Home > |
---|
These instructions are tested for the Linux versions listed in the Customer Release Notes.
These instructions assume that you have already acquired the SafeNet Client software, either on CD/DVD or in the form of a downloaded .tar archive.
Applicability to specific versions of Linux is summarized in the Customer Release Notes for the current release.
Note: Before installing a Luna® system, confirm that the product you have received is in factory condition and has not been tampered with in transit. Refer to the Startup Guide included with your product shipment. If you have any questions about the condition of the product that you have received, please contact SafeNet Support (800)545 6608 or support@safenet-inc.com immediately
Each computer that connects to the SafeNet HSM appliance as a Client must have the
cryptoki library, the vtl client shell and other utilities and supporting
files installed.
Each computer that contains, or is connected to a SafeNet USB HSM or a SafeNet PCI-E HSM must have the cryptoki library and other utilities and supporting files installed.
Note: This example shows all the SafeNet Client products and components. Some items are not supported on all operating systems and therefore do not appear as you proceed through the installation script.
Do not install SafeNet client software on the same system as legacy SafeNet CA3, SafeNet CA4, SafeNet PCM, or SafeNet PCI software. The software is intended for modern/current SafeNet HSMs, SafeNet Network HSM, SafeNet PCI-E HSM, SafeNet USB HSM, SafeNet (Remote) Backup HSM.
Before starting the installation, ensure that you have satisfied the following prerequisites:
Ensure that you have a Random Number Generator (RNG) or Entropy Gathering Daemon (EGD) on your system in one of the following locations:
•/dev/egd-pool
• /etc/egd-pool,
• /etc/entropy
•/var/run/egd-pool
Cryptographic algorithms, including those that assure the security of communication – such as in OpenSSL and other protocols – depend upon random numbers for the creation of strong keys and certificates. A readily available source of random data is the entropy that exists in complex computer processes. Utilities exist for every operating system, to gather bits of system entropy into a pool, which can then be used by other processes.
Windows and Linux have these installed by default. Other systems may or may not. See your system administrator.
In the case of SafeNet Network HSM, the SafeNet Client administration tool (vtl) expects to find a source of randomness at /dev/random. If one is not found, vtl fails, because the link cannot be secured from the Client end.
If your system does have an entropy pool, but the random number generator (RNG) is not in the expected place, then you can create a symbolic link between the actual location and one of the following:
•/dev/random
• /dev/egd-pool
• /etc/egd-pool
•/etc/entropy
•/var/run/egd-pool
If your system does not have an entropy gathering daemon or random number generator, please direct your system administrator to install one, and point it to one of the named devices.
The SafeNet Client software is provided as RPM packages. If you are installing on a Debian system, you must have "alien" installed before beginning the SafeNet Client installation. The SafeNet Client installation script invokes the alien conversion of RPMs to DEB packages. The install script will stop with a message if you attempt to install on a Debian system without the alien package already installed.
If you are installing the SafeNet PCI-E HSM, or SafeNet USB HSM, or SafeNet Remote Backup HSM clients, ensure that the following items are installed:
•Kernel headers for build
•rpm-build package
•C and C++ compilers
•make command
These items are required because the driver module is built on Linux before it is installed. If one of these items is missing, the driver build will fail and the module will not be installed..
It is recommended that you refer to the SafeNet HSM Customer Release Notes for any installation-related issues or instructions before you begin the following software installation process.
CAUTION: You must be logged in as root when you run the installation script.
By default, the Client programs are installed in the “/usr/safenet/lunaclient” directory.
1.Log on to the client system, open a console or terminal window, and use sudo to gain administrative permissions for the installation.
2.If you have downloaded the SafeNet Client software as a .tar archive, skip to step 6.
3.Insert the DVD (mount it if you do not have automount).
4.Go to the DVD (/cdrom or whatever devicename your system uses) and the install directory for your architecture:
cd /cdrom/linux/32
or
cd /cdrom/linux/64
Note: Not all platforms are supported with each release, so the available install options might not match the list above.
5.Skip to step 9.
6.If you downloaded the software, copy or move the .tar archive (which usually has a name like "Luna Client_5.x.y-nn.tar") to a suitable directory where you can untar the archive and launch the installation script.
7.Extract the contents from the archive:
tar xvf <filename>.tar
8.Change directory to the software version suitable for your system (for example, under the linux subdirectory, in the x86 directory, choose 32-bit or 64-bit according to your system requirement).
