Creating an STC Link Between a Client and a Partition

If you require a higher level of security for your network links than is offered by NTLS, such as in cloud environments, or in situations where message integrity is paramount, you can use Secure Trusted Channel (STC) to provide very secure client-partition links. STC offers the following features to ensure the security and integrity of your client-partition communications:

>All data is transmitted using symmetric encryption; only the end-points can decrypt messages

>Message authentication codes prevent an attacker from intercepting and modifying any command or response

>Mutual authentication of the HSM and the end-point ensure that only authorized entities can establish an STC connection

See Secure Trusted Channel in the Administration Guide for more information. You can configure your SafeNet Luna Network HSM so that some partitions use STC and others use NTLS.

NOTE   The SafeNet Luna Network HSM can create STC and NTLS channels to different clients as required. The client can also support both STC and NTLS links. However, all links from a specific client to a specific SafeNet Luna Network HSM appliance must be either STC or NTLS.

STC links are not supported over an IPv6 network. You must use NTLS to make partition-client connections via IPv6.

If you plan to use Functionality Modules (FMs) on your HSM, you cannot use STC client connections. Use NTLS connections instead (see FM Deployment Constraints).

This section describes how to establish an STC connection between a client and a new partition. The procedure consists of the following major steps:

>Prerequisites

>Phase 1: Create the Client Token and Identity

>Phase 2: Register the Partition Identity Public Key to the Client

>Phase 3: Enable and Verify the STC Link

The following optional procedures are also described:

>Enabling STC on the Admin Channel (Optional)

>Registering a Single STC Partition to Multiple Clients

>Converting an Initialized NTLS Partition-Client Connection to STC

Figure 1: Creating an STC Link Between a Client and a Partition

Prerequisites

You must complete these procedures before establishing a partition-client STC connection. The instructions are divided into tasks performed by the HSM SO and the Client Administrator.

>HSM SO Prerequisites

>Enabling STC on the Admin Channel (Optional)

>Client Administrator Prerequisites

HSM SO Prerequisites

To prepare the HSM to use STC, the HSM SO must complete the following prerequisites. If you have Administrator access to the client workstation, you can use scp or pscp to transfer the server and partition public keys directly from the SafeNet Luna Network HSM. Otherwise, you must provide these keys to the client by other secure means.

1.Enable HSM Policy 39: Allow Secure Trusted Channel on the appliance.

a.Log in as HSM SO using LunaSH.

lunash:>hsm login

b.Set Policy 39 to 1 (Enabled).

lunash:>hsm changepolicy -policy 39 -value 1

c.Confirm that HSM Policy 39 is enabled.

lunash:>hsm showpolicies

2.Create one or more new partitions for the client.

NOTE   Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that you create partitions large enough to store the identity of every client workstation that will access the partition, in addition to cryptographic objects.

lunash:>partition create -partition <partition_name> [-size <bytes>]

When you create a partition, a partition identity key pair is automatically created.

3.For each partition you created, export the partition identity public key to the SafeNet Luna Network HSM file system. The file will be named with the partition's serial number. You can check the key's filename with my file list.

lunash:>stc partition export -partition <partition_name>

lunash:>my file list

lunash:>stc partition export -partition app_par1
Successfully exported partition identity for partition app_par1 to file: 154438865304.pid

lunash:>my file list
515 Mar  6 17:38 154438865304.pid
4409 Mar  6 10:44 firstboot.log

4.View the partition identity public key hash. It is recommended that you provide it (via separate channel) to the client receiving the partition identity public key, so that the Partition SO can verify the key's integrity as described in Phase 3: Enable and Verify the STC Link.

lunash:>stc partition show -partition <partition_name>

lunash:>stc partition show -partition app_par1

Partition Serial Number:                 154438865304
Partition Identity Public Key SHA1 Hash: 477ad2869ad892ebdd5007aa54fae3745fa175e2

