Luna Cloud HSM Services

Service Quickstart Guide


This document provides a single article view of the steps required to provision a Luna Cloud HSM Service and initialize a Luna Cloud HSM Service partition. For more information about the procedures, see the linked article in each procedural section.

To provision and configure a Luna Cloud HSM Service for use, complete the following procedures in order:

  1. Provision the Service

  2. Create a Partition (external marketplaces only; DPoD-provisioned services include one partition)

  3. Add a Client

  4. Unpack the Client

  5. Initialize the Partition

Tip

Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand marketplace user interfaces refer to a service client. Luna Cloud HSM Services provisioned through external marketplaces user interfaces refer to a partition client. The documentation refers to these components as the client.

Provision the Service

Provision a Luna Cloud HSM Service. For more information about Luna Cloud HSM Services, see Services and the Luna Cloud HSM Service Guide.

  1. Log in to your DPoD enterprise tenant as a user with tenant administrator or application owner privileges.

  2. Open the Services tab and select the Add Service heading. Navigate the marketplace categories and click Create Service on the service that you would like to provision. If you have not Purchased a Service Subscription or previously completed a trial for the service, the option will display as Try Service.

  3. The Add Service wizard displays. Review the Terms of Service and click Next.

  4. On the Configure Service page, enter the required criteria for the service. You can optionally enable the use of algorithms that are not FIPS compliant by selecting the Remove FIPS restrictions check box.

    Caution

    You cannot alter the FIPS setting after creating the service.

    Click Next.

  5. Review your configuration summary page, and if you are satisfied click Finish. If you would like to adjust the service configuration click Go Back.

    DPoD starts provisioning the service; this may take a few moments. After provisioning completes, the service appears in the View Services table in DPoD with the Provisioned status.

Luna Cloud HSM Services are available from the following external service marketplaces:

When you provision a Luna Cloud HSM Service through an external marketplace a Thales Data Protection on Demand subscriber tenant is generated and the user is registered as the primary tenant administrator. The DPoD Subscriber Tenant provides access to features such as Reporting and User and Account Management. For more information about DPoD and Tenants see the DPoD Platform Documentation.

Luna Cloud HSM Services provisioned through external marketplaces do not benefit from the following DPoD features: Service Credentials, and Purchasing a Service Subscription through the DPoD marketplace.

Create a Partition

Luna Cloud HSM Services provide users access to partitions. If using an external marketplace, create a partition. For more information see Create Partition.

Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand platform provide access to a single partition per service. The partition is automatically generated and registered on service creation.

Users of Luna Cloud HSM Services provisioned through external (non-DPoD) marketplaces can create and manage the number of partitions defined by the Service Plan.

  1. Access the service page and view HSM Partitions by clicking the service's name in the Services table of your DPoD tenant.

    The service page displays. If you are accessing the service page directly for the first time, you must provide your DPoD tenant hostname/URL and user credentials.

  2. Click Create Partition.

    The Create Partition wizard displays.

  3. On the Configure Partition screen, provide a Partition Name. You can optionally enable the use of algorithms that are not FIPS compliant by selecting the Remove FIPS restrictions check box.

    Click Next.

    Caution

    You cannot alter the FIPS setting after creating the partition.

  4. Review your configuration summary page and if acceptable, click Finish. If you would like to make changes to the configuration, click Go Back.

    The DPoD server generates the partition; this may take a few moments.

    Once added, the new partition is listed under HSM Partitions and you are redirected to the service page which lists the partition details and the partition clients. See the Service Page for more information about available service, partition, and partition client details. See Add and Configure Client for more information about using the partition client.

Add a Client

Download a client using your DPoD tenant. For information about adding a Luna Cloud HSM Service to an existing client see Adding a Luna Cloud HSM Service in the Luna Client Guides.

Note

The client downloaded from the Luna Cloud HSM Service is a minimal client package. It does not contain Luna Universal Client utilities such as the Luna Software Development Kit (SDK) or pscp. To use these tools with the Luna Cloud HSM Service, you must complete the Luna HSM Client Software Installation and configure the client to communicate with the Luna Cloud HSM Service as described in Adding a Luna Cloud HSM Service.

  1. Access the Service Page and click the service or the partition name that you would like to generate a client for.

  2. Click Create Client, if this is your first client, or click New Client. The Create Client window displays.

  3. In the Create Client window, enter a Client Name (e.g. Luna-Cloud-HSM-Client_1) and select Create Client.

    A new client (in this case Luna-Cloud-HSM-Client_1_client.zip) generates and is provided for downloading and installing on your client machine.

    Note

    The client is a zip file that contains the system information needed to connect your client machine to an HSM partition. See the section Client Contents for client content details.

Unpack the Client

Complete the following procedures to unpack the client .zip for your operating system.

  1. Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS, or another secure transfer tool.

  2. Using the Windows GUI or an unzip tool, unzip the file - Service_Windows-Client_1_client.zip.

  3. Decompress the cvclient-min.zip.

    Note

    Extract the cvclient-min.zip within the directory you created in the previous step. Do not extract to a new cvclient-min.zip directory. This location is required for the setenv command in step 7.

  4. Set the environment variable. Open an Administrator Command Prompt (right-click Command Prompt and select Run as Administrator) and execute the following:

    
    .\setenv.cmd
    

    The command returns:

    
    Generated <path_to_service_client>\crystoki.ini
    

Linux operating systems support installing multiple clients on a single host system. See the section Installing multiple clients on Linux.

  1. Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS, or another secure transfer tool.

  2. Unzip the client.

    
    unzip Service_Linux-Client_1_client.zip
    

    Note

    The Linux client contains the legacy Windows client materials. If you do not require the legacy Windows client, you can delete the cvclient-min.zip.

  3. Untar the cvclient-min file.

    
    tar xvf cvclient-min.tar
    

    Note

    Extract the cvclient-min.tar within the directory you created in the previous step. Do not extract to a new cvclient-min.tar directory. This location is required for the setenv command in step 7.

  4. Set the environment variable.

    
    source ./setenv
    
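The following check is an added example and is not a script from the Thales page or from the DPoD client package. It verifies, after the four Linux steps above, that the client was extracted in place, that setenv was sourced rather than run as a child process, and that no file in the client directory is readable by other local users. It assumes (this is not stated on the page) that sourcing setenv exports ChrystokiConfigurationPath and writes Chrystoki.conf into that directory, and that the extracted tarball places the LunaCM binary at bin/64/lunacm; the function name check_client_dir is the example's own.

```shell
#!/bin/sh
# Added example; not a script from the Thales page or the DPoD client.
# Post-unpack sanity check for a Linux Luna Cloud HSM client directory.
# Assumptions (not stated on the page): `source ./setenv` exports
# ChrystokiConfigurationPath and writes Chrystoki.conf into that directory,
# and the extracted tarball places the lunacm binary at bin/64/lunacm.

# check_client_dir DIR [CONFIG_PATH]
#   DIR         directory where cvclient-min.tar was extracted
#   CONFIG_PATH directory holding Chrystoki.conf; defaults to
#               $ChrystokiConfigurationPath as exported by setenv
# Prints one line per problem found; returns 0 when everything checks out.
check_client_dir() {
    dir=$1
    cfgpath=${2:-${ChrystokiConfigurationPath:-}}
    rc=0

    # The tarball must be extracted in place (see the note above), so the
    # client files sit directly under DIR rather than in a nested directory.
    for f in setenv bin/64/lunacm; do
        if [ ! -e "$dir/$f" ]; then
            echo "MISSING: $dir/$f (was cvclient-min.tar extracted inside $dir?)"
            rc=1
        fi
    done

    # setenv only takes effect when sourced into the current shell; running it
    # as a child process leaves ChrystokiConfigurationPath unset here.
    if [ -z "$cfgpath" ]; then
        echo "ChrystokiConfigurationPath is unset: run 'source ./setenv', not './setenv'"
        rc=1
    elif [ ! -f "$cfgpath/Chrystoki.conf" ]; then
        echo "MISSING: $cfgpath/Chrystoki.conf (setenv did not generate a config)"
        rc=1
    fi

    # The client bundle carries the material that lets this host reach the
    # partition, so none of its files should be readable by other local users.
    loose=$(find "$dir" -type f -perm -004 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "WORLD-READABLE: $(printf '%s' "$loose" | tr '\n' ' ')"
        rc=1
    fi

    return "$rc"
}

# Typical use after the four unpack steps, from inside the client directory:
#   . ./setenv && check_client_dir "$PWD"
```

The permission check is the part worth keeping even if the rest is discarded: the client zip is the credential that lets a host talk to the partition, so it should be treated like a private key on disk.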

Initialize the Partition

Initialize the partition and the required Service Client Roles to begin using the Luna Cloud HSM Service. For more information about client configuration parameters, see Client Configuration Requirements.

To launch lunacm with logging enabled see Logging.

  1. Start LunaCM from the directory where you unzipped the cvclient-min.zip file.

    On Windows, execute:

    
    lunacm
    

    On Linux, execute:

    
    ./bin/64/lunacm
    

  2. If the command executes with no errors, your connection is working correctly.

    Tip

    If you are unable to connect to the Luna Cloud HSM Service see Client Network Connectivity and Client Troubleshooting for more information about resolving client connection issues.

    
        lunacm (64-bit) v10.4.0-417. Copyright (c) 2021 SafeNet. All rights reserved.
                Available HSMs:
                Slot Id ->              3
                Label ->
                Serial Number ->        1285336687861
                Model ->                Cryptovisor7
                Firmware Version ->     7.3.0
                CV Firmware Version ->  1.4.2
                Plugin Version ->       Cloud 2.1.0-554
                Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
                Slot Description ->     Net Token Slot
                FM HW Status ->         FM Not Supported
                Current Slot Id: 3
        lunacm:>
    

  3. Set the active slot to the uninitialized Luna Cloud HSM Service partition. You can verify the slot number by executing slot list in LunaCM.

    
    slot set -slot <slotnum>
    

  4. Initialize the Luna Cloud HSM Service partition. Execute the following and complete the wizard to create the partition security officer (po), and set the initial password and cloning domain.

    
    partition init -label <par_label>
    

  5. Log in as partition SO (po).

    
    role login -name partition so
    

  6. Initialize the crypto officer (co) and set the initial password.

    
    role init -name crypto officer
    

  7. Log out of the partition security officer role and log in as the crypto officer.

    
    role logout
    role login -n crypto officer
    

    Caution

    On their first login, the crypto officer (co) must change the password set by the partition SO (po).

  8. Update the crypto officer password.

    
    role changepw -n crypto officer
    

    Applications can now use the crypto officer credentials to perform cryptographic operations using keys and objects created in the partition.
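As an added example (not part of the Thales guide), the shell helper below parses the HSM listing that LunaCM prints, in the format of the sample output shown in step 2, and reports the Slot Id of every Luna Cloud HSM partition that is still uninitialized. An uninitialized partition appears with Model Cryptovisor7 and an empty Label, so this is a safe way to choose the number for the slot set command in step 3 without pointing it at a partition that is already in use. The listing embedded in the block is constructed from the guide's sample plus a second, already initialized partition whose serial number and label are made-up values; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Thales page: choose the slot for
# `slot set -slot <slotnum>` by parsing LunaCM's HSM listing (same format as
# the sample output in the guide). An uninitialized Luna Cloud HSM partition
# shows as Model Cryptovisor7 with an empty Label; initialized ones carry the
# label given to `partition init -label`.

# find_uninit_cloud_slots < listing
# Prints the Slot Id of each Cryptovisor7 slot whose Label is empty, one per
# line. Exits 1 when none is found (every partition is already initialized, or
# the client cannot see the service at all), so callers can stop early.
find_uninit_cloud_slots() {
    awk '
        function flush() {
            if (slot != "" && model == "Cryptovisor7" && label == "") {
                print slot; found = 1
            }
            slot = ""; label = ""; model = ""
        }
        /Slot Id ->/ { flush(); slot = $NF }
        /Label ->/   { s = $0; sub(/.*-> */, "", s); sub(/[ \t]+$/, "", s); label = s }
        /Model ->/   { model = $NF }
        END          { flush(); exit (found ? 0 : 1) }
    '
}

# Constructed sample listing: the slot from the guide's sample output plus a
# second partition that has already been initialized (serial number and label
# are made-up values, not from the page).
SAMPLE_LISTING='        Available HSMs:
        Slot Id ->              3
        Label ->
        Serial Number ->        1285336687861
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        Slot Id ->              4
        Label ->                app-signing-prod
        Serial Number ->        1285336687999
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        Current Slot Id: 3'

# Wrapper so the result of the constructed sample can be captured directly.
uninit_slots_in_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_uninit_cloud_slots
}

# Example run: prints "3" (slot 4 is skipped because it already has a label).
uninit_slots_in_sample
```

In practice the listing comes from a captured LunaCM session (for example the output of slot list saved to a file) rather than from the embedded sample; the parser only relies on the "Field -> value" layout, so an extra field between entries does not break it.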