1. DL manuals
  2. SafeNet
  3. Server
  4. Luna SA
  5. Configuration Manual

SafeNet Luna SA Configuration Manual

Summary of Luna SA

  • Page 1

    Luna sa configuration guide.

  • Page 2

    Document information product version 5.4.1 document part number 007-011136-007 release date 04 july 2014 revision history revision date reason a 26 february 2014 initial release. B 17 april 2014 updates to the sff backup feature. C 04 july 2014 solaris client support. Trademarks all intellectual pro...

  • Page 3

    Contents preface about the configuration guide 6 customer release notes 6 audience 6 document conventions 7 notes 7 cautions 7 warnings 7 command syntax and typeface conventions 7 support contacts 8 chapter 1 planning your configuration 10 roles 10 named administrative users and their assigned roles...

  • Page 4

    Open a connection 30 first login & changing password 31 set system date and time 33 configure ip and network parameters 35 make your network connection 37 generate a new hsm server certificate 39 chapter 3 hsm initialization 42 initializing a password-authenticated hsm 44 initializing a password aut...

  • Page 5

    Create a client certificate (windows) 96 export a client cert to an hsm appliance (windows) 99 prepare a network trust link - unix/linux 102 import hsm appliance server certificate onto client (unix) 102 register the hsm server certificate with the client (unix) 102 register 103 create a client cert...

  • Page 6

    Preface about the configuration guide this document provides step-by-step instructions for configuring your luna hsm hardware, before you begin using it with your application(s). The instructions are for a basic configuration. Additional configuration options are described in "optional configuration...

  • Page 7

    Preface about the configuration guide the information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only. It is assumed that the users of this document are proficient with security concepts. Document conventions this document uses stand...

  • Page 8

    Preface about the configuration guide format convention italics in type, the italic attribute is used for emphasis or to indicate a related document. (see the installation guide for more information.) in command descriptions, angle brackets represent variables. You must substitute a value for comman...

  • Page 9

    Preface about the configuration guide contact method contact provides access to the safenet knowledge base and quick downloads for various products. Customer technical support portal https://serviceportal.Safenet-inc.Com existing customers with a customer connection center account, or a service port...

  • Page 10

    Chapter 1 planning your configuration before initializing your hsm, we suggest taking a moment to consider the following available features and options. Some would be inconvenient to change after your hsm is in service: • "roles" on page 10 • "crypto officer & crypto user" on page 12 • "domain plann...

  • Page 11

    Chapter 1 planning your configuration abilities or privileges of created users named users empowered with the "admin" role can perform most actions that the original admin can perform. User accounts granted the "operator" role have access to a reduced set of administrative commands. User accounts gr...

  • Page 12

    Chapter 1 planning your configuration note: while the "built-in" 'admin', 'operator', and 'monitor' accounts are not deleted or added by a restore operation (those accounts are permanent), both their enabled/disabled status and their passwords are changed to whatever prevailed at the time the backup...

  • Page 13

    Chapter 1 planning your configuration hsm partition owner has control of one or more partitions (virtual hsms) within the luna hsm appliance. To access hsm partition owner functions, you must first be logged in as appliance admin. In addition to all the other appliance functions, a user who has auth...

  • Page 14

    Chapter 1 planning your configuration • appliance admin (same as appliance admin description above. No change.) • hsm admin (same as hsm admin description above. No change.) • crypto officer (full read-write access) (same capabilities as hsm partition owner and client in the default model) as above ...

  • Page 15

    Chapter 1 planning your configuration bad login attempts by default, both the crypto officer and the crypto user can make 10 consecutive failed login attempts before invoking consequences. That is, the two bad-authentication counters are independent of each other. Submissions of incorrect partition ...

  • Page 16

    Chapter 1 planning your configuration who can do what with each hsm partition. Also, as mentioned previously, you might wish to spread out and reinforce responsibility by using mofn to ensure that administrative partition access can never be achieved by a single person operating alone. These conside...

  • Page 17

    Chapter 1 planning your configuration being prompted to insert a key. If you say "yes" to overwrite what the ped just told you is on this inserted key, the ped gives you another chance to reconsider: "warning*** are you sure...". The ped is very thorough about making sure that you do not accidentall...

