Luna SA
Configuration Guide

Summary of Contents for SafeNet Luna SA

  • Page 1 Luna SA Configuration Guide...
  • Page 2: Revision History

    SafeNet, Inc. Disclaimer SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.
  • Page 3: Table Of Contents

    Other Considerations CHAPTER 2 Configure the Luna Appliance for your Network Gather appliance network setting information Client Requirements Recommended Network Characteristics Power-up the HSM Appliance Luna SA Configuration Guide Release 5.4.1 007-011136-007 Rev C July 2014 Copyright 2014 SafeNet, Inc. All rights reserved.
  • Page 4 Prepare a Network Trust Link - Windows Import HSM Appliance Server Certificate onto Client (Windows) Register the HSM Server Certificate with the Client (Windows)
  • Page 5 Assign a Client to an HSM Partition Assign a Client to a Partition Verify Your Setup Client Connection Limits Applications and Integrations CHAPTER 9 Optional Configuration Tasks
  • Page 6: Preface

    Luna HSM users and security officers, key manager administrators, and network administrators. All products manufactured and distributed by SafeNet, Inc. are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.
  • Page 7: Document Conventions

    Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.) • User input (In the Date box, type April 1.)
  • Page 8: Support Contacts

    If you encounter a problem while installing, registering or operating this product, please ensure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support. SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization.
  • Page 9 Existing customers with a Customer Connection Center account, or a Service Portal account, can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.
  • Page 10: Planning Your Configuration

    0-9, the dash, the dot, or the underscore. No spaces. abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._ As with any secure system, no two users (regardless of role) can have the same name.
  • Page 11: Implications of Backup and Restore of User Profiles

    For example, users need to know to use their previous password, and to change it immediately.
  • Page 12: Security of Shell User Accounts

    Security of Shell User Accounts In most cases anticipated by the design and target markets for Luna SA, both the Luna SA appliance and any computers that make network connections for administrative purposes, would reside inside your organization's secure premises, behind well-maintained firewalls.
  • Page 13 Client A Client is a "working" or "production" user of one or more Luna SA HSM Partitions, that connects from a client computer (one that has set up NTLS by exchanging certificates and registering with the Luna SA). If a Client can provide the Partition Password, it can generate, delete, and use cryptographic objects (keys and certificates) on the Partition, as long as the Partition is prepared to accept the connection.
  • Page 14: How the Roles Are Invoked

    By default, the Crypto User role does not exist, and so the black PED Key owner is HSM Partition Owner. You create a Crypto User (the restricted Client user) with the "partition createUser" command.
  • Page 15: Bad Login Attempts

    But, because partitions contain the working keys, certificates, and objects that are used in your business, it is more likely that some scheme must be devised and maintained to control
  • Page 16: Luna PED Planning

    This is an opportunity to reconsider the key that you have inserted, before something irreversible happens. You can say "No" (don't overwrite what was found), remove the key, and go back to
  • Page 17: HSM Initialization and the Blue SO PED Key

    Either they carry it with them, or they sign it out when they are using it and sign it back into a secure lockup. If PED
  • Page 18: HSM Cloning Domain and the Red Domain PED Key

    "open for business" by Activating the partition - when a partition is activated, applications can present the partition challenge secret and make use of the partition
  • Page 19: Remote PED Orange PED Key (RPK)

    PED keys, with the same questions/choices for you to make about "reuse" (or a fresh, new secret), about M of N, about duplicates, etc.
  • Page 20: Secure Recovery Purple PED Key (SRK)

    - for example, both the HSM and a blue SO PED Key are imprinted with the HSM SO secret
  • Page 21: What Each PED Prompt Means

    HSM, so in future you must always type those PED PIN digits to reverse the XOR and present the HSM with the secret it is expecting. With a PED PIN applied, the secret for that role is now two-factor - something
  • Page 22: HSM Initialization and the Blue SO PED Key

    Just as with a single, non-split SO secret, you can apply PED PINs to each blue key in an M of N set. Consider, before you do, how complicated your administration and key-handling/key-update procedures could become.
  • Page 23: HSM Cloning Domain and the Red Domain PED Key

    - this is how you allow the new partition to accept objects from a Backup HSM or to be part of an HA group) This is how you control which partitions (on the same or different HSMs) share a domain.
  • Page 24: Remote PED Orange PED Key (RPK)

