
Import HSM Appliance Server Certificate onto Client (Windows)

  1. Open a command prompt window on the Client and change directory to c:\Program Files\SafeNet\LunaClient\.
  2. Securely transfer the server.pem file from the Luna SA, using the supplied pscp utility:
    c:\Program Files\SafeNet\LunaClient\ > pscp admin@myLuna:server.pem .  
    admin@myLuna's password:   
    server.pem           100%   
    |*******************************************************|   928  
    00:00

    Note the dot (.) at the end of the command, denoting “place the resulting file in the current directory”.
  3. Verify that the Server Certificate has arrived on the Client:
    c:\Program Files\SafeNet\LunaClient\ > dir  
    server.pem
     
  4. Move the Server Certificate to the cert/server directory:
    move server.pem "c:\Program Files\SafeNet\LunaClient\cert\server"

The quotation marks around the entire filespec (path and filename) are needed because Windows stumbles at the space between Program and Files.

Example (No DNS)

Securely transfer the server.pem file from the Luna SA, using the supplied pscp utility.
c:\Program Files\SafeNet\LunaClient\ > pscp admin@192.168.0.123:server.pem .
admin@192.168.0.123's password:   
server.pem           100%   
|*******************************************************|   928  
00:00
   

 

 

Whenever the IP address or hostname of the HSM appliance changes (for example, when it is moved from a pre-production environment), any client that has previously connected via SSH detects a mismatch in the HSM appliance's server certification information and warns you of a potential security breach. In this case, remove that server's certificate information from the client's known hosts file, found in:
/<user home dir>/.ssh/known_hosts2


If this happens in a production environment, it could be a security breach that needs investigation.

Similarly, when you first open an scp or ssh link, you must accept the certificate.
You can check the fingerprint of the certificate with:
lunash:> sysconf fingerprint -ssh
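
An added example (not part of the original manual): before discarding an appliance's entry from the known hosts file described above, this lists the fingerprint of the stored key so it can be recorded and compared with the value `sysconf fingerprint -ssh` reports. It assumes OpenSSH's one-entry-per-line `host keytype base64-key` format; the function names and sample entries are constructed, and both SHA-256 and MD5 forms are computed because the page does not say which form lunash prints.

```python
import base64, hashlib, hmac

def fingerprints(key_b64):
    """Return (SHA256, MD5) fingerprints of a base64 public-key blob."""
    blob = base64.b64decode(key_b64)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def entry_matches(hosts_field, host):
    """True if a host field (plain or hashed names) lists `host` exactly.
    Wildcard patterns and [host]:port forms are not handled here."""
    for name in hosts_field.split(","):
        if name.startswith("|1|"):  # hashed name: |1|salt|HMAC-SHA1(salt, host)
            _, _, salt, digest = name.split("|")
            mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
            if hmac.compare_digest(mac.digest(), base64.b64decode(digest)):
                return True
        elif name == host:
            return True
    return False

def drop_host(text, host):
    """Return (kept_text, removed); removed holds (keytype, sha256, md5)
    for each entry of `host`, so it can be reviewed before it is discarded."""
    kept, removed = [], []
    for line in text.splitlines():
        f = line.split()
        is_entry = len(f) >= 3 and not line.startswith(("#", "@"))
        if is_entry and entry_matches(f[0], host):
            removed.append((f[1],) + fingerprints(f[2]))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

# Constructed sample file: made-up key bytes, not real appliance host keys.
def _blob(tag):
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag * 16).decode()

SAMPLE = f"192.168.0.123 ssh-rsa {_blob(b'A')}\nmyLuna ssh-rsa {_blob(b'B')}\n"

if __name__ == "__main__":
    kept, removed = drop_host(SAMPLE, "192.168.0.123")
    for keytype, sha256_fp, md5_fp in removed:
        print("removing", keytype, sha256_fp, md5_fp)
    print(kept, end="")
```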

 

Next, "Register the HSM Server Certificate with the Client (Windows)".