  • Page 18

    Chapter 1 planning your configuration pins are in use, then each so and each so backup/alternate personnel must know the ped pin(s) for every hsm in their charge. If your organization enforces a policy of password changes at certain intervals, or at events like firings and personnel turnover, then y...

  • Page 19

    Chapter 1 planning your configuration when a partition is created, after the black ped key is imprinted, you are prompted to provide a domain for the new partition. At your option, your partition can: • take on the same cloning domain (red ped key) as the hsm in which it resides • take on a new, uni...

  • Page 20

    Chapter 1 planning your configuration before you begin the audit init process, have your white ped keys ready, either with an existing auditor secret to reuse, or blank (or outdated secret) to be overwritten by a unique new auditor secret generated by the hsm. Secure recovery purple ped key (srk) th...

  • Page 21

    Chapter 1 planning your configuration at the time the hsm is initialized. With the exception of the purple srk ped key, all of the other ped key types can take a newly-created secret that is unique in the world at the time the hsm creates it. Optionally, the ped dialog allows you to present a key wi...

  • Page 22

    Chapter 1 planning your configuration you have (the version of the secret that is imprinted on the key) and something you know (the secret that you type in, to be xor'd with the contained secret), to make the final secret that unlocks the hsm. At this point, the key is imprinted. Now the ped inquire...

  • Page 23

    Chapter 1 planning your configuration before you begin the hsm init process, have your blue ped keys ready, either with an existing so secret to reuse, or blank (or outdated secret) to be overwritten by a unique new so secret generated by the hsm. At the same time, you must also have appropriate red...

  • Page 24

    Chapter 1 planning your configuration regardless of whether the hsm (so space) and the partition share a domain, it is not possible to copy/clone objects between the two. A shared domain between partitions allows you to clone between/among those partitions, and to make such partitions members of an ...

  • Page 25

    Chapter 1 planning your configuration when you invoke srk, to remove one of the mtk recovery secret splits from the hsm and imprint it onto a purple ped key, the ped prompt sequence does not include a "reuse" option. The purple ped key is the only one that is unique to its hsm and cannot be reused. ...

  • Page 26

    Chapter 2 configure the luna appliance for your network in this section, gather information and apply appropriate settings to replace factory default values, and have your luna sa appliance recognized on your network. Gather appliance network setting information before you begin, obtain the followin...

  • Page 27

    Chapter 2 configure the luna appliance for your network recommended network characteristics determine whether your network is configured optimally for use of luna appliances. Bandwidth and latency recommendation bandwidth • minimum supported: 10 mb half duplex • recommended: at least 100 mb full dup...

  • Page 28

    Chapter 2 configure the luna appliance for your network • connection to your network [gigabit or 100 megabit ethernet], and • a null-modem serial connection between the hsm appliance's serial console port and your administration computer or a terminal [recommended option - this is for convenience, d...

  • Page 29

    Chapter 2 configure the luna appliance for your network ethernet connector led state indicated indication nic 1 (right) activity status green (blinking): nic1 activity detected off: nic1 is not active, or lan cable has no connection nic 1 (left) speed range orange : 1g green : 100m off: 10m/no conne...

  • Page 30

    Chapter 2 configure the luna appliance for your network next, see "open a connection" on page 30 . Open a connection perform your initial configuration via direct serial connection to the luna appliance. Once network parameters are established, you can switch to an ssh session over your network. Dir...

  • Page 31

    Chapter 2 configure the luna appliance for your network first login & changing password orientation summary following the instructions in the previous pages, you have already: • gathered the necessary network and security information • made a connection (preferably serial) between your administratio...

  • Page 32

    Chapter 2 configure the luna appliance for your network changing password for admin (current) unix password: you can now choose the new password. A valid password should be a mix of upper and lower case letters, digits, and other characters. You can use an 8 character long password with characters f...

  • Page 33

    Chapter 2 configure the luna appliance for your network example – lunash command [myluna1] lunash:>? The following top-level commands are available: name (short) description -------------------------------------------------------------------------------- help he get help exit e exit luna shell clien...

