Applicability to specific versions of Windows is summarized in the Customer Release Notes for this release.
Before installing a Luna® system, you should confirm that the product you have received is in factory condition and has not been tampered with in transit. Refer to the Content Sheet included with your product shipment. If you have any questions about the condition of the product that you have received, please contact SafeNet Support (800)545 6608 or support@safenet-inc.com immediately.
Each computer that connects to the Luna SA as a Client must have the
cryptoki library, the vtl client shell and other utilities and supporting
files installed.
Each computer that contains, or is connected to a Luna PCI-E or a Luna G5 HSM must have the cryptoki library and other utilities and supporting files installed.
.NET framework - before installing Luna Client on Windows 2012 platform, install Microsoft .NET framework version 3.5,first. You can have other versions of .NET on your system (there is no conflict), but 3.5 is needed for Luna Client to launch HTL on Windows 2012.
For additional information see "Windows 2012 Supplement".
On Windows Server 2008, LunaClient installs and HTL works without additional Windows components.
The supported Windows servers are 64-bit. They allow running of 32-bit or 64-bit applications.
For compatibility of our HSMs with Windows in general, we provide both 32-bit and 64-bit libraries for use with your applications as appropriate, but our supplied tools (lunacm, cmu, multitoken, etc.) are 64-bit versions only. This is because 64-bit tools are all that is needed on a 64-bit OS, but we mention it in case you were looking for 32-bit equivalents - there aren't any because none are needed.
For compatibility of our HSMs with Windows CAPI we have Luna CSP, and for the newer Windows CNG we have Luna KSP. If you are using either, then a section near the end of this chapter has additional specific instructions.
Interactive (prompted) and non-interactive (no prompts) installation options are available.
For interactive installation, install Luna SA client software on supported Windows versions (see the Customer Release Notes for the current list) as follows.
As a general rule, do not modify the Chrystoki.conf/crystoki.ini
file, unless directed to do so by SafeNet Customer Support.
If you do modify the file, never insert TAB characters - use individual
space characters.
Avoid modifying the PED timeout settings. These are now hardcoded in the appliance,
but the numbers in the Chrystoki.conf file must match.
You can use the msiexec command to install the Luna client from the command line, or from a script. The msiexec command includes various command line switches (see the Microsoft documentation for details) that allow you to install the Luna client with varying levels of user interaction, including a quiet mode (/qn) that requires no user interaction.
However, since the Luna client includes a device driver, the following confirmation dialog is displayed when you install the Luna client using the msiexec command , regardless of the command line switches you use:
If you check the Always trust software from "SafeNet, Inc." checkbox, this dialog will not be displayed on subsequent installs, allowing for a truly "silent" install that requires no user interaction. That option was introduced with Windows 2008.
For more detailed information, see "Scripted / Unattended Installation on Windows".
During the installation, if you allow our Java Security Provider to be installed, the Luna Java files are installed below C:\Program Files\LunaClient\JSP\lib. In order to use our JSP, you must have separately installed Java (JDK or run-time environment from the vendor of your choice) onto your system.
Copy the Luna Java files from their default location under C:\Program Files\SafeNet\LunaClient\JSP\lib to the Java environment directory; example
C:\Program Files\Java\jre6\lib\ext
The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.
SafeNet has traditionally recommended that you put LunaAPI.dll in the <java install dir>/lib/ext folder.
However, Java 7 for Windows has removed this directory from the Java library path. As a result, when a Java 7 application on Windows uses the Luna provider, it cannot find the LunaAPI.dll library, causing the application to fail.
To address this problem, we suggest that you use one of the following methods to add LunaAPI.dll to the Java 7 search path:
For additional Java-related information,see "Java" .
You would choose static registration of providers if you want all applications to default to our (SafeNet) provider.
Once your client has externally logged in using salogin (see "Login from a Client to your Luna HSM (optional)" ) in the Reference section of this document) or your own HSM-aware utility, any application would be able to use Luna product without being designed to login to the HSM Partition.
Edit the java.security file located in the \jre\lib\security directory of your Java SDK/JRE 1.6.x or 1.7.x installation to read as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.safenetinc.luna.provider.LunaProvider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
You can set our provider in first position for efficiency if Luna HSM operations are your primary mode. However, if your application needs to perform operations not supported by the LunaProvider (secure random generation or random publickey verification, for example) then it would receive error messages from the HSM and would need to handle those gracefully before resorting to providers further down the list. We have found that having our provider in third position works well for most applications.