5.The client will require the following files/information to establish the STC connection. The SafeNet Luna Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax).

scp 'admin@172.20.11.98:154438865304.pid' /usr/safenet/lunaclient/data/partition_identities/154438865304.pid 

or

pscp 'admin@172.20.11.98:154438865304.pid' C:\Program Files\SafeNet\LunaClient\data\partition_identities\154438865304.pid  

6.If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must transfer these files from the HSM and provide them to the client by other secure means:

The HSM Server Certificate (server.pem) from the SafeNet Luna Network HSM. If you have already established an NTLS connection between the appliance and the client, as detailed in Create a Network Trust Link Between the Client and the Appliance, you do not need to send this certificate.

The partition identity public key for each partition to be assigned to the client (154438865304.pid in the example above).

The partition identity public key hash for each partition to be assigned to the client. This is recommended so that the client can verify the key's integrity before using the partition. Do not send the hash by the same means as the certificates.

Enabling STC on the Admin Channel (Optional)

For added security, you can use STC to secure communications between the SafeNet Luna Network HSM appliance and the HSM Admin partition. This procedure is performed by the HSM SO using LunaSH. You must be logged in as HSM SO to enable or disable this feature. You must restart the STC service after enabling STC on the Admin channel.

NOTE   Enabling STC on the Admin channel is performance-affecting. For more information, see Using the STC Admin Channel.

To enable STC on the admin channel

1.Enable STC.

lunash:>hsm stc enable

2.Restart the STC service on the HSM.

lunash:>service restart stc

Client Administrator Prerequisites

To prepare the client to access a partition on the SafeNet Luna Network HSM, you must first establish a Network Trust Link to the appliance using the HSM Server Certificate (server.pem) you received from the HSM SO. You must have Administrator privileges on the client workstation.

1.Open a command line (as Administrator) on the client and navigate to the SafeNet Luna HSM Client install directory.

2.Register the SafeNet Luna Network HSM appliance with the client.

>vtl addserver -n <IP/hostname> -c <server_certificate_filename>

See Create a Network Trust Link Between the Client and the Appliance for more detailed instructions.

3.To check that you have successfully registered the appliance with the client, launch LunaCM and view the list of registered servers.

lunacm:>clientconfig listservers

Phase 1: Create the Client Token and Identity

This procedure is completed by an Administrator on the client workstation, using LunaCM.

CAUTION!   This step is not required if you have already created a client token and identity. Verify using lunacm:>stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.

To create the client token and identity

1.Open a SafeNet Luna HSM Client session.

a.Open a command prompt or terminal window.

b.Launch LunaCM.

Windows

C:\Program Files\SafeNet\LunaClient\lunacm

Linux /usr/safenet/lunaclient/data/bin/lunacm
Solaris/HP-UX /opt/safenet/lunaclient/data/bin/lunacm

2.Initialize the STC client software token, or insert the STC client hardware token (SafeNet eToken 7300) you have prepared for this client:

If you are using an STC client software token, initialize the STC client token.

lunacm:>stc tokeninit -label <token_label>

lunacm:> stc tokeninit -label mySTCclientToken

Successfully initialized the client token.

3.Create a client identity on the token. The STC client identity public key is automatically exported to the <luna_client_root_dir>/data/client_identities directory.

lunacm:>stc identitycreate -label <client_identity>

Example Unix/Linux

lunacm:> stc identitycreate -label mySTCclientID

Client identity successfully created and exported to file /usr/safenet/lunaclient/data/client_identities/mySTCclientID

Example Windows

lunacm:> stc identitycreate -label mySTCclientID

Client identity successfully created and exported to file C:\Program Files\SafeNet\LunaClient\data\client_identities\mySTCclientID

Phase 2: Register the Partition Identity Public Key to the Client

This step requires the partition identity public key file created by the HSM SO in Prerequisites (154438865304.pid in the example).