  • Page 34

    Chapter 2 configure the luna appliance for your network if desired, lunash:> status time and/or lunash:> status zone can also be used. 2. If the date, time, or timezone are incorrect for your location, change them using the lunash sysconf command. For example: lunash:> sysconf timezone set canada/ea...

  • Page 35

    Chapter 2 configure the luna appliance for your network configuration instructions that is usually convenient and easy to understand, but having the system time set before initializing is not required. You can perform those actions out of order. It is important to have the time set before you create...

  • Page 36

    Chapter 2 configure the luna appliance for your network link status eth0: configured link detected: yes eth1: not configured command result : 0 (success) [local_host] lunash:> 2. Use network hostname to set the hostname of the hsm appliance (use lowercase characters). Lunash:> network hostname mylun...

  • Page 37

    Chapter 2 configure the luna appliance for your network note: your network could have multiple dns search domains. Repeat this step to add all search domains. Note: this command manually sets a dns parameter for the hsm appliance. If you elect to use a dhcp server (see the net -interface command lat...

  • Page 38

    Chapter 2 configure the luna appliance for your network 1. Connect the ethernet cable to the upper ethernet port on the hsm appliance back panel and use ssh to open a session on the hsm appliance. 2. Login as admin. Test your network configuration 3. Verify correctness of your network setup by pingi...

  • Page 39

    Chapter 2 configure the luna appliance for your network ============================================================================== ntp_gettime() returns code 0 (ok) time d1504c28.95777000 wed, apr 14 2014 12:22:00.583, (.583854), maximum error 7951596 us, estimated error 0 us ntp_adjtime() retur...

  • Page 40

    Chapter 2 configure the luna appliance for your network lunash:> the command sysconf regencert (with no ip address appended) is suitable if your network is using dns and, during the execution of the regeneration command, the hsm appliance is able to retrieve correct dns information about itself. If ...

  • Page 41

    Chapter 2 configure the luna appliance for your network note: the “stopping ntls” operation might fail in the above example, because ntls is not yet running on a new hsm appliance. Just ignore the message. The service starts again, whether the stop was needed or not. If you have been following the i...

  • Page 42

    Chapter 3 hsm initialization to initialize an hsm is to prepare it for operation, under the control of an hsm admin. Choose instructions for the type of hsm that you own: • " about initializing a password authenticated hsm " • " about initializing a ped authenticated hsm " which kind do i have? Luna...

  • Page 43

    Chapter 3 hsm initialization if this is your only ped authenticated luna hsm, then you should have received a ped and ped keys along with the hsm/appliance. If you have other ped authenticated units at your location, then you can use a ped from one of them. Luna sa configuration guide release 5.4.1 ...

  • Page 44

    Chapter 3 hsm initialization initializing a password-authenticated hsm in this section, you initialize the hsm portion of the luna appliance, and set any policies that you require. In normal operation, you would perform these actions just once, when first commissioning your luna appliance. Note: per...

  • Page 45

    Chapter 3 hsm initialization cloning domain the cloning domain is a shared identifier that makes cloning possible among a group of hsms. Cloning is required for backup or for ha. Cloning cannot take place between hsms that do not share a common domain. A domain is created (new) or is imprinted (from...

  • Page 46

    Chapter 3 hsm initialization initializing a ped-authenticated hsm in this section, you initialize the hsm portion of the luna appliance, and set any policies that you require. In normal operation, you would perform these actions just once, when first commissioning your luna appliance. Note: perform ...

  • Page 47

    Chapter 3 hsm initialization 2. You cannot place the hsm in secure transport mode (a form of controlled, intentional tamper). You have the option to move one of the recovery pieces of the master tamper key off-board, in the form of the secure recovery vector which gets imprinted on a purple secure r...

  • Page 48

    Chapter 3 hsm initialization specific, hands-on, oversight and recovery actions, in the case of a tamper event at the hsm. In that case, keep the external split and handle with care (including having on-site and off-site backup copies, just as you would with the security officer (blue) ped key). You...

