Entrust Authority Security Manager
Configure your Entrust Authority Security Manager (EASM) to generate and secure the EASM Certificate Authority (CA) private keys on a Luna Cloud HSM Service. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM service for this integration.
This integration guide uses the following third party applications:
- Entrust Authority Security Manager (EASM)
- Entrust Authority Security Manager PostgreSQL
- Directory Server (Critical Path Directory server/OpenLDAP/OpenDJ/Atos DirX/Microsoft Active Directory LDS).
This integration is supported on the following operating systems:
- RHEL
Prerequisites
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Configure the Luna Cloud HSM service for your application integration. See the section Luna Cloud HSM Service for detailed instructions on deploying and initializing a Luna Cloud HSM service partition and Luna Cloud HSM service client for your application integration.
Please take the following limitations into consideration when integrating your application with a Luna Cloud HSM service partition:
Non-FIPS algorithms: A Luna Cloud HSM service operates in either FIPS or non-FIPS mode, and the mode determines which algorithms are available on the partition. FIPS mode is enabled by default. If your organization requires non-FIPS algorithms for its operations, select the Remove FIPS restrictions check box when configuring the Luna Cloud HSM service.
Refer to the Supported Mechanisms in the SDK Reference Guide for more information about available FIPS and non-FIPS algorithms.
Verify Luna Cloud HSM <slot> value: LunaCM commands act on the current slot. If there is only one slot, it is always the current slot. When integrating with Luna Cloud HSM services you must verify which slot your commands are sent to, because each service appears as its own slot.
If there is more than one slot, use the slot set command to direct commands to a specified slot. Use slot list to determine which slot numbers are in use by which Luna Cloud HSM service; the serial number shown for each slot identifies the service.
Setup EASM
Ensure the following software is installed on the machine before proceeding with the integration:
Entrust Authority Security Manager
Entrust Authority Security Manager PostgreSQL
Directory Server
Integration
Integrate Entrust Authority Security Manager (EASM) with a Luna Cloud HSM Service to secure the EASM CA keys. To set up Entrust Authority Security Manager to use the Luna Cloud HSM Service complete the following procedure set for your operating system:
Configuring EASM with a Luna Cloud HSM Service
Configure EASM to use the Luna Cloud HSM Service on Red Hat Enterprise Linux (RHEL) operating system.
Create the EASM user. This user will own the EASM installation.
Install Entrust Authority Security Manager PostgreSQL and Entrust Authority Security Manager. Refer to the Entrust Authority Security Manager documentation for detailed installation procedures.
Run the Entrust Authority Security Manager Configuration utility. When the system prompts you asking if you would like to use a hardware device for the CA keys, enter Yes.
Point the utility to the Cryptoki library at <service_client_installation_directory>/libCryptoki.so.
The EASM Configuration utility lists the available Luna Cloud HSM Service slots, each with its serial number. Select the slot whose serial number matches the Luna Cloud HSM Service provisioned for EASM.
Complete the EASM configuration.
Initialize EASM for the first time using the Entrust Authority Security Manager Master Control Command Shell. Set passwords for the Master1, Master2, Master3 and First Officer users.
Refer to the Entrust Authority Security Manager documentation for detailed procedures.
Entrust Authority Security Manager detects the service slot and prompts for the service password. Enter the Luna Cloud HSM Service password.
EASM generates the root CA key on the Luna Cloud HSM Service.
EASM performs a database backup.
EASM starts.
This completes the integration of Entrust Authority Security Manager with a Luna Cloud HSM Service.
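The two points in the procedure above that are easiest to get wrong are the Cryptoki library path handed to the Configuration utility and the choice of slot when more than one Luna Cloud HSM service is visible (see also the <slot> note under Prerequisites). The following pre-flight script is an added example and is not part of the Thales or Entrust documentation. It assumes that the service client is unpacked into a single directory holding libCryptoki.so and Chrystoki.conf, that lunacm accepts a command with -c, and that slot list prints a "Slot Id ->" and a "Serial Number ->" line for each slot; the sample output embedded in the script is constructed for offline testing, not captured from a real service.

```shell
# Pre-flight checks to run as the EASM user before the EASM Configuration utility.
# Added example; not Thales or Entrust code. Assumed layout: one client directory
# containing libCryptoki.so and Chrystoki.conf. Assumed lunacm behaviour:
# "lunacm -c 'slot list'" prints "Slot Id ->" and "Serial Number ->" per slot.

# Verify the PKCS#11 library EASM will load: present, readable by the caller
# (so run this as the EASM user), an ELF object, with Chrystoki.conf beside it.
check_cryptoki() {
    dir="$1"
    lib="$dir/libCryptoki.so"
    [ -f "$lib" ] || { echo "missing: $lib" >&2; return 1; }
    [ -r "$lib" ] || { echo "not readable: $lib" >&2; return 1; }
    magic=$(dd if="$lib" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF object: $lib" >&2; return 1; }
    [ -f "$dir/Chrystoki.conf" ] || { echo "missing: $dir/Chrystoki.conf" >&2; return 1; }
    return 0
}

# Map a service serial number to its slot id, reading "slot list" output on stdin.
# Fails (exit 1) when the serial is absent, so a wrong partition is never picked silently.
slot_for_serial() {
    awk -v want="$1" '
        /Slot Id ->/       { id = $NF }
        /Serial Number ->/ { if ($NF == want) { print id; found = 1; exit } }
        END                { if (!found) exit 1 }
    '
}

# Constructed sample of "slot list" output with two services, for offline testing only.
SAMPLE_SLOT_LIST='
        Slot Id ->              0
        Label ->                easm-test
        Serial Number ->        1111111111111
        Model ->                Cryptovisor7

        Slot Id ->              1
        Label ->                easm-ca
        Serial Number ->        2222222222222
        Model ->                Cryptovisor7

        Current Slot Id: 0
'

# Run both checks against the live client. ChrystokiConfigurationPath tells
# lunacm (and later EASM, via libCryptoki.so) where Chrystoki.conf lives.
preflight() {
    check_cryptoki "$1" || return 1
    ChrystokiConfigurationPath="$1"; export ChrystokiConfigurationPath
    slot=$(lunacm -c "slot list" | slot_for_serial "$2") \
        || { echo "serial $2 not found in slot list" >&2; return 1; }
    echo "select slot $slot (serial $2) in the EASM Configuration utility"
}
# Usage: preflight /opt/dpod-client 2222222222222
```

The serial number you pass is the one shown for your service in the Luna Cloud HSM console; the script refuses to guess when it is not listed, which is the failure you want before a CA key is generated on the wrong partition.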
Use the ca key show-cache command on the Entrust Authority Security Manager command line to display all of the keys created during integration. Alternatively, run partition contents in lunacm to list the objects on the Luna Cloud HSM Service partition.