Creating a One-Step NTLS Registration Role
Creating NTLS links between a client and partition using the one-step method (see One-Step NTLS Connection Procedure) usually requires administrative access to the SafeNet Luna Network HSM appliance. You can set up a custom role that allows a third party to use only the commands necessary for one-step NTLS.
To create a one-step NTLS registration role
1.Create a role definition .txt file on your local workstation, listing the following commands:
scp partition list client list client register client assignPartition
NOTE All lines must end with a UNIX-style linefeed (lf) character. If you create your file in Windows, be sure to convert it to use UNIX line endings before transferring it to an HSM appliance.
These are the commands necessary for creating one-step NTLS links. You can include any other commands for your registration purposes. See client for the complete set of commands.
2.Transfer the role definition file (registerclient.txt in the example below) to the appliance using pscp (Windows) or scp (Linux/UNIX).
Windows |
pscp registerclient.txt admin@<server_host/IP>: pscp registerclient.txt admin@192.168.0.123: |
Linux/UNIX |
scp registerclient.txt admin@<server_host/IP>: scp registerclient.txt admin@192.168.0.123: |
3.Log in to the appliance by SSH as the admin user.
4.Import the role definition file to create the registerclient role.
lunash:> user role import -file registerclient.txt -role registerclient
5.Create the register user account.
lunash:> user add -username register
6.Assign the role to the register user.
lunash:> user role add -username register -role registerclient
7.Open a new SSH connection to the appliance and log in as register with the default password "PASSWORD".
login as: register register@192.168.0.123's password:
You will be prompted to set a new password for the register user. This will be the password you provide to the third-party client. Ensure it is both secure and distinct from the admin user password.
LunaSH passwords must be at least eight characters in length,
and include characters from at least three of the following four
groups:
> lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
> uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
> numeric: 0123456789
> special (spaces allowed): !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~
8.Provide the register password and the partition name to the client operator. The client can now establish a one-step NTLS connection by specifying the register user and password in LunaCM.
lunacm:> clientconfig deploy -server <server_host/IP> -client <client_host/IP> -partition <name> -user register