
Administration & Maintenance - HTL

HTL Setup Linux

You should already have confirmed that NTLS is bound to the correct interface address on your Luna SA appliance, with the ntls bind command.

Linux Client HTL Setup

Import Luna SA Server Certificate to the Client

  1. From the command prompt on your Linux client, navigate to this directory:
    /usr/safenet/lunaclient/bin
  2. Securely transfer the server.pem file from the Luna SA to the client, using the scp utility. This certificate is what the client will trust for its NTLS connection to the appliance, so confirm it (for example by comparing its fingerprint against one obtained from the appliance out of band) before registering it in the next section:
    scp admin@LunaSA:server.pem .
    admin@LunaSA's password:
    server.pem 100% 1164 1.1KB/s 00:00


Register the Luna SA with the Client (specifying HTL)

  1. From the /usr/safenet/lunaclient/bin directory, use the vtl utility to register the Luna SA appliance, making sure to specify -htl:
    # ./vtl addServer -n <SAhostname-or-IPaddress> -c server.pem -htl
    ---------------- Example --------------------------
    # ./vtl addServer -n LunaSA -c server.pem -htl
    New server LunaSA successfully added to server list.


Create a Client Certificate

  1. Use the vtl utility to create a client certificate:
    # ./vtl createCert -n <clienthostname-or-ipaddress>
    ----------------- Example -------------------------
    # ./vtl createCert -n MyClient
    Private Key created and written to: /usr/safenet/lunaclient/cert/client/MyClientKey.pem
    Certificate created and written to: /usr/safenet/lunaclient/cert/client/MyClient.pem


Export Client Certificate to Luna SA  

  1. Use the scp utility to export the client certificate to your Luna SA:
    # scp /usr/safenet/lunaclient/cert/client/<client.pem> admin@<SAhostname-or-IPaddress>:
    ------------------- Example -----------------------
    # scp /usr/safenet/lunaclient/cert/client/MyClient.pem admin@LunaSA:
    admin@LunaSA's password:
    MyClient.pem 100% 1164 1.1KB/s 00:00


Register Client with HTL   

  1. On the Luna SA appliance, from the luna shell, after the client certificate has been transferred to your Luna SA (above), register your client, making sure the -requireHtl flag is specified. The client name given with -c must match the name of the certificate file you uploaded (MyClient.pem for client MyClient). If you register by hostname rather than IP address, the appliance must be able to resolve that hostname.
    lunash:>client register -c <clientname> -ip <client-ip-address> -requireHtl
    ---------------- Example -------------------------
    lunash:>client register -c MyClient -ip 192.76.20.10 -requireHtl
    'client register' successful.
    Command Result : 0 (Success)
    lunash:>
    OR
    lunash:>client register -c <clientname> -hostname <client-hostname> -requireHtl
    ---------------- Example -------------------------
    lunash:>client register -c MyClient -hostname myfirstclient -requireHtl
    'client register' successful.
    Command Result : 0 (Success)
    lunash:>


Generate OTT for Client on Luna SA   

  1. A One Time Token (OTT) is required for your client to initiate the Host Trust Link strong-binding connection with your Luna SA appliance. On the appliance, from the luna shell, generate the OTT for the client. The token expires after the default OTT expiry period (300 seconds unless changed; see htl show below), so transfer it to the client promptly.
    lunash:>htl generateOtt -client <clientname>
    -------------------- Example ----------------------
    lunash:>htl generateOtt -client MyClient
    One-time token for client MyClient is ready to use.
    Filename is MyClient.ott
    Command Result : 0 (Success)
    lunash:>


Export OTT from Luna SA to Client   

  1. On your client, use the scp utility to transfer the newly generated OTT from the Luna SA to your client, addressing the appliance either by IP address or by hostname:
    # scp admin@<SAHostname-or-IPaddress>:<clientname.ott> .
    --------------------- Example ---------------------
    # scp admin@10.2.87.61:MyClient2.ott .
    admin@10.2.87.61's password:
    MyClient2.ott 100% 32 0.0KB/s 00:00

    OR
    --------------------- Example ---------------------
    # scp admin@MyLunaSA:MyClient2.ott .
    admin@MyLunaSA's password:
    MyClient2.ott 100% 32 0.0KB/s 00:00


Establish Host Trust Link   

After the OTT has been transferred to your client, the final step is to place the token where the client's HTL service will find it.

  1. Move the token to the htl directory on the client, renaming it with the IP address or hostname of your Luna SA appliance (the same name you used when registering the appliance with vtl addServer):
    # mv MyClient2.ott /usr/safenet/lunaclient/htl/<SAHostname-or-IPaddress>.ott
    -------------------- Example ----------------------
    # mv MyClient2.ott ../htl/myLunaSA.ott
    #

You must rename the token file (see above); a token left under its original <clientname>.ott name will not be picked up. It is easiest to change the filename during the "move" operation.


After the token has been moved to its correct location, it is used automatically during the next HTL polling interval; no further client-side command is needed.

On the Luna SA appliance, you can confirm the status of the Host Trust Link with the htl show command. The HTL Status changes to "Up" and the OTT Status changes to "In use" after the client has successfully established a Host Trust Link. If a client still shows "Down" after a polling interval has passed, check that the .ott file is in the client's htl directory under the correct name and that the token did not expire before the client picked it up.

lunash:>htl show
HTL Grace period   :  60 seconds
Default OTT expiry :  300 seconds


 Client Name         HTL Status     OTT Status     OTT Expiry Time
 -----------------------------------------------------------------
 MyClient            Down           No file        300 (default)
 MyClient2           Up             In use         300 (default)

Command Result : 0 (Success)
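The client-side part of the procedure above, collected into one script. This is an added example and is not part of the Luna SA documentation or the SafeNet client software. It assumes the default client install under /usr/safenet/lunaclient (overridable with a LUNACLIENT_DIR variable, which is this script's own convention), an appliance admin account named admin, and that the appliance name passed on the command line is the same one given to vtl addServer -n. It also adds two checks the manual does not spell out: it prints the SHA-256 fingerprint of the fetched server.pem so you can compare it with a value obtained from the appliance out of band before the certificate is trusted, and it refuses to install a missing or empty token file. The appliance-side lunash commands (client register -requireHtl and htl generateOtt) still have to be run by hand between the two stages.

```shell
#!/bin/sh
# Added example, not from the Luna SA documentation or the SafeNet client.
# Client-side helper for the Linux HTL setup procedure.
#
# Assumptions (change for your site):
#   - client software under /usr/safenet/lunaclient; LUNACLIENT_DIR overrides
#     it (our own convention, also used by the self-test);
#   - the appliance admin account is "admin";
#   - the appliance name given on the command line is the one used with
#     "vtl addServer -n", because the token file is named after it.

LUNACLIENT_DIR="${LUNACLIENT_DIR:-/usr/safenet/lunaclient}"

# Path where the client expects the token: <htl dir>/<appliance>.ott
ott_target_path() {
    printf '%s/htl/%s.ott\n' "$LUNACLIENT_DIR" "$1"
}

# Print the SHA-256 fingerprint of a fetched server.pem so it can be compared
# with a value obtained out of band from the appliance before the certificate
# is trusted with "vtl addServer". Requires the openssl command.
server_cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Stage 1 (manual steps 1-4): fetch server.pem, register the appliance with
# HTL required, create the client certificate and upload it. After this, run
# "client register -c <client> ... -requireHtl" and "htl generateOtt" in lunash.
prepare_client() {
    appliance="$1"; client="$2"; admin="${3:-admin}"
    cd "$LUNACLIENT_DIR/bin" || return 1
    scp "$admin@$appliance:server.pem" . || return 1
    server_cert_fingerprint server.pem || return 1
    ./vtl addServer -n "$appliance" -c server.pem -htl || return 1
    ./vtl createCert -n "$client" || return 1
    scp "$LUNACLIENT_DIR/cert/client/$client.pem" "$admin@$appliance:" || return 1
}

# Move a fetched <client>.ott into the htl directory under the appliance name.
# The rename is the step most often missed; a token left under the client's
# own name is not picked up. Fails rather than installing a missing or empty
# file, since that would only show up later as HTL Status "Down".
install_ott() {
    src="$1"; appliance="$2"
    dest="$(ott_target_path "$appliance")"
    [ -s "$src" ] || { echo "OTT file '$src' is missing or empty" >&2; return 1; }
    mkdir -p "$LUNACLIENT_DIR/htl" || return 1
    mv "$src" "$dest" || return 1
    chmod 600 "$dest"   # the token is a secret until the client consumes it
    echo "$dest"
}

# Stage 2 (manual steps 6-7): fetch the OTT generated on the appliance and
# install it. Run promptly; the appliance expires the token (300 s by default).
fetch_and_install_ott() {
    appliance="$1"; client="$2"; admin="${3:-admin}"
    cd "$LUNACLIENT_DIR/bin" || return 1
    scp "$admin@$appliance:$client.ott" . || return 1
    install_ott "$client.ott" "$appliance"
}

# Usage: sh htl-client.sh prepare <appliance> <client> [admin]
#        sh htl-client.sh ott     <appliance> <client> [admin]
case "${1:-}" in
    prepare) prepare_client "$2" "$3" "$4" ;;
    ott)     fetch_and_install_ott "$2" "$3" "$4" ;;
    *)       echo "usage: $0 {prepare|ott} <appliance> <client> [admin]" >&2 ;;
esac
```

Run the prepare stage first, complete the client register and htl generateOtt steps in lunash, then run the ott stage; afterwards confirm with htl show on the appliance that the client's HTL Status is "Up". install_ott prints the final path so you can check it matches the appliance name you registered.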