  • Page 49

    Chapter 3 hsm initialization then you will need to take these instructions slightly out of order and perform time-related setting changes after you initialize, rather than before. Initialization prepares the hsm for use by setting up the necessary identities, ownership and authentication that are to...

  • Page 50

    Chapter 3 hsm initialization ========================== partition: 700022012, name: mypar1 partition: 700022013, name: mypar2 partition: 700022016, name: mypar3 fips 140-2 operation: ===================== the hsm is not in fips 140-2 approved operation mode. Hsm storage informaton: =================...

  • Page 51

    Chapter 3 hsm initialization start a serial terminal or ssh session bash#: ssh 192.20.10.203 login as: admin admin@172.20.10.202's password:________ last login: fri dec 2 20:16:54 2011 from 192.17.153.225 luna sa 5.1.0-22 command line shell - copyright (c) 2001-2011 safenet, inc. All rights reserved...

  • Page 52

    Chapter 3 hsm initialization the hsm and ped need to know, prior to imprinting the first so ped key. If you say [ no ] (on the ped keypad), then you are indicating there is nothing of value on your ped keys to preserve. On the assumption that you will now be writing onto a new blank ped key, or onto...

  • Page 53

    Chapter 3 hsm initialization setting m and n equal to "1" means that the authentication is not to be split, and only a single ped key will be necessary when the authentication is called for in future. Setting m and n larger than "1" means that the authentication is split into n different "splits", o...

  • Page 54

    Chapter 3 hsm initialization or answer (press the appropriate button on the ped keypad) – "no" if the ped key that you provided carries so authentication data that must be preserved. In that case, you must have made a mistake so the ped goes back to asking you to insert a suitable key. – "yes" if th...

  • Page 55

    Chapter 3 hsm initialization for any situation other than reusing a keyset, luna ped now prompts for you to set a ped pin. For multi-factor authentication security, the physical ped key is "something you have". You can choose to associate that with "something you know", in the form of a multi-digit ...

  • Page 56

    Chapter 3 hsm initialization you can respond [ yes ] and present one or more blank keys, all of which will be imprinted with exact copies of the current ped key's authentication, or you can say [ no ], telling the ped to move on to the next part of the initialization sequence. (you should always hav...

  • Page 57

    Chapter 3 hsm initialization if this is your first luna hsm, or if this hsm will not be cloning objects with other hsms that are already initialized, then answer [ no ]. Luna ped prompts for values of m and n. If you have another hsm and wish that hsm and the current hsm to share their cloning domai...

  • Page 58

    Chapter 3 hsm initialization luna ped goes through the same sequence that occurred for the blue so ped key, except it is now dealing with a red domain ped key. Insert a red hsm cloning domain ped key [ of course, the ped key is generically black - we suggest that you apply the appropriate color stic...

  • Page 59

    Chapter 3 hsm initialization or just as with the blue so ped key, the next message is: luna sa configuration guide release 5.4.1 007-011136-007 rev c july 2014 copyright 2014 safenet, inc. All rights reserved. 59.

  • Page 60

    Chapter 3 hsm initialization when you confirm that you do wish to overwrite whatever is (or is not) on the currently inserted key, with a cloning domain generated by the ped, the ped asks: and finally: luna sa configuration guide release 5.4.1 007-011136-007 rev c july 2014 copyright 2014 safenet, i...

  • Page 61

    Chapter 3 hsm initialization once you stop duplicating the domain key, or you indicate that you do not wish to make any duplicates (you should have backups of all your imprinted ped keys...), luna ped goes back to "awaiting command...". Lunash says: command result : no error lunash:> lmyluna] lunash...

  • Page 62

    Chapter 3 hsm initialization notice that the hsm now has a label. The next step is "prepare to create a partition (ped authenticated)" on page 75 on the hsm. Initialization - some additional options and description anywhere there are choices, options abound. Rather than clutter the main initializati...

  • Page 63

    Chapter 3 hsm initialization below the table are some expanded comments about the choices that you might encounter. "fresh" ped keys pre-used ped keys (reuse) pre-used ped keys (overwrite) slot 01 setting so pin... Would you like to reuse an existing keyset? (y/n) slot 01 setting so pin... Would you...

