption of its stored credentials in place of its built-in cryptographic engine when fitted to a PAM model 304L Hardware appliance. However, this optional configuration is no longer available for currently shipping PAM 404L hardware appliances.
Luna Preparation
The Luna PCI-E card is already installed and configured for Privileged Access Manager and a Thales Luna PED (PIN Entry Device). During the Configure Support for a Luna PCI-E Card procedure, you provide further configuration through the PED. Do the following preparation tasks before that time:
  • Read at least the following sections in the Thales Luna PCI-E (here, 5.0) online help from their DVD: on the "START_HERE.html" page, select Product Documentation, Luna PCI 5.0 Help System, then navigate from the left Table of Contents:
    • Review the concepts about Trusted Path Authentication, and information about the PED and PED (USB) Keys. See E – Concepts, Trusted Path Authentication (options).
      Note: Determine how many (of the 10 supplied) PED Keys to use.
    • Review the steps that you take at the PED with the PED Keys. See A – Configuration, PED Authentication (Trusted Path) version.
      Note: Procedures that describe interaction with the LunaCM utility are no longer applicable; instead, Privileged Access Manager handles these steps. Configure Support for a Luna PCI-E Card describes the steps that you use in place of that CLI, with your PED and PED Key responses.
  • Ensure that you have physical access to your Privileged Access Manager appliances.
  • Ensure that you have your PED and blue, red, and black PED Keys available when you perform HSM configuration.
  • Be aware of the effect of extended power loss (see Extended Power Loss Error).
Configure Support for a Luna PCI-E Card
Database Backup
Before configuring Privileged Access Manager to engage with the Luna PCI-E card, back up the Privileged Access Manager database.
  1. Log in to Privileged Access Manager as an administrator (for example, as "super").
  2. Navigate to Configuration, Database.
  3. On the Database tab, select Save Database and Configuration.
    The page updates with a confirmation of the backup creation with the database and configuration filenames. Note the database filename, which is similar to: gkdatabase20130714124622.gz
  4. Select the database filename from the list, and select Download.
    The database is saved to your local workstation (or other location you select).
Use this file if you must recover your Privileged Access Manager database.
HSM Configuration
Use this procedure to prepare one Luna PCI-E equipped Privileged Access Manager appliance for Thales encryption use.
After activation (as outlined in the following steps), the Luna PCI-E card is permanently configured for that Privileged Access Manager appliance. You cannot disengage an activated Luna card and start using the built-in Credential Manager cryptography instead.
To cluster the use of PCI-E cards in a Privileged Access Manager appliance cluster, the following conditions must be true:
Follow these steps:
  1. Plug the PED device into the corresponding outlet on the PCI card interface in the back of the appliance.
  2. At the Privileged Access Manager GUI:
    1. Log in to Privileged Access Manager as an administrator (for example, as "super").
    2. Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration.
    3. Select the INITIALIZE button on the Network Attached HSMs tab. You see a pop-up warning that you are about to erase the contents of the PCI card.
    4. When you are ready to continue with following the PED instructions, select Yes.
  3. With your PED Keys, go back to where the PED interface is visible (attached to the PCI card on the Privileged Access Manager appliance). Perform the following Thales-specific steps:
    Take care in performing each step. The procedure is not reversible, and recovery can only be accomplished by repeating the entire procedure.
    1. You are prompted several times for individual PED Keys. Perform key insertions and data entry as requested:
      • Creation of one (or more) Security Officer (SO) keys, each using a blue PED Key.
      • Creation of a user partition, using a black PED Key. If you have multiple user keys, you can initialize them now.
      • Creation of a cloning domain key, using a red PED Key. The cloning feature is not used by Privileged Access Manager.
      • When the PED steps are complete, you are presented with a 16-byte challenge string.
    2. Copy (by hand) the challenge string to a secure location.
      Be careful when copying this string: it is required to complete configuration in the Privileged Access Manager GUI. If you make a mistake copying this string or you lose it, you cannot recover it. You must then repeat the key creation procedures.
    3. Select Enter, and then return to the Privileged Access Manager GUI.
  4. Return to the Privileged Access Manager GUI.
  5. Verify on the 3rd Party, LUNA PCI-E Configuration page that you see the following information:
    • At the top of the page, the response message: "Success initializing the internal LunaPCI-E card"
    • In the Network Attached HSMs tab, the Status is now "Initialized, Not Activated".
  6. Begin activation of the HSM:
    1. On the LUNA PCI-E Configuration tab, select the ACTIVATE button on the Network Attached HSMs tab.
      On the dialog that appears, carefully enter the challenge string into the Password field. Do not include dashes.
    2. Enter the password and confirm it in the corresponding fields and select OK.
    3. Select Activate.
      A warning dialog appears, informing you that you are about to activate the Luna PCI-E device, and need your black PED Key ready.
    4. When you are ready to proceed, select Yes.
  7. Return to the PED interface with your black PED Key and attach it to complete activation of the HSM.
  8. In the Privileged Access Manager GUI, verify on the 3rd Party, LUNA PCI-E Configuration page that you see the following item:
    • At the top of the page, the response message: "Success activating the Luna PCI-E card on this [[primary | non primary] clustered | standalone] PAM"
  9. If this appliance is stand-alone, or the first member of a cluster, reboot the appliance.
    Do not reboot other members of the cluster until the procedure described in Configure a Cluster of Appliances with PCI-E is complete.
Configure a Cluster of Appliances with PCI-E
Multiple Privileged Access Manager appliances, each with an installed Luna PCI-E card, can be clustered together. To use Luna PCI-E with clustered appliances, follow these steps:
  1. Perform a basic Privileged Access Manager clustering procedure. See the Set Up a Cluster page for details. Do not reboot cluster members after the first member until they complete the following procedure.
    During configuration of PCI-E functionality, each appliance knows whether it is a standalone device, first cluster member, or subsequent cluster member, and configures its HSM accordingly.
  2. On the first member of the cluster GUI and appliance, initialize and activate the Luna PCI-E as outlined in HSM Configuration. For subsequent cluster members, perform the same procedure without rebooting upon completion.
    Do not reboot a cluster member until it completes the following procedure, unless it is the first member.
  3. For subsequent cluster members, at the GUI:
    1. Initialize and activate the Luna PCI-E as outlined in HSM Configuration, without rebooting.
    2. On the LUNA PCI-E Configuration tab, select Get Public Key. In a moment, the key is displayed in the Public Key field.
    3. Copy (to the buffer or a file location) the full content of the Public Key field. You might need to scroll the field to capture the full key.
    4. Log out from this subsequent cluster member.
  4. With the copied key (in your buffer or a file), log in to the first cluster member GUI:
    1. Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration.
    2. On the LUNA PCI-E Configuration tab, paste the copied key into the Public Key field.
    3. Select Extract Key. You receive a message that you are about to "securely extract the encryption key", advising you to be ready with the blue (SO) PED Key.
  5. Go to the back of the first cluster member appliance, attach the PED, and follow the instructions, including plugging in the blue key.
  6. Return to the first cluster member GUI:
    1. Confirm that a new key now appears in the Encrypted Key field.
    2. Copy (to the buffer or a file location) the full content of the Encrypted Key field. You might need to scroll the field to capture the full key.
    3. Log out from the first cluster member.
  7. For the same subsequent cluster member that was used in step 3, and with the copied key, log in to the GUI:
    1. Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration.
    2. On the LUNA PCI-E Configuration tab, paste the copied key into the Encrypted Key field.
    3. Select Insert Key.
    4. You see these responses:
      • At the top of the page, the response message: "Success inserting the encrypted cipher key into the Luna PCI-E device"
      • The LUNA PCI-E Configuration fields are once again blank.
For each other member of the cluster, repeat Steps 3 through 7.
Once Luna PCI-E is active, this status is displayed on the View System Information page.
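The following Go program is an added illustration, not PAM's or Thales's code, of why the cluster procedure above moves a public key in one direction and an encrypted key back: the first member's database cipher key is wrapped under the subsequent member's public key, so the Public Key and Encrypted Key fields (and the operator's clipboard) never carry the key in the clear. The page does not state which algorithm PAM uses; RSA-OAEP, the label string and the 32-byte cipher key here are assumptions chosen for the model.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// label is a constructed OAEP context string, not a PAM or Thales value.
var label = []byte("pam-cluster-cipher-key")

// Member stands in for one appliance's HSM: priv and cipherKey never leave it.
type Member struct {
	priv      *rsa.PrivateKey
	cipherKey []byte // held by the first member; learned by subsequent members
}

func NewMember(cipherKey []byte) (*Member, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Member{priv: priv, cipherKey: cipherKey}, nil
}

// GetPublicKey models "Get Public Key": only the public half leaves the HSM.
func (m *Member) GetPublicKey() *rsa.PublicKey { return &m.priv.PublicKey }

// ExtractKey models "Extract Key": wraps the cipher key under the pasted public key.
func (m *Member) ExtractKey(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m.cipherKey, label)
}

// InsertKey models "Insert Key": only the holder of the matching private key can unwrap.
func (m *Member) InsertKey(wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, m.priv, wrapped, label)
	if err == nil {
		m.cipherKey = key
	}
	return err
}

// RunExchange walks steps 3 through 7 and reports whether sub now holds first's key.
func RunExchange(first, sub *Member) (bool, error) {
	wrapped, err := first.ExtractKey(sub.GetPublicKey())
	if err == nil {
		err = sub.InsertKey(wrapped)
	}
	return err == nil && string(first.cipherKey) == string(sub.cipherKey), err
}
```

A blob extracted for one member fails to insert on any other member, which is why step 7 must be done on the same subsequent member whose public key was copied in step 3.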
Extended Power Loss Error
Thales Luna can cache partition credentials that can be retained through power interruptions. If you experience a two-hour power outage or some other event that flushes the cache, you might get this error after 5 minutes:
HSM must be reactivated. Connect the PED to the PCI-E and follow the instructions on it, using the BLACK key and PIN.
Then, you connect the PED and use the BLACK key and PIN. The first or second login attempt caches the PED key data successfully. The message might remain for a minute after the login page appears.
Hardware Factory Reset
This section describes how to reconfigure a Luna PCI-E card after an appliance has been reset to its factory settings.
If the Luna PCI-E card has not been initialized before a factory reset, see Configure Support for a Luna PCI-E Card.
If the PCI-E card has already been initialized and used before a factory reset, there is no need to reinitialize the embedded Luna PCI-E card after reset. However, because the PAM server has become a brand new instance after reset, reconfigure it to access the card.
Follow these steps:
  1. Open the PAM UI and log in as an administrator (for example, as "super").
  2. Navigate to Configuration, 3rd Party, LUNA PCI-E Configuration. Notice that the status is "Factory Reset (LunaPCI-E Activated, PAM Uninitialized)".
  3. Select the INITIALIZE button on the Network Attached HSMs tab. A dialog appears informing you that you are about to initialize PAM to use existing contents.
  4. Select YES to continue. You do not need to use a PED device and PED keys because the PCI-E card was initialized before the appliance was reset.
  5. Navigate to 3rd Party, LUNA PCI-E Configuration and verify that you see the following items:
    • The following response message appears at the top of the page: "Success initializing PAM to use the LunaPCI-E card on this [[primary | non primary] clustered | standalone] PAM"
    • The PCI-E status is "Initialized and Activated".
  6. If the appliance is standalone, or the first member of a cluster, reboot the appliance. Do not reboot other members of the cluster until the procedure described in Configure a Cluster of Appliances with PCI-E is complete.