To register the partition identity public key to the client

1.Launch LunaCM and register the public key to the client.

lunacm:>stc partitionregister -file <partition_identity> [-label <partition_label>]

Example UNIX/Linux

lunacm:> stc partitionregister -file /usr/safenet/lunaclient/data/partition_identities/154438865304.pid -label app_par1

Partition identity 154438865305 successfully registered. 

Example Windows

lunacm:> stc partitionregister -file C:\Program Files\SafeNet\LunaClient\data\partition_identities\154438865304.pid -label app_par1

Partition identity 154438865305 successfully registered.

Repeat this step for each partition identity public key you wish to register to this client.

2.If you were provided with the partition identity public key hash, verify that the hashes match.

lunacm:>stc identityshow

lunacm:> stc identityshow

Client Identity Name:          mySTCclientID
Public Key SHA1 Hash:          1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6

List of Registered Partitions:

 Partition Identity   Partition        Partition Public Key SHA1 Hash
 Label                Serial Number
________________________________________________________________________________
 app_par1             154438865304     6916eca3751173f7cf903ab60b9bf1bf35088271

If the hashes do not match, deregister the partition identity public key, and contact your HSM SO.

lunacm:>stc partitionderegister -serial <partition_serial_number>

Phase 3: Enable and Verify the STC Link

CAUTION!   When you enable STC on the client, you must specify the SafeNet Luna Network HSM appliance that hosts the partition you want to link to. This forces the client to use STC for all links to the specified SafeNet Luna Network HSM appliance. Any existing NTLS connections to the specified SafeNet Luna Network HSM appliance will be terminated. Ensure you have registered the partition identity for each partition on this HSM before continuing.

To enable and verify the STC link

1.Launch LunaCM and view the list of registered servers to find the server ID of the SafeNet Luna Network HSM appliance that hosts the partition.

lunacm:>clientconfig listservers

2.Enable the STC link.

lunacm:>stc enable -id <server_ID>

lunacm:> stc enable -id 0

        You are about to enable STC to server 192.20.11.78.
        This will initiate an automatic restart of this application. All sessions
        logged in through the application will be closed.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Successfully enabled STC to connect to server 192.20.11.78.

LunaCM restarts. If successful, the partition appears in the list of available HSMs. The slot for the partition is easily identified because it does not have a label, since it is not yet initialized. In the following example, the uninitialized SafeNet Luna Network HSM partition is in slot 1:

        Available HSMs:

        Slot Id ->              0
        Label ->                stc_legacy
        Serial Number ->        359693009024
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                
        Serial Number ->        154438865304
        Model ->                LunaSA
        Firmware Version ->     7.0.1
        Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

3.Set the active slot to the new partition.

lunacm:>slot set -slot <slot>

4.Verify the link.

lunacm:>stc status

lunacm:> stc status

Enabled:        Yes
Status:         Connected
Channel ID:     2
Cipher Name:    AES 256 Bit with Cipher Block Chaining
HMAC Name:      HMAC with SHA 512 Bit

The Partition SO can now initialize the partition on the client workstation. See Configure Application Partitions. When the partition is initialized, the following actions are performed automatically:

>The client identity public key is registered to the partition.

>Partition policy 37: Force Secure Trusted Channel is enabled on the partition.

Registering a Single STC Partition to Multiple Clients

After the client-partition STC connection is established, you may want other clients to have access to the same partition. This allows the Partition SO, Crypto Officer, and Crypto User to access the partition from their own client workstations.

In the following procedure, Client 2 will register the HSM Server Certificate and the partition identity public key(s), and Client 1 will register Client 2's identity public key.

This procedure is completed by the Partition SO (Client 1) and the Client 2 Administrator.

Figure 2: Registering Two Clients to a Single Initialized Partition

Partition SO (Client 1) Prerequisites

You must provide the same files/information to the Client 2 Administrator that you received from the HSM SO. The SafeNet Luna Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must provide the following to the Client 2 Administrator by other secure means:

>The HSM Server Certificate (server.pem) from the SafeNet Luna Network HSM. Alternatively, the Client 2 Administrator can obtain it from the HSM SO.

