Open topic with navigation

Creating an STC Link Between a Client and a Partition

Note:  Secure Trusted Channel requires firmware 6.22.0 or later.

If you require a higher level of security for your network links than is offered by NTL, such as in cloud environments, or in situations where message integrity is paramount, you can use Secure Trusted Channel (STC) to provide very secure client-partition links. STC offers the following features to ensure the security and integrity of your client-partition communications:

•Privacy of all communicated data through the use of symmetric encryption, so that only the end-points can read any sensitive data.

•Integrity of the communicated data through the use of message authentication codes, so that not eavesdropper could add, delete, modify or replay any command or response.

•Bi-directional authentication of both the HSM and the end-point, so that only authorized entities can establish an STC connection, and there can be no man-in-the-middle attack.

See "Secure Trusted Channel (STC) Network Links" on page 1 in the Administration Guide for more information.

Note:  STC and NTL can co-exist on the same Luna SA appliance, allowing you to configure some partitions to use STC, while other partitions use NTL. The client can also support both STC and NTLS links. However, all links from a specific client to a specific Luna SA appliance can be either NTL or STC, but not both.

To use STC, you must enable the following policies:

•HSM policy 39: Allow Secure Trusted Channel. This policy enables STC on the HSM, so that you can configure the HSM such that some partitions to use STC, while other partitions use NTLS. This policy can only be set by the HSM SO.

•Partiton policy 37: Force Secure Trusted Channel. This policy forces the partition to use STC, and requires that HSM policy 39 is also set. For legacy partitions, this policy can be only be set by the HSM SO. For partitions with SO, this policy can only be set by the partition SO.

The procedure for creating an STC link between a client and a partition differs depending on whether the partition is a legacy partition or a partition with SO, as follows:

Creating an STC Link to a Legacy Partition

The procedure for creating an STC link to a legacy partition consists of the following major steps:

1.Enable the STC policy on the HSM and partition.

2.Export the partition identity public key to a file on the appliance.

3.Create the client token and identity.

4.Exchange the partition and client identity public keys.

5.Register the client identity public key to the partition.

6.Register the partition identity public key with the client.

7.Enable and verify the STC link.

Step 1: Enable the STC policy on the HSM and partition

This step is performed by the HSM SO. For more information, including detailed procedures, examples, and a description of the impact of setting the policies, see "Enabling or Disabling STC on the HSM" on page 1 and "Enabling or Disabling STC on a Partition" on page 1 in the Administration Guide.

1.Launch LunaSH and log in as the HSM SO.

2.Enter the following command to ensure that policy 39: Allow Secure Trusted Channel is enabled on the HSM:

hsm showpolicies

If it is not enabled, enter the following command to enable the policy:

hsm changePolicy -policy 39 -value 1

3.Enter the following command to ensure that policy 37: Force Secure Trusted Channel is enabled on the partition:

partition showpolicies -partititon <partition_name>

If it is not enabled, enter the following command to enable the policy:

partition changepolicy -partition <partition_name> -policy 37 -value 1

Step 2: Export the partition identity public key to a file on the appliance

This step is performed by the HSM SO. Exporting the partition identity public key creates the partition identity if it does not already exist. The public key is exported to a file named <partition_serial_number>.pid on the appliance.

1.Enter the following command to export the partition's public key to a file:

stc partition export -partition <partition_name>

For example:

lunash:>stc partition export -partition legacy_stc

Successfully exported partition identity for partition legacy_stc to file 359693009023.pid

Command Result : 0 (Success)

Step 3: Create the client token and identity

This step is performed by the root user on the Luna client workstation, using LunaCM.

1.Open a Luna client session:

a.Open a command prompt or terminal window.

b.Launch LunaCM:

2.Initialize the STC client software token, or insert the STC client hardware token you have prepared for this client:

–If you are using an STC client software token, enter the following command to initialize the STC client token.

stc tokeninit -label <token_label>

For example:

lunacm:> stc tokeninit -label mySTCclientToken

Successfully initialized the client token.

–If you are using an STC client hardware token (SafeNet eToken 7300), insert the token into an available USB port. Before you can use a hardware token, the token must be initialized using the SafeNet Authentication Client on a Windows workstation, as described in "Using a Hard Token to Store the STC Client Identity" on page 1 in the Administration Guide.

In addition, you must also install the SafeNet Authentication Client software (8.3 or higher) on the client workstation and add the following line to the Secure Trusted Channel section of the crystoki.ini (Windows) or Chrystoki.conf (UNIX/Linux) file, to specify the path to the SafeNet Authentication Client eToken library:

3.Enter the following command to create a client identity on the token. The STC client identity public key is automatically exported to the <luna_client_root_dir>/data/client_identities directory:

stc identitycreate -label <client_identity>

For example:

lunacm:> stc identitycreate -label mySTCclientID

Client identity successfully created and exported to file /usr/safenet/lunaclient/data/client_identities/mySTCclientID

4.Exit LunaCM.

