Show the Table of Contents

You are here: System and Software Getting Started Guide > Installing the Luna Software > Linux Install

Linux Installation

These instructions are tested for the Linux versions listed in the Customer Release Notes.

These instructions assume that you have already acquired the LunaClient software, either on CD/DVD or in the form of a downloaded .tar archive.

Applicability to specific versions of Linux is summarized in the Customer Release Notes for the current release.

Before installing a Luna® system, you should confirm that the product you have received is in factory condition and has not been tampered with in transit. Refer to the Content Sheet included with your product shipment. If you have any questions about the condition of the product that you have received, please contact SafeNet Support (800)545 6608 or support@safenet-inc.com immediately

Each computer that connects to the Luna HSM appliance as a Client must have the cryptoki library, the vtl client shell and other utilities and supporting files installed.
Each computer that contains, or is connected to a Luna G5 or a Luna PCI-E HSM must have the cryptoki library and other utilities and supporting files installed.

This example shows all the LunaClient products and components. Some items are not supported on all operating systems and therefore do not appear as you proceed through the installation script.

Do NOT install LunaClient software on the same system as legacy Luna CA³, Luna CA4, Luna PCM, or Luna PCI software.

The software is intended for modern/current Luna HSMs, Luna SA, Luna PCI-E, Luna G5, Luna (Remote) Backup HSM.

Prerequisites

Before starting the installation, ensure that you have satisfied the following prerequisites:

Ensure that you have a Random Number Generator (RNG) or Entropy Gathering Daemon (EGD) on your system at one of /dev/egd-pool, /etc/egd-pool, /etc/entropy, or /var/run/egd-pool.
RNG/EGD
Cryptographic algorithms, including those that assure the security of communication – such as in OpenSSL and other protocols – depend upon random numbers for the creation of strong keys and certificates. A readily available source of random data is the entropy that exists in complex computer processes. Utilities exist for every operating system, to gather bits of system entropy into a pool, which can then be used by other processes.
Windows and Linux have these installed by default. Other systems may or may not. See your system administrator.
You Need an Entropy Pool
In the case of Luna SA, the Luna Client administration tool (vtl) expects to find a source of randomness at /dev/random. If one is not found, vtl fails, because the link cannot be secured from the Client end.
If your system does have an entropy pool, but the random number generator (RNG) is not in the expected place, then you can create a symbolic link between the actual location and one of
/dev/random, /dev/egd-pool, /etc/egd-pool, /etc/entropy, or /var/run/egd-pool.
If your system does not have an entropy gathering daemon or random number generator, please direct your system administrator to install one, and point it to one of the named devices.
If you are installing the Luna PCI-E, or Luna G5, or Luna Remote Backup HSM clients, ensure that the following items are installed:
- Kernel headers for build
- rpm-build package
- C compiler
- make command
These items are required because the driver module is built on Linux before it is installed. If one of these items is missing, the driver build will fail and the module will not get installed..

Install

Check the Luna HSM Customer Release Notes for any installation-related issues or instructions before you begin the following software installation process.

You must be logged in as root when you run the installation script.

Install Luna Client software on Linux as follows.

Log on to the client system, open a console or terminal window, and use sudo to gain administrative permissions for the installation.
If you have downloaded the LunaClient software as a .tar archive, skip to step 6.
Insert the DVD (mount it if you do not have automount).
Go to the DVD (/cdrom or whatever devicename your system uses) and the install directory:

cd /cdrom/linux/32
or
cd /cdrom/linux/64

(Not all platforms are supported with each release, so the available install options might not match the list above.)
Skip to step 9.
If you downloaded the software, copy or move the .tar archive (which usually has a name like "LunaClient_5.x.y-nn.tar") to a suitable directory where you can untar the archive and launch the installation script.
Extract the contents from the archive. Type
tar xvf LunaClient<version>.tar
Change directory to the software version suitable for your system (for example, under the "linux" subdirectory, in the "x86" directory, choose 32-bit or 64-bit according to your system requirement).
To see the 'help', or a list of available installer options, type:
./sh install.sh -? or ./sh install.sh --help

