You are here: System and Software Getting Started Guide > Installing the Luna Software > Windows Install

Windows Installation

Applicability to specific versions of Windows is summarized in the Customer Release Notes for this release.

Before installing a Luna® system, you should confirm that the product you have received is in factory condition and has not been tampered with in transit.  Refer to the Content Sheet included with your product shipment.  If you have any questions about the condition of the product that you have received, please contact SafeNet Support (800)545 6608 or immediately.

Each computer that connects to the Luna SA as a Client must have the cryptoki library, the vtl client shell and other utilities and supporting files installed.  
Each computer that contains, or is connected to a Luna PCI-E or a Luna G5 HSM must have the cryptoki library and other utilities and supporting files installed.  

.NET framework - before installing Luna Client on Windows 2012 platform, install Microsoft .NET framework version 3.5,first. You can have other versions of .NET on your system (there is no conflict), but 3.5 is needed for Luna Client to launch HTL on Windows 2012.
For additional information see "Windows 2012 Supplement".   

On Windows Server 2008, LunaClient installs and HTL works without additional Windows components.



The supported Windows servers are 64-bit. They allow running of 32-bit or 64-bit applications.

For compatibility of our HSMs with Windows in general, we provide both 32-bit and 64-bit libraries for use with your applications as appropriate, but our supplied tools (lunacm, cmu, multitoken, etc.) are 64-bit versions only. This is because 64-bit tools are all that is needed on a 64-bit OS, but we mention it in case you were looking for 32-bit equivalents - there aren't any because none are needed.

For compatibility of our HSMs with Windows CAPI we have Luna CSP, and for the newer Windows CNG we have Luna KSP. If you are using either, then a section near the end of this chapter has additional specific instructions.

Interactive (prompted) and non-interactive (no prompts) installation options are available.

Interactive Client installation

For interactive installation, install Luna SA client software on supported Windows versions (see the Customer Release Notes for the current list) as follows.

  1. Log into Windows as “Administrator”, or as a user with administrator privileges.
  2. Insert the “Luna Client Software — Release X.x” CD into your CD drive.
  3. Click Start/Run and then type:

    where “d” is your CDROM drive
    or  use Explorer to navigate the CD directories and double click the appropriate

    NOTE: The installer is 64-bit only. If you have 32-bit applications, proceed with the 64-bit installation, then see the section (below) entitled "Using 32-bit applications with Luna Client".

  4. At the Welcome screen, click [Next].


  5. Accept the software license agreement.

  6. In the “Choose Destination Location” dialog,

    accept the default that is offered, or make a change if you prefer.  
  7. Click to select any of the Luna Product software options that you wish to install.

    Any that are marked with a red "X" are currently de-selected and will not be installed when you proceed. You must accept at least the major feature for your HSM. You can select all, if you wish - there is no conflict.

    The installer includes the Luna SNMP Subagent as an option with any of the Luna HSMs, except Luna SA (which has agent and subagent built in). For any of Luna PCI-E, Luna G5, or Luna Backup HSMs, include the subagent with any of the products, if desired - it doesn't matter which; it's the same subagent, and it goes to the same location on your hard disk. After installation is complete, you will need to move the SafeNet MIB files to the appropriate directory for your SNMP application, and you will need to start the SafeNet subagent and configure for use with your agent. See "SNMP".

  8. On the "Ready to Install" page click [Install].

    If you wish to modify any of your previous selections, you can still click [Back] to see previous pages. Once you click [Install], you are committed to the installation.
  9. If Windows presents a security notice asking if you wish to install the device driver from SafeNet, click [Install] to accept.

    If you choose not to install the driver, your Luna Client cannot function with any locally connected Luna hardware (which includes Luna PCI-E, Luna G5, or Luna [Remote] Backup HSMs).
  10. When the installation completes, click [Finish].

  11. After the installer closes,

As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by SafeNet Customer Support.
If you do modify the file, never insert TAB characters - use individual space characters.
Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.


Using msiexec for scripted or unattended installation of the Luna Client

You can use the msiexec command to install the Luna client from the command line, or from a script. The msiexec command includes various command line switches (see the Microsoft documentation for details) that allow you to install the Luna client with varying levels of user interaction, including a quiet mode (/qn) that requires no user interaction.

However, since the Luna client includes a device driver, the following confirmation dialog is displayed when you install the Luna client using the msiexec command , regardless of the command line switches you use:

If you check the Always trust software from "SafeNet, Inc." checkbox, this dialog will not be displayed on subsequent installs, allowing for a truly "silent" install that requires no user interaction. That option was introduced with Windows 2008.

For more detailed information, see "Scripted / Unattended Installation on Windows".



During the installation, if you allow our Java Security Provider to be installed, the Luna Java files are installed below C:\Program Files\LunaClient\JSP\lib. In order to use our JSP, you must have separately installed Java (JDK or run-time environment from the vendor of your choice) onto your system.

Copy the Luna Java files from their default location under C:\Program Files\SafeNet\LunaClient\JSP\lib to the Java environment directory; example
C:\Program Files\Java\jre6\lib\ext

The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.


Java 7 Library Path Issue

SafeNet has traditionally recommended that you put LunaAPI.dll in the <java install dir>/lib/ext folder.

However, Java 7 for Windows has removed this directory from the Java library path. As a result, when a Java 7 application on Windows uses the Luna provider, it cannot find the LunaAPI.dll library, causing the application to fail.

To address this problem, we suggest that you use one of the following methods to add LunaAPI.dll to the Java 7 search path:


For additional Java-related information,see "Java" .  

JSP Static Registration

You would choose static registration of providers if you want all applications to default to our (SafeNet) provider.

