The client certificate, which was securely transferred (scp'd) from the client to the HSM Server in the previous sections, must now be registered by the HSM Server.
You must be connected to the HSM Server and logged in as “admin”.
The basic command is:
lunash:> client register -client <client's-name> -hostname <client's-hostname>
The <client's-name> above can be any string that lets you easily identify this client. Many people use the hostname, but the <client's-name> can be any string you find convenient. Naming the client twice in one command might sound redundant, but it becomes especially useful if you are not using DNS: in that case, a well-considered <client's-name> is likely to be easier to remember or recognize (more meaningful) than the client's IP address.
The command is expecting to find (on the Luna SA appliance) a client certificate filename that matches the client’s hostname (or ip-address if you are not using DNS hostnames), as you provide it here. In other words, this is a check that you are registering the client whose .pem file you created in the previous steps and scp'd to the appliance. You can register several clients to the appliance.
lunash:> client register -client MyClient -hostname MyClient
Client registration successful.
lunash:> client list
registered client 1: MyClient
lunash:>
If you are working without DNS, then register the client by its IP address rather than its hostname.
lunash:> client register -client <client's-name> -ip <clientIPaddress>
The foregoing is sufficient for "real" (non-VM) clients. See below if your client is a virtual-machine instance.
The Client is now registered with the Luna SA.
You can verify on the Luna SA, with the client list command.
Refer to the Reference section of this Help for command syntax and descriptions.
De-Register
If you have multiple HSM appliances connected and registered with a client, and you de-register that client from one of the HSM appliances, then you must also de-register that HSM appliance on the client side. Failure to do so results in a "Broken pipe" error, which indicates an incomplete registration.
Re-Register
If you wish to de-register a client and then re-register it with a new certificate on the same HSM appliance, you must copy the new certificate to the HSM appliance (HSM server) and then stop and restart the NTLS service. Until that restart, any attempt to connect fails, and "Error on SSL accept" is logged.
Administration commands can take a few seconds to be noted by the NTLS. If you have added or deleted a client, we suggest that you wait a few seconds before connecting.
Most applications require only a few separate clients to be registered with the Luna SA, and then those clients act as application servers or web servers to the rest of the world. The rest of the world usually has no need to connect as clients directly to the Luna SA.
Regardless of who is connecting (your servers acting as clients to the Luna SA, or your own customers given client access to your Luna SA), note that any registered client might make dozens or hundreds of simultaneous connections while running multi-process applications against the Luna SA HSM server. The Luna SA appliance is designed for such multi-connection operation. The Luna SA supports a total volume of 800 connections from all clients simultaneously, per Luna SA appliance. That is, one very large, fast client might generate 800 connections all by itself, or a combination of clients might each generate dozens or hundreds of connections, but the total of all of them must not exceed 800 against that one appliance.
When the client is a virtual machine instance, the possibility exists that the VM could be cloned or moved. NTL is not aware of such an event. For optimum security, when registering VM clients with Luna SA partitions, you should invoke the additional Host Trust Link (HTL) layer.
The "client register" command includes the options "-requireHtl", which invokes the Host Trust Link, and "-ottExpiry" and "-generateOtt" to create and configure the One Time Token used by HTL in setting up its hardware-independent trust link.
HTL should be considered mandatory for virtual clients, and optional (but a good idea) for "real" clients.
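As an added illustration (not from the Luna SA documentation or product), this Python helper applies the checks described in this section before a client is registered: that a certificate file named after the -hostname or -ip value is present on the appliance, that an IP literal (no DNS) is registered with -ip rather than -hostname, that VM clients get the HTL options, and that the clients' combined connection count stays within the 800-connection ceiling. The function names, the sample file names and the ott_expiry pass-through value are assumptions; the helper builds the lunash command line, it does not run it.

```python
import ipaddress

# Ceiling stated in this section: 800 simultaneous connections per Luna SA appliance.
MAX_CONNECTIONS_PER_APPLIANCE = 800


def check_cert_present(host_or_ip, present_certs):
    """The appliance expects a certificate file named after the value given to
    -hostname / -ip, i.e. <host_or_ip>.pem. Return True if that file is listed."""
    return f"{host_or_ip}.pem" in set(present_certs)


def build_register_command(client_name, host_or_ip, present_certs,
                           is_vm=False, ott_expiry=None):
    """Return the lunash 'client register' line for one client.

    present_certs: names of the .pem files already scp'd to the appliance
    (constructed input here; in practice take it from a listing you made).
    is_vm: True for a virtual-machine client; HTL is then made mandatory.
    ott_expiry: optional value passed through to -ottExpiry (assumed here;
    use the value your appliance release accepts).
    """
    if not check_cert_present(host_or_ip, present_certs):
        raise ValueError(f"no {host_or_ip}.pem on the appliance; scp it first")
    # Without DNS the client is registered by IP address rather than hostname.
    try:
        ipaddress.ip_address(host_or_ip)
        target = f"-ip {host_or_ip}"
    except ValueError:
        target = f"-hostname {host_or_ip}"
    cmd = f"client register -client {client_name} {target}"
    if is_vm:
        # A cloned or moved VM is invisible to NTL, so require the Host Trust Link.
        cmd += " -requireHtl -generateOtt"
        if ott_expiry is not None:
            cmd += f" -ottExpiry {ott_expiry}"
    return cmd


def connection_budget_ok(peak_connections):
    """peak_connections: {client_name: expected peak simultaneous connections}.
    All registered clients together must stay within the per-appliance ceiling."""
    return sum(peak_connections.values()) <= MAX_CONNECTIONS_PER_APPLIANCE


if __name__ == "__main__":
    # Constructed sample: two certificates already copied to the appliance.
    on_appliance = ["MyClient.pem", "10.0.0.12.pem"]
    print(build_register_command("MyClient", "MyClient", on_appliance))
    print(build_register_command("vm-web01", "10.0.0.12", on_appliance, is_vm=True))
    print(connection_budget_ok({"MyClient": 500, "vm-web01": 250}))
```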
Proceed to the next section, "Assign a Client to an HSM Partition", which is the last configuration step before you start using your application with the Luna SA HSM server.
Optionally (as mentioned above), for use with virtual/cloud environments, or to additionally secure non-virtual configurations, you can choose to establish a Host Trust Link; see "Configuring and Using HTL".