Although your HSM appliance came with a server certificate, good security
practice dictates that you should generate a new one.
The command sysconf regenCert (with no IP address appended) is suitable if your network uses DNS and, while the regeneration command runs, the HSM appliance can retrieve correct DNS information about itself. If DNS is not used, or DNS does not know about the HSM appliance, an invalid certificate is generated and NTLS cannot be started later.
Where DNS is not used or contains unreliable information, use the form "sysconf regenCert <ip_of_hsm_appliance>" to generate a usable NTLS certificate.
sysconf regenCert (without the IP argument) populates the CN field of the server's certificate with the unqualified hostname of the appliance. If the appliance is set up correctly for use in a DNS environment, the certificate will work; the command itself does not check that this is the case.
sysconf regenCert with the IP argument results in a certificate with the appliance's IP address in the CN field.
Using Luna SA with the link configured for IP-only speeds the NTLS client connection lookup, and bypasses such potential issues as transient DNS lookup failures and typing errors.
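Because sysconf regenCert does not verify that DNS knows the unqualified hostname it places in the CN, a pre-flight check decides which form of the command to run. The following is an added example, not Luna SA code; the hostname, bound address and resolver results are constructed, and the resolver is injectable so the check can be exercised offline.

```python
"""Decide which 'sysconf regenCert' form yields a usable NTLS certificate.

Added example (not Luna SA code). The bare form puts the appliance's
unqualified hostname in the CN and does not check DNS; this helper does that
check first and falls back to the explicit-IP form when DNS cannot be trusted.
"""
import socket
from typing import Callable, Dict, Optional

# A resolver maps a name to an IPv4 address string, or None if it is unknown.
Resolver = Callable[[str], Optional[str]]


def stdlib_resolver(name: str) -> Optional[str]:
    """Forward-resolve a name with the system resolver; None if it fails."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, socket.herror):
        return None


def regencert_preflight(hostname: str, bound_ip: str,
                        resolve: Resolver = stdlib_resolver) -> Dict[str, str]:
    """Return the command to run and the reason it was chosen.

    The bare form is only safe when the unqualified hostname (the exact value
    the command writes into CN) resolves to the address NTLS will be bound to.
    Any other outcome (no record, or a record pointing elsewhere) would produce
    a certificate that NTLS cannot use, so the explicit-IP form is returned.
    """
    short = hostname.split(".")[0]  # CN holds the unqualified name only
    resolved = resolve(short)
    if resolved == bound_ip:
        return {"command": "sysconf regenCert", "reason": "dns-ok"}
    if resolved is None:
        reason = "no-dns"        # DNS unused or has no record for the name
    else:
        reason = "stale-dns"     # record exists but points at another address
    return {"command": f"sysconf regenCert {bound_ip}", "reason": reason}


if __name__ == "__main__":
    # Constructed sample: an appliance named luna23 bound to 192.20.10.96.
    fake_dns = {"luna23": "192.20.10.96"}
    print(regencert_preflight("luna23", "192.20.10.96", fake_dns.get))
    print(regencert_preflight("luna23", "192.20.10.96", lambda n: None))
```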
From the factory, the network trust link service (NTLS) is bound to the loopback device, by default. In order to use the appliance on your network, you must bind the NTLS to one of the two ethernet ports, ETH0 or ETH1, or to a hostname or IP address. You can use the ntls show command to see current status.
[luna23] lunash:>ntls bind eth0
Success: NTLS binding network device eth0 set.
NOTICE: The NTLS service must be restarted for new settings to take effect.
If you are sure that you wish to restart NTLS, then type 'proceed', otherwise
type 'quit'
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls: [ OK ]
Starting ntls: [ OK ]
Command Result : 0 (Success)
[luna23] lunash:>
Or, an example using an IP address:
[myluna] lunash:>ntls bind eth0 -bind 192.20.10.96
Success: NTLS binding hostname or IP Address 192.20.10.96 set.
NOTICE: The NTLS service must be restarted for new settings to take effect.
If you are sure that you wish to restart NTLS, then type 'proceed', otherwise
type 'quit'
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls: [ OK ]
Starting ntls: [ OK ]
Command Result : 0 (Success)
[myluna] lunash:>ntls show
NTLS bound to network device: eth0 IP Address: "192.20.10.96" (eth0)
Command Result : 0 (Success)
The “Stopping ntls” step may fail in the examples above because NTLS is not yet running on a new HSM appliance. Ignore that message; the service is started again whether or not the stop was needed.
If you have been following the instructions in these pages as part of setting up a new HSM appliance, the next step is to initialize the HSM on your Luna SA appliance. Choose one of the following links, according to the type of HSM appliance that you have:
"Use hsm-init to Initialize a Password Authenticated HSM"
"Use hsm-init to Initialize an HSM"