>The partition identity public key for each partition you want to register to Client 2. You can use the original *.pid file supplied by the HSM SO, or export a copy to the client system using LunaCM:

lunacm:>role login -name po

lunacm:>stcconfig partitionidexport

lunacm:> stcconfig partitionidexport

Successfully exported partition identity for the current slot to /usr/safenet/lunaclient/data/partition_identities/154438865305.pid

>The partition identity public key hash for each partition to be registered to Client 2. This is recommended so that the Client 2 Administrator can verify the key's integrity before using the partition. You should not send the hash by the same means as the certificates. To view the hash in LunaCM:

lunacm:>stc identityshow

lunacm:> stc identityshow

Client Identity Name:          mySTCclientID
Public Key SHA1 Hash:          1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
List of Registered Partitions:

 Partition Identity   Partition        Partition Public Key SHA1 Hash
 Label                Serial Number
________________________________________________________________________________
 app_par1             154438865304     6916eca3751173f7cf903ab60b9bf1bf35088271

Client 2 Prerequisites

1.Launch LunaCM and create the client token and identity.

NOTE   This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.

lunacm:>stc tokeninit -label <token_label>

lunacm:>stc identitycreate -label <client_identity>

For a more detailed description of this step, see Phase 1: Create the Client Token and Identity.

2.Provide the following files/information to the Partition SO. The SafeNet Luna Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must provide the client identity to the Partition SO by other secure means.

The client 2 identity public key

The client 2 identity public key hash. This is recommended so that the Partition SO can verify the key's integrity before allowing access to the partition. You should not send the hash by the same means as the client identity public key. To view the hash in LunaCM:

lunacm:>stc identityshow

lunacm:> stc identityshow

Client Identity Name:          Client2
Public Key SHA1 Hash:          cd5ca1c094acfe44803a9ef4b412fc4087a16c32
List of Registered Partitions: None
Client 2 Administrator

1.Ensure that you have the required certificates/information from the Partition SO:

HSM Server Certificate (*.pem)

Partition identity public key (*.pid) for each partition to be registered

Partition identity public key hash for each partition

2.Open a command prompt or terminal window and navigate to the SafeNet Luna Network HSM client installation directory.

3.Use the vtl utility to register the HSM Server Certificate (192.20.11.78Cert.pem in the example below) to the client.

>vtl addserver -n <HSM_hostname_or_IP> -c <server_certificate>

>vtl addserver -n 192.20.11.78 -c ./cert/server/192.20.11.78Cert.pem

New server 192.20.11.78 successfully added to server list.

4.Launch LunaCM, register the partition identity public key to Client 2, and view the partition hash.

lunacm:>stc partitionregister -file <partition_identity> [-label <partition_label>]

lunacm:>stc identityshow

Repeat for each partition you want to register. For a more detailed description of this step, see Phase 2: Register the Partition Identity Public Key to the Client.

5.Find the correct server ID for the SafeNet Luna Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.

CAUTION!   This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure you have registered the partition identity for each partition on this HSM before continuing.

lunacm:>clientconfig listservers

lunacm:>stc enable -id <server_ID>

If the partition is not visible as a slot when LunaCM restarts, wait until the Partition SO completes the final procedure and activates Partition Policy 37. For a more detailed version of this step, see Phase 3: Enable and Verify the STC Link.

Partition SO (Client 1)

1.Ensure that you have received the required certificates/information from the Client 2 Administrator:

Client 2 identity public key

Client 2 identity public key hash

2.Launch LunaCM, change the active slot to the partition, and login as Partition SO.

lunacm:>slot set -slot <slotnum>

lunacm:>role login -name po

3.Register the Client 2 identity public key (Client2 in the example below).

lunacm:>stcconfig clientregister -label <client_label> -file <client_identity>

lunacm:> stcconfig clientregister -l Client2 -f /usr/safenet/lunaclient/data/client_identities/Client2

Successfully registered the client Client2 to the current slot.