Step 4: Exchange the partition and client identity public keys

The STC identity public keys are exchanged as follows:

•the client identity public key is copied from the Luna client data/client_identities directory to the Luna SA appliance.

•the partition identity public key is copied from the appliance to the data/partition_identities directory on the Luna client workstation.

Copying the public keys to or from the Luna SA appliance is performed by the Luna SA appliance administrator, using scp (UNIX/Linux) or pscp (Windows).

Copying the public keys to or from the Luna client workstation is performed by the root user on the Luna client workstation.

The following procedure assumes that you are able to perform both roles, that is, you can log in to the Luna client workstation as root, and you possess the Luna SA appliance admin password so that you can use scp/pscp to transfer files directly between the Luna client workstation and the Luna SA appliance.

If your IT and security policies require separation of roles, the keys can be exchanged manually, for example, using email with fingerprint verification, so that the root user on the Luna client workstation is responsible for:

• providing the client identity public key to the Luna SA appliance administrator.

•copying the partition identity public key to the data/partition_identities directory on the Luna client workstation.

The Luna SA appliance administrator is responsible for:

•using scp/pscp from a separate workstation to copy the client identity public key to the Luna SA appliance.

• using scp/pscp from a separate workstation to copy the partition identity public key from the Luna SA appliance and then providing it to the root user on the Luna client workstation.

1.Log in to the Luna client workstation as the root user.

2.Go to the Luna client data/client_identities directory:

3.Export the client identity public key to the HSM appliance, using pscp (Windows) or scp (Linux/UNIX). You require the Luna SA appliance admin password to complete this step:

Note:  You must scp to the admin account on the HSM appliance, or the client public key will not register correctly.  The file arriving at the appliance is automatically placed in the appropriate directory. Do not specify a target directory.

pscp mySTCclientID admin@myLunaSA: 
admin@myLunaSA's password: ********  
mySTCclientID   | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

scp mySTCclientID admin@192.168.0.123: 
admin@192.168.0.123's password: ********  
mySTCclientID   | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

4.Go to the Luna client data/partition_identities directory:

5.Use pscp (Windows) or scp (Linux/UNIX) to import the partition public key from the Luna SA appliance to the data/partition_identities directory on the Luna client workstation. See "Using the scp and pscp Utilities" for details. You require the Luna SA appliance admin password to complete this step:

pscp admin@myLuna:359693009023.pid . 
admin@myLuna's password:  

359693009023.pid     | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

scp admin@192.168.0.123:359693009023.pid . 
admin@192.168.0.123's password:   
359693009023.pid      | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

Step 5: Register the client identity public key to the partition

Note:  Each client identity registered to a partition uses 2332 bytes of storage on the partition. Before registering a client identity to a partition, ensure that there is adequate free space.

This step is performed by the HSM SO. You can register multiple clients to a partition.

1.Launch LunaSH and log in as the HSM SO.

2.Enter the following command to register the client identity public key to the partition:

stc client register -partition <partition_name> -label <client_label> -file <client_public_key>

For example:

stc client register -partition mySTCpar -label myClient -file mySTCclientID

Step 6: Register the partition identity public key to the client

This step is performed by the root user on the Luna client workstation.

1.Log in to the Luna client workstation as the root user.

2.Open a Luna client session:

a.Open a command prompt or terminal window.

b.Launch LunaCM:

3.Enter the following command to register the partition identity public key to the client token:

stc partitionregister -file <partition_identity> [-label <partition_label>]

For example:

lunacm:> stc partitionregister -file /usr/safenet/lunaclient/partition_identities/359693009023.pid -label mySA_mySTCpartition

Step 7: Enable and verify the STC link

CAUTION:  When you enable STC on the client, you must specify the Luna SA appliance that hosts the partition you want to link to. This forces the client to use STC for all links to the specified Luna SA appliance. Any existing NTLS links to the specified Luna SA appliance will be terminated.

This step is performed by the root user on the Luna client workstation.

1.Log in to the Luna client workstation as the root user.

2.Open a Luna client session:

a.Open a command prompt or terminal window.

b.Launch LunaCM:

3.Enter the following command to determine the server ID of the Luna SA appliance that hosts the partition:

clientconfig listservers

For example:

lunacm:> clientconfig listservers

Server ID   Server          Channel   HTL Required

0           192.168.0.123   STC       No

1           192.168.0.59    NTLS      No

4.Enter the following command to enable the STC link:

stc enable -id <server_id>

For example:

stc enable -id 0

You are about to enable STC to server mySA.

This will initiate an automatic restart of this application. All sessions

logged in through the application will be closed.

Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now -> proceed

Successfully enabled STC to connect to server mySA.

