
Import HSM Appliance Server Certificate onto Client (UNIX)

  1. Ensure that you are in the /usr/lunaclient/bin directory on the Client.
  2. Securely transfer the server.pem file from the Luna SA, using the scp utility.
    bash-2.05# scp admin@myLuna3:server.pem .
    admin@myLuna3's password:
    server.pem           100% |*******************************************************|   928   00:00

    Note the dot (.) at the end of the command, denoting “place the resulting file in the current directory”.
  3. Verify that the Server Certificate has arrived on the Client:
    bash-2.05# ls
    multitoken2  openssl.cnf  server.pem  vtl

Example (No DNS)

Securely transfer the server.pem file from the Luna SA, using the scp utility.
    bash-2.05# scp admin@192.168.0.123:server.pem .
    admin@192.168.0.123's password:
    server.pem           100% |*******************************************************|   928   00:00

Any time the IP address or hostname of the HSM appliance changes (for example, when moving from a pre-production environment), clients that have previously connected via SSH will detect a mismatch in the HSM appliance's server certificate information and warn you of a potential security breach. In this case you need to remove that server's certificate information from the client’s known hosts file, found in:
    /<user home dir>/.ssh/known_hosts2

If this happens in a production environment, it could potentially be a security breach needing investigation.
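
The cleanup described above, as an added example rather than vendor-supplied code: a shell function that removes only the changed appliance's entry from the known hosts file instead of deleting the whole file, and keeps a backup so the old key remains available if the mismatch has to be investigated. The function name prune_known_host and its FILE argument are assumptions of this example.

```shell
# Added example, not vendor code. prune_known_host is a hypothetical helper;
# pass the real path of your known hosts file as FILE.

# prune_known_host FILE HOST
#   Removes HOST (hostname or IP) from the plain-text entries of FILE and
#   prints how many names were removed. The previous file is kept as FILE.bak
#   so the old key stays available if the mismatch needs investigating.
#   Hashed entries (names starting with "|1|") cannot be matched by name and
#   are left untouched; ssh-keygen -R HOST -f FILE handles those.
prune_known_host() {
    kh_file=$1
    kh_host=$2
    [ -f "$kh_file" ] || { echo "no such file: $kh_file" >&2; return 1; }
    cp -p "$kh_file" "$kh_file.bak" || return 1
    : > "$kh_file" || return 1      # truncate in place, keeping permissions
    awk -v host="$kh_host" -v out="$kh_file" '
        /^[ \t]*#/ || /^[ \t]*$/ { print > out; next }   # comments, blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1        # skip @cert-authority/@revoked marker
            n = split($f, names, ",")
            kept = ""; hit = 0
            for (i = 1; i <= n; i++) {
                bare = names[i]
                if (bare ~ /^\[.*\]:[0-9]+$/) {          # "[host]:port" form
                    sub(/^\[/, "", bare); sub(/\]:[0-9]+$/, "", bare)
                }
                if (bare == host) { hit++; continue }
                kept = (kept == "") ? names[i] : kept "," names[i]
            }
            removed += hit
            if (hit == 0) { print > out; next }  # other host: keep verbatim
            if (kept == "") next                 # only this host: drop the line
            $f = kept; print > out               # keep names sharing the key
        }
        END { print removed + 0 }
    ' "$kh_file.bak"
}
```

Matching is exact per name, so removing 192.168.0.123 does not touch an entry for 192.168.0.12.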

Similarly, when you first open an scp or ssh link, you must accept the certificate.
You can check the fingerprint of the certificate with:
    lunash:> sysconf fingerprint -ssh


Next, "Register the HSM Server Certificate with the Client (UNIX)".