  • Page 64

    Chapter 3 hsm initialization "fresh" ped keys pre-used ped keys (reuse) pre-used ped keys (overwrite) you can type a number and press enter to impose a ped pin "something you know", or you can just press enter (with no digits) for no ped pin (thus nothing to remember in future). Same as in first col...

  • Page 65

    Chapter 3 hsm initialization "fresh" ped keys pre-used ped keys (reuse) pre-used ped keys (overwrite) the ped prompts in similar fashion to the steps for the hsm admin/so key above (overwrite, copy, etc.). If asked to "reuse id", the best option is to say "yes", unless you have good reason to create...

  • Page 66

    Chapter 3 hsm initialization note: you can also make additional copies of a ped key at any time, using the ped's own "admin" menu. This does not require you to log into the hsm or issue commands from the appliance - the ped needs to be connected only to have power supplied to it when you are using t...

  • Page 67

    Chapter 4 hsm capabilities and policies safenet luna hsms are built on one of our general-purpose hsm platforms (hardware plus firmware), and then are loaded with what we call "personality", to make them into specific types of hsm with specific abilities and constraints, to suit different markets an...

  • Page 68

    Chapter 4 hsm capabilities and policies enable full (non-backup) functionality allowed enable ecc mechanisms allowed enable non-fips algorithms allowed enable so reset of partition pin allowed enable network replication allowed enable korean algorithms disallowed fips evaluated disallowed manufactur...

  • Page 69

    Chapter 4 hsm capabilities and policies fips-validated algorithms if your application requires them. The example listing above indicates that non-validated algorithms have been activated. The hsm is just as safe and secure as it is with the additional algorithms switched off. The only difference is ...

  • Page 70

    Chapter 4 hsm capabilities and policies enable special cloning certificate disallowed enable full (non-backup) functionality allowed enable ecc mechanisms allowed enable non-fips algorithms allowed enable so reset of partition pin allowed enable network replication allowed enable korean algorithms a...

  • Page 71

    Chapter 4 hsm capabilities and policies note: the fips 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms. The hsm is designed to the standard, but can permit activation of additional non-fips-validated algorithms if your application require...

  • Page 72

    Chapter 5 creating a partition on the hsm choose the authentication method that applies to your hsm. See "prepare to create a partition (password authenticated)" on page 72 . See "prepare to create a partition (ped authenticated)" on page 75 . Prepare to create a partition (password authenticated) t...

  • Page 73

    Chapter 5 creating a partition on the hsm authenticate as hsm admin by supplying the appropriate hsm admin password when you are prompted — this is generally preferable to typing the password on the command line, because your response to the password prompt is hidden from view by “*” characters. War...

  • Page 74

    Chapter 5 creating a partition on the hsm – avoid proper names (especially family and pets) – avoid birthday and other easily identifiable dates. 1. Create and name an hsm partition. At the lunash prompt, type: lunash:> partition create -partition mypartition1 2. Supply the appropriate new hsm parti...

  • Page 75

    Chapter 5 creating a partition on the hsm prepare to create a partition (ped authenticated) this section is hsm partition setup for ped (trusted path) authentication. The activities in this section are required in these circumstances. • if you just prepared an hsm on the hsm appliance for the first ...

  • Page 76

    Chapter 5 creating a partition on the hsm you must provide the blue hsm admin ped key that has been imprinted (initialized) for this hsm. If you had set a ped pin, you are prompted for that, as well. 5. Next, see "create (initialize) the partition - ped authenticated" on page 76 . Warning! If you fa...

  • Page 77

    Chapter 5 creating a partition on the hsm > proceed proceeding... Please ensure that you copy the password from the luna ped and that you keep it in a safe place. Luna ped operation required to create a partition - use user or partition owner (black) ped key. 2. The ped inquires if you intend to reu...

