
Generate a New HSM Server Certificate

Generate the Cert

   Although your HSM appliance came with a server certificate, good security practice dictates that you should generate a new one.

  1. Use sysconf regenCert to generate a new Server Certificate:

    lunash:> sysconf regenCert
    WARNING !! This command will overwrite the current server certificate and private key. 
    All clients will have to add this server again with this new certificate. 
    If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit' 
    > proceed 
    Proceeding... 
    'sysconf regenCert' successful. NTLS must be (re)started before clients can connect. 
    Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.

    Command Result : 0 (Success)
    lunash:>

The command sysconf regenCert (with no IP address appended) is suitable if your network is using DNS and, during the execution of the regeneration command, the HSM appliance is able to retrieve correct DNS information about itself. If DNS is not used, or it does not know about the HSM appliance, an invalid certificate will be generated that prevents NTLS from running later.

In situations where DNS is not used or contains unreliable information, use this form of the command "sysconf regenCert <ip_of_hsm_appliance>" to generate a usable NTLS certificate.
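The two command forms above differ only in whether the appliance can be trusted to learn its own name from DNS. The following added example (not part of the Luna documentation) is a client-side pre-check that decides which form to use: it is only safe to run the plain sysconf regenCert if the appliance hostname resolves to its IP and the IP resolves back to the hostname. The hostname and IP are constructed sample values, and the resolver functions are injectable so the check can be exercised offline.

```python
"""Pre-check for 'sysconf regenCert': is the appliance's DNS consistent?

Added example, not part of the Luna documentation. It decides whether the
plain form of the command can be trusted (DNS resolves the appliance's
hostname to its IP and back) or whether the IP form should be used instead.
"""
import socket
from typing import Callable

# Constructed sample values (assumptions, not taken from the manual page).
APPLIANCE_HOSTNAME = "myluna.example.internal"
APPLIANCE_IP = "192.20.10.96"


def _default_reverse(address: str) -> str:
    # gethostbyaddr returns (hostname, aliaslist, ipaddrlist); keep the name.
    return socket.gethostbyaddr(address)[0]


def dns_is_consistent(
    hostname: str,
    ip: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], str] = _default_reverse,
) -> bool:
    """True only if hostname -> ip and ip -> hostname both hold.

    Any resolver failure (NXDOMAIN, timeout, missing PTR record) counts as
    inconsistent, which is exactly the situation in which the manual warns
    that the regenerated certificate would be unusable.
    """
    try:
        if forward(hostname) != ip:
            return False
        resolved = reverse(ip).rstrip(".").lower()
        return resolved == hostname.rstrip(".").lower()
    except (OSError, KeyError):
        # socket.gaierror / socket.herror are OSError subclasses; KeyError
        # covers the dict-backed resolvers used for offline testing.
        return False


def regen_cert_command(hostname: str, ip: str, **resolvers) -> str:
    """Return the lunash command form to use for this appliance."""
    if dns_is_consistent(hostname, ip, **resolvers):
        return "sysconf regenCert"
    return f"sysconf regenCert {ip}"


if __name__ == "__main__":
    # Live check against the real resolver (network access required).
    print(regen_cert_command(APPLIANCE_HOSTNAME, APPLIANCE_IP))
```

Run this from the workstation that will later register the appliance as a client, since that is the DNS view that matters when the certificate is checked.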

Bind the Network Trust Link Service

From the factory, the network trust link service (NTLS) is bound to the loopback device. To use the appliance on your network, you must bind NTLS to one of the two Ethernet ports, ETH0 or ETH1, or to a hostname or IP address. Use the ntls show command to see the current status.

  1. Use ntls bind to bind the service:

    [luna23] lunash:>ntls bind eth0
    Success: NTLS binding network device eth0 set.
    NOTICE: The NTLS service must be restarted for new settings to take effect.
    If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'
    > proceed
    Proceeding...
    Restarting NTLS service...
    Stopping ntls:                                             [  OK  ]
    Starting ntls:                                             [  OK  ]
    Command Result : 0 (Success)
    [luna23] lunash:>

Or, an example using an IP address:

    [myluna] lunash:>ntls bind eth0 -bind 192.20.10.96
    Success: NTLS binding hostname or IP Address 192.20.10.96 set.
    NOTICE: The NTLS service must be restarted for new settings to take effect.
    If you are sure that you wish to restart NTLS, then type 'proceed', otherwise type 'quit'
    > proceed
    Proceeding...
    Restarting NTLS service...
    Stopping ntls:                                             [  OK  ]
    Starting ntls:                                             [  OK  ]
    Command Result : 0 (Success)
    [myluna] lunash:>ntls show
    NTLS bound to network device: eth0  IP Address: "192.20.10.96" (eth0)
    Command Result : 0 (Success)

The “Stopping ntls” operation may fail in the above example, because NTLS is not yet running on a new HSM appliance. Just ignore the message. The service starts again, whether the stop was needed or not.
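When these steps are scripted over SSH, the captured lunash output is the only evidence of whether the appliance ended up in a usable state. The following added example (not part of the Luna documentation) parses the ntls show and sysconf regenCert output shown on this page and flags the conditions the page warns about: a non-zero Command Result, NTLS still bound to the loopback device, or a binding that does not match the address clients will be given. The bound sample is the output quoted above; the loopback sample's exact wording is an assumption.

```python
"""Check 'ntls show' and 'sysconf regenCert' output captured from lunash.

Added example, not part of the Luna documentation. It turns the text the
appliance prints into findings a setup script can act on.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 'ntls show' output quoted on this page.
NTLS_SHOW_BOUND = (
    'NTLS bound to network device: eth0  IP Address: "192.20.10.96" (eth0)\n'
    'Command Result : 0 (Success)\n'
)
# Constructed sample of a factory-default appliance. The manual states that
# NTLS starts bound to loopback; this exact output wording is an assumption.
NTLS_SHOW_LOOPBACK = (
    'NTLS bound to network device: lo  IP Address: "127.0.0.1" (lo)\n'
    'Command Result : 0 (Success)\n'
)

BIND_RE = re.compile(
    r'NTLS bound to network device:\s*(?P<dev>\S+)\s+IP Address:\s*"(?P<addr>[^"]*)"'
)
RESULT_RE = re.compile(r"Command Result\s*:\s*(?P<code>\d+)")


@dataclass
class NtlsState:
    device: Optional[str]
    address: Optional[str]
    result_code: Optional[int]


def parse_ntls_show(output: str) -> NtlsState:
    """Extract the bound device, bound address and exit code from 'ntls show'."""
    bind = BIND_RE.search(output)
    result = RESULT_RE.search(output)
    return NtlsState(
        device=bind.group("dev") if bind else None,
        address=bind.group("addr") if bind else None,
        result_code=int(result.group("code")) if result else None,
    )


def _is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return address.lower() in ("localhost", "localhost.localdomain")


def ntls_findings(output: str, expected_address: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the binding is usable."""
    state = parse_ntls_show(output)
    findings: List[str] = []
    if state.result_code != 0:
        findings.append(f"command did not succeed (Command Result {state.result_code})")
    if state.device is None:
        findings.append("could not find the NTLS binding line in the output")
        return findings
    if state.device == "lo" or (state.address and _is_loopback(state.address)):
        findings.append("NTLS is still bound to loopback; clients cannot connect")
    if expected_address and state.address and state.address.lower() != expected_address.lower():
        findings.append(f"NTLS bound to {state.address!r}, clients expect {expected_address!r}")
    return findings


def regen_cert_succeeded(output: str) -> bool:
    """True if 'sysconf regenCert' printed its success line and exited 0."""
    result = RESULT_RE.search(output)
    return (
        "'sysconf regenCert' successful" in output
        and result is not None
        and result.group("code") == "0"
    )


if __name__ == "__main__":
    for label, sample in (("bound", NTLS_SHOW_BOUND), ("loopback", NTLS_SHOW_LOOPBACK)):
        print(label, ntls_findings(sample, "192.20.10.96") or "OK")
```

Feed ntls_findings the output of the final ntls show, with expected_address set to whatever the client configuration will carry for this appliance; a non-empty list means stop before registering clients.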

If you have been following the instructions in these pages as part of setting up a new HSM appliance then the next step is to initialize the HSM on your Luna SA appliance. Choose one of the following links, according to the type of HSM appliance that you have:

"Use hsm-init to Initialize a Password Authenticated HSM"

Go to "Use hsm-init to Initialize an HSM"