Add and Configure Client
Tip
Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand marketplace user interface refer to a service client. Luna Cloud HSM Services provisioned through external marketplace user interfaces refer to a partition client. This documentation refers to both as the client.
The client installation uses a .zip (Windows) or .tar (Linux) to deliver the client materials required for configuring your system's connection to the Luna Cloud HSM Service. The client .zip includes a pre-configured crystoki-template.ini file along with a client archive file containing a set of library and binary files.
Note
Windows systems are restricted to a single client per system. Adding a second client to a Windows operating system will overwrite the original client configuration. Please consider this limitation when planning your service configuration.
See the client Customer Release Notes for your client version for more information about supported operating systems and where you can deploy your client.
Caution
You must regularly and automatically synchronize your client host to an NTP server as client operations rely on accurate time.
Add client
Download a client using your DPoD tenant. For information about adding a Luna Cloud HSM Service to an existing client see Adding a Luna Cloud HSM Service in the Luna Client Guides.
Note
The client downloaded from the Luna Cloud HSM Service is a minimal client package. It does not contain Luna Universal Client utilities such as the Luna Software Development Kit (SDK) or pscp. To use these tools with the Luna Cloud HSM Service you must complete the Luna HSM Client Software Installation and configure the client to communicate with the Luna Cloud HSM Service as described in Adding a Luna Cloud HSM Service.
- Access the Service Page and click the service or partition name that you want to generate a client for.
- Click Create Client if this is your first client, or click New Client. The Create Client window displays.
- In the Create Client window, enter a Client Name (example: Luna-Cloud-HSM-Client_1) and select Create Client. A new client (in this case Luna-Cloud-HSM-Client_1_client.zip) is generated and provided for download and installation on your client machine.
Note
The client is a zip file that contains the system information needed to connect your client machine to an HSM partition. See the section client Contents for details of the client contents.
Unpack client .zip
Complete the following procedure for your operating system to unpack the client .zip.
Windows
- Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS, or another secure transfer tool.
- Using the Windows GUI or an unzip tool, unzip the file Service_Windows-Client_1_client.zip.
- Decompress cvclient-min.zip.
Note
Extract cvclient-min.zip within the directory you created in the previous step. Do not extract it to a new cvclient-min.zip directory. This location is required for the setenv command in step 7. If setenv is not executed, the lunacm command can only be run from the root of the client directory.
- Set the environment variable. Open an Administrator Command Prompt (right-click Command Prompt and select Run as Administrator) and execute the following:
    .\setenv.cmd
  The command returns:
    Generated <path_to_service_client>\crystoki.ini
Linux
Linux operating systems support installing multiple clients on a single host system. See the section Installing multiple clients on Linux.
- Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS, or another secure transfer tool.
- Unzip the client.
    unzip Service_Linux-Client_1_client.zip
Note
The Linux client contains the legacy Windows client materials. If you do not require the legacy Windows client, you can delete cvclient-min.zip.
- Untar the cvclient-min file.
    tar xvf cvclient-min.tar
Note
Extract cvclient-min.tar within the directory you created in the previous step. Do not extract it to a new cvclient-min.tar directory. This location is required for the setenv command in step 7. If setenv is not executed, the lunacm command can only be run from the root of the client directory.
- Set the environment variable.
    source ./setenv
Initialize partition
Initialize the partition and the required Service Client Roles to begin using the Luna Cloud HSM Service. For more information about client configuration parameters see client Configuration Requirements. To launch lunacm with logging enabled, see Logging.
- Start LunaCM from the directory where you unzipped the cvclient-min.zip file. Execute lunacm:
    lunacm
    ./bin/64/lunacm
- If the command executes with no errors, your connection is working correctly.
Tip
If you are unable to connect to the Luna Cloud HSM Service, see Client Network Connectivity and Client Troubleshooting for more information about resolving client connection issues.
    lunacm (64-bit) v10.4.0-417. Copyright (c) 2021 SafeNet. All rights reserved.

    Available HSMs:

    Slot Id ->              3
    Label ->
    Serial Number ->        1285336687861
    Model ->                Cryptovisor7
    Firmware Version ->     7.3.0
    CV Firmware Version ->  1.4.2
    Plugin Version ->       Cloud 2.1.0-554
    Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
    Slot Description ->     Net Token Slot
    FM HW Status ->         FM Not Supported

    Current Slot Id: 3

    lunacm:>
- Set the active slot to the uninitialized Luna Cloud HSM Service partition. You can verify the slot number by executing slot list in LunaCM.
    slot set -slot <slotnum>
- Initialize the Luna Cloud HSM Service partition. Execute the following and complete the wizard to create the partition security officer (po) and set the initial password and cloning domain.
    partition init -label <par_label>
- Log in as the partition SO (po).
    role login -name partition so
- Initialize the crypto officer (co) and set the initial password.
    role init -name crypto officer
- Log out of the partition security officer role and log in as the crypto officer.
    role logout
    role login -n crypto officer
Caution
On their first login, the crypto officer (co) must change the credential password set by the partition SO (po).
- Update the crypto officer password.
    role changepw -n crypto officer
Applications can now use the crypto officer credentials to perform cryptographic operations using keys and objects created in the partition.
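Picking the right slot is the step most likely to go wrong when a host has several clients: the following added example (not part of the Thales documentation or client) parses the field/arrow layout of the lunacm slot output shown above, selects the single slot whose Label is empty, which is assumed here to mean an uninitialized partition, and emits the command sequence of this procedure for it. The sample output is constructed; the second slot and its label and serial number are invented.

```python
import re

# Constructed sample of lunacm "slot list" output with two service slots
# (not captured from a real service): slot 3 is uninitialized (empty Label).
SAMPLE_SLOT_LIST = """\
Slot Id ->              3
Label ->
Serial Number ->        1285336687861
Model ->                Cryptovisor7
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode

Slot Id ->              4
Label ->                prod-signing-01
Serial Number ->        1285336687862
Model ->                Cryptovisor7
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode

Current Slot Id: 3
"""

FIELD = re.compile(r"^\s*(.+?)\s*->\s*(.*?)\s*$")   # "Name ->   value"

def parse_slots(text):
    """Split lunacm slot output into one dict per slot; a 'Slot Id' line opens a record."""
    slots, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # lines such as "Current Slot Id: 3" are skipped
        key, value = m.groups()
        if key == "Slot Id":
            current = {}
            slots.append(current)
        if current is not None:
            current[key] = value
    return slots

def uninitialized_slot_id(text):
    """Slot id to pass to 'slot set -slot'. Assumes (from the output shown above) that an
    uninitialized partition lists an empty Label; refuses to guess if 0 or >1 qualify."""
    found = [s for s in parse_slots(text) if s.get("Label", "") == ""]
    if len(found) != 1:
        raise ValueError(f"expected exactly one uninitialized slot, found {len(found)}")
    return int(found[0]["Slot Id"])

def init_commands(slot_id, par_label):
    """The lunacm command sequence from the procedure above, for the chosen slot."""
    return [f"slot set -slot {slot_id}", f"partition init -label {par_label}",
            "role login -name partition so", "role init -name crypto officer",
            "role logout", "role login -n crypto officer", "role changepw -n crypto officer"]
```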