Creating a One-Step NTLS Registration Role

Creating NTLS links between a client and partition using the one-step method (see One-Step NTLS Connection Procedure) usually requires administrative access to the SafeNet Luna Network HSM appliance. You can set up a custom role that allows a third party to use only the commands necessary for one-step NTLS.

To create a one-step NTLS registration role

1. Create a role definition .txt file on your local workstation, listing the following commands:

scp
partition list
client list
client register
client assignPartition

NOTE: All lines must end with a UNIX-style linefeed (LF) character. If you create the file in Windows, convert it to UNIX line endings before transferring it to the HSM appliance.

These are the commands necessary for creating one-step NTLS links. You can include any other commands required for your registration purposes. See the client command reference for the complete set of commands.

2. Transfer the role definition file (registerclient.txt in the example below) to the appliance using pscp or scp.

pscp registerclient.txt admin@<server_host/IP>:

3. Log in to the appliance by SSH as the admin user.

4. Import the role definition file to create the registerclient role.

lunash:> user role import -file registerclient.txt -role registerclient

5. Create the register user account.

lunash:> user add -username register

6. Assign the role to the register user.

lunash:> user role add -username register -role registerclient

7. Open a new SSH connection to the appliance and log in as register with the default password "PASSWORD".

login as: register
register@192.168.0.123's password:

You will be prompted to set a new password for the register user. This will be the password you provide to the third-party client. Ensure it is both secure and distinct from the admin user password.

LunaSH passwords must be at least eight characters in length, and include characters from at least three of the following four groups:
>  lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
>  uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
>  numeric: 0123456789
>  special (spaces allowed):  !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

8. If you are using SafeNet Luna Network HSM appliance software 7.0, custom users do not automatically have access to the appliance's Server Certificate (server.pem). You must transfer the certificate from the appliance's admin account to the custom register account. This step is unnecessary if you have installed appliance software 7.1 or newer.

pscp admin@<server_host/IP>:server.pem .

pscp server.pem register@<server_host/IP>:

9. Provide the register password and the partition name to the client operator. The client can now establish a one-step NTLS connection by specifying the register user and password in LunaCM.

lunacm:> clientconfig deploy -server <server_host/IP> -client <client_host/IP> -partition <name> -user register
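The following script is an added example, not part of the Thales documentation or LunaSH: it writes the minimal role definition file from step 1 with LF-only line endings, checks it for the line-ending and content mistakes the note above warns about, and lists any commands beyond the minimal set so the role stays limited to what one-step NTLS needs. The scratch directory it uses is an assumption of the script; the file name registerclient.txt is the one the procedure uses.

```shell
# Added example (not from the Thales documentation): write the minimal
# one-step NTLS role definition file from step 1 and verify it before the
# step 2 transfer. The scratch directory is an assumption of this script.

# The five commands the procedure lists as necessary for one-step NTLS.
REQUIRED_CMDS='scp
partition list
client list
client register
client assignPartition'

# printf emits LF-only endings on every platform, as LunaSH requires.
write_role_file() {
    printf '%s\n' "$REQUIRED_CMDS" > "$1"
}

# Verify a role file: no CR bytes, a linefeed after the last command, and
# every required command present as a whole line. Non-zero status on failure.
check_role_file() {
    file=$1
    # Stripping CRs must leave the file unchanged, else it has Windows endings.
    if ! tr -d '\r' < "$file" | cmp -s - "$file"; then
        echo "error: $file contains CR characters (Windows line endings)" >&2
        return 1
    fi
    # $(...) strips trailing newlines, so the last byte is LF iff this is empty.
    if [ ! -s "$file" ] || [ -n "$(tail -c 1 "$file")" ]; then
        echo "error: $file is empty or its last line lacks a linefeed" >&2
        return 1
    fi
    printf '%s\n' "$REQUIRED_CMDS" | while IFS= read -r cmd; do
        grep -qxF -- "$cmd" "$file" || { echo "error: missing '$cmd'" >&2; exit 1; }
    done || return 1
}

# Print lines beyond the minimal set so the role stays limited to what the
# third party needs; output is empty for a minimal file.
extra_commands() {
    allow=$(mktemp)
    printf '%s\n' "$REQUIRED_CMDS" > "$allow"
    grep -vxF -f "$allow" "$1" || :
    rm -f "$allow"
}

# Demonstration run in a scratch directory; on success the file is ready for:
#   scp registerclient.txt admin@<server_host/IP>:
demo=$(mktemp -d)
write_role_file "$demo/registerclient.txt"
check_role_file "$demo/registerclient.txt" && echo "$demo/registerclient.txt is ready to transfer"
```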