  • Page 78

    Chapter 5 creating a partition on the hsm and (enter "1" for both, unless you wish to invoke m of n split-secret, multi-person access control, "using m of n" on page 1 ). 4. The ped then demands the black owner ped key with the message luna sa configuration guide release 5.4.1 007-011136-007 rev c j...

  • Page 79

    Chapter 5 creating a partition on the hsm insert the black hsm partition owner ped key [ of course, the ped key is generically black - we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting ] and press [enter].. A unique partition owner pin ...

  • Page 80

    Chapter 5 creating a partition on the hsm decide whether this should be a group ped key (see "what is a shared or group ped key?" ), enter [yes] or [no] on the ped touchpad, and press [enter]. 6. Next, you are asked to provide a ped pin (optional, see "what is a ped pin?" — can be 4-to-48 digits, or...

  • Page 81

    Chapter 5 creating a partition on the hsm see "what is a duplicate ped key?" . Respond “no”, if you want the ped to imprint just the one black hsm admin ped key and go on to the next step in creation of the hsm partition. Respond “yes”, if you want the ped to imprint the first black key and then ask...

  • Page 82

    Chapter 5 creating a partition on the hsm respond "yes" if you have a key from another hsm partition with a cloning domain id already imprinted on it, that you wish to share/reuse. Respond "no" if you have a fresh, never-imprinted key, or if you have a key previously imprinted with an id that you do...

  • Page 83

    Chapter 5 creating a partition on the hsm insert the red hsm partition domain ped key [ of course, the ped key is generically black - we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting ] and press [enter]. A unique partition owner pin is...

  • Page 84

    Chapter 5 creating a partition on the hsm we suggest that you record the presented string using a text editor - in our experience, the greatest proportion of errors with the partition challenge secret involve misreading of hand-written text. The dashes (hyphens) are displayed only to enhance human r...

  • Page 85

    Chapter 5 creating a partition on the hsm it is not obvious from this entry what the serial number is for the created partition. This information, however, can be derived from the log entry, since the partition serial number is simply a concatenation of the hsm serial number and the partition contai...

  • Page 86

    Chapter 5 creating a partition on the hsm when you press [enter] on the ped keypad, control returns to the command prompt, where a success message is displayed: 'partition create' successful at the same time, luna ped goes back to "awaiting command...". Next you might need to adjust the partition po...

  • Page 87

    Luna sa configuration guide release 5.4.1 007-011136-007rev c july 2014 copyright 2014 safenet, inc. All rights reserved. 87.

  • Page 88

    Chapter 6 partition policies chapter 6 partition policies at this point, you should have initialized the hsm and created an hsm partition. You may need to set the policies that constrain the use of the hsm partition by clients. Capabilities are factory settings ( ). Policies are the means of modifyi...

  • Page 89

    Chapter 6 partition policies enable cbc-pad (un)wrap keys of any size allowed the following policies are set due to current configuration of this partition and may not be altered directly by the user. Description value =========== ===== challenge for authentication not needed false the following pol...

  • Page 90

    Chapter 6 partition policies select an example that is applicable to your luna appliance's hsm type: policy setting example, luna hsm with password authentication the default minimum password length is 7 characters (which the luna hsm calculates as 255 minus 248, where 255 is the maximum length and ...

  • Page 91

    Chapter 7 prepare the client for network trust link network trust links (ntl) are secure, authenticated network connections between the luna sa and clients. Ntls use two-way digital certificate authentication and tls data encryption to protect sensitive data as it is transmitted between hsm partitio...

  • Page 92

    Chapter 7 prepare the client for network trust link to create an ntl, the client and hsm appliance must first exchange certificates. Once the certificates have been exchanged, the client registers the luna sa’s certificate in a trust list, and the luna sa appliance, in turn, registers the client’s c...

  • Page 93

    Chapter 7 prepare the client for network trust link prepare a network trust link - windows in this section, create and exchange certificates from windows systems, to configure a network trust link with your luna sa appliance. Import hsm appliance server certificate onto client (windows) 1. Open a co...

  • Page 94

    Chapter 7 prepare the client for network trust link the appearance might vary slightly for different windows versions. If the permissions change does not propagate to sub-directories, then you might need to repeat the process for the "cert" sub-directory and for the "client" and "server" sub-directo...