To install all available products and optional components, type:
./sh install.sh all

To selectively install individual products and optional components, type the command without arguments:
./sh install.sh
Type "y" if you agree to be bound by the license agreement.
[mylunaclient-1 32]$ sh install.sh
IMPORTANT: The terms and conditions of use outlined in the software
license agreement (Document #008-010005-001_053110) shipped with the product
("License") constitute a legal agreement between you and SafeNet Incorporated.
Please read the License contained in the packaging of this product
in its entirety before installing this product.

Do you agree to the License contained in the product packaging?

If you select 'yes' or 'y' you agree to be bound by all the terms and conditions set out in the License.

If you select 'no' or 'n', this product will not be installed.

(y/n)
A list of installable Luna products appears (might be different, depending on your platform). Select as many as you require, by typing the number of each (in any order) and pressing [Enter]. As each item is selected, the list updates, with a "*" in front of any item that has been selected. This example shows items 1 and 3 have been selected, and item 4 is about to be selected.

Products
Choose Luna Products to be installed
    *[1]: Luna SA
     [2]: Luna PCI-E
    *[3]: Luna G5
     [4]: Luna Remote Backup HSM
     [N|n]: Next
     [Q|q]: Quit
   Enter selection: 4
When selection is complete, type "N" or "n" for "Next", and press [Enter].

Products
Choose Luna Products to be installed
   *[1]: Luna SA
    [2]: Luna PCI-E
   *[3]: Luna G5
   *[4]: Luna Remote Backup HSM
     [N|n]: Next
     [Q|q]: Quit
   Enter selection: n
If you wish to make a change, simply type a number again and press [Enter] to de-select a single item.
The next list is called "Advanced" and includes additional items to install. Some items might be pre-selected to provide the optimum Luna HSM experience for the majority of customers, but you can change any selection in the [list].

Products
Choose Luna Components to be installed
    [1]: Luna Software Development Kit (SDK)
   *[2]: Luna JSP (Java)
   *[3]: Luna JCProv (Java)
   *[4]: Crypto Command Center Provisioning Client
   *[5]: Luna SNMP subagent
     [B|b]: Back to Products Selection
    [I|i]: Install
     [Q|q]: Quit
   Enter selection: n
When the Components list is adjusted to your satisfaction, press [Enter].

The installer includes the Luna SNMP Subagent as an option. After installation is complete, you will need to move the SafeNet MIB files to the appropriate directory for your SNMP application, and you will need to start the SafeNet subagent and configure for use with your agent. See "SNMP".

If the script detects an existing cryptoki library, it stops and suggests that you uninstall your previous Luna software before starting the Luna Client installation again.
The system installs all packages related to the products and any optional components that you selected.

By default, the Client programs are installed in the “/usr/safenet/lunaclient” directory.

As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by SafeNet Customer Support.
If you do modify the file, never insert TAB characters - use individual space characters.
Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.

To uninstall the Luna HSM client software

# cd /usr/safenet/lunaclient/bin
# ./sh uninstall.sh

Crypto Command Center depends on lunacm. If Crypto Command Center is installed on the client, you must uninstall Crypto Command Center before you can uninstall the Luna client, otherwise a dependency error is displayed and the Luna client is not successfully uninstalled. See "Installing Crypto Command Center" for Crypto Command Center un-installation instructions.

Java

During the installation, the script provides the opportunity to install Luna Java components. If you select Java components, the Luna Java files are installed below/usr/safenet/lunaclient/jsp/. In order to use Java, you must have separately installed Java (JDK or run-time environment from the vendor of your choice) onto your system.

Copy the Luna Java library and jar files from their default location under /usr/safenet/lunaclient/jsp/lib to the Java environment directory; example
/usr/jre/lib/ext

The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.