At this point, LunaCM restarts. If successful, the partition is listed in the list of available HSMs. You can use the stc identityshow command to list the partitions registered to the client token.

5.Enter the following command to verify the link. This command displays the status of the STC link for the current slot:

stc status

For example:

lunacm:> stc status

Enabled:        Yes

Status:         Connected

Channel ID:     2

Cipher Name:    AES 256 Bit with Cipher Block Chaining

HMAC Name:      HMAC with SHA 512 Bit

Creating an STC Link to a Partition With SO

Creating an STC link to a partition with SO is performed entirely by the root user on the Luna client workstation, using LunaCM. The procedure consists of the following major steps:

1.Ensure that you have satisfied the prerequisite conditions.

2.Create the client token and identity.

3.Register the partition identity public key with the client.

4.Initialize the partition.

5.Enable policy 37: Force Secure Trusted Channel on the partition.

6.Enable and verify the STC link.

CAUTION:  STC allows you to claim the partition as the holder of the partition public key, and creates a one-time temporary STC link to allow you to register the client to the partition. You must complete all of the steps in this procedure in a single LunaCM session. If you do not, the partition is locked, and will not be accessible. The only workaround is for the HSM SO to delete the partition, create a new partition, and provide you with new partition public key so that you can try again.

Step 1: Ensure that you have satisfied the prerequisite conditions

Before attempting to create an STC link to a partition with SO, ensure that you have satisfied the following prerequisites:

1.You have the STC partition identity public key for the partition. Before using the partition identity public key, it is recommended that you confirm its authenticity by verifying its hash. You can verify the partition identity public key hash after you register the partition identity public key to the client token, as outlined in the following procedure. The HSM SO can use the LunaSH command stc partition show -partition <partition_name> to display the partition identity public key hash and provide it to you with the partition identity public key.

2.Confirm with the HSM SO that policy 39: Allow Secure Trusted Channel is enabled on the HSM.

Note:  This procedure automatically registers the client identity to the partition. Each client identity registered to a partition uses 2332 bytes of storage on the partition. Before enabling the STC link, ensure that there is adequate free space on the partition.

Step 2: Create the client token and identity

Note:  This step is not required if you have already created a client token and identity. Verify using stc identityshow.

1.Open a Luna client session:

a.Open a command prompt or terminal window.

b.Launch LunaCM:

2.Initialize the STC client software token, or insert the STC client hardware token (SafeNet eToken 7300) you have prepared for this client:

–If you are using an STC client software token, enter the following command to initialize the STC client token.

stc tokeninit -label <token_label>

For example:

lunacm:> stc tokeninit -label mySTCclientToken

Successfully initialized the client token.

–If you are using an STC client hardware token (SafeNet eToken 7300), insert the token into an available USB port. Before you can use a hardware token, the token must be initialized using the SafeNet Authentication Client on a Windows workstation, as described in "Using a Hard Token to Store the STC Client Identity" on page 1 in the Administration Guide.

In addition, you must also install the SafeNet Authentication Client software (8.3 or higher) on the client workstation and add the following line to the Secure Trusted Channel section of the crystoki.ini (Windows) or Chrystoki.conf (UNIX/Linux) file, to specify the path to the SafeNet Authentication Client eToken library:

3.Enter the following command to create a client identity on the token. The STC client identity public key is automatically exported to the <luna_client_root_dir>/data/client_identities directory:

stc identitycreate -label <client_identity>

For example:

lunacm:> stc identitycreate -label mySTCclientID

Client identity successfully created and exported to file /usr/safenet/lunaclient/data/client_identities/mySTCclientID

Step 3: Register the partition identity public key to the client

After you register the partition identity public key to the client, and restart LunaCM, the partition will be visible as a slot in LunaCM. The slot will not have a label.

1.Enter the following command to register the partition identity public key to the client token:

stc partitionregister -file <partition_identity> [-label <partition_label>]

For example:

lunacm:> stc partitionregister -file /usr/safenet/lunaclient/partition_identities/359693009023.pid -label mySA_mySTCpartition

2.If you were provided with the partition identity public key hash, enter the following command to verify that the hashes match:

stc identityshow

For example:

lunacm:> stc ids

Client Identity Name:		myclient

Public Key SHA1 Hash:		5f3395af2ae01ac25c1a27dc25

Partition Name	Partition Serial Number	 Partition Public Key SHA1 Hash

par_app3	124338921974	         23159590be9b57fd0c9d8a84beeed04d4279c01c

par_app47	152943202231	         de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3

par_app12	150253010085	         2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

If the hashes do not match, enter the following command to deregister the partition identity public key, and contact your HSM SO.

