Troubleshooting Guide

Luna EFT 2.3 Documentation

Luna EFT Payment HSM

Troubleshooting Guide
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property
protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all
copies.
• This document shall not be posted on any publicly accessible network computer or broadcast in any media and no
modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise
expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the
information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications
data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all
implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall
Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any
damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or
customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and
disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the
date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security
and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third
party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto
products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential
damages that result from any use of its products. It is further stressed that independent testing and verification by the
person using the product is particularly encouraged, especially in any application in which defective, incorrect or
insecure functioning could result in damage to persons or property, denial of service or loss of privacy.
© 1989-2018 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto
and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether
registered or not in specific countries, are the property of their respective owners.

Product Version: 2.3.0


Document Number: 007-000140-001, Rev. A
Release Date: October 2018

Luna EFT Payment HSM Troubleshooting Guide 2


Revision History

Revision   Month/Year     Reason
A          October 2018   Initial Release.



CONTENTS

PREFACE: About the Troubleshooting Guide   5
    Document Conventions   6
    Support Contacts   8
Troubleshooting Scenarios   9
General Tips   14
Frequently Asked Questions   15

PREFACE
About the Troubleshooting Guide

This document helps you diagnose and resolve basic problems that you may encounter while performing an
operation. It includes the following sections:
• "Troubleshooting Scenarios" on page 9
• "General Tips" on page 14
• "Frequently Asked Questions" on page 15


Document Conventions
This document uses standard conventions for describing the user interface and for alerting you to important information.

Notes
Notes are used to alert you to important or helpful information. They use the following format:

Note: Take note. Contains important or helpful information.

Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use
the following format:

CAUTION: Exercise caution. Contains important information that may help prevent
unexpected results or data loss.

Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following
format:

WARNING! Be extremely careful and obey all safety and security measures. In this
situation you might do something that could result in catastrophic data loss or
personal injury.

Command syntax and typeface conventions


Format Convention

bold The bold attribute is used to indicate the following:


• Command-line commands and options
• Check box and radio button names (Select the Print Duplex check box.)
• Button names (Click Save As.)
• Dialog box titles (On the Protect Document dialog box, click Yes.)
• Field names (User Name: Enter the name of the user.)
• Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
• User input (In the Date box, type April 1.)

italics Italics are used for emphasis or to indicate a related document.

<variable> In command descriptions, angle brackets represent variables. Substitute a value for command line
arguments that are enclosed in angle brackets.


[optional] or [<optional>] Square brackets represent optional keywords or <variables> in a command line description. Enter the
keyword or <variable> enclosed in square brackets only if it is required to complete the task.


Support Contacts
Contact Method Contact Information

Address Gemalto
4690 Millennium Drive
Belcamp, Maryland 21017
USA

Phone United States (1-800-545-6608)

International (1-410-931-7520)

Technical Support https://supportportal.gemalto.com/


Customer Portal Existing customers with a Technical Support Customer Portal account can log in to manage
incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.


Troubleshooting Scenarios

Unable to Connect to the HSM


The "Network" LEDs on the back panel glow or blink to indicate the exchange of traffic; they do not illuminate if there is
no network connection. If they are dark, check the network cable connections on the back panel of the HSM and at the
hub or switch.

Unable to Access HSM over LunaSH

admin/audit (OS user)

• If the admin or audit user is logging in for the first time, a serial connection is required to log in to the HSM appliance.

HSM Administrator/Partition Owner

• The "admin" OS user must be logged in before the HSM Administrator or Partition Owner can log in to the HSM over LunaSH.
• Ensure you are inserting the correct eToken.
• If you are logging in for the first time or have run hsm eftinit, you must activate the HSM before logging in as HSM
Administrator or Partition Owner.

Auditor

• The "audit" OS user must be logged in before the Auditor can log in to the HSM over LunaSH.
• Ensure you are inserting the correct eToken.

Invalid Login Attempts via eToken


By default, each user can make up to 15 consecutive incorrect login attempts, after which the eToken is blocked. This
is a security feature meant to thwart repeated, unauthorized attempts to access your cryptographic material. The
limit is not adjustable; once an eToken is blocked you will have to re-initialize the HSM. Because recovery means
re-initialization, keep current backups of the partition keys (see General Tips) and treat a blocked token as something
to investigate, since it means 15 wrong PINs were presented in a row.

Resetting OS User Password


You can reset an authentication PIN or password if it is lost or forgotten, compromised, or if your security procedures
mandate a password change at regular intervals.

Note: As a security measure, the "recover" account can log in only via the local serial connection.

Scenario 1: You have lost the OS user (admin/audit) password.

Perform the following steps:
1. Log in as "recover" over the serial console. This account has the permanent (fixed) password "PASSWORD".
2. Insert the activation token and enter its PIN.
3. Choose the option to reset the password for the OS user, 'admin' or 'audit'.

Scenario 2: You have lost the OS user (admin/audit) password as well as the passwords of all eTokens.

Perform the following steps to recover the OS user password without using the activation or admin eToken:
1. Decommission the HSM using the decommission button at the back of the HSM.
2. Reboot the HSM using the command hsm reboot.
3. Log in as 'recover' with the password 'PASSWORD' through a terminal program such as PuTTY, over the serial connection.
4. Choose the option to reset the password for the OS user, 'admin' or 'audit'.

Because the "recover" password is fixed and cannot be changed, the controls that protect this path are physical: the
serial console port, the activation token (Scenario 1) and the decommission button (Scenario 2) must be reachable only
by people authorized to administer the HSM. Decommissioning is destructive, so follow Scenario 2 only with current key
backups in hand (see General Tips).

Partition Creation Failed


Problem:
You created a partition but for some reason the creation failed. If you now try to recreate the partition, the system does
not allow a partition with the same name to be created.
This may be due to one of the following two reasons:
• Because of a session timeout the partition was created but is still in an unusable state.
• During the cleanup process the partition was not deleted.
Solution:
Perform the steps below to recreate the partition:
1. Go to the Luna EFT Payment HSM Administration Console and log in as "HSM Administrator".
2. Go to System Configuration > Session Timeout Configuration and increase the session timeout (if required).
3. Log in to LunaSH as HSM Administrator.
4. List the partitions and note the name of the partition you created, using the command sysconfig partition list.
5. Delete that partition using the command sysconfig partition delete.
6. You can now create a partition with the same partition name.

Unable to Connect to Luna EFT Payment HSM Administration Console

• Ensure that the Luna EFT Administration Console certificate is present on your client machine. Refer to the section
"Generating Luna EFT Administration Console Certificate" in the Networking Guide.
• Ensure that the Luna EFT Administration Console certificate is valid. If the certificate is invalid, regenerate it.
• The web browser used to connect to the Luna EFT Administration Console must be capable of high-grade 128-bit
encryption. To access all functionality of the Luna EFT Administration Console, enable Java content in the browser
using the Java Control Panel. If using Internet Explorer, enable TLS 1.2 ciphers under "Internet Options". To view the
list of cipher suites supported by the Luna EFT Payment HSM for secure communication, see "Secured Communication
Channels" in the Security Guide.
• Ensure that you have installed the SAC client (SafeNetAuthenticationClient-x32-x64-9.0.exe) included in the Luna EFT
Payment HSM software package. The SAC client is required to integrate the eToken into the desktop operating
system. Once SafeNet Authentication Client (SAC) is installed, the SafeNet Authentication Client tray icon is
displayed in the Taskbar notification area. If the SAC client fails to respond, restart the HSM.

Note: You cannot login to "Luna EFT Payment HSM Administration Console" and "LunaSH" at
the same time. This prevents synchronization issues that could arise from multiple users
changing the configuration simultaneously.

Unable to Authenticate as HSM Administrator, Partition Owner or Auditor

• Ensure you are using correct eTokens for authentication.
• If you are logging in to "LunaSH", then eTokens must be inserted in the HSM's USB port.
• If you are logging in to Luna EFT Administration Console, then eTokens must be inserted in your PC's USB port.

Key Entry Failure


• Ensure that you are logged in as Partition Owner.
• Check that the keyboard is connected to the HSM. If not, connect the keyboard and press 'Enter' to continue.
• If the partition is full, you will not be able to store a key. You will receive the error message "ERROR : Insufficient
space on partition".
• Key component input must be provided within a fixed timeout of 5 minutes; if the timeout expires, you have to rerun
the command.
• If the keyboard is removed accidentally during key entry, or the session is closed unexpectedly, you will have to rerun
the command after 5 minutes, once that timeout has expired.
If you still face the issue, check the session timeout configuration (go to Luna EFT Payment HSM Administration
Console > System Configuration > Session Timeout Configuration).

Smart card Restore Operation Failed


Problem 1:
While transferring keys on the smart card, the key transfer stops with a session timeout failure.
Solution:
Perform the steps below:
1. Go to the Luna EFT Payment HSM Administration Console and log in as "Partition Owner".
2. Go to System Configuration > Session Timeout Configuration and increase the session timeout.
3. Perform the smart card restore operation again.

Problem 2:
The smart card restore operation failed due to insufficient space on the partition.
Scenarios:
a. Unable to perform key operations.
b. Unable to perform the restore operation.
Solution:
Note: It is assumed that you took a complete backup of all the keys stored on the partition before performing the
restore operation.
a. Unable to perform key operations.
The key or key table may be corrupt because of the partial restore, so no key operation succeeds. Perform the
following steps to recover from the failed restore:
– Delete all the keys from the partition.
– Restore the backup of the existing keys (the keys that were stored on the partition and backed up before the
restore operation).
b. Unable to perform the restore operation.
Due to insufficient space you are not able to perform the restore operation. Perform the following steps:
– Delete the existing partition and create a new partition with increased space. Size the new partition so that it can
accommodate the existing keys as well as the new keys you want to restore.
– Restore the backup of the existing keys (the keys that were stored on the partition and backed up before the
restore operation).
– Restore the new keys.

Smart card Not Detected


Problem:
Smart card not detected on connecting to HSM's front/rear panel USB port.
Solution:
• Ensure that no other USB device is connected to the HSM.
• If the smart card is not read on the front panel USB port, insert it in the rear panel port, and vice versa.

Unable to View Certificate Attributes


The subject string included in the Luna EFT Administration Console certificate command carries the certificate
attributes. The default subject string is:
"Subject:/CN=localhost/O=Gemalto/OU=InformationTechnology/C=US/ST=Maryland/L=Belcamp/emailAddress=support@gemalto.com"
The arguments in the subject string must be specified exactly as in the string above. An attribute is ignored when the
certificate is generated if:
– the attribute name is in lowercase, i.e., cn instead of CN, or
– there are spaces between the attribute name and its value, i.e., CN = EFT Lab instead of CN=EFTLab.
A certificate generated from a string with either fault simply lacks that attribute, so check the subject string before
regenerating the certificate.
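To catch the two faults above before running the certificate command, here is an added example in Python; it is not part of the Gemalto documentation or product. It parses the Subject:/K=V/... form, reports which attributes the HSM would drop and why, and rewrites the string with the names spelled the way the HSM expects and no whitespace around '='. The attribute names are taken from the default string above; whether the HSM accepts names beyond those, and whether a space inside a value such as "EFT Lab" is itself rejected, is not stated on the page and is treated as an assumption here.

```python
"""Added example, not Gemalto code: check a Luna EFT Administration Console
certificate subject string for the two faults that make an attribute ignored."""

# Attribute names exactly as they appear in the page's default subject string.
# Matching is case-sensitive because the page says cn (lowercase) is ignored.
# Assumption: whether the HSM accepts names beyond these is not stated.
KNOWN_ATTRS = ("CN", "O", "OU", "C", "ST", "L", "emailAddress")
_BY_LOWER = {a.lower(): a for a in KNOWN_ATTRS}

DEFAULT_SUBJECT = ("Subject:/CN=localhost/O=Gemalto/OU=InformationTechnology"
                   "/C=US/ST=Maryland/L=Belcamp/emailAddress=support@gemalto.com")


def _tokens(subject: str):
    body = subject[len("Subject:"):] if subject.startswith("Subject:") else subject
    return [t for t in body.split("/") if t != ""]   # drop the leading slash


def parse_subject(subject: str):
    """Return (accepted, ignored).

    accepted: {attribute: value} for tokens the HSM will put in the certificate
    ignored:  [(raw_token, reason)] for tokens it will drop
    """
    accepted, ignored = {}, []
    for token in _tokens(subject):
        if "=" not in token:
            ignored.append((token, "no '=' between attribute and value"))
            continue
        name, value = token.split("=", 1)
        if name != name.strip() or value != value.lstrip():
            # "CN = EFT Lab" instead of "CN=EFTLab"
            ignored.append((token, "whitespace around '='"))
        elif name not in KNOWN_ATTRS:
            # "cn" instead of "CN": point at the spelling the HSM wants
            hint = _BY_LOWER.get(name.lower())
            reason = f"unknown attribute name, use {hint}" if hint else "unknown attribute name"
            ignored.append((token, reason))
        else:
            accepted[name] = value
    return accepted, ignored


def fix_subject(subject: str) -> str:
    """Rewrite the string with attribute names in the HSM's spelling and no
    whitespace around '='. Values are left as typed: the page's example turns
    "EFT Lab" into "EFTLab", but it does not say whether an internal space is
    itself rejected, so that decision is left to the operator (assumption)."""
    parts = []
    for token in _tokens(subject):
        if "=" not in token:
            parts.append(token)                  # nothing sensible to fix here
            continue
        name, value = token.split("=", 1)
        name = name.strip()
        parts.append(f"{_BY_LOWER.get(name.lower(), name)}={value.strip()}")
    return "Subject:/" + "/".join(parts)


if __name__ == "__main__":
    # Constructed inputs: the page's default string and one with both faults.
    for s in (DEFAULT_SUBJECT, "Subject:/cn=EFTLab/O = Gemalto/C=US"):
        accepted, ignored = parse_subject(s)
        print(s)
        print("  accepted:", accepted)
        for token, reason in ignored:
            print(f"  IGNORED {token!r}: {reason}")
        if ignored:
            print("  suggested:", fix_subject(s))
```

Run the script as-is to see the default string pass cleanly and the faulty string lose both cn and O; paste your own subject string into the tuple to check it before generating the certificate.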

Unable to Connect Printer


• Ensure that the printer is connected to the HSM via a USB port.
• If you are using a serial printer, use a serial-to-USB converter; the serial port on the HSM cannot be used for
printing.
• Click the "Refresh" button (go to Luna EFT Payment HSM Administration Console > System Configuration > Printer
Configuration > Printer Settings) to check the printer status.
• In the case of a USB printer, ensure that the correct USB printer driver and printer type are selected.

Inappropriate Print Output


By default, the printer is not assigned to any partition, so multiple partitions are able to use it as a shared resource.
In this case the print output may be incorrect, because jobs from different partitions share the device. It is therefore
recommended to assign the printer to a partition before performing a print operation.
Note that a printer can be assigned to only one partition at a time.

Unable to Read eToken


If the HSM is unable to read the eToken, reboot the HSM.
Symptoms:
• The user receives the error message "ERROR : Incorrect username or PIN" even after entering a valid username
and password.
• The HSM does not respond during initialization.
• The HSM does not respond when creating a partition.
Workaround:
Reboot the HSM.

Secure channel not working


Problem:
Unable to run the secure channel in CA-signed mode.
Workaround:
Once the new certificate is registered for use, reboot the HSM. The reboot replaces the old certificate with the new
certificate.


General Tips

Important Things to Remember


• Never disconnect the power by pulling the power plug. Always use the hsm poweroff command or, alternatively, the
START/STOP switch. Each of the two power supplies should be connected to an independent electrical source, and
at least one of those sources should be protected by a UPS (uninterruptible power supply) and generator backup.
• It is recommended to have a null-modem serial connection between the HSM's serial Console Port and the
administration computer or a terminal. This is for convenience during initial setup, so your administrative
connection remains active when you assign new IP addresses.
• Some HSM policies are destructive, and require re-initialization before you can continue to use the HSM. If you
intend to make a destructive HSM policy change, be sure to back up any important objects and keys so that they
can be restored after the policy change and subsequent re-initialization.
• Pressing the browser "Back" or "Refresh" button expires the current session and requires you to log in again.
• Do not execute multiple Luna EFT Payment HSM Administration Console operations at a time. If you attempt to
switch to another operation while the first operation is still in progress, you will be logged out of the Luna EFT
Payment HSM Administration Console.
• If you want to change the MAC key at an index that is already in use, the auditor should retrieve and verify the
audit logs first, to avoid verification failures after the new MAC key is injected.
• Due to PCI HSM restrictions, certificates with MD5 and SHA-1 signature algorithms are not permitted for use and
hence cannot be registered with the HSM.


Frequently Asked Questions

How Can I Upgrade the Performance Level (PL) of Luna EFT?

Luna EFT supports different performance levels: PL 60, PL 140, PL 280, PL 1200 and PL 2000 can be set for Luna EFT.
Check with Gemalto's Technical Support team if you wish to upgrade the PL. Once approved, the support team will
provide you with a secure update package file for the desired PL that can be installed on Luna EFT.

How to Check the Authenticity of HSM?


To ensure the integrity of the unit you received, take the following two steps:
• Compare the serial number on the tamper envelope with the one included with the Advanced Shipping Notification
(ASN).
• Once the HSM is initialized, and before loading any cryptographic keys, retrieve the cryptographically protected
identity certificate securely stored in the HSM using the LunaSH interface, and validate the signature on the
certificate against the SafeNet Root CA.
The Luna EFT should be considered compromised, and SafeNet contacted immediately,
– if there is a mismatch between the serial numbers in the Advanced Shipping Notification (ASN) and the identity
certificate provided by the appliance, or
– if the signature on the identity certificate cannot be verified and chained back to the SafeNet Root CA supplied.
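The two receipt checks above (serial number against the ASN, and a signature that chains back to the supplied Root CA), together with the rule from General Tips that MD5 and SHA-1 signed certificates cannot be registered, carried out in one place on a PEM certificate retrieved from the appliance. This is an added example in Python using the `cryptography` library, not Gemalto code. The certificates it builds for the demonstration are a constructed stand-in PKI, not SafeNet's, and two assumptions are made that the page does not state: the Root CA uses an RSA key with PKCS#1 v1.5 signatures, and the appliance serial number is carried in the identity certificate's subject CN (check the actual certificate fields on your unit).

```python
"""Added example, not Gemalto code: receipt checks on an identity certificate
retrieved from the HSM, done with the `cryptography` library."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID

# The page rules out MD5 and SHA-1 signed certificates (PCI HSM restriction).
WEAK_SIGNATURE_OIDS = {
    SignatureAlgorithmOID.RSA_WITH_MD5,
    SignatureAlgorithmOID.RSA_WITH_SHA1,
    SignatureAlgorithmOID.DSA_WITH_SHA1,
    SignatureAlgorithmOID.ECDSA_WITH_SHA1,
}


def weak_signature_algorithm(cert_pem: bytes) -> bool:
    """True if the certificate is signed with MD5 or SHA-1."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    return cert.signature_algorithm_oid in WEAK_SIGNATURE_OIDS


def check_identity_certificate(identity_pem: bytes, root_pem: bytes, asn_serial: str) -> list:
    """Return a list of findings; an empty list means the unit passes all checks.

    Assumptions (not stated on the page): the Root CA uses an RSA key with
    PKCS#1 v1.5 signatures, and the appliance serial number is the subject CN.
    """
    cert = x509.load_pem_x509_certificate(identity_pem)
    root = x509.load_pem_x509_certificate(root_pem)
    findings = []

    # Check 1: the certificate must chain to the supplied Root CA, which means
    # the issuer name matches and the root's public key verifies the signature.
    if cert.issuer != root.subject:
        findings.append("issuer name does not match the Root CA subject")
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        findings.append("signature does not verify against the Root CA key")

    # Check 2: the serial number must match the Advanced Shipping Notification.
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cert_serial = cn_attrs[0].value if cn_attrs else None
    if cert_serial != asn_serial:
        findings.append(f"serial mismatch: certificate {cert_serial!r}, ASN {asn_serial!r}")

    # Check 3: an MD5/SHA-1 signed certificate cannot be registered with the HSM.
    if cert.signature_algorithm_oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"weak signature algorithm: {cert.signature_hash_algorithm.name}")
    return findings


def _issue(cn: str, issuer: x509.Name, signing_key, public_key, digest) -> x509.Certificate:
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(signing_key, digest))


def _pem(cert: x509.Certificate) -> bytes:
    return cert.public_bytes(serialization.Encoding.PEM)


def build_demo_certs() -> dict:
    """Constructed stand-in PKI (NOT SafeNet's): a root, a genuine identity cert,
    and a look-alike whose signature was made with a key the root never issued."""
    root_key = rsa.generate_private_key(65537, 2048)
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
    hsm_key = rsa.generate_private_key(65537, 2048)
    forger_key = rsa.generate_private_key(65537, 2048)
    certs = {
        "root": _pem(_issue("Demo Root CA", root_name, root_key, root_key.public_key(), hashes.SHA256())),
        "genuine": _pem(_issue("HSM-SN-123456", root_name, root_key, hsm_key.public_key(), hashes.SHA256())),
        "rogue": _pem(_issue("HSM-SN-123456", root_name, forger_key, hsm_key.public_key(), hashes.SHA256())),
    }
    try:  # a SHA-1 signed cert that check 3 must flag; hardened OpenSSL builds may refuse to create one
        certs["legacy"] = _pem(_issue("HSM-SN-123456", root_name, root_key, hsm_key.public_key(), hashes.SHA1()))
    except Exception:
        pass
    return certs


if __name__ == "__main__":
    demo = build_demo_certs()
    for name, pem in demo.items():
        if name != "root":
            print(name, check_identity_certificate(pem, demo["root"], "HSM-SN-123456") or "OK")
```

Against real hardware, replace the demo certificates with the identity certificate exported over LunaSH and the SafeNet Root CA supplied with the unit, and pass the serial number from the ASN; any non-empty result is the "consider compromised, contact SafeNet" condition described above.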