4.View the hash for the Client2 identity.

lunacm:>stcconfig clientlist

lunacm:> stcconfig clientlist

 Client Name                    Client Public Key SHA1 Hash
 ___________________________________________________________________________

 Client2                        cd5ca1c094acfe44803a9ef4b412fc4087a16c32

 Partition SO                   1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6

If the displayed hash does not match the hash you received from the Client 2 Administrator, deregister the client identity and contact the Client 2 Administrator:

lunacm:>stcconfig clientdelete -label <client_label>

5.You can now initialize the Crypto Officer role (or the CO can initialize the Crypto User role) and provide the password to the Client 2 Administrator by secure means. See Configure Application Partitions.

The Partition SO can register additional clients to the same partition by repeating the process above.

Figure 3: Registering Multiple Clients to a Single Partition

Converting an Initialized NTLS Partition-Client Connection to STC

If you have initialized partitions already assigned to a client using NTLS, you can use the following procedure to switch to a more secure STC connection. All of the client's assigned partitions on the specified SafeNet Luna Network HSM will be converted. It is not possible for a client to connect to multiple partitions on a single SafeNet Luna Network HSM using a combination of NTLS and STC.

NOTE   The HSM SO must first enable HSM Policy 39: Allow Secure Trusted Channel on the SafeNet Luna Network HSM (see Prerequisites).

The Partition SO must complete this procedure.

To convert an NTLS partition-client connection to STC

1.Launch LunaCM and create the client token and identity.

NOTE   This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.

lunacm:>stc tokeninit -label <token_label>

lunacm:>stc identitycreate -label <client_identity>

For a more detailed description of this step, see Phase 1: Create the Client Token and Identity.

2.Login as Partition SO and export the existing partition ID.

lunacm:>slot set -slot <slotnum>

lunacm:>role login -name po

lunacm:>stcconfig partitionidexport

lunacm:> stcconfig partitionidexport

Successfully exported partition identity for the current slot to /usr/safenet/lunaclient/data/partition_identities/1238700701520.pid

3.Register the partition's public key with the client identity.

lunacm:>stc partitionregister -file <partition_identity> [-label <partition_label>]

Example UNIX/Linux  

lunacm:> stc partitionregister -file /usr/safenet/lunaclient/data/partition_identities/1238700701520.pid

Partition identity 1238700701520 successfully registered.

Example Windows  

lunacm:> stc partitionregister -file C:\Program Files\SafeNet\LunaClient\data\partition_identities\1238700701520.pid

Partition identity 1238700701520 successfully registered.

4.Register the client identity to the partition.

NOTE   Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that there is enough free space before registering a client identity.

lunacm:>stcconfig clientregister -label <client_label> -file <client_identity>

lunacm:> stcconfig clientregister -label mySTCclientID -file /usr/safenet/lunaclient/data/client_identities/mySTCclientID

Successfully registered the client mySTCclientID to the current slot.

5.Enable partition policy 37: Force STM Connection.

lunacm:>partition changepolicy -slot <slotnum> -policy 37 -value 1

Repeat steps 2-5 for each NTLS partition on the same SafeNet Luna Network HSM you want to register to this client.

NOTE   If this command returns an error, ensure that the HSM SO has enabled HSM Policy 39.

6.Find the correct server ID for the SafeNet Luna Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.

CAUTION!   This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure that you have completed steps 2-5 for each of this client's partitions before continuing.

lunacm:>clientconfig listservers

lunacm:>stc enable -id <server_ID>

If a partition is not visible as a slot when LunaCM restarts, disable STC for the server using lunacm:>stc disable -id <server_ID>, and ensure that you have activated Partition Policy 37. For a more detailed version of this step, see Phase 3: Enable and Verify the STC Link.