stc partitionderegister -serial <partition_serial_number>

3.Restart LunaCM. Following the restart, the partition will be visible as a slot in LunaCM. The slot for the partition is easily identified because it does not have a label, since it is not yet initialized,. In the following example, the uninitialized PPSO partition is in slot 1:

lunacm:> exit

[root@myclient bin]# ./lunacm

Available HSMs:

Slot Id ->              0

Label ->                stc_legacy

Serial Number ->        359693009024

Model ->                K6 Base

Firmware Version ->     6.22.0

Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode

Slot Description ->     Net Token Slot

Slot Id ->              1

Label ->                

Serial Number ->        359693009027

Model ->                K6 Base

Firmware Version ->     6.22.0

Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode

Slot Description ->     Net Token Slot

Step 4: Initialize the partition

When you initialize the partition, the client identity public key is automatically registered to the partition, and you become the owner of the partition. A temporary STC channel is established that allows you to login to the partition to set policy 37: Force Secure Trusted Channel on the partition, so that an STC link is automatically established in subsequent sessions.

CAUTION:  After you initialize the partition, you must immediately proceed to the next step to login to the partition as the partition SO and enable policy 37: Force Secure Trusted Channel. You must do this from the current LunaCM session. If the LunaCM session is closed before you enable the policy, the temporary STC link is terminated. Any attempt to re-establish an STC link to the partition will fail, since the policy is not enabled. The only workaround in this case is for the HSM SO to delete the partition, create a new partition, and provide you with the new partition access information and public key, so that you can try again.

1.Set the current slot to the slot containing the uninitialized (unlabelled) partition.

2.Enter the following command to initialize the partition. On a password-authenticated HSM, you are prompted to specify the partition SO password and domain you want to use for the partition. On a PED-authenticated HSM, you are prompted to attend to the PED to imprint (or provide) the partition SO PED key and domain PED key:

partition initialize -label <partition_label>

For example:

lunacm:>par init -label stc_ppso

You are about to initialize the partition.

All contents of the partition will be destroyed.

Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now ->proceed

Enter password for Partition SO: ********

Re-enter password for Partition SO: ********

Option -domain was not specified.  It is required.

Enter the domain name: *******

Re-enter the domain name: *******

Command Result : No Error

Step 5: Enable policy 37: Force Secure Trusted Channel on the partition

1.Enter the following command to log in to the partition as the partition SO. You are prompted to enter the partition SO password or to attend to the PED:

role login -name Partition SO

2.Enter the following command to enable policy 37: Force Secure Trusted Channel on the partition:

partition changepolicy -policy 37 -value 1

3. Enter the following command to ensure that the policy is set:

partition showpolicies

For example:

lunacm:> par sp

...

Partition Policies

...

36: Allow secret key SFF backup/restore

37: Force Secure Trusted Channel

Step 6: Enable and verify the STC link

CAUTION:  When you enable STC on the client, you must specify the Luna SA appliance that hosts the partition you want to link to. This forces the client to use STC for all links to the specified Luna SA appliance. Any existing NTLS links to the specified Luna SA appliance will be terminated.

1.Enter the following command to determine the server ID of the Luna SA appliance that hosts the partition:

clientconfig listservers

For example:

lunacm:> clientconfig listservers

Server ID   Server          Channel   HTL Required

0           192.168.0.123   STC       No

1           192.168.0.59    NTLS      No

2.Enter the following command to enable the STC link:

stc enable -id <server_id>

For example:

lunacm:> stc enable -id 0

You are about to enable STC to server mySA.

This will initiate an automatic restart of this application. All sessions

logged in through the application will be closed.

Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now -> proceed

Successfully enabled STC to connect to server mySA.

At this point, LunaCM restarts. If successful, the partition is listed in the list of available HSMs, with the label you specified when you initialized the partition. For example:

Available HSMs:

Slot Id ->              0

Label ->                stc_legacy

Serial Number ->        359693009024

Model ->                K6 Base

Firmware Version ->     6.22.0

Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode

Slot Description ->     Net Token Slot

Slot Id ->              1

Label ->                stc_ppso

Serial Number ->        359693009027

Model ->                K6 Base

Firmware Version ->     6.22.0

Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode

Slot Description ->     Net Token Slot

3.Enter the following command to set the current slot to the slot containing the new partition:

slot set -slot <slot>

For example:

lunacm:> slot set -slot 1

4.Enter the following commands to verify the link:

stc status

For example:

lunacm:> stc status

Enabled:        Yes

Status:         Connected

Channel ID:     2

Cipher Name:    AES 256 Bit with Cipher Block Chaining

HMAC Name:      HMAC with SHA 512 Bit

You can now create the Crypto Officer and Crypto User roles on the partition. See "Configure PPSO Application Partitions".

Luna PCI-E 6.0 Product Documentation
007-011329-007 Rev. A May 2015 Copyright 2015 SafeNet, Inc. All rights reserved.

Open topic with navigation