Creating an NTLS Connection Using Self-Signed Certificates

To create an NTLS connection, the SafeNet Luna Network HSM and the client must exchange certificates. Each registers the other's certificate in a trusted list. When both certificates are registered, the Network Trust Link is ready, and the appliance administrator can assign application partitions to the client for cryptographic operations. By default, this procedure uses self-signed certificates. To register your clients using certificates signed by a trusted Certificate Authority, see Creating an NTLS Connection Using a Client Certificate Signed by a Trusted Certificate Authority.

NOTE   Secure Trusted Channel (STC) offers enhanced HSM-client message integrity, and an additional layer of protection for client-to-HSM communications, even over unsecured networks. To take advantage of this feature, see Creating an STC Connection. For more on the differences between NTLS and STC connections, see Comparing NTLS and STC.

There are two methods of assigning partitions to a client via a self-signed NTLS connection:

>Multi-Step NTLS Connection Procedure: performed by the appliance administrator and a client administrator

>One-Step NTLS Connection Procedure: automates the multi-step process. It can be used when the client administrator has admin-level access to the appliance, or through a custom registration account.

Multi-Step NTLS Connection Procedure

The multi-step procedure is performed by the appliance administrator and the client administrator.

Prerequisites

>You must have admin-level access to LunaSH on the appliance to register a client, or a custom account created to handle client registration (see Creating a One-Step NTLS Registration Role).

>By default, you do not need to log in as HSM SO. You can force the appliance to require HSM SO login for this procedure with lunash:> sysconf forcesologin enable.

>Luna HSM Client software must be installed on the client workstation (see Luna HSM Client Software Installation in the Installation Guide)

>The client workstation must have an SSH client installed to provide secure shell access to the SafeNet Luna Network HSM appliance. The PuTTY SSH client (putty.exe) is included in the Windows client installation.

>Read/write access to the Luna HSM Client installation directory is required for the certificate exchange.

>The client workstation must have network access to the SafeNet Luna Network HSM appliance. The appliance auto-negotiates network bandwidth. See Recommended Network Characteristics for more information.

NOTE   Administration commands can take a few seconds to be noted by NTLS. If you have added or deleted a client, wait a few seconds before connecting.

To create a multi-step NTLS connection between the appliance and a client

1. On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.

NOTE   On Windows, ensure that you open a command prompt with Administrator privileges.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

2. Use pscp or scp to import the HSM Appliance Server Certificate (server.pem) from the appliance to the client workstation. You require admin- or operator-level account access to complete this step. If you do not have SSL access to the appliance, or a firewall blocks file transfer over the network, the appliance admin must provide this certificate by other secure means.

TIP   If you are importing certificates from multiple appliances to this client, rename each incoming certificate during the pscp/scp transfer. This will prevent you from accidentally overwriting one server.pem certificate with another.

pscp <user>@<host/IP>:server.pem <target_filename>

NOTE   When using pscp or scp over an IPv6 network, enclose addresses in square brackets.

You must accept the SSH certificate the first time you open a pscp/scp or SSH link. You can check the SSH fingerprint in LunaSH to confirm the secure connection.

lunash:> sysconf fingerprint ssh

If the HSM appliance IP or hostname is changed, SSH detects a mismatch between the stored host key and the HSM appliance's server certificate information and warns you of a potential security breach. To resolve this issue, delete the server's entry from the client's known hosts file at /<user home dir>/.ssh/known_hosts2, and re-import the server certificate.

3. Register the HSM Server Certificate with the client, using the vtl utility from the command line or shell prompt. If using a host name, ensure the name is reachable over the network (ping <hostname>). Thales Group recommends specifying an IP address to avoid network issues.

>vtl addServer -n <Network_HSM_hostname/IP> -c <server_certificate>

4. Create a certificate and private key for the client. If you specify a client hostname, it must match exactly the hostname reported by the hostname command.

CAUTION!   If you are registering this client with multiple SafeNet Luna Network HSM appliances, you only need to complete this step once. Use the same client certificate for all appliances. If you recreate the client certificate and key, any existing NTLS connections will be broken.

>vtl createCert -n <client_hostname/IP>

The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.

5. Use pscp or scp to export the client certificate to the admin account (or an admin-level custom account) on the Network HSM appliance. The file arriving at the appliance is automatically placed in the appropriate directory. Do not specify a target directory.

pscp <cert_path/filename> admin@<host/IP>:[<target_filename>]

6. Connect to the appliance via SSH or a serial connection, and log in to LunaSH using an admin- or operator-level account (see Logging In to LunaSH).

7. Register the client certificate with the appliance, selecting a client name that can be used to easily identify the client. Specify either the -hostname or -ip option, according to which one you used to create the certificate.

lunash:> client register -client <client_name> {-hostname <client_hostname> | -ip <client_IP>}

8. [Optional] Verify the client registration.

lunash:> client list
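The client-side half of steps 2 to 5, collected into a small POSIX shell helper. This is an added example, not a script shipped with the Luna HSM Client: it assumes vtl and scp are on the PATH, that the client is installed under $LUNACLIENT_DIR (Linux default /usr/safenet/lunaclient), and that imported server certificates can be kept under cert/server (the cert/client path is the one the page documents; cert/server is an assumption). It applies the three cautions above automatically: incoming server.pem files are renamed per appliance so they cannot overwrite each other, IPv6 addresses are bracketed for scp, and vtl createCert is skipped when a client certificate already exists, because recreating it breaks every existing NTLS connection. With DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: client-side NTLS certificate exchange for the multi-step
# procedure. Not part of the Luna HSM Client; paths below are assumptions.

LUNACLIENT_DIR="${LUNACLIENT_DIR:-/usr/safenet/lunaclient}"
CERT_DIR="${CERT_DIR:-$LUNACLIENT_DIR/cert}"   # cert/client is documented; cert/server assumed
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# scp_host: IPv6 literals must be enclosed in square brackets for scp/pscp
scp_host() {
    case "$1" in
        *:*) printf '[%s]\n' "$1" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# register_flag: pick -ip for a dotted IPv4 literal, -hostname otherwise,
# matching whichever form was passed to vtl createCert
register_flag() {
    case "$1" in
        *[!0-9.]*) printf '%s\n' '-hostname' ;;
        *)         printf '%s\n' '-ip' ;;
    esac
}

# fetch_server_cert APPLIANCE USER: step 2 and 3. The server.pem is renamed
# per appliance during transfer so several appliances do not collide.
fetch_server_cert() {
    appliance="$1"; user="$2"
    target="$CERT_DIR/server/${appliance}-server.pem"
    mkdir -p "$CERT_DIR/server"
    run scp "${user}@$(scp_host "$appliance"):server.pem" "$target"
    run vtl addServer -n "$appliance" -c "$target"
}

# ensure_client_cert CLIENT: step 4, run only once. If both files exist the
# existing certificate is reused so current NTLS connections stay intact.
ensure_client_cert() {
    client="$1"
    if [ -f "$CERT_DIR/client/${client}.pem" ] && [ -f "$CERT_DIR/client/${client}Key.pem" ]; then
        return 0
    fi
    run vtl createCert -n "$client"
}

# push_client_cert CLIENT APPLIANCE USER: step 5. No target directory is
# given; the appliance files the incoming certificate itself.
push_client_cert() {
    client="$1"; appliance="$2"; user="$3"
    run scp "$CERT_DIR/client/${client}.pem" "${user}@$(scp_host "$appliance"):"
}

# register_client CLIENT APPLIANCE [USER]: steps 2 to 5, then print the
# LunaSH command the appliance administrator still has to run (step 7).
register_client() {
    client="$1"; appliance="$2"; user="${3:-admin}"
    fetch_server_cert "$appliance" "$user"
    ensure_client_cert "$client"
    push_client_cert "$client" "$appliance" "$user"
    printf 'Next, in LunaSH: client register -client %s %s %s\n' \
        "$client" "$(register_flag "$client")" "$client"
}

# usage: ./ntls_client_exchange.sh <client_hostname/IP> <appliance_hostname/IP> [appliance_user]
if [ $# -ge 2 ]; then
    register_client "$@"
fi
```

The SSH host-key prompt on first contact is left to scp itself; check the fingerprint it shows against lunash:> sysconf fingerprint ssh before accepting, as the note above describes.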

Now that the NTLS connection is established, the SafeNet Luna Network HSM appliance admin can assign partitions for the client to access (see Assigning or Revoking NTLS Client Access to a Partition).

One-Step NTLS Connection Procedure

The Luna HSM Client provides a one-step NTLS setup option, which automates the multi-step procedure described above.

The One-Step NTLS procedure is performed by the client administrator, and requires SSL access to an admin-level account (or a specialized NTLS registration account) on the SafeNet Luna Network HSM appliance. If you do not have SSL access to the appliance, an authorized user must provide the appliance certificate by other secure means, and you must use the multi-step procedure to manually register certificates.

This procedure uses pscp/scp to exchange certificates over the network. If a firewall prevents this file transfer, the procedure will fail. You must exchange the certificates by other secure means and perform the manual procedure.

One-Step NTLS can only be used to create a new NTLS connection, and not to assign additional partitions to the client. If an NTLS connection already exists between the client and the appliance, or if one has already registered the other's certificate, the operation fails.

SafeNet Luna Network HSM Prerequisites

>The appliance certificate (server.pem) must be available on the appliance (see Generating the HSM Server Certificate).

>An application partition must be available on the HSM (see Creating or Deleting an Application Partition).

>The client must not have a certificate already registered on the appliance.

Luna HSM Client Prerequisites

>Client software must be installed (see Luna HSM Client Software Installation).

>The client administrator must have access to an admin-level account, or a specialized NTLS registration account, on the appliance (see Creating a One-Step NTLS Registration Role).

>The client administrator must know the name of an existing application partition that will be assigned to the client.

>The appliance must not have a certificate already registered with the client.

>For Linux 64-bit platforms only, ensure that glibc.i686 is installed:

yum install glibc.i686

If you do not wish to install glibc.i686, use the Multi-Step NTLS Connection Procedure instead.

To create a One-Step NTLS connection between the appliance and a client

1. Launch LunaCM on the client workstation.

2. Initiate the One-Step NTLS procedure by specifying the appliance and client hostnames/IPs, and the name of the application partition to assign to this client. By default, the request is sent to the admin account, but you can specify any other account.

lunacm:> clientconfig deploy -server <server_hostname/IP> -client <client_hostname/IP> -partition <partition_name> [-user <appliance_username>] [-password <password>] [-verbose]

NOTE   After you enter the account password, LunaCM appears to pause for 1-2 minutes while the registration procedure is completed. This is expected behavior.

The NTLS connection is now active, and the specified partition has been assigned to the client. If you want this client to have access to more partitions on this HSM, see Assigning or Revoking NTLS Client Access to a Partition.

To initialize the application partition, see Initializing an Application Partition.

To restore a broken NTLS client connection, see Restoring Broken NTLS or STC Connections.