The first step in preparing your clients to use the cryptographic resources provided by the HSM appliance is to create a secure network trust link (NTL) between the client and the appliance. After you create the NTL link between the client and the appliance, you can configure links to individual partitions on the appliance using NTL or Secure Trusted Channel (STC), as described in "Enable the Client to Access a Partition".
Network Trust Links (NTL) are secure, authenticated network connections between the Luna SA and Clients. NTLs use two-way digital certificate authentication and TLS data encryption to protect sensitive data as it is transmitted between HSM Partitions on the Luna SA and Clients. NTLs consist of the following parts:
• the Network Trust Link Service (NTLS). The NTL server daemon runs on the Luna SA appliance and manages the NTL connections to the appliance. NTL uses port 1792 on the Luna SA appliance.
• the Network Trust Link Agent (NTLA). The NTL agent runs on a Luna client workstation and manages the NTL connections to the workstation. The NTL agent is included in the Luna client software.
• the Network Trust Link itself, an encrypted, secure communications channel between the Client’s NTLA and the HSM appliance's NTLS.
Network Trust Links use digital certificates to verify the identities of connecting clients. During the initial HSM appliance configuration (see "Generate a New HSM Server Certificate"), the appliance administrator generated a unique certificate that identifies the HSM appliance. Similarly, each Client must generate its own certificate that identifies it uniquely. Both the Client and the HSM appliance use these certificates to verify the other’s identity before an NTL is created between them.
Clients running on virtual machines (VMs) are subject to an attack in which a clone of the VM instance is used to gain access to the HSM. To remove this risk, and ensure the integrity of the client, you can optionally specify that you want the network trust link to require host trust link (HTL) client authentication. HTL uses a client-specific, one-time-token on the client that is synchronized with the HSM server to ensure the integrity of the client, and prevent an unsynchronized cloned VM image from connecting to the HSM. See "Host Trust Link Client Authentication" in the Administration Guide for more information.
Although designed for VM clients, you can use HTL to secure the client on any NTL link.
CAUTION: To avoid a VM clone attack, do not register a VM client without invoking the HTL option.
To invoke the HTL option when creating an NTL, you do the following:
1. Specify the -htl option when using the vtl addserver command to register the Luna SA appliance with the Luna client workstation.
2. Specify the -requirehtl option when using the LunaSH client register command to register the Luna client workstation with the Luna SA appliance.
3. Generate a one-time token for the Luna client workstation using the LunaSH htl generateott command.
4. Use scp/pscp to export the one-time-token to the Luna client workstation.
5. Rename the one-time-token with the hostname/IP of the Luna SA appliance and place it in the <luna_client_root>/htl directory. The HTL link is established automatically during the next HTL polling interval.
These steps are included as options in the procedure "To create a network trust link".
To create an NTL, the Client and HSM appliance must first exchange certificates. Once the certificates have been exchanged, the Client registers the Luna SA’s certificate in a trust list, and the Luna SA appliance, in turn, registers the Client’s certificate in its list of clients. When the certificates have been exchanged and registered at each end, the NTL is ready to use.
Note: Administration commands can take a few seconds to be noted by the NTLS. If you have added or deleted a client, wait a few seconds before connecting.
Note: You must have administrator (or root) access to perform this procedure. Read/write access to the Luna client installation directory is required for the certificate exchange.
1. Prepare the client workstation:
a. Install the Luna client software. See "Luna Client Software Installation" in the Installation Guide for details.
b. Install an SSH client to provide secure shell access to the Luna appliance for certificate exchange and registration. The PuTTY SSH client (putty.exe) is included in the Luna client for Windows.
c. Ensure that the client workstation has network access to the Luna SA appliance. The appliance auto-negotiates network bandwidth up to Gigabit Ethernet speeds. See "Recommended Network Characteristics" for more information.
2. Open a Luna client session:
a. Open a command prompt or terminal window.
b. Go to the Luna client installation directory:
Windows        C:\Program Files\SafeNet\LunaClient
Linux/AIX      /usr/safenet/lunaclient/bin
Solaris/HP-UX  /opt/safenet/lunaclient/bin
3. Use pscp (Windows) or scp (Linux/UNIX) to import the HSM Appliance Server Certificate (server.pem) from the Luna SA appliance to the Luna client workstation. See "Using the scp and pscp Utilities" for details. You require the Luna SA appliance admin password to complete this step:
Note: If you are registering multiple Luna SA appliances to a client, you must use the <target_filename> option to rename the server.pem file when importing it to the client, to ensure that each HSM Appliance Server Certificate has a unique name on the client.
Windows
Syntax: pscp [options] <user>@<host>:<source_filename> <target_filename>
Example: To copy the server certificate from host myLuna to the current (.) directory, keeping the same name:
pscp admin@myLuna:server.pem .
server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
Linux/UNIX
Syntax: scp [options] <user>@<host>:<source_filename> <target_filename>
Example: To copy the server certificate from host IP 192.168.0.123 to the current (.) directory, keeping the same name:
scp admin@192.168.0.123:server.pem .
Note: You must accept the SSH certificate the first time you open an scp or ssh link. You can use lunash:> sysconf fingerprint -ssh to check the certificate fingerprint before accepting it.
Note: If the HSM appliance IP or hostname is changed, SSH will detect a mismatch in the HSM appliance's server certification information and warn you of a potential security breach. To resolve this issue, delete the server's certificate information from the client’s known host file at: /<user home dir>/.ssh/known_hosts2, and re-import the server certificate.
4. Register the HSM Server Certificate with the client, using the vtl addserver command. Use the -htl option if the client is running in a VM, or if you want to add the extra client identity verification offered by HTL to the link (see "The Host Trust Link (HTL) Option for VM Clients").
See "VTL" in the Utilities Reference Guide for full command syntax:
Non-VM clients (without HTL): vtl addServer -n <SA_hostname_or_IP> -c <server_certificate>
VM clients (with HTL):        vtl addServer -n <SA_hostname_or_IP> -c <server_certificate> -htl
Note: If you specify the -htl option, you must also specify the -requirehtl option when you register the client with the server, in a subsequent step. If you do not, the server will reject requests to create the link, since it expects an HTL connection to be present.
Note: The vtl command is not interactive. It is called from the command line or a shell prompt, it completes its current task, and it exits back to the shell.
Examples:
The following command copies the server.pem file that was downloaded in the previous step, from <luna_install_dir> to <luna_install_dir>/cert/server, and registers the myLunaSA server certificate (<luna_install_dir>/cert/server/server.pem), with the client:
bash-2.05# ./vtl addServer -n myLunaSA -c cert/server/server.pem
New server myLunaSA successfully added to the server list.
The following command copies the server.pem file that was downloaded in the previous step, from <luna_install_dir> to <luna_install_dir>/cert/server, and registers the server certificate for the Luna SA appliance at IP address 192.168.0.123 (<luna_install_dir>/cert/server/server.pem), with the client and specifies that the link requires HTL client integrity verification:
bash-2.05# ./vtl addServer -n 192.168.0.123 -c server.pem -htl
New server 192.168.0.123 successfully added to the server list.
5. Create a certificate and private key for the client, using the vtl createcert command. See "VTL" in the Utilities Reference Guide for full command syntax:
vtl createcert -n <Luna_client_hostname_or_IP>
Note: The client hostname or IP address must be an exact match for the client hostname, as reported using the hostname command. If you create a certificate using a hostname parameter that is not an exact letter-case match for the client’s hostname, you will be unable to create an NTLS link.
The certificate and private key are saved to the <luna_install_dir>/cert/client directory and are named <Luna_client_hostname_or_IP>.pem and <Luna_client_hostname_or_IP>Key.pem, respectively. The vtl createcert command displays the full path-name to the key and certificate files that were generated.
Example: The following command creates a certificate and private key for the client named myLunaClient:
bash-2.05# ./vtl createCert -n myClient1
Private Key created and written to: /usr/safenet/lunaclient/bin/cert/client/myClientKey.pem
Certificate created and written to: /usr/safenet/lunaclient/bin/cert/client/myClient.pem
6. Export the client certificate to the HSM appliance, using pscp (Windows) or scp (Linux/UNIX). You require the Luna SA appliance admin password to complete this step:
Note: You must scp to the admin account on the HSM appliance, or the client certificate will not register correctly. The file arriving at the HSM is automatically placed in the appropriate directory. Do not specify a target directory.
Windows
Syntax: pscp [options] <source_filename> <user>@<host>:[<target_filename>]
Example: To copy the client certificate (myLunaClient.pem) to the myLunaSA appliance, keeping the same name:
pscp myLunaClient.pem admin@myLunaSA:
Linux/UNIX
Syntax: scp [options] <source_filename> <user>@<host>:[<target_filename>]
Example: To copy the client certificate (myLunaClient.pem) to the Luna SA appliance with IP 192.168.0.123, keeping the same name:
scp myLunaClient.pem admin@192.168.0.123:
7. Register the client certificate with the HSM appliance using the LunaSH client register command. Use the -requirehtl, -ottexpiry, and -generateott options if the client is running in a VM, or if you want to add the extra client identity verification offered by HTL to the link (see "The Host Trust Link (HTL) Option for VM Clients"). You need an admin or operator-level account on the Luna SA appliance to complete this step.
Note: You must specify the -requirehtl option if you used the -htl option when you registered the server with the client. If you do not, the server will reject requests to create the link, since it expects an HTL connection to be present.
a. Use an SSH client to connect to the Luna SA appliance and log in using an admin or operator-level account.
b. Use the LunaSH client register command to register the client. See "client register" in the LunaSH Reference Guide for details.
Non-VM clients (without HTL)
By hostname:   client register -client <client_name> -hostname <client_hostname>
By IP address: client register -client <client_name> -ip <client_IP_address>
VM clients (with HTL)
By hostname:   client register -client <client_name> -hostname <client_hostname> -requirehtl [-ottexpiry <seconds>] -generateott
By IP address: client register -client <client_name> -ip <client_IP_address> -requirehtl [-ottexpiry <seconds>] -generateott
Note: The <client_name>, above can be any string that allows you to easily identify this client. Many people use the hostname, but the <client_name> can be any string that you find convenient. This might sound a little redundant (naming the client twice in one command), but it becomes especially useful if you are not using DNS - in that case, a well-considered <client_name> is likely going to be easier to remember or recognize than the client's IP address.
Note: If you are registering with HTL, you can omit the -ottexpiry parameter to use the default expiry; the default, and other options, are configurable. You can also use the htl commands to generate the one-time-token at a later time and configure the HTL options. See "htl".
Examples:
The following command registers the client at IP address 123.65.98.7 and assigns it a <client_name> of Standard_Client:
lunash:> client register -client Standard_Client -hostname 123.65.98.7
‘client register’ successful.
Command Result : 0 (Success)
The following command registers the client at IP address 74.123.33.2, assigns it a <client_name> of VM_Client, specifies that it requires HTL with the default expiry, and generates a one-time token for the client:
lunash:> client register -client VM_Client -hostname 74.123.33.2 -requirehtl -generateott
‘client register’ successful.
One-time token for client VM_Client is ready to use.
Command Result : 0 (Success)
8. If you are not using the HTL option, this procedure is complete. You can use the LunaSH client list command to verify the client registration.
If you are using the HTL option, complete the remaining steps to import the HTL one-time token, rename it to use the Luna SA appliance name rather than the Luna client workstation name, and activate HTL on the link by placing the token in the <Luna_install_dir>/htl directory.
9. Use pscp (Windows) or scp (Linux/UNIX) to import the one-time-token (<client_hostname_or_IP>.ott) from the Luna SA appliance to the Luna client workstation. See "Using the scp and pscp Utilities" for details. You require the Luna SA appliance admin password to complete this step:
Windows
Syntax: pscp [options] <user>@<host>:<source_filename> <target_filename>
Example: To copy the HTL one-time token for client myLunaClient from the myLunaSA appliance to the current (.) directory, keeping the same name:
pscp admin@myLunaSA:myLunaClient.ott .
Linux/UNIX
Syntax: scp [options] <user>@<host>:<source_filename> <target_filename>
Example: To copy the HTL one-time token for client myLunaClient from the myLunaSA appliance to the current (.) directory, keeping the same name:
scp admin@myLunaSA:myLunaClient.ott .
10. Rename the HTL one-time token with the IP address or hostname, as relevant, of your Luna SA appliance, and move it to the <Luna_client_install_dir>/htl directory to activate HTL on the link:
Windows
Use Windows Explorer, or enter the following commands from a command prompt window:
cd "C:\Program Files\SafeNet\LunaClient"
move <client_hostname_or_IP>.ott .\htl\<SA_appliance_hostname_or_IP>.ott
Linux/AIX
Enter the following commands from a terminal window:
cd /usr/safenet/lunaclient/bin
mv <client_hostname_or_IP>.ott ./htl/<SA_appliance_hostname_or_IP>.ott
Solaris/HP-UX
Enter the following commands from a terminal window:
cd /opt/safenet/lunaclient/bin
mv <client_hostname_or_IP>.ott ./htl/<SA_appliance_hostname_or_IP>.ott
Example:
bash-2.05# cd /usr/safenet/lunaclient/bin
bash-2.05# mv myLunaClient.ott ./htl/myLunaSA.ott
bash-2.05# cd htl
bash-2.05# ls
myLunaSA.ott
11. This part of the procedure is complete. After the token has been moved to its correct location and renamed to reflect the Luna SA hostname or IP, it will be used during the next HTL polling interval. This happens automatically.
You can use the LunaSH client list command to verify the client registration, and the LunaSH htl show command to confirm the status of the Host Trust Link. The HTL Status changes to "Up" and the OTT Status changes to "In use" after the client has successfully established a Host Trust Link.
Example:
lunash:>client list
registered client 1: 74.123.33.2
Command Result : 0 (Success)
lunash:>htl show
HTL Grace period   : 60 seconds
Default OTT expiry : 300 seconds
Client Name     HTL Status     OTT Status     OTT Expiry Time
-----------------------------------------------------------------
MyClient        Up             In Use         300 (default)
Command Result : 0 (Success)
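The following POSIX shell helper is an added example, not part of the Luna documentation or client software: it scripts the client-side half of the procedure above (steps 3 to 6, then 9 and 10) and enforces the caveats the notes call out, namely a unique name for each imported server.pem, an exact letter-case match between the vtl createCert name and the hostname, export to the admin account with no target directory, and the token stored under htl/ renamed to the appliance. LUNA_CLIENT_ROOT, the function names, and the chmod 600 on the stored token are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Luna documentation): client-side helper for the NTL + HTL
# procedure. LUNA_CLIENT_ROOT defaults to the Linux client directory from the table above;
# the function names and the chmod on the stored token are assumptions.
LUNA_CLIENT_ROOT="${LUNA_CLIENT_ROOT:-/usr/safenet/lunaclient/bin}"

# Step 5 caveat: the -n value given to vtl createCert must match the output of `hostname`
# exactly, letter case included, or the NTLS link cannot be created.
# $1 = name intended for -n, $2 = output of `hostname`. Returns 0 only on an exact match.
cert_name_matches_host() {
    [ "$1" = "$2" ]
}

# Step 10: the token arrives named after the client but must be stored as <appliance>.ott
# under the htl directory. $1 = client root, $2 = appliance hostname or IP.
ott_target_path() {
    printf '%s/htl/%s.ott\n' "$1" "$2"
}

# Step 10: rename and move the token into place without clobbering a token already in use
# for that appliance. $1 = client root, $2 = path of <client>.ott, $3 = appliance name.
# Returns 1 if the token file is missing, 2 if a token for that appliance already exists.
install_ott() {
    target=$(ott_target_path "$1" "$3")
    [ -f "$2" ] || { echo "no one-time token at $2" >&2; return 1; }
    [ -e "$target" ] && { echo "a token for $3 is already installed: $target" >&2; return 2; }
    mkdir -p "$1/htl" && mv "$2" "$target" && chmod 600 "$target"
}

# Steps 3-6 and 9-10 in order for one appliance ($1) and this client ($2), run from the
# client install directory. Step 7 (client register ... -requirehtl -generateott) is done
# on the appliance over SSH between the two scp transfers.
register_with_htl() {
    appliance="$1"; client="$2"
    # Step 3: give each imported server.pem a unique name (required with several appliances).
    scp "admin@$appliance:server.pem" "./$appliance-server.pem" || return 1
    # Step 4: -htl here means step 7 must use -requirehtl, or the appliance rejects the link.
    ./vtl addServer -n "$appliance" -c "./$appliance-server.pem" -htl || return 1
    # Step 5: refuse to create a certificate whose name does not match the hostname exactly.
    cert_name_matches_host "$client" "$(hostname)" || { echo "name must equal hostname" >&2; return 1; }
    ./vtl createCert -n "$client" || return 1
    # Step 6: copy to the admin account with no target directory; the appliance files it.
    scp "cert/client/$client.pem" "admin@$appliance:" || return 1
    # Step 9: after step 7 on the appliance, pull the token it generated for this client.
    scp "admin@$appliance:$client.ott" . || return 1
    # Step 10: once in place, the link comes up on the next HTL polling interval.
    install_ott "$LUNA_CLIENT_ROOT" "./$client.ott" "$appliance"
}

if [ "${1:-}" = register ] && [ $# -eq 3 ]; then register_with_htl "$2" "$3"; fi
```

Invoke as `sh ntl_htl_client.sh register <SA_hostname_or_IP> <client_hostname>` from the client install directory; the check functions can be sourced and used on their own.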
If you have multiple HSM appliances connected and registered with a client and you de-register that client from one of the HSM appliances, then you must also de-register that HSM appliance on the client side. Failure to do so will result in a “Broken pipe” error, which indicates an incomplete registration.
If you wish to de-register a client and then re-register with a new certificate, on the same HSM appliance, then you must copy the certificate to the HSM appliance (HSM server) and stop and re-start the service called NTLS (see "service list" and "service restart"). Before such a restart, any connection attempts fail, and “Error on SSL accept” is logged.