
Administration & Maintenance - HTL

HTL Setup in Windows

You should already have confirmed that NTLS is bound to the correct interface/address on your Luna SA appliance, using the ntls bind command.

Windows Client HTL Setup

Import Luna SA Server Certificate to the Client

  1. Open a command prompt on the Windows client and navigate to this directory:
    C:\Program Files\SafeNet\LunaClient>
  2. Securely transfer the server.pem file from the Luna SA to the client using the pscp utility (the trailing "." saves the file in the current directory):
    C:\Program Files\SafeNet\LunaClient>PSCP.EXE admin@myLuna:server.pem .
    admin@myLuna's password:
    server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%


Register the Luna SA with the Client (specifying HTL)

  1. At the command prompt on the Windows client, navigate to this directory:
    C:\Program Files\SafeNet\LunaClient>
  2. Use the vtl utility to register the Luna SA, specifying the -htl flag. The -c argument must point to the server.pem file you transferred in the previous step (the example assumes it was placed under cert\server):
    C:\Program Files\SafeNet\LunaClient>VTL.exe addserver -n <SA hostname-or-IPaddress> -c "C:\Program Files\SafeNet\LunaClient\cert\server\server.pem" -htl
    New server <SA hostname or IPaddress> successfully added to server list.


Create a Client Certificate

  1. Use the vtl utility to create a client certificate:
    C:\Program Files\SafeNet\LunaClient>VTL.exe createCert -n <clientHostname-or-IPaddress>
    ----------------- Example -------------------------
    C:\Program Files\SafeNet\LunaClient>VTL.exe createCert -n myClient
    Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\myClientKey.pem
    Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\myClient.pem


Export Client Certificate to Luna SA

  1. Use the pscp utility to export the client certificate to your Luna SA. Note the trailing colon after the appliance name: it tells pscp that the destination is the remote host, and without it pscp writes a local file named after the appliance instead.
    C:\Program Files\SafeNet\LunaClient>PSCP.EXE cert\client\<clientCert>.pem admin@<SAhostname-or-IPaddress>:
    --------------------- Example ---------------------
    C:\Program Files\SafeNet\LunaClient>PSCP.EXE "C:\Program Files\SafeNet\LunaClient\cert\client\myClient.pem" admin@LunaSA:
    admin@LunaSA's password:
    myClient.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%


Register Client with HTL

  1. On the Luna SA appliance, from the luna shell, after the client certificate has been transferred to your Luna SA (above), register your client, making sure the -requireHtl flag is specified. You can register by IP address or by hostname (a hostname must be resolvable from the appliance):
    lunash:>client register -c <clientname> -ip <client-ip-address> -requireHtl
    ---------------- Example -------------------------
    lunash:>client register -c MyClient -ip 192.76.20.10 -requireHtl
    'client register' successful.
    Command Result : 0 (Success)
    lunash:>
    OR
    lunash:>client register -c <clientname> -hostname <client-hostname> -requireHtl
    ---------------- Example -------------------------
    lunash:>client register -c MyClient -hostname myfirstclient -requireHtl
    'client register' successful.
    Command Result : 0 (Success)
    lunash:>


Generate OTT for Client on Luna SA

  1. A One-Time Token (OTT) is required for your client to initiate the Host Trust Link strong-binding connection with your Luna SA. On the Luna SA, from the luna shell, generate the OTT for the client:
    lunash:>htl generateOtt -client <clientname>
    ------------------ Example ------------------------
    lunash:>htl generateOtt -client MyClient
    One-time token for client MyClient is ready to use.
    Filename is MyClient.ott
    Command Result : 0 (Success)
    lunash:>


Export OTT from Luna SA to Client

  1. On your client, transfer the newly generated OTT from the Luna SA appliance to the client:
    PSCP.EXE admin@<SAHostname-or-IPaddress>:<clientname>.ott .
    --------------- Example ---------------------------
    C:\Program Files\SafeNet\LunaClient>PSCP.EXE admin@LunaSA:MyClient.ott .
    admin@LunaSA's password:
    MyClient.ott | 0 kB | 0.0 kB/s | ETA: 00:00:00 | 100%


Establish Host Trust Link

After the OTT has been transferred to your client, the final step is to make the token available to the HTL client.

1. Move the token to the htl directory on the client, renaming it with the IP address or hostname of your Luna SA appliance (use the same value you gave to vtl addserver -n):
move <clientname>.ott "C:\Program Files\SafeNet\LunaClient\htl\<SAhostname-or-IPaddress>.ott"
---------------- Example --------------------------
C:\Program Files\SafeNet\LunaClient>move MyClient.ott "C:\Program Files\SafeNet\LunaClient\htl\myLunaSA.ott"
1 file(s) moved.

C:\Program Files\SafeNet\LunaClient>

 

You must rename the token file (see above); it is easiest to do so as part of the move operation. Do not delay this step: the OTT expires (300 seconds by default, as reported by htl show), and an expired token cannot be used to establish the link.
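The client-side steps above, collected into one PowerShell script that runs them in order and stops on the first failing exit code. This is an added example, not SafeNet's own tooling. It assumes PuTTY's pscp.exe is on PATH, vtl.exe is in the LunaClient directory, the appliance login is admin, and that the .ott file installed under htl\ must carry exactly the name the appliance was registered with via vtl addserver -n (the script enforces that by reusing one variable for both). It keeps server.pem where pscp drops it, in the LunaClient directory, and points -c at that path. The lunash steps (client register -requireHtl and htl generateOtt) stay interactive; the script pauses while you run them.

```powershell
# Added example, not SafeNet's own tooling: runs the Windows-client half of the
# HTL setup with the commands documented on this page and stops on the first
# failure. Assumptions: pscp.exe (PuTTY) is on PATH, vtl.exe lives in the
# LunaClient directory, and the appliance login is "admin".
param(
    [Parameter(Mandatory)][string]$LunaSA,      # hostname or IP, as given to "vtl addserver -n"
    [Parameter(Mandatory)][string]$ClientName,  # name for createCert -n and "client register -c"
    [string]$LunaClientDir = 'C:\Program Files\SafeNet\LunaClient',
    [string]$ApplianceUser = 'admin'
)

function Invoke-Checked {
    # pscp and vtl report failure through the exit code, not a PowerShell
    # exception, so check $LASTEXITCODE after every native call.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

Set-Location $LunaClientDir
$vtl = Join-Path $LunaClientDir 'vtl.exe'

# 1. Import the appliance server certificate (saved in the LunaClient directory,
#    as in the pscp step above) and register the appliance with -htl.
$serverPem = Join-Path $LunaClientDir 'server.pem'
Invoke-Checked 'pscp.exe' @("$ApplianceUser@${LunaSA}:server.pem", $serverPem)
Invoke-Checked $vtl @('addserver', '-n', $LunaSA, '-c', $serverPem, '-htl')

# 2. Create the client certificate and copy it to the appliance. The trailing
#    ':' marks the remote side as the destination.
Invoke-Checked $vtl @('createCert', '-n', $ClientName)
$clientPem = Join-Path $LunaClientDir "cert\client\$ClientName.pem"
Invoke-Checked 'pscp.exe' @($clientPem, "$ApplianceUser@${LunaSA}:")

# 3. The appliance-side steps run in lunash; pause until the operator has done them.
Write-Host "In lunash, run:  client register -c $ClientName -ip <client-ip> -requireHtl"
Write-Host "then:            htl generateOtt -client $ClientName"
$null = Read-Host 'Press Enter once the OTT has been generated'

# 4. Fetch the OTT and install it as htl\<LunaSA>.ott. Reusing $LunaSA keeps the
#    token name identical to the name registered with addserver -n (assumption:
#    the HTL client looks the token up by that name). The token expires (300 s
#    by default per "htl show"), so this step should follow generation promptly.
$ott = "$ClientName.ott"
Invoke-Checked 'pscp.exe' @("$ApplianceUser@${LunaSA}:$ott", '.')
$htlDir = Join-Path $LunaClientDir 'htl'
if (-not (Test-Path $htlDir)) { New-Item -ItemType Directory -Path $htlDir | Out-Null }
Move-Item -Path $ott -Destination (Join-Path $htlDir "$LunaSA.ott") -Force
Write-Host "OTT installed under $htlDir; the HTL client consumes it at its next polling interval."
```

Run it from an elevated prompt as `.\Setup-LunaHtl.ps1 -LunaSA myLunaSA -ClientName MyClient`; pscp will prompt for the appliance password on each transfer. Because every native call goes through Invoke-Checked, a wrong path or a rejected certificate stops the script before the OTT step rather than leaving a half-registered client behind.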

 

After the token has been moved to its correct location and renamed to reflect the Luna SA hostname or IP address, the client uses it at its next HTL polling interval; this happens automatically and needs no further action.

On the Luna SA appliance, confirm the status of the Host Trust Link with the htl show command. The HTL Status changes to "Up" and the OTT Status changes to "In Use" once the client has successfully established a Host Trust Link:

lunash:>htl show

HTL Grace period   :  60 seconds
Default OTT expiry :  300 seconds
 Client Name         HTL Status     OTT Status     OTT Expiry Time
 -----------------------------------------------------------------
 MyClient            Up             In Use         300 (default)

Command Result : 0 (Success)
lunash:>
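To automate the check above, here is an added example (not part of the SafeNet documentation) that parses htl show output into objects and reports whether a named client is Up with its OTT In Use. The sample text embedded in the script is constructed from the htl show output shown above; the plink invocation in the comment is an assumption about how you would capture the real output from the appliance, and the column parser accepts any status strings, not only the two the page shows.

```powershell
function ConvertFrom-HtlShow {
    # Parse the table printed by "htl show" into one object per client row.
    # Rows start after the dashed separator line and end at "Command Result".
    param([Parameter(Mandatory)][string[]]$Lines)
    $inTable = $false
    foreach ($line in $Lines) {
        if (-not $inTable) {
            if ($line -match '^\s*-{20,}\s*$') { $inTable = $true }
            continue
        }
        if ($line -match '^\s*Command Result') { break }
        # Columns: client name, HTL status, OTT status (may contain a space,
        # e.g. "In Use"), OTT expiry. Columns are separated by 2+ spaces.
        if ($line -match '^\s*(\S+)\s{2,}(\S+)\s{2,}(.+?)\s{2,}(.+?)\s*$') {
            [pscustomobject]@{
                ClientName = $Matches[1]
                HtlStatus  = $Matches[2]
                OttStatus  = $Matches[3]
                OttExpiry  = $Matches[4]
            }
        }
    }
}

function Test-HtlUp {
    # $true only when the named client shows HTL Status "Up" and OTT Status "In Use".
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$ClientName
    )
    $row = ConvertFrom-HtlShow -Lines $Lines | Where-Object { $_.ClientName -eq $ClientName }
    return ($null -ne $row) -and ($row.HtlStatus -eq 'Up') -and ($row.OttStatus -eq 'In Use')
}

# Constructed sample, copied from the "htl show" output on this page. In practice
# capture the live output from the appliance, for example (assumption: lunash
# accepts a one-shot command over SSH this way):
#   $out = & plink.exe -batch admin@myLunaSA 'htl show'
$sample = @'
HTL Grace period   :  60 seconds
Default OTT expiry :  300 seconds
 Client Name         HTL Status     OTT Status     OTT Expiry Time
 -----------------------------------------------------------------
 MyClient            Up             In Use         300 (default)

Command Result : 0 (Success)
'@ -split "`r?`n"

ConvertFrom-HtlShow -Lines $sample | Format-Table
if (-not (Test-HtlUp -Lines $sample -ClientName 'MyClient')) {
    Write-Warning 'Host Trust Link for MyClient is not Up; check the OTT file name under htl\ and whether the token has expired.'
}
```

Wire Test-HtlUp into a scheduled check and alert when it returns $false: a client that silently drops to a non-Up state after the grace period shown in the header will lose its NTLS session, and catching that from the appliance side is faster than waiting for application errors.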

 

 