  • Page 95

    Chapter 7 prepare the client for network trust link information from the client’s known host file found in: //.Ssh/known_hosts2 if this is happening in a production environment, this could potentially be a security breach needing investigation. Similarly, when you first open a scp or ssh link, you m...

  • Page 96

    Chapter 7 prepare the client for network trust link the appearance might vary slightly for different windows versions. If the permissions change does not propagate to sub-directories, then you might need to repeat the process for the "cert" sub-directory and for the "client" and "server" sub-directo...

  • Page 97

    Chapter 7 prepare the client for network trust link note: before you run the vtl createcert command, run hostname to view the hostname of your client computer. Then, when you run the vtl createcert - n command (example below), be sure to input the hostname exactly as reported (uppercase/lowercase). ...

  • Page 98

    Chapter 7 prepare the client for network trust link the appearance might vary slightly for different windows versions. If the permissions change does not propagate to sub-directories, then you might need to repeat the process for the "cert" sub-directory and for the "client" and "server" sub-directo...

  • Page 99

    Chapter 7 prepare the client for network trust link note: in the createcert command, provide only the unqualified hostname, rather than the fully qualified hostname. Next, see "export a client cert to an hsm appliance (windows)" on page 99 . That is the other half of the certificate exchange that cr...

  • Page 100

    Chapter 7 prepare the client for network trust link the appearance might vary slightly for different windows versions. If the permissions change does not propagate to sub-directories, then you might need to repeat the process for the "cert" sub-directory and for the "client" and "server" sub-directo...

  • Page 101

    Chapter 7 prepare the client for network trust link c:\ program files\safenet\lunaclient\> pscp “c:\program files\safenet\lunaclient\cert\client\ address>.Pem” admin@: note: the “:” after the destination is required. Without the colon, scp does not recognize the supplied destination as a remote serv...

  • Page 102

    Chapter 7 prepare the client for network trust link prepare a network trust link - unix/linux in this section, create and exchange certificates from linux and unix systems, to configure a network trust link with your luna sa appliance. Import hsm appliance server certificate onto client (unix) 1. En...

  • Page 103

    Chapter 7 prepare the client for network trust link register bash-2.05# ./vtl addserver -n -c server.Pem example bash-2.05# ./vtl addserver -n myluna3 -c cert/server/server.Pem if you are working without dns, then give the server ip number, rather than its name, as in: bash-2.05# ./vtl addserver -n ...

  • Page 104

    Chapter 7 prepare the client for network trust link note: in the createcert command, provide only the unqualified hostname, rather than the fully qualified hostname. Next, see "export a client cert to an hsm appliance (unix)" on page 104 . That is the other half of the certificate exchange that crea...

  • Page 105

    Chapter 7 prepare the client for network trust link register the client certificate to an hsm server the client certificate, which has been securely transferred (scp’d) from the client to the hsm server, in previous sections, must be registered by the hsm server. You must be connected to the hsm ser...

  • Page 106

    Chapter 7 prepare the client for network trust link note: re-register if you wish to de-register a client and then re-register with a new certificate, on the same hsm appliance, then you must copy the certificate to the hsm appliance (hsm server) and stop and re-start the ntls service. Before such a...

  • Page 107

    Chapter 8 assign a client to an hsm partition at this point, you should already have performed the following tasks to create a network trust link (ntl) between client and luna sa.: • initialized the hsm and created one-or-more hsm partitions • exchanged certificates between the luna sa and the clien...

  • Page 108: Done!

    Chapter 8 assign a client to an hsm partition 2. Go to the software directory (c:\program files\safenet\lunaclient for windows, or /usr/safenet/lunaclient for linux, solaris or aix, or /opt/safenet/lunaclient for hp-ux), and type vtl verify . 3. The response should be similar to: slot serial # label...

  • Page 109

    Chapter 9 optional configuration tasks after completing the base configuration, you can also perform any of the following optional configuration tasks: configure a host trust link (htl) host trust links ensure that the hsm connects only to a trusted host that is in possession of a one-time-token. Se...