The modifications in the "java.security" file are global, and they might result in the breaking of another application that uses the default KeyPairGenerator without logging into the Luna SA first. This consideration might argue for using dynamic registration, instead.
For your situation, you may prefer to employ dynamic registration of Providers, in order to avoid possible negative impacts on other applications running on the same machine. As well, the use of dynamic registration allows you to keep installation as straightforward as possible for your customers.
We formally test Luna HSMs and our Java provider with SUN JDK for all platforms except AIX, and with IBM JDK for the AIX platform. We have not had problems with OpenJDK, although it has not been part of our formal test suite. The Luna JCE provider is compliant with the JCE specification, and should work with any JVM that implements the Java language specification.
Occasional problems have been encountered with respect to IBM JSSE.
GNU JDK shipped with most Linux systems has historically been incomplete and not suitable.
Luna CSP allows you to use the Luna HSM with Microsoft CAPI, which is supported on 32-bit and on 64-bit Windows.
Luna KSP allows you to use the Luna HSM with Microsoft CNG, which is newer, has additional functions, and supersedes CAPI.
Both of these require modifications to the Windows Registry.
For Luna CSP, the utility "register.exe" takes care of the registry.
Just remember to run the 64-bit version, the 32-bit version, or both, depending on the applications you are running.
---
For Luna KSP, the utility "KspConfig.exe" takes care of the registry.
Just remember to run the 64bit version, the 32bit version, or both, depending on the applications you are running.
The cryptoki.ini file, which specifies many configuration settings for your HSM and related software, includes a line that specifies the path to the appropriate libNT for use with your application(s). Verify that the path is correct
If Luna CSP (CAPI) / Luna KSP(CNG) is selected at installation time then the SafeNetKSP.dll file is installed in these two locations:
- C:\Windows\System32 (used for 64-bit KSP)
- C:\Windows\SysWOW64 (used for 32-bit KSP)
Luna Client 32-bit libraries (cryptoki.dll, cklog.dll, etc.) and versions of CSP and KSP libraries and tools are installed in the "win32" directory(C:\Program Files\SafeNet\LunaClient\win32).
win32 directory content is as follows:
- cklog201.dll
- cklog201.dll.sig
- cryptoki.dll
- cryptoki.dll.sig
- shim.dll
- shim.dll.sig
- jsp directory which contains:
* LunaAPI.dll
If the Luna CSP (CAPI) / Luna KSP(CNG) feature is installed, the following are also installed under win32:
- csp directory which contains:
* keymap
* LunaCSP.dll
* LunaCSP.sig
* ms2Luna
* register
- KSP directory that contains:
* kspcmd
* KspConfig
* ksputil
* ms2Luna
In order to properly use the 32-bit library and tools on 64-bit systems there are two basic approaches:
Set your application to load the 32-bit library installed under the win32 directory, and run your application. For an example on how to load the cryptoki library dynamically, please refer to the Luna SDK.
This should work for any application that directly points to the needed library, and represents the majority of customer applications.
If you require your 32-bit Windows application to run on 64-bit Windows and your application uses the crystoki.ini to find the location of the cryptoki library (such as applications that use ckbridge - no longer distributed - or that use CSP), we recommend creating a new copy of the crystoki.ini file under the win32 directory to point to the 32-bit cryptoki library as described below:
At any time, you might need to uninstall Luna Client, or to modify the installation (perhaps to add a component or product that you did not previously install), or to repair the installed software. In that case, run the LunaClient.msi program again. Because the software is already installed on your computer, after you click through the Welcome page, this dialog appears:
Choose the desired option, click [Next], and follow the prompts.
It is possible that you might see a message like this:
Ignore that message if you see it while uninstalling LunaClient. You do not need to restart your computer, and you will not be prompted to do so.
When you have installed the software onto a Client, the next task for Luna SA is to configure the appliance and HSM, and to create a network trust link between your Client and Luna SA.
See "Recommended Network Characteristics" .
For Luna PCI-E and Luna G5, the next task is to initialize and configure the HSM.
See "Initializing a PED-Authenticated HSM".