For additional Java-related information, "Java".

JSP Static Registration

You would choose static registration of providers if you want all applications to default to our (SafeNet) provider.

Once your client has externally logged in using salogin (see "Login from a Client to your Luna HSM (optional)" ) in the Reference section of this document) or your own HSM-aware utility, any application would be able to use Luna product without being designed to login to the HSM Partition.

Edit the java.security file located in the \jre\lib\security directory of your Java SDK/JRE 1.6.x or 1.7.x installation to read as follows:

security.provider.1=sun.security.provider.Sun

security.provider.2=com.sun.net.ssl.internal.ssl.Provider

security.provider.3=com.safenetinc.luna.provider.LunaProvider

security.provider.4=com.sun.rsajca.Provider

security.provider.5=com.sun.crypto.provider.SunJCE

security.provider.6=sun.security.jgss.SunProvider

You can set our provider in first position for efficiency if Luna HSM operations are your primary mode. However, if your application needs to perform operations not supported by the LunaProvider (secure random generation or random publickey verification, for example) then it would receive error messages from the HSM and would need to handle those gracefully before resorting to providers further down the list. We have found that having our provider in third position works well for most applications.

The modifications in the "java.security" file are global, and they might result in the breaking of another application that uses the default KeyPairGenerator without logging into the Luna SA first. This consideration might argue for using dynamic registration, instead.

JSP Dynamic Registration

For your situation, you may prefer to employ dynamic registration of Providers, in order to avoid possible negative impacts on other applications running on the same machine. As well, the use of dynamic registration allows you to keep installation as straightforward as possible for your customers.

Compatibility

We formally test Luna HSMs and our Java provider with SUN JDK for all platforms except AIX, and with IBM JDK for the AIX platform. We have not had problems with OpenJDK, although it has not been part of our formal test suite. The Luna JCE provider is compliant with the JCE specification, and should work with any JVM that implements the Java language specification.

Occasional problems have been encountered with respect to IBM JSSE.

GNU JDK shipped with most Linux systems has historically been incomplete and not suitable.

Remove components

To uninstall the JSP component or the SDK component, you must uninstall LunaClient completely, then re-run the installation script without selecting the unwanted component(s).

sh uninstall.sh

[Ctrl] [C] - If you interrupt the installation

Do not interrupt the installation script in progress, and ensure that your host computer is served by an uninterruptible power supply (UPS). If you press [Ctrl] [C], or otherwise interrupt the installation (OS problem, power outage, other), some components will not be installed. It is not possible to resume an interrupted install process. The result of an interruption depends on where, in the process, the interruption occurred (what remained to install before the process was stopped).

As long as the cryptoki RPM package is installed, any subsequent installation attempt results in refusal with the message "A version of Luna Client is already installed."

If components are missing or are not working properly after an interrupted installation, or if you wish to install any additional components at a later date (following an interrupted installation, as described), you would need to uninstall everything first. If ‘sh uninstall.sh’ is unable to do it, then you must uninstall all packages manually.

Because interruption of the install.sh script is not recommended, and mitigation is possible, this is considered a low-likelihood corner case, fully addressed by these comments.

Scripted or Unattended Installation

If you prefer to run the installation from a script, rather than interactively, run the command with the options -p <list of Luna products> and -c <list of Luna components>. To see the syntax, run the command with --help like this:

[myhost]$ sh .../LunaClient_5.3.0-5x/linux/64/install.sh --help
Installing from .../LunaClient_5.3.0-x/linux/64

At least one product should be specified.

usage:
        install.sh      - Luna Client install through menu
        install.sh help - Display scriptable install options
        install.sh all  - Complete Luna Client install

        install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp]

        -p <list of Luna products>
        -c <list of Luna components>  - Optional. All components are installed if not provided