Once your client has externally logged in using salogin (see "Login from a Client to your Luna HSM (optional)" ) in the Reference section of this document) or your own HSM-aware utility, any application would be able to use Luna product without being designed to login to the HSM Partition.

Edit the file located in the \jre\lib\security directory of your Java SDK/JRE 1.6.x or 1.7.x installation to read as follows:




You can set our provider in first position for efficiency if Luna HSM operations are your primary mode. However, if your application needs to perform operations not supported by the LunaProvider (secure random generation or random publickey verification, for example) then it would receive error messages from the HSM and would need to handle those gracefully before resorting to providers further down the list. We have found that having our provider in third position works well for most applications.

The modifications in the "" file are global, and they might result in the breaking of another application that uses the default KeyPairGenerator without logging into the Luna SA first. This consideration might argue for using dynamic registration, instead.

JSP Dynamic Registration

For your situation, you may prefer to employ dynamic registration of Providers, in order to avoid possible negative impacts on other applications running on the same machine. As well, the use of dynamic registration allows you to keep installation as straightforward as possible for your customers.


We formally test Luna HSMs and our Java provider with SUN JDK for all platforms except AIX, and with IBM JDK for the AIX platform. We have not had problems with OpenJDK, although it has not been part of our formal test suite. The Luna JCE provider is compliant with the JCE specification, and should work with any JVM that implements the Java language specification.

Occasional problems have been encountered with respect to IBM JSSE.

GNU JDK shipped with most Linux systems has historically been incomplete and not suitable.



Luna CSP allows you to use the Luna HSM with Microsoft CAPI, which is supported on 32-bit and on 64-bit Windows.

Luna KSP allows you to use the Luna HSM with Microsoft CNG, which is newer, has additional functions, and supersedes CAPI.

Both of these require modifications to the Windows Registry.

For Luna CSP, the utility "register.exe" takes care of the registry.

Just remember to run the 64-bit version, the 32-bit version, or both, depending on the applications you are running.

  1. Register the csp dll:   
    # register.exe /library   
  2. Register the partition:   
    # register <no arguments>


For Luna KSP, the utility "KspConfig.exe" takes care of the registry.

  1. Follow instructions for the use of the graphical KspConfig.exe as described in "KSP for CNG" in the Integration section.

Just remember to run the 64bit version, the 32bit version, or both, depending on the applications you are running.

The cryptoki.ini file, which specifies many configuration settings for your HSM and related software, includes a line that specifies the path to the appropriate libNT for use with your application(s). Verify that the path is correct


If Luna CSP (CAPI) / Luna KSP(CNG) is selected at installation time then the SafeNetKSP.dll file is installed in these two locations:  
 - C:\Windows\System32 (used for 64-bit KSP)     
- C:\Windows\SysWOW64 (used for 32-bit KSP)


Using 32-bit applications with Luna Client

Luna Client 32-bit libraries (cryptoki.dll, cklog.dll, etc.) and versions of CSP and KSP libraries and tools are installed in the "win32" directory(C:\Program Files\SafeNet\LunaClient\win32).

win32 directory content is as follows:

- cklog201.dll

- cklog201.dll.sig

- cryptoki.dll

- cryptoki.dll.sig

- shim.dll

- shim.dll.sig

- jsp directory which contains:

    * LunaAPI.dll

If the Luna CSP (CAPI) / Luna KSP(CNG) feature is installed, the following are also installed under win32:

- csp directory which contains:

    * keymap

    * LunaCSP.dll

    * LunaCSP.sig

    * ms2Luna

    * register

- KSP directory that contains:

    * kspcmd

    * KspConfig

    * ksputil

    * ms2Luna


In order to properly use the 32-bit library and tools on 64-bit systems there are two basic approaches:   


Direct loading of library   

Set your application to load the 32-bit library installed under the win32 directory, and run your application. For an example on how to load the cryptoki library dynamically, please refer to the Luna SDK.

This should work for any application that directly points to the needed library, and represents the majority of customer applications.


Loading the library via the configuration file    

If you require your 32-bit Windows application to run on 64-bit Windows and your application uses the crystoki.ini to find the location of the cryptoki library (such as applications that use ckbridge - no longer distributed - or that use CSP), we recommend creating a new copy of the crystoki.ini file under the win32 directory to point to the 32-bit cryptoki library as described below:

  1. Install Luna Client and configure the HSM or SA client as you would normally do.   
  2. Create a copy of the crystoki.ini file and store it in the win32 directory.   
  3. Modify the LibNT entry in the file (the copy in the win32 directory) to point to the cryptoki.dll library located in the win32 directory
    LibNT=C:\Program Files\SafeNet\LunaClient\win32\cryptoki.dll   
  4. Open a new DOS prompt (to be used to run your application).   
  5. Set the ChrystokiConfigurationPath environment variable to point to the win32 directory set
    ChrystokiConfigurationPath= C:\Program Files\SafeNet\LunaClient\win32\   
  6. Run your application.


Uninstalling, Modifying, or Fixing the Luna Client Software

At any time, you might need to uninstall Luna Client, or to modify the installation (perhaps to add a component or product that you did not previously install), or to repair the installed software. In that case, run the LunaClient.msi program again. Because the software is already installed on your computer, after you click through the Welcome page, this dialog appears:

Choose the desired option, click [Next], and follow the prompts.

It is possible that you might see a message like this:

Ignore that message if you see it while uninstalling LunaClient. You do not need to restart your computer, and you will not be prompted to do so.


After Installation

When you have installed the software onto a Client, the next task for Luna SA is to configure the appliance and HSM, and to create a network trust link between your Client and Luna SA.

See "Recommended Network Characteristics" .


For Luna PCI-E and Luna G5, the next task is to initialize and configure the HSM.

See "Initializing a PED-Authenticated HSM".