    HSM to service, or • wish to invoke Secure Transport Mode.
  • Page 25: Other Considerations

    PED Key sets.
  • Page 26: Chapter 2 Configure the Luna Appliance for Your Network

    The pscp utility is also included in the LunaClient Software installer, and is required for this installation. Go to "Recommended Network Characteristics" on page 27
  • Page 27: Recommended Network Characteristics

    [We suggest that each of the two power supplies be connected to an independent electrical source, and that at least one of those sources should be protected by UPS (uninterruptible power supply) and generator backup.]
  • Page 28 (check your network cable connections on the back panel and at hub or switch). Here is a summary.
  • Page 29: Power Off

    CAUTION: Never disconnect the power by pulling the power plug. Always use the START/STOP switch. To switch off the HSM appliance from the lunash command line, use the command: lunash:> sysconf appliance poweroff
  • Page 30: Open a Connection

    USB-to-serial adapter if needed. For security reasons, the USB port on the Luna SA appliance recognizes only SafeNet HSMs and peripheral devices - therefore it is prohibited from supporting general USB operations and thus does not accept a serial console link;...
  • Page 31: First Login & Changing Password

    Luna SA 5.4.0-14 [Build Time: 20131223 11:55] Authorized Use Only [localhost] ttyS0 login: admin Password: You are required to change your password immediately (root enforced)
  • Page 32 Enter new password: Re-type new password: Last login: Mon Jan 30 11:24:00 from 172.20.10.180 Luna SA 5.4.0-14 Command Line Shell - Copyright (c) 2001-2013 SafeNet, Inc. All rights reserved. Command Result: 0 (Success) [local_host] lunash:>...
  • Page 33: Set System Date and Time

    1. First, verify the current date and time on the HSM Server, to see if they need to change. At the lunash prompt, type the command: lunash:> status date which returns the current settings of date, time and timezone.
  • Page 34 That is, you can just skip ahead in these instructions and perform your intended initialization out of order, and then set the appliance time and zone, and carry on. We chose an order for these
  • Page 35: Configure IP and Network Parameters

    Gateway (eth0): <not set>
    Name Servers: <not set>
    Search Domain(s): <not set>
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
  • Page 36 Note: Setting the Search Domain is important so that you can use short names for your client machines.
  • Page 37: Make Your Network Connection

    If you have been connecting via serial terminal, and the direct administration connection, to configure the HSM Server, you can now make an ethernet connection to your network.
  • Page 38 NTP association status (partial table):
    1 21859 963a yes yes none sys.peer sys_peer 3
    2 21860 9024 yes yes none reject reachable 2
    NTP Time:
  • Page 39: Generate a New HSM Server Certificate

    IP address/hostname for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary. Command Result : 0 (Success)
  • Page 40 Sysconf regenCert with the IP argument results in a certificate with the appliance's IP address in the CN field. Using Luna SA with the link configured for IP-only speeds the NTLS client connection lookup, and bypasses such potential issues as transient DNS lookup failures and typing errors.
  • Page 41 If you have been following the instructions in these pages as part of setting up a new HSM appliance then the next step is to initialize the HSM on your Luna SA appliance. Those instructions can be found in the "HSM Configuration" section.
  • Page 42: Chapter 3 HSM Initialization

    Which kind do I have? Luna SA HSMs are shipped from the factory as one or the other type. This is not a field-changeable setting. If you are not sure which kind you have, verify the type of HSM with the hsm displayLicenses command. You can run that command from the Luna shell (logged in as appliance admin).
  • Page 43 If this is your only PED Authenticated Luna HSM, then you should have received a PED and PED Keys along with the HSM/appliance. If you have other PED Authenticated units at your location, then you can use a PED from one of them.
  • Page 44: Initializing a Password-Authenticated HSM

    (therefore, no words that occur in any dictionary) • no dates like birthdays or anniversaries, no proper names • should include miXEd-CAse letters, numbers, special (non-alphanumeric, -_!@#$%&*...).
  • Page 45 You are ready to adjust HSM Policies (if desired) and begin creating HSM Partitions for your Client's applications to use. "Set HSM Policies (Password Authentication)" on page 67
  • Page 46: Initializing a PED-Authenticated HSM

