CSP Registration Tool
This section describes integration of Microsoft products with Luna SA.
CSP Registration Tool
The CSP registration tool (installed only with the Luna CSP option) registers HSM Partitions for use with the Luna CSP. It secures the Password for each HSM Partition such that only the user for whom the Password was secured is able to un-secure it.
This tool is also used to register any non-RSA algorithms that are to be performed in software only.
It can be run only by an "Administrator" of the local computer.
Luna CSP is required in order to use Luna SA with Microsoft Certificate Services. Luna CSP is supplied on the Luna SA software CD, but is not installed as part of the standard Luna software installation. If you require Luna CSP, you must install it explicitly, meaning that you must select it as one of the options when you first install, or you must re-insert the software CD at a later time and choose to install the CSP then.
Only Administrator or members of the Administrators group are to run "register.exe".
The Luna CSP can be used by any application that acquires the context of the Luna CSP. All users who login and use the applications that acquired the context have access to the Luna CSP.
Once the Administrator or member of the Administrators group runs the "/strongprotect" option, only those users that existed previous to the "/strongprotect" command are allowed to use the Luna CSP. If the "/strongprotect" option is not used, then any/all users can use the Luna CSP.
First-time Partition Registration
The general form of the command is:
c:\Program Files\SafeNet\LunaClient\CSP> register [/partition | /algorithm | /defaultschannel] [/highavail] [/strongprotect]
For 64-bit systems the name of the command is "register.exe".
Example
c:\Program Files\SafeNet\LunaClient\CSP> register /partition [/highavail] [/strongprotect]
- /partition: needed to register a partition
- /highavail: needed to register only high availability partitions
- /strongprotect: strongly protect the encrypted challenges
The basic command-line options of register are
- /partition,
- /algorithm, or
- /defaultschannel (applicable only to IIS 5.0 and Windows 2000).
Any of them can be run alone. The default command-line option of register is /partition. If you type just register with no additional parameters, then /partition is assumed and you are prompted through the required steps to select and register a Luna SA HSM Partition.
If you type register /highavail or register /strongprotect, then /partition is invoked and the additional option that you selected is run along with it (i.e., /highavail or /strongprotect). That is, typing register /highavail is the same as typing register /partition /highavail.
Registering Standard HSM Partitions
When registering HSM Partition(s) for use, follow these steps.
- Type:
c:\Program Files\SafeNet\LunaClient\CSP> register
Respond appropriately to the prompts.
Example
**************************************************************
SafeNet Luna CSP, Partition Registration
Protect the HSM's challenge for the selected partitions.
NOTE:
This is a WEAK protection of the challenge!!
After you have configured all applications that will use
the Luna CSP, and run them once, you MUST run:
register /partition /strongprotect *
to strongly protect the registered challenges!!
**************************************************************
This procedure is a destructive procedure and will completely replace
any previous settings!!
Do you wish to continue?: [y/n]
Do you want to register the partition named 'nes'? [y/n]:
Please enter the Luna SA challenge for the partition 'nes' :
Success registering the ENCRYPTED challenge for partition 'nes'.
Only the Luna CSP will be able to use this data!
Registered 1 partition(s) for use by the Luna CSP!
All available Partitions are presented for you to register or not.
- Install and/or configure your application(s).
- Run each of your applications once to use Luna CSP.
- Run:
c:\Program Files\SafeNet\LunaClient\CSP> register /strongprotect
You must run register /strongprotect in order to ensure the protection of the HSM Partition passwords.
- Run all applications as usual.
Registering HA Partitions
When registering an HA Partition for use, follow these steps.
- Type:
c:\Program Files\SafeNet\LunaClient\CSP> register /highavail
Use the /highavail option only if you have HA set up for your Luna SAs.
Respond appropriately to the prompts.
Example
**************************************************************
SafeNet Luna CSP, Partition Registration
Protect the HSM's challenge for the selected partitions.
NOTE:
This is a WEAK protection of the challenge!!
After you have configured all applications that will use
the Luna CSP, and run them once, you MUST run:
register /partition /strongprotect *
to strongly protect the registered challenges!!
**************************************************************
This procedure is a destructive procedure and will completely replace
any previous settings!!
Do you wish to continue?: [y/n]
Do you want to register the partition named 'nes'? [y/n]:
Please enter the Luna SA challenge for the partition 'nes' :
Success registering the ENCRYPTED challenge for partition 'nes'.
Only the Luna CSP will be able to use this data!
Registered 1 partition(s) for use by the Luna CSP!
If you are using HA, then only the HA virtual Partition is presented for registering.
- Install and/or configure your application(s).
- Run each of your applications once to use Luna CSP.
- Run:
c:\Program Files\SafeNet\LunaClient\CSP> register /strongprotect
You must run register /strongprotect in order to ensure the protection of the HSM Partition passwords.
- For 64-bit Windows, run register.exe /l (the "/l" option invokes a reconnection to the library).
- Run all applications as usual.
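The standard and HA procedures above share the same order of steps, and the point that matters for security is that the registered challenges stay weakly protected until register /strongprotect has been run. The following PowerShell wrapper is an added example, not part of the Luna CSP documentation or the tool itself: it runs the documented sequence with the option names and install path given on this page, after checking that the caller is a local Administrator and that register.exe is actually installed. The function and parameter names are my own, and treating a non-zero exit code from register.exe as failure is an assumption the documentation does not confirm.

```powershell
# Added example, not part of the Luna CSP documentation: runs the documented
# partition-registration sequence with the documented option names, after
# checking the documented preconditions (Administrator, Luna CSP installed).
# Function and parameter names are my own; treating a non-zero exit code from
# register.exe as failure is an assumption, since the page states no exit codes.
function Invoke-LunaCspRegistration {
    [CmdletBinding()]
    param(
        # Install directory of the Luna CSP (default path from the documentation).
        [string]$CspDir = 'C:\Program Files\SafeNet\LunaClient\CSP',

        # Register the HA virtual partition (register /highavail) instead of
        # the standard partitions (register /partition).
        [switch]$HighAvail,

        # Final step: register /partition /strongprotect. Run it only after every
        # application that uses the Luna CSP has been configured and run once.
        [switch]$StrongProtect,

        # 64-bit Windows only: run register.exe /l afterwards to reconnect to the library.
        [switch]$ReconnectLibrary
    )

    # register.exe may be run only by an Administrator of the local computer.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'register.exe must be run from an elevated Administrator session.'
    }

    # The Luna CSP is not part of the standard client install; fail early if it is missing.
    $exe = Join-Path $CspDir 'register.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "Luna CSP not found at '$exe'. Install the Luna CSP option from the Luna SA software CD first."
    }

    # Choose the documented option set for this step.
    if ($StrongProtect)  { $regArgs = @('/partition', '/strongprotect') }
    elseif ($HighAvail)  { $regArgs = @('/highavail') }
    else                 { $regArgs = @('/partition') }

    Write-Host "Running: `"$exe`" $($regArgs -join ' ')"
    # register.exe prompts for y/n answers and the partition challenge, so it is
    # launched attached to this console rather than with input piped to it.
    & $exe @regArgs
    if ($LASTEXITCODE -ne 0) {
        throw "register.exe exited with code $LASTEXITCODE"
    }

    if ($ReconnectLibrary) {
        if (-not [Environment]::Is64BitOperatingSystem) {
            Write-Warning 'register.exe /l is documented for 64-bit Windows only; skipping.'
        } else {
            & $exe '/l'
        }
    }

    if (-not $StrongProtect) {
        Write-Warning ('The registered challenges are only WEAKLY protected. Configure and run each ' +
                       'Luna CSP application once, then run Invoke-LunaCspRegistration -StrongProtect.')
    }
}

# Usage, from an elevated PowerShell prompt:
#   Invoke-LunaCspRegistration                 # register /partition   (standard partitions)
#   Invoke-LunaCspRegistration -HighAvail      # register /highavail   (HA virtual partition)
#   ... install/configure the applications and run each one once ...
#   Invoke-LunaCspRegistration -StrongProtect  # register /partition /strongprotect
```

The wrapper deliberately keeps register.exe interactive: the tool asks for the partition challenge at the prompt, and piping that value in from a script would leave it in shell history or a file, which is exactly what the strongprotect step is meant to prevent.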
Performing Cryptographic Algorithms in Software
Certain symmetric operations, such as hashing, may be performed faster in software than on the Luna SA HSM. The register /algorithms command allows you to choose which algorithms to de-register from the Luna SA.
The trade-off is a gain in speed at the cost of some security, because the operation is exposed in software. Signing and other asymmetric operations are always done on the HSM.
The command is:
c:\Program Files\SafeNet\LunaClient\CSP> register /algorithms
- Run:
c:\Program Files\SafeNet\LunaClient\CSP> register /algorithms
You are prompted for yes or no responses about which algorithms are
to be registered for software-only use.
The following dialogue appears.
Example
************************************************************************
SafeNet Luna CSP, Algorithm Registration
Register algorithms to be done in software by the Microsoft CSP(s).
BY DEFAULT, ALL ALGORITHMS ARE DONE IN HARDWARE BY THE Luna SA.
ONLY NON RSA ALGORITHMS MAY BE CONFIGURED FOR SOFTWARE.
RSA PUBLIC/PRIVATE ALGORITHMS WILL ALWAYS BE IN HARDWARE.
************************************************************************
Do you want algorithm 'CALG_RC2', done in software?(y/n):
Do you want algorithm 'CALG_RC4', done in software?(y/n):
Do you want algorithm 'CALG_RC5', done in software?(y/n):
Do you want algorithm 'CALG_DES', done in software?(y/n):
Do you want algorithm 'CALG_3DES_112', done in software?(y/n):
Do you want algorithm 'CALG_3DES', done in software?(y/n):
Do you want algorithm 'CALG_MD2', done in software?(y/n):
Do you want algorithm 'CALG_MD5', done in software?(y/n):
Do you want algorithm 'CALG_SHA', done in software?(y/n):
Do you want algorithm 'CALG_MAC', done in software?(y/n):
Do you want algorithm 'CALG_HMAC', done in software?(y/n):
Success registering software only algorithms:
CALG_RC2,CALG_RC4,CALG_RC5,...!
- Select any algorithms that are to be re-directed to software.
If you chose 'no' for all prompts, then all algorithms revert to hardware and the following is displayed.
Example message after completion
All algorithms have been de-registered and will now only be done in hardware!
Keymap Utility
Use the keymap utility if you have previously been using another provider (with its keys in the Luna HSM) and wish to migrate to MS CSP keeping your established keys. The keymap utility simply creates on the Luna HSM the data object that MS CSP expects, which in turn makes your existing keys available to MS CSP.
Ms2luna Utility
Use the Ms2luna utility if you already have MS CSP in use with software key storage and you now wish to continue with your keys held on the Luna HSM.