The Thales Luna K7 Cryptographic Module is a Common Criteria certified HSM according to the Protection Profile (PP) EN 419 221-5 "Cryptographic Module for Trust Services". This HSM can be used with the Ascertia SAM appliance to produce qualified remote signatures and seals.

A new Crypto Source can be created in ADSS Server > Key Manager. Press the New button in the Crypto Source Screen to do so. The following form is presented:

The above page is described here:

Items

Description

Status

Set the status of this crypto profile. If the status is set to Inactive, it cannot be used to generate or read keys for cryptographic operations.

Friendly Name

Enter a friendly name for this HSM device. The name should be unique within this ADSS Server environment. Use a meaningful name for easy reference, e.g. Thales_Luna.

Crypto Source Vendor

Select Thales as the crypto source vendor.

Interface Type

This drop-down allows the operator to select the interface type for the Thales crypto source vendor, i.e. either Luna PKCS#11 or Luna EN 419221-5. Both are explained below:

  • Luna PKCS#11: It offers full support including management of key generation and PKCS#7/CSR handling.
  • Luna EN 419221-5: It allows EU eIDAS compliant Remote Qualified Signatures to be produced where the signatures are created on the Thales Luna K7 EN 419 221-5 Common Criteria certified HSM.

PKCS#11 Module

Enter the PKCS#11 driver library file name/complete path for this HSM device.

Note: To find the library name of your device, refer to the documentation of the driver or contact the HSM vendor support to find the library name.

Fetch Slots

When this button is clicked, the available slots within the PKCS#11 HSM are shown. The list of available slots will be shown in the next field i.e. Fetch Slot.

Note: If no slots are shown, then the HSM may not be initialized correctly – consult the HSM installation & usage guide.

PKCS#11 Slot

Select the appropriate PKCS#11 slot. The drop down lists all the available slots for the configured PKCS#11 module.

PKCS#11 PIN

Enter the PIN or password of the Slot initializer user e.g. USR_0000.

Note: The PIN is held securely in ADSS Server.

PKCS#11 Connection Pool Size

Enter the number of connections that will be maintained at any given time for this PKCS#11 device. The default value is 30.

PKCS#11 Monitoring Interval

Enter the monitoring interval in minutes used to periodically check whether the PKCS#11 device is alive. If the device is found to be not alive/available for any reason, an email alert can be sent, provided Hardware crypto source monitoring is enabled on the Key Manager > Alerts page.

Note: To generate the notification alerts, alerts should be enabled on the Global Settings > Alert Settings page.

Test Connection

This button is used to test communications with the configured hardware device.

Enable FIPS Mode

Thales Luna K7 is a FIPS compliant device and this mode must be enabled by selecting this checkbox.

Key Template

The drop-down contains a list of key templates configured in the Key Templates sub-module. Here, a Thales Safenet CC certified key template is attached from the drop-down. ADSS Server provides a default key template for the Thales Safenet CC certified HSM, i.e. 'Default Luna EN 419221-5 Key Template'. The operator can either attach the default key template or create a new Thales Safenet CC certified key template with the desired configuration.


Whenever the crypto source is changed, it is mandatory to restart the ADSS Server Windows or Unix services.
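Before filling in the PKCS#11 Module, PKCS#11 Slot and PKCS#11 PIN fields, an operator can check from the command line which slots the vendor library exposes and whether each token is initialized, which is the condition the Fetch Slots note refers to. The script below is an added example and is not part of ADSS Server or the Thales tooling; it assumes the third-party PyKCS11 package for live use, and the sample slot data and labels are constructed.

```python
# Added example: pre-flight check of the slots behind a PKCS#11 module.
import sys

# Token flag bits defined by the PKCS#11 standard (CK_TOKEN_INFO.flags).
CKF_USER_PIN_INITIALIZED = 0x00000008
CKF_TOKEN_INITIALIZED = 0x00000400
CKF_USER_PIN_FINAL_TRY = 0x00020000
CKF_USER_PIN_LOCKED = 0x00040000

def slot_problems(flags):
    """Return the reasons a token with these flags should not be selected."""
    problems = []
    if not flags & CKF_TOKEN_INITIALIZED:
        problems.append("token not initialized")
    if not flags & CKF_USER_PIN_INITIALIZED:
        problems.append("user PIN not set")
    if flags & CKF_USER_PIN_LOCKED:
        problems.append("user PIN locked")
    elif flags & CKF_USER_PIN_FINAL_TRY:
        problems.append("one PIN attempt left before lockout")
    return problems

def usable_slots(tokens):
    """tokens: iterable of (slot_id, label, flags); return ids with no problems."""
    return [slot for slot, _label, flags in tokens if not slot_problems(flags)]

def read_tokens(module_path):
    """Enumerate tokens through the vendor library (needs the PyKCS11 package)."""
    import PyKCS11  # imported here so the constructed sample runs without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    tokens = []
    for slot in lib.getSlotList(tokenPresent=True):
        info = lib.getTokenInfo(slot)
        tokens.append((slot, info.label.strip(), info.flags))
    return tokens

# Constructed sample data (not from a real HSM): a ready partition,
# an uninitialized slot, and a partition whose user PIN is locked.
SAMPLE = [
    (0, "adss-part", 0x040D),
    (1, "", 0x0001),
    (2, "old-part", 0x040D | CKF_USER_PIN_LOCKED),
]

if __name__ == "__main__":
    # Pass the same library path that goes into the PKCS#11 Module field.
    tokens = read_tokens(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for slot, label, flags in tokens:
        print(slot, label or "<no label>", slot_problems(flags) or "ok")
```

Run without arguments it evaluates the constructed sample; run with the library path it queries the device without logging in, so no PIN attempt is consumed.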


See also

PKCS#11 Standard

Utimaco CryptoServer CP5 HSM
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM
MS-CAPI/CNG
Importing Existing Keys