9.To see the help, or a list of available installer options, type:
./sh install.sh -? or ./sh install.sh --help
To install all available products and optional components, type:
./sh install.sh all
To selectively install individual products and optional components, type the command without arguments:
./sh install.sh
10.Type y
if you agree to be bound by the license agreement.
11.A list of installable SafeNet products appears (might be different, depending on your platform). Select as many as you require, by typing the number of each (in any order) and pressing [Enter]. As each item is selected, the list updates, with a "*" in front of any item that has been selected. This example shows items 1 and 3 have been selected, and item 4 is about to be selected.
Products Choose Luna Products to be installed
*[1]: SafeNet Network HSM [2]: SafeNet PCI-E HSM
*[3]: SafeNet USB HSM
[4]: SafeNet Remote Backup HSM
[N|n]: Next [Q|q]: Quit
Enter selection: 4
12.When selection is complete, type "N" or "n" for "Next", and press [Enter]. If you wish to make a change, simply type a number again and press [Enter] to de-select a single item.
13.The next list is called "Advanced" and includes additional items to install. Some items might be pre-selected to provide the optimum SafeNet HSM experience for the majority of customers, but you can change any selection in the list. When the Components list is adjusted to your satisfaction, press [Enter].
Note: The installer includes the SafeNet SNMP Subagent as an option. If you select this option, you will need to move the SafeNet MIB files to the appropriate directory for your SNMP application after installation is complete, and you will need to start the SafeNet subagent and configure for use with your agent. See the Administration Guide for more information.
14.If the script detects an existing cryptoki library, it stops and suggests that you uninstall your previous SafeNet software before starting the SafeNet Client installation again.
15.The system installs all packages related to the products and any optional components that you selected.
As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by SafeNet Customer Support. If you do modify the file, never insert TAB characters - use individual space characters. Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.
cd /usr/safenet/lunaclient/bin
./sh uninstall.sh
During the installation, the script provides the opportunity to install SafeNet Java components. If you select Java components, the SafeNet Java files are installed below /usr/safenet/lunaclient/jsp/. In order to use Java, you must have separately installed Java (JDK or run-time environment from the vendor of your choice) onto your system.
Copy the SafeNet Java library and jar files from their default location under /usr/safenet/lunaclient/jsp/lib to the Java environment directory, for example /usr/jre/lib/ext.
The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.
For additional Java-related information, see Java Interfaces in the SDK Reference Guide.
You would choose static registration of providers if you want all applications to default to our (SafeNet) provider.
Once your client has externally logged in using salogin (see ) in the Reference section of this document) or your own HSM-aware utility, any application would be able to use SafeNet product without being designed to login to the HSM Partition.
Edit the java.security file located in the \jre\lib\security directory of your Java SDK/JRE 1.6.x or 1.7.x installation to read as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.safenetinc.luna.provider.LunaProvider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
You can set our provider in first position for efficiency if SafeNet HSM operations are your primary mode. However, if your application needs to perform operations not supported by the LunaProvider (secure random generation or random publickey verification, for example) then it would receive error messages from the HSM and would need to handle those gracefully before resorting to providers further down the list. We have found that having our provider in third position works well for most applications.
The modifications in the "java.security" file are global, and they might result in the breaking of another application that uses the default KeyPairGenerator without logging into the SafeNet Network HSM first. This consideration might argue for using dynamic registration, instead.
For your situation, you may prefer to employ dynamic registration of Providers, in order to avoid possible negative impacts on other applications running on the same machine. As well, the use of dynamic registration allows you to keep installation as straightforward as possible for your customers.
We formally test SafeNet HSMs and our Java provider with SUN JDK for all platforms except AIX, and with IBM JDK for the AIX platform. We have not had problems with OpenJDK, although it has not been part of our formal test suite. The SafeNet JCE provider is compliant with the JCE specification, and should work with any JVM that implements the Java language specification.
Occasional problems have been encountered with respect to IBM JSSE.
GNU JDK shipped with most Linux systems has historically been incomplete and not suitable.
To uninstall the JSP component or the SDK component, you must uninstall SafeNet Client completely, then re-run the installation script without selecting the unwanted component(s).
sh uninstall.sh
Do not interrupt the installation script in progress, and ensure that your host computer is served by an uninterruptible power supply (UPS). If you press [Ctrl] [C], or otherwise interrupt the installation (OS problem, power outage, other), some components will not be installed. It is not possible to resume an interrupted install process. The result of an interruption depends on where, in the process, the interruption occurred (what remained to install before the process was stopped).
As long as the cryptoki RPM package is installed, any subsequent installation attempt results in refusal with the message "A version of SafeNet Client is already installed."
