This section describes how to use the Luna CSP registration tool and related utilities to configure the Luna client to use a Luna HSM with Microsoft Certificate Services. You must be the Administrator or a member of the Administrators group to run the Luna CSP tools.
The Luna CSP can be used by any application that acquires the context of the Luna CSP. All users who log in and use the applications that acquired that context have access to the Luna CSP. After you register the Luna HSM partitions with the Luna CSP, your CSP and KSP code should work in the same manner whether the Luna HSM (crypto provider) or the default provider is selected.
Note: The Luna CSP is an optional component of the Luna client. Its default location is <luna_client_install_dir>/CSP. If the CSP is not installed, re-run the installer.
Use the keymap utility if you have previously been using another provider (with its keys in the Luna HSM) and wish to migrate to MS CSP while keeping your established keys. The keymap utility simply creates on the Luna HSM the data object that MS CSP expects, which in turn makes your existing keys available to MS CSP. See <luna_client_install_dir>/CSP/keymap.exe.
Use the ms2Luna utility if you already have MS CSP in use with software key storage and you now wish to continue with your keys held on the Luna HSM. See <luna_client_install_dir>/CSP/ms2luna.exe.
You can use the CSP registration tool (<luna_client_install_dir>/CSP/register.exe) to perform the following functions:
•register HSM partitions for use with the Luna CSP. The password for each HSM Partition is secured such that only the user for which the password was secured is able to un-secure it. See "Registering Partitions"
•register which non-RSA cryptographic algorithms you want performed in software only. See "Registering the Cryptographic Algorithms to be Performed in Software"
•enable key counting in KSP/CSP. See "Enabling Key Counting".
register.exe [/partition | /algorithms | /library | /usagelimit] [/highavail] [/strongprotect] [/cryptouser] [/?]
Parameter | Shortcut | Description |
---|---|---|
/partition | /p | Register a partition and its encrypted challenge. You are prompted through the required steps to select and register a Luna HSM partition. This is the default option: if you type register with no additional parameters, /partition is assumed, and if you type register /highavail or register /strongprotect, /partition is invoked together with the option you selected. That is, register /highavail is the same as register /partition /highavail. |
/highavail | /h | Register only high availability (HA) partitions. |
/strongprotect | /s | Strongly protect the challenge for the registered partition(s). |
/algorithms | /a | Register the algorithms to be performed in software only. |
/library | /l | Register the CSP library and signature in the registry. |
/usagelimit | /u | Register the maximum usage limit for CSP RSA keys. |
/cryptouser | /c | Use the CSP as Crypto User. |
The syntax used to register partitions depends on whether the partitions use high availability (HA) or not, as detailed in the following procedures.
1.Enter the following command:
C:\Program Files\SafeNet\LunaClient\CSP> register
2.Respond to the prompts. For example:
**************************************************************
SafeNet Luna CSP, Partition Registration
Protect the HSM's challenge for the selected partitions.
NOTE:
This is a WEAK protection of the challenge!!
After you have configured all applications that will use
the Luna CSP, and run them once, you MUST run:
register /partition /strongprotect *
to strongly protect the registered challenges!!
**************************************************************
This procedure is a destructive procedure and will completely replace any previous settings!!
Do you wish to continue?: [y/n]
Do you want to register the partition named 'nes'? [y/n]:
Please enter the Luna SA challenge for the partition 'nes' :
Success registering the ENCRYPTED challenge for partition 'nes'.
Only the Luna CSP will be able to use this data!
Registered 1 partition(s) for use by the Luna CSP!
All available Partitions are presented for you to register or not.
3.Install and/or configure your application(s).
4.Run each of your applications once to use Luna CSP.
5.Enter the following command to strongly protect the registered challenges:
register /partition /strongprotect *
CAUTION: You must run register /strongprotect to ensure the protection of the HSM partition passwords.
Note: Once you run the /strongprotect option, only the users that existed before you ran the /strongprotect command are allowed to use the Luna CSP; accounts created afterwards cannot. Complete step 4 for every account that will use the CSP, including the service accounts that your applications run under, before you run this command. If the /strongprotect option is not used, any user on the host can use the Luna CSP.
6.Enter the following command to reconnect to the library:
register.exe /library
7.Run all applications as usual.
When registering an HA Partition for use, follow these steps.
1.Enter the following command:
C:\Program Files\SafeNet\LunaClient\CSP> register /highavail
Note: Use the /highavail option only if you have HA set up for your Luna SAs.
2.Respond to the prompts. For example:
**************************************************************
SafeNet Luna CSP, Partition Registration
Protect the HSM's challenge for the selected partitions.
NOTE:
This is a WEAK protection of the challenge!!
After you have configured all applications that will use
the Luna CSP, and run them once, you MUST run:
register /partition /strongprotect *
to strongly protect the registered challenges!!
**************************************************************
This procedure is a destructive procedure and will completely replace any previous settings!!
Do you wish to continue?: [y/n]
Do you want to register the partition named 'nes'? [y/n]:
Please enter the Luna SA challenge for the partition 'nes' :
Success registering the ENCRYPTED challenge for partition 'nes'.
Only the Luna CSP will be able to use this data!
Registered 1 partition(s) for use by the Luna CSP!
Note: If you are using HA, then only the HA virtual partition is presented for registering.
3.Install and/or configure your application(s).
4.Run each of your applications once to use Luna CSP.
5.Enter the following command to strongly protect the registered challenges:
register /partition /strongprotect *
CAUTION: You must run register /strongprotect to ensure the protection of the HSM partition passwords.
Note: Once you run the /strongprotect option, only the users that existed before you ran the /strongprotect command are allowed to use the Luna CSP; accounts created afterwards cannot. Complete step 4 for every account that will use the CSP, including the service accounts that your applications run under, before you run this command. If the /strongprotect option is not used, any user on the host can use the Luna CSP.
6.Enter the following command to reconnect to the library:
register.exe /library
7.Run all applications as usual.
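Both registration procedures above (non-HA and HA) follow the same ordering: register the partition, run every application once, strongly protect the challenges, re-register the library, verify. The PowerShell script below is an added example written for this page; it is not part of the Luna client or its documentation. It assumes the install directory shown in the procedures, that certutil.exe is present (it ships with Windows), that the Luna CSP appears with "Luna" in its name in certutil -csplist output and is named "Luna Cryptographic Services for Microsoft Windows" for certutil -csptest, and the marker file it writes under ProgramData is the script's own state, not something register.exe creates. register.exe is interactive, so the script launches it in the current console and lets the operator answer its prompts rather than scripting the partition challenge.

```powershell
<#
  Added example (not part of the Luna client or its documentation).
  Drives the partition-registration sequence in the order the procedure
  requires: Register phase (register /partition [/highavail]), then a manual
  break to run every CSP-using application once, then Protect phase
  (register /partition /strongprotect *, register /library, verification).
  Assumptions (not from the page): the install directory below, certutil.exe
  being available, the Luna CSP's provider name, and the marker file.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Register', 'Protect')]
    [string]$Phase,

    # Set when the client uses an HA virtual partition (register /highavail).
    [switch]$HighAvailability,

    # Assumed install location; adjust to match <luna_client_install_dir>.
    [string]$CspDir = 'C:\Program Files\SafeNet\LunaClient\CSP'
)

$ErrorActionPreference = 'Stop'
$register = Join-Path $CspDir 'register.exe'
# Script-local state (hypothetical): records that the Register phase ran.
$marker   = Join-Path $env:ProgramData 'LunaCsp-registered.txt'

function Invoke-Register {
    param([string[]]$Arguments)
    # Run in the current console so the operator can answer the y/n and
    # challenge prompts; fail loudly on a non-zero exit code.
    $p = Start-Process -FilePath $register -ArgumentList $Arguments -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "register.exe $($Arguments -join ' ') exited with code $($p.ExitCode)"
    }
}

function Test-LunaCspListed {
    # certutil -csplist prints every registered CSP/KSP; look for the Luna entry
    # (assumes the provider name contains "Luna").
    $out = & certutil.exe -csplist 2>&1 | Out-String
    return ($out -match 'Luna')
}

if (-not (Test-Path $register)) {
    throw "register.exe not found at $register; the CSP component is not installed (re-run the Luna client installer)."
}
# The tools require Administrator rights; refuse to continue without them.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated (Administrator) PowerShell session.'
}

switch ($Phase) {
    'Register' {
        # Step 1: register the partition(s). HA clients are shown only the HA virtual partition.
        $regArgs = if ($HighAvailability) { @('/partition', '/highavail') } else { @('/partition') }
        Invoke-Register $regArgs
        Set-Content -Path $marker -Value (Get-Date -Format o)
        if (-not (Test-LunaCspListed)) {
            Write-Warning 'Luna CSP not found in certutil -csplist; check the /library registration.'
        }
        Write-Host 'Challenges are now only WEAKLY protected.'
        Write-Host 'Install/configure every application and run each one once, under the account it'
        Write-Host 'will use (service accounts included), then run this script with -Phase Protect.'
    }
    'Protect' {
        if (-not (Test-Path $marker)) {
            throw 'No record of the Register phase on this host; run -Phase Register first.'
        }
        # Steps 5-6: lock the challenges to the users that already exist, then
        # re-register the library. Accounts created after this cannot use the CSP.
        Invoke-Register @('/partition', '/strongprotect', '*')
        Invoke-Register @('/library')
        # Step 7 sanity check: exercise the provider end to end (assumed provider name).
        & certutil.exe -csptest 'Luna Cryptographic Services for Microsoft Windows'
        Remove-Item $marker -ErrorAction SilentlyContinue
    }
}
```

Run it twice from an elevated session: `.\Register-LunaCsp.ps1 -Phase Register` (add `-HighAvailability` for an HA client), then, after every application has been run once under its own account, `.\Register-LunaCsp.ps1 -Phase Protect`. Splitting the script into two phases is deliberate: the only thing that makes strong protection safe is that every account which will ever use the CSP has already exercised it, and no script can verify that for you.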
Certain symmetric and hashing operations may be performed faster in software than on the Luna HSM. The register /algorithms command lets you choose which of these algorithms to de-register from the Luna HSM so that the Microsoft CSP performs them in software. The trade-off is a gain in speed at the cost of some security: a software-only algorithm, and any symmetric or MAC key it uses, is handled in host memory rather than inside the HSM. Signing and other RSA asymmetric operations are always done on the HSM.
1.Enter the following command and respond to the prompts:
C:\Program Files\SafeNet\LunaClient\CSP> register /algorithms
2.You are prompted for yes or no responses about which algorithms are to be registered for software-only use. For example:
************************************************************************
SafeNet Luna CSP, Algorithm Registration
Register algorithms to be done in software by the Microsoft CSP(s).
BY DEFAULT, ALL ALGORITHMS ARE DONE IN HARDWARE BY THE Luna SA.
ONLY NON RSA ALGORITHMS MAY BE CONFIGURED FOR SOFTWARE.
RSA PUBLIC/PRIVATE ALGORITHMS WILL ALWAYS BE IN HARDWARE.
************************************************************************
Do you want algorithm 'CALG_RC2', done in software?(y/n):
Do you want algorithm 'CALG_RC4', done in software?(y/n):
Do you want algorithm 'CALG_RC5', done in software?(y/n):
Do you want algorithm 'CALG_DES', done in software?(y/n):
Do you want algorithm 'CALG_3DES_112', done in software?(y/n):
Do you want algorithm 'CALG_3DES', done in software?(y/n):
Do you want algorithm 'CALG_MD2', done in software?(y/n):
Do you want algorithm 'CALG_MD5', done in software?(y/n):
Do you want algorithm 'CALG_SHA', done in software?(y/n):
Do you want algorithm 'CALG_MAC', done in software?(y/n):
Do you want algorithm 'CALG_HMAC', done in software?(y/n):
Success registering software only algorithms:
CALG_RC2,CALG_RC4,CALG_RC5,...!
If you chose no for all prompts, then all algorithms revert to hardware and the following is displayed:
All algorithms have been de-registered and will now only be done in hardware!
Key counting allows you to specify the maximum number of times that an RSA key can be used through the CSP. The limit is a value from 0 to MAX(UInt32); a value of 0 turns the feature off.
1.Enter the following command and respond to the prompts. Enter the key usage limit, or enter 0 to turn off the feature:
C:\Program Files\SafeNet\LunaClient\CSP> register /usagelimit
For example:
C:\Program Files\SafeNet\LunaClient\CSP>register /usagelimit
register v1.0.1
Enter the key usage limit: 2000
Successfully configured the key usage limit to 2000 uses.