TPD and disaster recovery with HSM

  • Question

  • Hi all,

    Perhaps I can get help here. I have been searching for a week for information on how to set up ADRMS TPD with a Safenet Luna SA network HSM. I can only find information like "if using an HSM, ask the manufacturer how to export keys". Well, I know how to export them to another HSM. What's missing is an idea of how I can get it imported into another RMS in order to set up TPD. It looks like ADRMS expects the private key to be in a file, which makes no sense if using an HSM.

    I think, the question is kind of related to the one how to perform a disaster recovery, if the private key is on an HSM.

    Is anyone able to help me with this?

    Thanks in advance.... Martin

    Tuesday, October 26, 2010 9:00 AM

Answers

  • Hi Chris,

    Sorry for the late reply. I was not online here for a while.

    You are right with your assumption that in the case of an HSM only a reference to the key is exported. I had a look at the RMS DB after importing a TPD key. Only the Key ID and the CSP name are used.

    Anyhow. I can set it up, e.g. using the same HSM partition of a Safenet HSM, but after defining the TPD trust, both of them stop working. I get "private key mismatch" messages.

    One could assume this is because the HSM now has more than one key on the same partition, but that is not the cause. Without TPD defined, both of them find their own key even though there are others available. After setting up TPD, both no longer even find their own keys. The TPD setup did not change any object on the HSM itself.

    I will update, if I get news.

    Regards...Martin

    Wednesday, March 9, 2011 3:16 PM

All replies

  • Hi Martin,

    I never had the chance to work with a Safenet Luna, but I am using a Thales nShield Connect in a project. The disaster recovery tests are still to come, but here is my understanding of it:

    If you're using a CSP to store your SLC, RMS internally uses a reference to the CSP. This reference is also what the RMS MMC exports instead of the SLC.

    So in an import scenario there are two possible ways:

    1.) The new RMS installation where the SLC is to be imported has access to the very same HSM, and all you have to make sure is that the CSP on the new RMS cluster understands the reference.

    2.) If your HSM is set up to allow importing of certificates (which makes it non-FIPS-3 compliant, or was that exporting?)... well, I guess you have to create a reference to the new HSM which the CSP makes available to the RMS... maybe by editing the exported reference (not sure if it is signed or something). I guess only Safenet and HSM-experienced RMS pros can help you on this.

    Those are my assumptions. Would be great to hear what your solution is.

    Regards
    Chris

    Wednesday, November 17, 2010 11:44 AM
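
    The following PowerShell script is an added example and is not part of the thread or of any vendor or Microsoft documentation. It checks the first precondition described in the reply above on a rebuilt AD RMS node: that the CSP named in the exported key reference is registered on the new server, and that the key container the reference points at is visible through that CSP. The provider name and container name are placeholders and must be replaced with the CSP name and Key ID that the export actually recorded; the script uses only `certutil -csplist` and `certutil -csp <provider> -key`.

    ```powershell
    # Added example (not from the original post): verify that the CSP named in an
    # exported AD RMS key reference is registered on this server and that the key
    # container it points at is visible through that CSP.
    # Run in an elevated PowerShell session on the rebuilt AD RMS node.
    # The provider and container names are assumptions; replace them with the
    # CSP name and Key ID recorded in your export.
    param(
        [string]$CspName       = 'Luna Cryptographic Services for Microsoft Windows',  # assumed
        [string]$ContainerName = 'ADRMS-SLC-Key'                                        # assumed
    )

    function Get-RegisteredCsps {
        # certutil -csplist prints one "Provider Name: <name>" line per CSP/KSP.
        certutil -csplist 2>&1 | ForEach-Object {
            if ($_ -match '^\s*Provider Name:\s*(.+)$') { $Matches[1].Trim() }
        }
    }

    function Test-KeyContainerVisible {
        param([string]$Csp, [string]$Container)
        # certutil -csp <provider> -key enumerates the machine key containers the
        # provider can see. For an HSM-backed CSP this is what RMS has to resolve.
        $out = certutil -csp $Csp -key 2>&1 | Out-String
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil could not enumerate keys via '$Csp':`n$out"
            return $false
        }
        return ($out -match [regex]::Escape($Container))
    }

    $csps = @(Get-RegisteredCsps)
    if ($csps -notcontains $CspName) {
        Write-Host "FAIL: CSP '$CspName' is not registered on this server." -ForegroundColor Red
        Write-Host "Registered providers:`n  $($csps -join "`n  ")"
        exit 1
    }
    Write-Host "OK: CSP '$CspName' is registered."

    if (Test-KeyContainerVisible -Csp $CspName -Container $ContainerName) {
        Write-Host "OK: key container '$ContainerName' is visible via '$CspName'." -ForegroundColor Green
    } else {
        Write-Host "FAIL: key container '$ContainerName' was not found via '$CspName'." -ForegroundColor Red
        Write-Host "Check that the HSM client software is installed, the partition is assigned to this host, and the key object exists on it."
        exit 1
    }
    ```

    Both checks passing only shows that the reference can be resolved by the provider on the new node; it does not exercise the key with an RMS signing operation, so a "private key mismatch" as reported later in this thread can still occur after the import.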
  • Hey folks, just an update worth mentioning. In general, the HSM vendor-specific guidance (such as from either Safenet or Thales in these cases) needs to be followed to make an HSM device work with AD RMS, but we do have some general guidance available on using HSMs with AD RMS that is now available here: Using AD RMS with Hardware Security Modules (http://technet.microsoft.com/en-us/library/jj651024.aspx).

    Hope that helps!


    Brad Mahugh
    Senior Technical Writer
    AD information eXperience (iX)
    Microsoft Corporation
    ------------------------
    This post is provided "AS IS" and confers no promises of current or future technical support for a specific support issue. Please use Microsoft product support if you need a service commitment for your current support case or issue. If this answer has been helpful to you, please "Propose as Answer" as that will enable me to better know I have helped you or inform others that this reply can be useful to them should they have a similar question or issue.


    Wednesday, December 12, 2012 8:35 PM