    ...but there's an exception ... The statement above applies reliably to a new Luna SA appliance, or one that has been factory reset. One of the options when initializing an HSM is to forbid changing of time/timezone without HSM login (hsm init -label myluna -authtimeconfig).
  • Page 47 The SRK external secret is held on the purple SRK PED Key(s), shipped to you separately from the HSM. With the Luna SA powered and connected to a Luna PED, and also connected to a computer having the Luna Client software installed (using local serial connection, or ssh session over the network), log in as appliance 'admin'.
  • Page 48: Re-split [see 'Resplit'] the SRK

    (offering them the same Secure Shipping option as is available from SafeNet). If you have just received an HSM from SafeNet in Secure Transport Mode, and recovered from STM, your next step should be to initialize the HSM. Go to "Initializing a PED-Authenticated HSM"...
  • Page 49: Preparing to Initialize a Luna SA HSM [PED Version]

    HSM Admin login status: Logged In HSM Admin login attempts left: 3 before HSM zeroization! RPV Initialized: Manually Zeroized: Partitions created on HSM:
  • Page 50: Why Initialize

    The above states are addressed by configuring and initializing your Luna SA HSM. Instructions start on this page. If you requested Secure Transport Mode shipment from SafeNet, then a couple of additional steps are required (also included in these instructions).
  • Page 51: Start a Serial Terminal or SSH Session

    Last login: Fri Dec 2 20:16:54 2011 from 192.17.153.225 Luna SA 5.1.0-22 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved. [myluna] lunash:>  Initialize the HSM 1. Have the Luna PED connected and ready (in local mode and "Awaiting command...").
  • Page 52 HSM to share the authentication with that other HSM. Authentication will be read from the PED Key that you present and imprinted onto the current HSM.
  • Page 53 Insert a blue HSM Admin / SO PED key [ of course, the PED Key is generically black - we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting ] and press [Enter].
  • Page 54 (This will be matched on the Luna SA HSM during this initialization). Luna PED makes very sure that you wish to overwrite, by asking again.
  • Page 55 PED PIN is desired. Luna PED imprints the PED Key, or the HSM, or both, as appropriate, and then prompts the final question for this key:
  • Page 56 PED Key in place. Luna PED passes the authentication along to the HSM and then asks the first question toward imprinting a cloning domain:
  • Page 57 If you have another HSM and wish that HSM and the current HSM to share their cloning Domain, then you must answer [ YES ]. In that case, Luna PED does not prompt for M and N.
  • Page 58 Insert a red HSM Cloning Domain PED key [ of course, the PED Key is generically black - we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting ] and press [Enter].
  • Page 59 Just as with the blue SO PED Key, the next message is:
  • Page 60 When you confirm that you do wish to overwrite whatever is (or is not) on the currently inserted key, with a Cloning Domain generated by the PED, the PED asks: And finally:
  • Page 61 Maximum HSM Storage Space (Bytes): 2097152 Space In Use (Bytes): 0 Free Space Left (Bytes): 2097152 Command Result : 0 (Success) [myluna] lunash:>
  • Page 62: Initialization - Some Additional Options and Description

    Keys) or, in the third column example to overwrite what is found and generate a new secret to be imprinted on both the PED Key and the HSM.
  • Page 63 (three-column PED prompt table; each column reads:) Enter a new PED PIN / Confirm new PED PIN
  • Page 64 (three-column PED prompt table; each column reads:) Would you like to reuse an existing keyset? (Y/N)
  • Page 65 Your security protocols might require that individual backup PED Keys be stored at separate locations according to role.
  • Page 66 At this point in the process of configuring your Luna HSM, you can: • optionally modify some of the HSM's Policy settings • go directly to "Creating HSM Partitions"
  • Page 67: Chapter 4 HSM Capabilities and Policies

    HSM Capabilities and Policies SafeNet Luna HSMs are built on one of our general-purpose HSM platforms (hardware plus firmware), and then are loaded with what we call "personality", to make them into specific types of HSM with specific abilities and constraints, to suit different markets and applications.
  • Page 68 Note: The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms. The SafeNet HSM is designed to the standard, but can permit activation of additional non-
  • Page 69: Set HSM Policies - PED (Trusted Path) Authentication

    Enable PED-based authentication: Allowed; Performance level; Enable domestic mechanisms & key sizes: Allowed; Enable masking: Allowed; Enable cloning: Allowed
  • Page 70 The alterable policies have numeric codes. You can alter a policy with the hsm changePolicy command, giving the code for the policy that is to change, followed by the new value.
  • Page 71 (If you are not logged in, the above command begins the login process, directing you to the PED. If you are already logged in, the Luna SA tells you so, with an error message, that you can ignore.) Control is passed to the PED, which prompts you for the blue PED Key.
  • Page 72: Chapter 5 Creating a Partition on the HSM

