2.2 What is needed?

2.2.1 SHA256 support

MyID has been tested using SHA256 for the PIV server hash algorithm.

2.2.2 Supported Thales Luna HSM models

MyID can integrate with the Thales Luna HSM range.

This includes Luna HSMs that are supplied by Thales Trusted Cyber Technologies (TCT). Previously, these HSMs were supplied by SafeNet Assured Technologies.

Integration with Luna HSMs depends on the client software supplied with the HSM. MyID integrates with the client software, which in turn connects to the hardware device; MyID can therefore operate with any HSM supported by that client software. This release requires either the Thales Universal Client software or the DPoD client software package that you can download from the Thales service.

The client software may be different for HSMs supplied by Thales TCT. References to “client software” throughout the rest of this document refer to the appropriate software for the HSM in use, which must be obtained from your HSM vendor.

Thales Luna HSM integration has been tested using Thales Universal Client v10.4.1 and DPoD client software v10.5.0-470; this enables support for a range of HSM models, including:

Further information on the full range of HSMs supported by this client version is available from Thales.

Note: It is possible to connect to a DPoD HSM using the Universal Client software; see your Thales documentation for details.

Thales TCT Luna HSM integration has been tested using Luna client versions 7.10.1 and 7.11.1 (64-bit); this enables support for:

Integration has been tested in the following configurations:

Both Network HSM and PCI-e versions may be supported by this client; however, information provided in this integration guide is for the Network HSM version.

Further information on the full range of HSMs supported by this client version is available from Thales Trusted Cyber Technologies.

Note: Luna HSMs with firmware 7.11 or greater in FIPS mode no longer support key ceremonies where a symmetric key is ECB wrapped with another symmetric key. Instead, you must use an RSA public key to secure the key for transport and import into the HSM. See the Using RSA transport keys section in the Administration Guide for details.

If you have been provided with a different version of the client software from the versions listed above, you must use the HSM Test Utility to verify successful integration with the HSM, and carry out a general regression test of credential issuance and key management functionality before deploying to a production environment. See section 2.3, HSM Test Utility, for details of where to find the utility.

2.2.3 Multiple HSMs

MyID manages a connection to a single HSM. If you have more than one HSM set up for failover purposes, your HSM administrator must ensure that the data is synchronized between each HSM.

2.2.4 Considerations for Thales TCT Luna HSMs with firmware 7.11 or later in FIPS mode

If you have an older Luna HSM in FIPS mode that has a 3DES master key and you upgrade to an HSM with firmware 7.11 or later, you must use the Intercede migration utility to migrate to an AES256 database master key.

Because SCP01 and SCP02 use 2DES keys, these will not work on an HSM with firmware 7.11 or later in FIPS mode, as the HSM will no longer perform these operations. To use SCP01 or SCP02, you must run the HSM in non-FIPS mode.

If you have 2DES or 3DES PIV 9B keys (for example, for YubiKey devices or older Oberthur PIV cards), these will not work on an HSM with firmware 7.11 or later in FIPS mode, as the HSM will no longer perform these operations. To use 2DES or 3DES PIV 9B keys, you must run the HSM in non-FIPS mode.