Luna products options
   sa     - Luna SA
   pci    - Luna PCI-E
   g5     - Luna G5
   rb     - Luna Remote Backup HSM

Luna components options
   sdk    - Luna SDK
   jsp    - Luna JSP (Java)
   jcprov - Luna JCPROV (Java)
   ldpc   - Crypto Command Center Provisioning Client
   snmp   - Luna SNMP subagent


[myhost]$

For scripted/automated installation, your script will need to capture and respond to the License Agreement prompt, and to the confirmation prompt. For example:

[myhost]$ ./install.sh all 
Installing from /home/me/Downloads/LunaClient_5.3.0/linux/64  

IMPORTANT: The terms and conditions of use outlined in the software 
license agreement (Document #008-010005-001_053110)  shipped with the product 
("License") constitute a legal agreement between you and SafeNet Inc.
Please read the License contained in the packaging of this 
product in its entirety before installing this product.

Do you agree to the License contained in the product packaging?

If you select 'yes' or 'y' you agree to be bound by all the terms 
and conditions se out in the License.

If you select 'no' or 'n', this product will not be installed. 

(y/n) y

Complete Luna Client will be installed. This includes Luna SA,
Luna PCI-E, Luna G5 AND Luna Remote Backup HSM.

Select 'yes' or 'y' to proceed with the install.

Select 'no' or 'n', to cancel this install. 

Continue (y/n)?

For example, to automate installation for our testing, we use:

if product == 'all':

cmd ='/bin/bash %s %s'%(install_cmd, product) # install.sh all

SUSE Linux on IBM PPC

JCE un-restriction files must be downloaded from IBM, not from SUN, for this platform. Attempting to use SUN JCE un-restriction files on IBM PowerPC systems with SUSE Linux causes signing errors with Java 5 and Java 6.

32-bit Client on 64-bit RedHat 6

While no errors normally appear when installing 64-bit client on 64-bit RedHat 6, some preparation is required to avoid installation errors when installing 32-bit Client on 64-bit OS. Do the following:

yum install glibc.i686
yum upgrade libstdc++
yum install libstdc++.i686
yum install libgcc.i686
Then run the 32-bit installer
./install.sh

Failure to perform those steps before launching the installer can result in output like the following:

Installing the Luna Client 5.3.0-5...
Adding new version of configurator
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:configurator ########################################### [100%]
Adding new version of libcryptoki
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:libcryptoki ########################################### [100%]
Checking for /etc/Chrystoki.conf.rpmsave
Using new /etc/Chrystoki.conf
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Adding new version of libshim
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:libshim ########################################### [100%]
Adding new version of lunacm
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:lunacm ########################################### [100%]
Adding new version of lunacmu
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:lunacmu ########################################### [100%]
Adding new version of ckdemo
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:ckdemo ########################################### [100%]
Adding new version of multitoken
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:multitoken ########################################### [100%]
Adding new version of cklog
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:cklog ########################################### [100%]
Adding new version of salogin
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:salogin ########################################### [100%]
Adding new version of vtl
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:vtl ########################################### [100%]
Adding new version of htl_client
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:htl_client ########################################### [100%]
/var/tmp/rpm-tmp.bLgG1F: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Starting htl_client:/etc/init.d/htlc_service: /usr/safenet/lunaclient/htl/htl_client: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
FAILED
warning: %post(htl_client-5.3.0-5.i386) scriptlet failed, exit status 1
Adding new version of javaSAMP
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:javaSAMP ########################################### [100%]
Adding new version of ckSample
/home/builds/LunaClient/CLT_SDK/5.3.0/LunaClient_5.3.0-5/LunaClient_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:ckSample ########################################### [100%]

If the installation script proceeds to the end, with the above errors, the installation appears successful, but you are unable to create certs. Re-do.

After Installation

When you have installed the software onto a Client, the next task is to configure the Luna appliance and HSM.

Go here .

Show the Table of Contents