Create a Network Trust Link - One-Step Setup
In this section, we set up a network trust link (NTL) between a SafeNet Luna HSM Client and an application partition on a SafeNet Luna Network HSM using the clientconfig deploy command. We then register each with the other, enabling applications on a client computer to access the partition.
This procedure is performed by the HSM SO on the client computer. If you do not have physical access to the client, you must use the multi-step procedure and exchange the appliance and client's certificates by other secure means. See Create a Network Trust Link - Multi-step setup.
The One-Step Setup option is intended for first-time connection of an HSM appliance and a client. If you already have a network trust link, then certificates have already been exchanged, and you can register additional partitions manually.
Additional clients can use One-Step NTLS setup against the same appliance, and any client can use One-Step NTLS setup against multiple appliances. All parties must have unique hostnames; none should retain "local_host".
When you run the clientconfig deploy command, it performs the following actions:
1. Check conditions prior to running the command:
   • check if the SafeNet Luna Network HSM is already registered on the client station
   • check appliance and client connectivity
   • check if the client is already registered on the appliance
   • check that the target partition has been created
2. Retrieve the HSM appliance's certificate.
3. Register the HSM appliance's certificate with the client.
4. Create the client's certificate, if one does not already exist.
5. Export the client's .pem file to the SafeNet Luna Network HSM.
6. Connect to the appliance, register the client, and assign the partition.
7. Verify that the clientconfig deploy command has set up the NTLS connection successfully between the client and the appliance.
During the process, if a failure is encountered, the command attempts to back out of the operation and clean up, all the way back to the start of the operation.
NOTE Secure Trusted Channel (STC) offers enhanced HSM-client message integrity, and an additional layer of protection for client-to-HSM communications, even over unsecured networks. To take advantage of this feature, see Creating a Client-Partition STC Connection. For more on the differences between NTLS and STC connections, see Comparing NTLS and STC.
Prerequisites
The following prerequisite conditions must be in place:
On the SafeNet Luna Network HSM side
>The SafeNet Luna Network HSM's server.pem file must be available on the appliance (sysconf regencert command in LunaSH).
>NTLS must be restarted with service restart ntls so that the service picks up the newly generated appliance certificate.
>An application partition must exist on the HSM (use the partition create command in LunaSH - you did this in Create Application Partitions).
lunash:>partition list

                                                Storage (bytes)
                                        ----------------------------
   Partition          Name      Objects    Total      Used      Free
===========================================================================
 154438865287         LunaPar1        0   325896         0    325896

Command Result : 0 (Success)
On the client side
Two files, pscp and plink, are included for Linux installations to make the deploy option possible (see clientconfig deploy). Those files are 32-bit applications. For Linux 64-bit platforms only, ensure that glibc.i686 is installed. (See Linux SafeNet Luna HSM Client Installation)
yum install glibc.i686
NOTE If you do not wish to install glibc.i686, you can use the multi-step NTL setup procedure in section Create a Network Trust Link - Multi-step setup.
To create a Network Trust Link
1.On the client computer, where SafeNet Luna HSM Client is installed, launch LunaCM.
2.In LunaCM, run the clientconfig deploy command:
lunacm:>clientconfig deploy -server <server_IP> -client <client_IP> -partition <partition_name> [-password <password>] [-user <username>]
lunacm:> clientconfig deploy -server 192.20.11.78 -client 10.124.0.31 -partition LunaPar1
Please wait while we set up the connection to the HSM. This may take several minutes...
The server's host key is not cached in the registry. You have no
guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 15:86:1d:82:d9:8f:e9:51:90:62:0d:f5:87:e5:89:a3
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n) y
Using username "admin".
Please enter appliance admin role user's password:
Last login: Wed Mar 29 17:19:11 2017 from 10.124.0.31
Luna SA 7.0.0 Command Line Shell - Copyright (c) 2001-2017 SafeNet, Inc. All rights reserved.
New server 192.20.11.78 successfully added to server list.
The following Luna SA Slots/Partitions were found:
Slot Serial # Label
==== ================ =====
0 154438865287
Command Result : No Error
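The transcript above shows the one point in the procedure where the HSM SO makes a trust decision: on first contact, the appliance's SSH host key is not yet cached, and answering "y" pins whatever key the remote end presents. The following POSIX shell script is an added example, not part of the Luna documentation or of the clientconfig tool. It performs two pre-flight checks an operator can run on the client: that the client hostname is no longer the default "local_host", and that the RSA host-key fingerprint shown in the prompt matches one the HSM SO recorded out of band beforehand (for example from the appliance console). The sample prompt text is constructed from the transcript on this page, and the "expected" fingerprint used in the demo is that same sample value; the script name and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Luna documentation or the clientconfig tool):
# pre-flight checks for a first-time "clientconfig deploy". All sample values
# below are constructed for the demonstration.

# Accept a hostname only if it is not the factory default. The documentation
# requires every appliance and client to have a unique, non-default hostname.
hostname_ok() {
    case "$1" in
        ""|local_host|localhost|localhost.localdomain) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the first-contact prompt that clientconfig deploy prints on stdin and
# print the RSA host-key fingerprint it shows (prints nothing if none is found).
extract_fingerprint() {
    sed -n 's/^ssh-rsa [0-9][0-9]* \([0-9a-fA-F:]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Lower-case a fingerprint so that copies written in different cases compare equal.
normalize_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f'
}

# Return 0 only when the fingerprint shown by the appliance matches the one the
# HSM SO recorded out of band. Only then should "y" be given at the
# "Store key in cache?" prompt; otherwise press Return to abandon the connection.
verify_fingerprint() {
    expected=$(normalize_fp "$1")
    shown=$(normalize_fp "$2")
    [ -n "$expected" ] && [ -n "$shown" ] && [ "$expected" = "$shown" ]
}

# Constructed sample: the prompt text as it appears in the transcript above.
sample_prompt() {
    cat <<'EOF'
The server's host key is not cached in the registry. You have no
guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 15:86:1d:82:d9:8f:e9:51:90:62:0d:f5:87:e5:89:a3
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
EOF
}

# Run both checks against the constructed sample values.
run_demo() {
    # Sample "recorded out of band" value; in practice this comes from the
    # appliance console, never from the prompt itself.
    expected_fp="15:86:1d:82:d9:8f:e9:51:90:62:0d:f5:87:e5:89:a3"
    for h in hsm-client-01 local_host; do
        if hostname_ok "$h"; then
            echo "hostname '$h': ok"
        else
            echo "hostname '$h': still the default, rename it before deploy"
        fi
    done
    shown=$(sample_prompt | extract_fingerprint)
    if verify_fingerprint "$expected_fp" "$shown"; then
        echo "fingerprint $shown matches the recorded value: answer y at the cache prompt"
    else
        echo "fingerprint mismatch ($shown): abandon the connection and investigate"
    fi
}

run_demo
```

In real use, replace sample_prompt with the captured output of clientconfig deploy (or read the fingerprint off the screen) and keep expected_fp in a file the HSM SO populated before the client ever contacted the appliance; the point of the check is that the value being compared against did not come over the same unauthenticated channel.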
Next
If you want to assign more partitions to this client, see Enable the Client to Access a Partition.
To begin configuring the partition you just assigned, see Configure Application Partitions.