If components are missing or are not working properly after an interrupted installation, or if you wish to install any additional components at a later date (following an interrupted installation, as described), you would need to uninstall everything first. If ‘sh uninstall.sh’ is unable to do it, then you must uninstall all packages manually.
Because interruption of the install.sh script is not recommended, and mitigation is possible, this is considered a low-likelihood corner case, fully addressed by these comments.
If you prefer to run the installation from a script, rather than interactively, run the command with the options -p <list of SafeNet products> and -c <list of SafeNet components>. To see the syntax, run the command with --help like this:
[myhost]$ sh .../Luna Client_5.3.0-5x/linux/64/install.sh --help Installing from .../Luna Client_5.3.0-x/linux/64 At least one product should be specified. usage: install.sh - Luna Client install through menu install.sh help - Display scriptable install options install.sh all - Complete Luna Client install install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp] -p <list of Luna products> -c <list of Luna components> - Optional. All components are installed if not provided Luna products options sa - SafeNet Network HSM pci - SafeNet PCI-E HSM g5 - SafeNet USB HSM rb - SafeNet Remote Backup HSM Luna components options sdk - Luna SDK jsp - Luna JSP (Java) jcprov - Luna JCPROV (Java) snmp - Luna SNMP subagent [myhost]$
For scripted/automated installation, your script will need to capture and respond to the License Agreement prompt, and to the confirmation prompt. For example:
[myhost]$ ./install.sh all Installing from /home/me/Downloads/Luna Client_5.3.0/linux/64 IMPORTANT: The terms and conditions of use outlined in the software license agreement (Document #008-010005-001_053110) shipped with the product ("License") constitute a legal agreement between you and SafeNet Inc. Please read the License contained in the packaging of this product in its entirety before installing this product. Do you agree to the License contained in the product packaging? If you select 'yes' or 'y' you agree to be bound by all the terms and conditions se out in the License. If you select 'no' or 'n', this product will not be installed. (y/n) y Complete Luna Client will be installed. This includes SafeNet Network HSM, SafeNet PCI-E HSM, SafeNet USB HSM AND SafeNet Remote Backup HSM. Select 'yes' or 'y' to proceed with the install. Select 'no' or 'n', to cancel this install. Continue (y/n)? y
For example, to automate installation for our testing, we use:
if product == 'all':
cmd ='/bin/bash %s %s'%(install_cmd, product) # install.sh all
JCE un-restriction files must be downloaded from IBM, not from SUN, for this platform. Attempting to use SUN JCE un-restriction files on IBM PowerPC systems with SUSE Linux causes signing errors with Java 5 and Java 6.
While no errors normally appear when installing 64-bit client on 64-bit RedHat 6, some preparation is required to avoid installation errors when installing 32-bit Client on 64-bit OS. Do the following:
•yum install glibc.i686
•yum upgrade libstdc++
•yum install libstdc++.i686
•yum install libgcc.i686
Then run the 32-bit installer
./install.sh
Failure to perform those steps before launching the installer can result in output like the following:
Installing the Luna Client 5.3.0-5... Adding new version of configurator /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:configurator ########################################### [100%] Adding new version of libcryptoki /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:libcryptoki ########################################### [100%] Checking for /etc/Chrystoki.conf.rpmsave Using new /etc/Chrystoki.conf /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory /var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory Adding new version of libshim /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:libshim ########################################### [100%] Adding new version of lunacm /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:lunacm ########################################### [100%] Adding new version of lunacmu /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:lunacmu ########################################### [100%] Adding new version of ckdemo /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:ckdemo ########################################### [100%] Adding new version of multitoken /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:multitoken ########################################### [100%] Adding new version of cklog /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:cklog ########################################### [100%] Adding new version of salogin /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:salogin ########################################### [100%] Adding new version of vtl /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:vtl ########################################### [100%] Adding new version of htl_client /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:htl_client ########################################### [100%] /var/tmp/rpm-tmp.bLgG1F: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory Starting htl_client:/etc/init.d/htlc_service: /usr/safenet/lunaclient/htl/htl_client: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory FAILED warning: %post(htl_client-5.3.0-5.i386) scriptlet failed, exit status 1 Adding new version of javaSAMP /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:javaSAMP ########################################### [100%] Adding new version of ckSample /home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32 Preparing... ########################################### [100%] 1:ckSample ########################################### [100%]
If the installation script proceeds to the end, with the above errors, the installation appears successful, but you are unable to create certs. Re-do.
When you have installed the software onto a Client, the next task is to configure the SafeNet HSM, as described in the Configuration Guide.