    Then, Login as HSM Admin To create HSM Partitions, you must login to the Luna HSM as HSM Admin. At the lunash prompt, type: lunash:> hsm login
  • Page 73: Create the Partition [PW]

    – include at least one punctuation character or special character such as @#$%&, etc. – avoid words that can be found in the dictionary (any language)
  • Page 74: Partition Creation Audit Log Entry

    You might wish to adjust "Partition Policies" on page 88 (Optional). Otherwise, go to "Prepare the Client for Network Trust Link" on page
  • Page 75: Prepare to Create a Partition (PED Authenticated)

    • if you have purchased a Luna SA capable of supporting multiple HSM Partitions and you wish to create those additional partitions (this procedure creates one HSM Partition at a time, and you would need to repeat it once for each Partition, up to the number supported by your Luna SA) , or •...
  • Page 76: Create (Initialize) the Partition - PED Authenticated

    Please ensure that you have purchased licenses for at least this number of partitions: -1 If you are sure to continue then type 'proceed', otherwise type 'quit'
  • Page 77 Respond "No" if you have a fresh, never-imprinted key, or if you have a key previously imprinted with an ID that you do not wish to preserve. 3. The PED requests values for :
  • Page 78 (enter "1" for both, unless you wish to invoke M of N split-secret, multi-person access control, "Using M of N" on page 4). The PED then demands the black Owner PED key with the message
  • Page 79 Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition. 5. The PED might continue with:
  • Page 80 When you provide a PED PIN – even if it is the null PIN (by just pressing [Enter] with no digits) – the PED requests it a second time, to ensure that you entered it correctly. Press [ENTER] again. 7. You are then prompted
  • Page 81 Luna PED. 9. The PED inquires if you intend to reuse a previously imprinted red Domain PED Key.
  • Page 82 10. As it did for the black key, the PED now requests values for M and N. Again, enter 1 for each unless you wish to invoke M of N splitting. 11. The PED then prompts for a red Domain PED key with the message
  • Page 83 12. The PED goes through the same prompts as for the black PED Key. Respond as appropriate. 13. Luna PED presents the generated partition challenge secret (password), which you must record:
  • Page 84: Partition Creation Audit Log Entry

    An audit log entry similar to the following is generated when a partition is created on the HSM: 5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
  • Page 85: Record the Partition Client Password (PED-Auth HSMs)

    The password/challenge secret is case-sensitive. Note: The PED times out after eight minutes. You must complete recording the password and press the ENTER button before time-out occurs.
  • Page 86 Next you might need to adjust the Partition Policy settings for the new Partition. (Optional; see "Partition Policies" on page 88.) Otherwise, see "Prepare the Client for Network Trust Link" on page
  • Page 88: Chapter 6 Partition Policies

    Enable RSA signing without confirmation: Allowed; Enable Remote Authentication: Allowed; Enable private key unmasking: Allowed; Enable secret key unmasking: Allowed; Enable RSA PKCS mechanism: Allowed
  • Page 89: Set Partition Policy

    1. To change a Partition Policy, at the lunash prompt type: lunash:> partition changePolicy -partition <name of HSM Partition> -policy <policy code> -value <new policy value>
  • Page 90: Policy Setting Example, Luna HSM with Password Authentication

    4. Log out of the HSM whenever you finish operations that require HSM login. lunash:> hsm logout lunash:> Go to "Prepare the Client for Network Trust Link".
  • Page 91: Chapter 7 Prepare the Client for Network Trust Link

    Similarly, each Client must generate its own certificate that identifies it uniquely (next section). Both the Client and the HSM appliance use these certificates to verify the other's identity before an NTL is created between them.
  • Page 92: Import a Server Cert

    To create an NTL, the Client and HSM appliance must first exchange certificates. Once the certificates have been exchanged, the Client registers the Luna SA’s certificate in a trust list, and the Luna SA appliance, in turn, registers the Client’s certificate in its list of clients.
  • Page 93: Prepare a Network Trust Link - Windows

