
Configuring a Luna Cloud HSM Service Client

We recommend downloading a new Luna Cloud HSM Service Client for your Luna Cloud HSM Service regularly to gain access to the latest bug fixes, firmware updates, cryptographic utilities, enhanced performance and improved service resilience. For more information, see Upgrading your Luna Cloud HSM Service.

You must regularly and automatically synchronize your client host to an NTP server as client operations rely on accurate time.

The Luna Cloud HSM Service Client is delivered as a .zip download containing the materials required to configure your system's connection to the Luna Cloud HSM Service: a pre-configured crystoki-template.ini file and a client archive (cvclient-min.zip for Windows, cvclient-min.tar for Linux) holding the library and binary files.

See Luna Cloud HSM Services Supported Client Platforms for more information about supported operating systems and where you can deploy your Luna Cloud HSM Service Client.

Install service client

Complete the following procedures to access your Luna Cloud HSM Services from your operating system.

Windows

Navigate to the My Services tab. Click the service name.

Click Create Service Client, if this is your first client, or click New Service Client. The Create Service Client window displays.

In the Create Service Client window, enter a Service Client Name (e.g. Service_Windows-Client_1) and select Create Service Client.

A new Luna Cloud HSM Service Client (in this case Service_Windows-Client_1_client.zip) is generated and offered for download so you can install it on your client machine.

The Windows Luna Cloud HSM Service Client is a zip file that contains system information needed to connect your client machine to an existing Luna Cloud HSM Service available in the My Services table. See the section Luna Cloud HSM Service Client Contents for Luna Cloud HSM Service Client content details.

Transfer the Luna Cloud HSM Service Client to your machine. Use SCP, PSCP, WinSCP, FTPS or another secure transfer tool; the archive contains the credentials that authenticate this client to your service.

Using the Windows GUI or an unzip tool, unzip the file Service_Windows-Client_1_client.zip.

Extract cvclient-min.zip in place, within the directory you created in the previous step. Do not extract it into a new cvclient-min subdirectory; setenv.cmd in the next step expects the client files at this location.

Set the environment variable. Open an Administrator Command Prompt - right click Command Prompt and select Run as Administrator. Execute the following in the Administrator Command Prompt:


.\setenv.cmd

The command returns:


Generated <path_to_service_client>\crystoki.ini

Start LunaCM from the directory where you extracted cvclient-min.zip.

Execute


lunacm

If LunaCM starts without errors and lists your service as an available HSM slot, the client is connected to the Luna Cloud HSM Service.


    lunacm <64-bit> v10.1.0-32. Copyright (c) 2019 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              3
        Label ->
        Serial Number ->        0000000000001
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        CV Firmware Version ->  1.4.0
        Configuration ->        Luna User Partition with SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Not Supported

        Current Slot Id: 3

    lunacm:>

Linux

Linux operating systems support installing multiple Luna Cloud HSM Service Clients on a single host system. See the section Installing multiple Luna Cloud HSM Service Clients on Linux.

Navigate to the My Services tab. Click the service name.

Click Create Service Client, if this is your first client, or click New Service Client. The Create Service Client window displays.

In the Create Service Client window, enter a Service Client Name (e.g. Service_Linux-Client_1) and select Create Service Client.

A new Luna Cloud HSM Service Client (in this case Service_Linux-Client_1_client.zip) is generated and offered for download so you can install it on your client machine.

The Linux Luna Cloud HSM Service Client is a zip file that contains system information needed to connect your client machine to an existing Luna Cloud HSM Service available in the My Services table. See the section Luna Cloud HSM Service Client Contents for Luna Cloud HSM Service Client content details.

Transfer the Luna Cloud HSM Service Client to your machine. Use SCP, PSCP, WinSCP, FTPS or another secure transfer tool; the archive contains the credentials that authenticate this client to your service.

Unzip the Luna Cloud HSM Service Client.


unzip Service_Linux-Client_1_client.zip

The Linux Luna Cloud HSM Service Client contains the legacy Windows Luna Cloud HSM Service Client materials. If you do not require the legacy Windows client, you can delete the cvclient-min.zip.

Untar cvclient-min.tar in place, within the directory you created in the previous step. Do not extract it into a new cvclient-min subdirectory; the setenv script in the next step expects the client files at this location.


tar xvf cvclient-min.tar

Set the environment variable.


source ./setenv

Start LunaCM from the directory where you extracted cvclient-min.tar.

Execute


./bin/64/lunacm

If LunaCM starts without errors and lists your service as an available HSM slot, the client is connected to the Luna Cloud HSM Service.


    lunacm <64-bit> v10.1.0-32. Copyright (c) 2019 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              3
        Label ->
        Serial Number ->        0000000000001
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        CV Firmware Version ->  1.4.0
        Configuration ->        Luna User Partition with SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Not Supported

        Current Slot Id: 3

    lunacm:>
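The Linux procedure above, scripted end to end, as an added example that is not part of the Thales documentation or of the service client itself. It unpacks the client, extracts cvclient-min.tar in place, checks that the files setenv relies on are where setenv will look for them (catching the "extracted into a new cvclient-min directory" mistake the procedure warns about), and then runs a connection check that can be used from automation. The file names (setenv, crystoki-template.ini, bin/64/lunacm, cvclient-min.zip) are those named on this page; feeding `slot list` to lunacm on standard input instead of typing it at the lunacm:> prompt is an assumption about lunacm, and the install path is illustrative.

```shell
#!/bin/sh
# Added example, not Thales code: unpack a Linux Luna Cloud HSM Service Client
# in place, verify the layout, and check connectivity without an interactive session.
set -eu

# Unpack <client_zip> into <dest>. cvclient-min.tar is extracted inside <dest>
# itself, not into a subdirectory, so that setenv finds the files beside it.
install_dpod_client() {
    zip_file=$1
    dest=$2
    mkdir -p "$dest"
    unzip -q -o "$zip_file" -d "$dest"
    (cd "$dest" && tar xf cvclient-min.tar)
    rm -f "$dest/cvclient-min.zip"   # legacy Windows materials; not needed on Linux
}

# Return 0 if <dest> looks like a correctly extracted client, 1 otherwise.
verify_client_layout() {
    layout_dir=$1
    for f in setenv crystoki-template.ini bin/64/lunacm; do
        if [ ! -e "$layout_dir/$f" ]; then
            echo "missing $layout_dir/$f" >&2
            return 1
        fi
    done
    # The classic mistake: extracting the tar into its own cvclient-min/ directory.
    if [ -d "$layout_dir/cvclient-min" ]; then
        echo "cvclient-min.tar was extracted into $layout_dir/cvclient-min; setenv expects it in $layout_dir" >&2
        return 1
    fi
    return 0
}

# Connectivity check for scripts: source setenv (which generates crystoki.ini),
# feed 'slot list' to lunacm on stdin (assumption: lunacm accepts piped commands)
# and succeed only if at least one HSM slot is reported.
check_connection() {
    client_dir=$1
    (cd "$client_dir" && . ./setenv && printf 'slot list\nexit\n' | ./bin/64/lunacm) | grep -q 'Slot Id'
}

# Usage (illustrative path): ./install_client.sh Service_Linux-Client_1_client.zip /opt/dpod-client
if [ $# -eq 2 ]; then
    install_dpod_client "$1" "$2"
    verify_client_layout "$2"
    check_connection "$2" && echo "Luna Cloud HSM Service reachable from $2"
fi
```

Run the layout check before sourcing setenv; a client extracted one directory too deep fails later with a missing-library error from lunacm rather than at extraction time, which is harder to diagnose.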

Initialize service partition

For more information about Luna Cloud HSM Service Client configuration parameters for service label, domain string, and service client role passwords, see Luna Cloud HSM Service Client Configuration Requirements.

For more information about the client roles and responsibilities see Service Client Roles.

Set the active slot to the uninitialized application partition.


slot set -slot <slotnum>

You can verify the slot number by executing slot list in lunacm.

Initialize the application partition. Respond to the prompts to create the partition security officer (PO) and set its initial password and the cloning domain.


partition init -label <par_label>

Log in as partition SO. You can also use the shortcut po.


role login -name partition so

Initialize the crypto officer role and set the initial password. You can also use the shortcut co.


role init -name crypto officer

The partition SO can create the crypto officer, but only the crypto officer can create the crypto user. You must log out to allow the crypto officer to log in with the newly-set password.


role logout

Once the crypto officer logs in and changes the initial credential set by the partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The crypto officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called crypto user that can use the objects created by the crypto officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.

Log in as the crypto officer. You can also use the shortcut co.


role login -name crypto officer

The password for the crypto officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

If you have not already done so, change the initial password set by the Partition SO.


role changepw -name crypto officer

Create the crypto user. You can also use the shortcut cu.


role init -name crypto user

The password for the crypto user role is valid for the initial login only. The CU must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when they perform role-dependent actions.

The crypto user can now log in with the credentials provided by the crypto officer, and change the initial password. The crypto user can now use applications to perform cryptographic operations using keys and objects created in the partition by the crypto officer.
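The role-initialization steps above, driven from a script, as an added example that is not part of the Thales documentation. The LunaCM commands and role names (po, co, cu) are those on this page, with the interactive prompts replaced by LunaCM's non-interactive options (-password, -domain, -force for partition init; -password for role login and role init; -oldpw and -newpw for role changepw). Passwords are read from environment variables and written into the piped command stream rather than passed as script arguments, so they do not appear in the process list or shell history; the script stops after creating the crypto user so that the CU, not the CO, chooses the CU's real password. Feeding commands to lunacm on standard input is an assumption about lunacm; the "Command Result :" lines the scanner matches are LunaCM's per-command result lines, and CKR_PIN_EXPIRED is the error the page says you get when a role is used before its initial password has been changed.

```shell
#!/bin/sh
# Added example, not Thales code: initialize a Luna Cloud HSM partition and its
# roles non-interactively, and check LunaCM's output for CKR_PIN_EXPIRED.
set -eu

# Emit the LunaCM command sequence for a fresh partition.
# usage: init_commands <slot> <label> <domain>
# requires PO_PW, CO_INIT_PW, CO_PW and CU_INIT_PW in the environment.
# Order matters: the PO creates the CO, then logs out so the CO can log in;
# the CO must change its initial password before it may create the CU.
init_commands() {
    cat <<EOF
slot set -slot $1
partition init -label $2 -domain $3 -password $PO_PW -force
role login -name po -password $PO_PW
role init -name co -password $CO_INIT_PW
role logout
role login -name co -password $CO_INIT_PW
role changepw -name co -oldpw $CO_INIT_PW -newpw $CO_PW
role init -name cu -password $CU_INIT_PW
role logout
exit
EOF
}

# Scan LunaCM output on stdin. Return 0 only if every command reported "No Error".
# CKR_PIN_EXPIRED (0xa0) means a role was used before its initial password was changed.
check_results() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"Command Result : No Error"*) ;;
            *"CKR_PIN_EXPIRED"*)
                echo "role password expired: run role changepw for that role" >&2
                rc=1 ;;
            *"Command Result :"*)
                echo "lunacm error: $line" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Run the sequence against an installed client directory.
# usage: init_partition <client_dir> <slot> <label> <domain>
init_partition() {
    (cd "$1" && . ./setenv && init_commands "$2" "$3" "$4" | ./bin/64/lunacm) | check_results
}

# Usage (illustrative values): PO_PW=... CO_INIT_PW=... CO_PW=... CU_INIT_PW=... \
#   ./init_partition.sh /opt/dpod-client 3 mypartition mydomain
if [ $# -eq 4 ]; then
    init_partition "$1" "$2" "$3" "$4" && echo "partition $3 initialized; CU must now log in and change its password"
fi
```

Hand the CU its initial password out of band; when the CU logs in and runs role changepw the CO no longer knows the CU credential, which is the separation the page describes.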

Delete/revoke a Luna Cloud HSM Service Client

This procedure revokes a Luna Cloud HSM Service Client's credentials, disabling that client's access to the associated Luna Cloud HSM Service. To resume using the Luna Cloud HSM Service from that host, you will need to download and configure a new Luna Cloud HSM Service Client.

Find the Luna Cloud HSM Service Client name in the Service Client list.

In the Actions column, click the Garbage Can icon to delete the Luna Cloud HSM Service Client and revoke its credentials.

On the resulting pop-up dialog, click Delete.