
Prerequisites

Hardware and software requirements

System requirements

To simplify the Secure Factory Service installation process, we provide the Secure Factory Node (sfn) CLI tool and the Root of Factories (rof) CLI tool.

To use these tools, the invoking user must be able to talk to the Docker daemon. Add your user to the Linux docker group on each node by running:

sudo usermod -aG docker $USER

The new group membership takes effect only in new login sessions, so log out and back in (or start a new session with newgrp docker) before running sfn or rof. Note that membership in the docker group is equivalent to root on that node, because a member can start containers that mount the host filesystem; grant it only to the accounts that need to run these tools. For more information about configuring Linux hosts to work with Docker, see https://docs.docker.com/engine/install/linux-postinstall/.

Any other user who wants to run sfn and rof commands must belong to the same primary group as the user who installs Secure Factory Service and must also belong to the Linux docker group on each node.

Alternatively, any user can run the sfn and rof tools as a root (sudo) user.

Connectivity requirements

The Secure Factory solution requires connectivity:

  • In the secure room:

    • TCP connectivity between Secure Factory Service instances for database access.
    • TCP connectivity between each Secure Factory Service instance and both HSMs.
    • HTTPS connectivity from each Secure Factory Service instance to Izuma Device Management.

  • From the factory floor to the secure room:

    • HTTPS connectivity from each workstation on the factory floor to each Secure Factory Service instance.

  • From remote offices to the secure room:

    • SSH connectivity to:
      • Each HSM instance for setup and configuration.
      • Each Secure Factory Service instance for initial installation and maintenance.
    • HTTPS connectivity to each Secure Factory Service for configuration.
    • VPN connectivity to each Secure Factory Service for remote assistance by your support team.
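A preflight check that encodes the host and connectivity prerequisites above, as an added example; it is not part of Izuma's sfn or rof tooling. It assumes, beyond what this page states, that the Luna appliances accept NTLS on TCP port 1792 and SSH on 22, that the Secure Factory Service instances serve HTTPS on 443, and that nc is installed on the node for the TCP probes:

```sh
# Added example, not Izuma's own tooling: preflight check for a Secure
# Factory Service node. Assumptions not stated on the page: Luna NTLS on
# TCP 1792, SSH on 22, HTTPS on 443, and 'nc' available for TCP probes.
#
# Usage on a node:
#   preflight "$USER" <install-user> "<hsm1-ip> <hsm2-ip>" "<sfs1> <sfs2>"

# user_in_group USER GROUP -- true if GROUP is among USER's groups.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# same_primary_group USER1 USER2 -- true if both users exist and share a
# primary GID (required for anyone running sfn/rof besides the installer).
same_primary_group() {
    g1=$(id -g "$1" 2>/dev/null) || return 1
    g2=$(id -g "$2" 2>/dev/null) || return 1
    [ "$g1" = "$g2" ]
}

# tcp_open HOST PORT [TIMEOUT] -- true if a TCP connection succeeds.
# Fails (rather than hangs) when nc is missing or the port is closed.
tcp_open() {
    nc -z -w "${3:-3}" "$1" "$2" >/dev/null 2>&1
}

# preflight USER INSTALL_USER "HSM1 HSM2" "SFS1 SFS2 ..."
# Prints one line per check; returns 1 if any check failed.
preflight() {
    user=$1 installer=$2 hsms=$3 sfs=$4 failed=0
    if user_in_group "$user" docker; then
        echo "ok   $user is in the docker group"
    else
        echo "FAIL $user not in docker group (run: sudo usermod -aG docker $user, then re-login)"
        failed=1
    fi
    if [ "$user" = "$installer" ] || same_primary_group "$user" "$installer"; then
        echo "ok   $user shares a primary group with $installer"
    else
        echo "FAIL $user primary group differs from $installer"
        failed=1
    fi
    for h in $hsms; do
        for p in 22 1792; do   # SSH for setup, NTLS for the Luna client
            if tcp_open "$h" "$p"; then
                echo "ok   HSM $h tcp/$p"
            else
                echo "FAIL HSM $h tcp/$p unreachable"
                failed=1
            fi
        done
    done
    for h in $sfs; do
        if tcp_open "$h" 443; then
            echo "ok   SFS $h tcp/443"
        else
            echo "FAIL SFS $h tcp/443 unreachable"
            failed=1
        fi
    done
    return $failed
}
```

Run it on each node as the account that will operate sfn and rof. A FAIL line for the docker group means the usermod step has not been applied or the session has not been restarted since; a FAIL on tcp/1792 to an HSM means the Luna client on that node will not be able to open NTLS even if SSH works.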

Setting up the HSMs

The configuration includes two HSMs. Be sure to note the IP addresses of the HSMs for later use.

Development note: To use an HSM emulator for development purposes, skip the HSM setup steps (this section).

To set up the two HSMs, perform the following steps on each of the HSM servers:

  1. Connect to the HSM server using SSH:

    $ ssh admin@<hsm-ip-address>
    lunash:>
    

    The appliance prompts you for the admin password, or asks you to set one if none has been set previously.

  2. Generate an HSM server certificate for NTLS communication with the Luna clients. Any Luna client that has already registered this appliance holds the previous certificate and must fetch and register the new one after this step:

    lunash:> sysconf regencert
    lunash:>
    
  3. Set the network hostname, then initialize the HSM with its label, HSM administrator (HSM SO) password and cloning domain. hsm init erases any partitions and keys already on the HSM, and the domain string must be identical on both HSMs if partitions are to be cloned or synchronized between them:

    lunash:> network hostname <new-hsm-hostname>
    lunash:> hsm init -label HSM_INT_LABEL -password <SCP/HSM server admin password> -domain <domain.com>
    lunash:>
    
  4. Disable the Secure Trusted Channel (STC) policy (policy 39) and NTLS client IP checking, then restart the affected services for the changes to take effect. With STC off, client connections are protected by NTLS (TLS) alone; with ipcheck off, the appliance no longer verifies that a connecting client's source address matches the address it was registered with, which is needed when clients reach the HSM through NAT but weakens the client binding, so segment the secure-room network accordingly:

    lunash:> hsm changePolicy -policy 39 -value 0
    lunash:> service restart cbs
    lunash:> ntls ipcheck disable
    lunash:> service restart ntls
    lunash:> service restart stc
    lunash:>
    

    For more information about STC, see the "Secure Trusted Channel (STC)" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.

  5. Create a partition on the HSM server:

    1. Log in to the HSM server and create a SECURE_FACTORY partition:

      lunash:> hsm login
      lunash:> partition create -p SECURE_FACTORY
      lunash:>
      

      Example printout:

      lunash:> hsm login
        Please enter the HSM Administrators' password:
        > *************
      'hsm login' successful.
      Command Result : 0 (Success)
      lunash:> par create -p SECURE_FACTORY
                Type 'proceed' to create the partition, or
                'quit' to quit now.
                > proceed
      'partition create' successful.
      lunash:>
      

      Enter the HSM administrators' password defined when you ran the hsm init command.

    2. Check the partition details:

      lunash:> par show
      

      Example printout:

      lunash:> par show  
      Partition Name:                            SECURE_FACTORY
      Partition SN:                              1428271376068
      Partition Label:
      Partition SO     is not initialized.
      Crypto Officer   is not initialized.
      Crypto User      is not initialized.
      Legacy Domain Has Been Set:                no
      Partition Storage Information (Bytes):     Total=409782, Used=0, Free=409782
      Partition Object Count:                    0
      lunash:>
      

      Make note of the Partition SN, which you need later to verify the partition in the Luna client. In the printout the Partition SO, Crypto Officer and Crypto User roles are all uninitialized: the partition cannot hold keys until the Partition SO is initialized and creates the Crypto Officer, which in Luna 7 is done from a registered client with lunacm rather than from lunash.

      For more information about the Partition Security Officer (SO) and Crypto Officer (CO) roles, see the "Partition Roles and Procedures" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.
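As an added example (not part of the Luna appliance or Izuma tooling), the following shell functions parse the text that par show prints, so the Partition SN of SECURE_FACTORY on each HSM can be recorded and compared mechanically rather than copied by hand, and so a partition whose roles are still uninitialized is caught before clients are registered against it. It assumes the lunash output has been captured to one text file per HSM (for example via your terminal's session logging), and uses the printout above as constructed sample input:

```sh
# Added example, not part of the Luna appliance or Izuma tooling.
# Parses saved 'lunash:> par show' output (format as printed above) so the
# Partition SN can be recorded per HSM and an uninitialized partition is
# detected before clients are registered against it.
# Assumption: the lunash output has been captured to a text file per HSM.

# Constructed sample input: the printout from this section, verbatim.
SAMPLE_PAR_SHOW='Partition Name:                            SECURE_FACTORY
Partition SN:                              1428271376068
Partition Label:
Partition SO     is not initialized.
Crypto Officer   is not initialized.
Crypto User      is not initialized.
Legacy Domain Has Been Set:                no
Partition Storage Information (Bytes):     Total=409782, Used=0, Free=409782
Partition Object Count:                    0'

# partition_sn FILE NAME -- print the SN of partition NAME; fail if absent.
# 'par show' lists every partition as a block starting with "Partition Name:",
# so the current block's name is tracked and only the matching block is read.
partition_sn() {
    awk -v want="$2" '
        /^Partition Name:/ { name = $3 }
        /^Partition SN:/ && name == want { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# role_state FILE NAME ROLE -- print "initialized" or "not initialized" for
# ROLE ("Partition SO", "Crypto Officer" or "Crypto User") of partition NAME.
role_state() {
    awk -v want="$2" -v role="$3" '
        /^Partition Name:/ { name = $3 }
        name == want && index($0, role) == 1 {
            state = ($0 ~ /not initialized/) ? "not initialized" : "initialized"
            print state
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# partition_ready FILE NAME -- succeed only when all three roles are initialized.
partition_ready() {
    for role in "Partition SO" "Crypto Officer" "Crypto User"; do
        [ "$(role_state "$1" "$2" "$role")" = "initialized" ] || return 1
    done
}

# record_sn FILE NAME LABEL -- emit one line "LABEL NAME SN" for a notes file,
# e.g. record_sn hsm1-par-show.txt SECURE_FACTORY hsm1 >> partition-sns.txt
record_sn() {
    sn=$(partition_sn "$1" "$2") || { echo "$3: no partition $2 in $1" >&2; return 1; }
    echo "$3 $2 $sn"
}
```

Each HSM assigns its own SN, so the two recorded values are expected to differ; what must agree is that both files list a SECURE_FACTORY partition and, once the client-side initialization has been done, that partition_ready succeeds for both.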