    Import HSM Appliance Server Certificate onto Client (Windows) 1. Open a command prompt window on the Client, and change directory to c:\Program Files\Safenet\LunaClient\. 2. Securely transfer the server.pem file from the Luna SA, using the supplied pscp utility. c:\Program Files\SafeNet\LunaClient\ > pscp admin@myLuna:server.pem . admin@myLuna's password: server.pem...
  • Page 94 "cert" sub-directory and for the "client" and "server" sub-directories. Example Securely transfer the server.pem file from the Luna SA, using the supplied pscp utility. c:\Program Files\SafeNet\LunaClient\ > pscp admin@192.168.0.123:server.pem . admin@192.168.0.123's password: server.pem...
  • Page 95: Register the HSM Server Certificate with the Client (Windows)

    Invoke the vtl addServer command so that the client can create a secure connection with the HSM (the server). The vtl executable is located at c:\Program Files\SafeNet\LunaClient unless you have changed the default installation.
  • Page 96: Create a Client Certificate (Windows)

    "Create a Client Certificate (Windows)" on page Create a Client Certificate (Windows) Begin by creating a certificate and private key for the client, using the vtl command-line interface.
  • Page 97 (which by default are installed in the protected Windows directory "Program Files"). To adjust the permissions for the directory c:\Program Files\SafeNet\LunaClient\, right-click that directory. In the resulting context menu, select Properties, and in the ensuing dialog select the "Security" tab. Choose the appropriate user or group and adjust as needed.
  • Page 98 Files\SafeNet\LunaClient\>vtl createCert <clientIPaddress> In this case, the key and cert files are created with the filename being the IP address of the Client. Luna SA Configuration Guide Release 5.4.1 007-011136-007 Rev C July 2014 Copyright 2014 SafeNet, Inc.   All rights reserved.
  • Page 99: Export a Client Cert to an HSM Appliance (Windows)

  • Page 100 Note: For networks without DNS, use the HSM appliance's IP address, instead of the hostname.
    Example
    c:\> cd \Program Files\SafeNet\LunaClient\cert\client
    c:\Program Files\SafeNet\LunaClient\cert\client> dir
    <client-ip-address>Key.pem
    <client-ip-address>.pem
  • Page 101 Next, see "Register the Client Certificate to an HSM Server" on page 105, to continue the setup (configuration is nearly done at this point).
  • Page 102: Prepare A Network Trust Link - Unix/Linux

    Import HSM Appliance Server Certificate onto Client (UNIX)
    1. Ensure that you are in the /usr/lunaclient/bin directory on the Client.
    2. Securely transfer the server.pem file from the Luna SA, using the scp utility.
    bash-2.05# scp admin@myLuna3:server.pem .
    admin@myLuna3's password:
    server.pem...
  • Page 103: Register

    Note: If you are working without DNS, then supply the client IP numerically, instead:
    bash-2.05# ./vtl createCert -n <clientIPaddress>
    The cert and key files are created with the Client computer's IP address as the filenames.
  • Page 104: Export a Client Cert to an HSM Appliance (UNIX)

    Next, see "Register the Client Certificate to an HSM Server" on page 105, to continue the setup (configuration is nearly done at this point).
  • Page 105: Register the Client Certificate to an HSM Server

    The command expects to find (on the Luna SA appliance) a client certificate filename that matches the client's hostname (or IP address if you are not using DNS hostnames), as you provide it here. In other words, this is a check that you are registering the client whose .pem file you created in the previous steps and scp'd to the appliance.
  • Page 106: How Many Clients

    Luna SA. Regardless of who is connecting (your servers acting as clients to the Luna SA, or your own customers given client access to your Luna SA) note that any registered client might make dozens or hundreds of simultaneous connections while running multi-process applications against the Luna SA HSM server.
  • Page 107: Chapter 8 Assign a Client to an HSM Partition

    Client and Luna SA with each other
    The final configuration step, before your Client can begin using the Luna SA, is to assign the Client to a specific Partition. You will perform the actions in this section whenever you have a new client that needs access to an HSM Partition.
  • Page 108: Client Connection Limits

    If you get an error message, then some part of the configuration has not been properly completed. Retrace the procedure. At this point, the client and HSM are configured and registered with each other. You can now begin to use the Luna SA with your application.
  • Page 109: Optional Configuration Tasks

    Coordinated Universal Time (UTC), and is the recommended option for providing an accurate date and time for the appliance. Luna SA also provides secure NTP. See "Timestamping – NTP and Time Drift" on page 1 in the Luna SA Appliance Administration Guide.