Linux SafeNet HSM Client Installation  

These instructions are tested for the Linux versions listed in the Customer Release Notes.

These instructions assume that you have already acquired the SafeNet Client software, either on CD/DVD or in the form of a downloaded .tar archive.

Applicability to specific versions of Linux is summarized in the Customer Release Notes for the current release.

Note:  Before installing a Luna® system, confirm that the product you have received is in factory condition and has not been tampered with in transit.  Refer to the Startup Guide included with your product shipment.  If you have any questions about the condition of the product that you have received, please contact SafeNet Support at (800) 545-6608 or support@safenet-inc.com immediately.

Each computer that connects to the SafeNet HSM appliance as a Client must have the cryptoki library, the vtl client shell and other utilities and supporting files installed.  
Each computer that contains, or is connected to a SafeNet USB HSM or a SafeNet PCI-E HSM must have the cryptoki library and other utilities and supporting files installed.  

Note:  This example shows all the SafeNet Client products and components. Some items are not supported on all operating systems and therefore do not appear as you proceed through the installation script.

Do not install SafeNet client software on the same system as legacy SafeNet CA3, SafeNet CA4, SafeNet PCM, or SafeNet PCI software. The software is intended for modern/current SafeNet HSMs, SafeNet Network HSM, SafeNet PCI-E HSM, SafeNet USB HSM, SafeNet (Remote) Backup HSM.

Prerequisites

Before starting the installation, ensure that you have satisfied the following prerequisites:

Random Number Generator (RNG) or Entropy Gathering Daemon (EGD)

Ensure that you have a Random Number Generator (RNG) or Entropy Gathering Daemon (EGD) on your system in one of the following locations:

/dev/egd-pool

/etc/egd-pool,

/etc/entropy

/var/run/egd-pool

RNG/EGD

Cryptographic algorithms, including those that assure the security of communication – such as in OpenSSL and other protocols – depend upon random numbers for the creation of strong keys and certificates. A readily available source of random data is the entropy that exists in complex computer processes. Utilities exist for every operating system, to gather bits of system entropy into a pool, which can then be used by other processes.

Windows and Linux have these installed by default. Other systems may or may not. See your system administrator.

You Need an Entropy Pool

In the case of SafeNet Network HSM, the SafeNet Client administration tool (vtl) expects to find a source of randomness at /dev/random. If one is not found, vtl fails, because the link cannot be secured from the Client end.

If your system does have an entropy pool, but the random number generator (RNG) is not in the expected place, then you can create a symbolic link between the actual location and one of the following:

/dev/random

/dev/egd-pool

/etc/egd-pool

/etc/entropy

/var/run/egd-pool

If your system does not have an entropy gathering daemon or random number generator, please direct your system administrator to install one, and point it to one of the named devices.   
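As an added example (not part of the SafeNet documentation or client software), the following Python helper performs the check this section describes: it looks for an entropy source at the listed locations and, when /dev/random is missing but one of the other candidates exists, creates the symbolic link. The `root` parameter and the `demo()` scratch-directory scenario are assumptions that let it run offline; on a real host you would call `ensure_dev_random()` as root with the default root of `/`. It only tests that a path exists and does not verify that the device behind it actually produces entropy.

```python
import os
import tempfile

# Locations this guide lists for an entropy source, in the order given.
# /dev/random is the one the SafeNet client tool (vtl) expects.
ENTROPY_CANDIDATES = [
    "/dev/random",
    "/dev/egd-pool",
    "/etc/egd-pool",
    "/etc/entropy",
    "/var/run/egd-pool",
]


def find_entropy_source(root="/"):
    """Return the first candidate that exists under `root`, or None.

    `root` is an assumption added for offline testing; the default "/"
    checks the real filesystem.
    """
    for rel in ENTROPY_CANDIDATES:
        path = os.path.join(root, rel.lstrip("/"))
        if os.path.exists(path):
            return path
    return None


def ensure_dev_random(root="/"):
    """Make sure `<root>/dev/random` exists.

    If it is missing but another candidate exists, create the symbolic link
    this guide describes. Returns (path, created). Raises FileNotFoundError
    when no source exists at all, which is the "ask your administrator" case.
    """
    dev_random = os.path.join(root, "dev", "random")
    if os.path.exists(dev_random):
        return dev_random, False
    source = find_entropy_source(root)
    if source is None:
        raise FileNotFoundError(
            "no entropy source found at any of: %s" % ", ".join(ENTROPY_CANDIDATES))
    os.makedirs(os.path.dirname(dev_random), exist_ok=True)
    os.symlink(source, dev_random)
    return dev_random, True


def demo():
    """Constructed scenario in a scratch root: a pool at /etc/egd-pool but
    no /dev/random. Returns what ensure_dev_random() did on two calls."""
    root = tempfile.mkdtemp(prefix="entropy-demo-")
    os.makedirs(os.path.join(root, "etc"))
    source = os.path.join(root, "etc", "egd-pool")
    open(source, "w").close()  # stands in for the daemon's socket
    path, created = ensure_dev_random(root)
    _, created_again = ensure_dev_random(root)  # second call is a no-op
    return {
        "created": created,
        "created_again": created_again,
        "is_link": os.path.islink(path),
        "target": os.readlink(path),
        "source": source,
    }


if __name__ == "__main__":
    print(demo())
```

Run `demo()` to see the link created in a scratch directory; on a production host, run `ensure_dev_random()` once as root and then confirm vtl can connect.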

Alien with Debian

The SafeNet Client software is provided as RPM packages. If you are installing on a Debian system, you must have "alien" installed before beginning the SafeNet Client installation. The SafeNet Client installation script invokes the alien conversion of RPMs to DEB packages. The install script will stop with a message if you attempt to install on a Debian system without the alien package already installed.

Components Used to Build the Driver (SafeNet USB HSM, PCI-E, and Remote Backup HSM)

If you are installing the SafeNet PCI-E HSM, or SafeNet USB HSM, or SafeNet Remote Backup HSM clients, ensure that the following items are installed:

Kernel headers for build

rpm-build package

C and C++ compilers

make command

These items are required because the driver module is built on Linux before it is installed. If one of these items is missing, the driver build will fail and the module will not be installed.

Installing the Client Software

It is recommended that you refer to the SafeNet HSM Customer Release Notes for any installation-related issues or instructions before you begin the following software installation process.

CAUTION:  You must be logged in as root when you run the installation script.

By default, the Client programs are installed in the “/usr/safenet/lunaclient” directory.

To install the SafeNet HSM client software on a Linux workstation

1. Log on to the client system, open a console or terminal window, and use sudo to gain administrative permissions for the installation.

2. If you have downloaded the SafeNet Client software as a .tar archive, skip to step 6.

3. Insert the DVD (mount it if you do not have automount).

4. Go to the DVD (/cdrom or whatever device name your system uses) and the install directory for your architecture:

cd /cdrom/linux/32

or

cd /cdrom/linux/64

Note:  Not all platforms are supported with each release, so the available install options might not match the list above.

5. Skip to step 9.

6. If you downloaded the software, copy or move the .tar archive (which usually has a name like "Luna Client_5.x.y-nn.tar") to a suitable directory where you can untar the archive and launch the installation script.

7. Extract the contents from the archive:

tar xvf <filename>.tar

8. Change directory to the software version suitable for your system (for example, under the linux subdirectory, in the x86 directory, choose 32-bit or 64-bit according to your system requirement).

[Figure: file listing of the CD or .tar contents, showing linux > x86 > 32 install files]

9. To see the help, or a list of available installer options, type:

sh install.sh -? or sh install.sh --help

To install all available products and optional components, type:

sh install.sh all

To selectively install individual products and optional components, type the command without arguments:

sh install.sh

10. Type y if you agree to be bound by the license agreement.

11. A list of installable SafeNet products appears (it might differ, depending on your platform). Select as many as you require by typing the number of each (in any order) and pressing [Enter]. As each item is selected, the list updates, with a "*" in front of any item that has been selected. This example shows that items 1 and 3 have been selected, and item 4 is about to be selected.

Products
Choose Luna Products to be installed
    *[1]: SafeNet Network HSM
     [2]: SafeNet PCI-E HSM
    *[3]: SafeNet USB HSM
     [4]: SafeNet Remote Backup HSM
     [N|n]: Next
     [Q|q]: Quit
Enter selection: 4

12. When selection is complete, type "N" or "n" for "Next", and press [Enter]. If you wish to make a change, simply type a number again and press [Enter] to de-select a single item.

13. The next list is called "Advanced" and includes additional items to install. Some items might be pre-selected to provide the optimum SafeNet HSM experience for the majority of customers, but you can change any selection in the list. When the Components list is adjusted to your satisfaction, press [Enter].

Note:   The installer includes the SafeNet SNMP Subagent as an option. If you select this option, you will need to move the SafeNet MIB files to the appropriate directory for your SNMP application after installation is complete, and you will need to start the SafeNet subagent and configure for use with your agent. See the Administration Guide for more information.

14. If the script detects an existing cryptoki library, it stops and suggests that you uninstall your previous SafeNet software before starting the SafeNet Client installation again.

15. The system installs all packages related to the products and any optional components that you selected.

As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by SafeNet Customer Support. If you do modify the file, never insert TAB characters - use individual space characters. Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.

Uninstalling the SafeNet HSM Client Software

cd /usr/safenet/lunaclient/bin

sh uninstall.sh

Java

During the installation, the script provides the opportunity to install SafeNet Java components. If you select Java components, the SafeNet Java files are installed below /usr/safenet/lunaclient/jsp/. In order to use Java, you must have separately installed Java (JDK or run-time environment from the vendor of your choice) onto your system.

Copy the SafeNet Java library and jar files from their default location under /usr/safenet/lunaclient/jsp/lib to the Java environment directory, for example /usr/jre/lib/ext.

The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.

For additional Java-related information, see Java Interfaces in the SDK Reference Guide.

JSP Static Registration

You would choose static registration of providers if you want all applications to default to our (SafeNet) provider.

Once your client has externally logged in using salogin (see the Reference section of this document) or your own HSM-aware utility, any application would be able to use the SafeNet product without being designed to log in to the HSM Partition.

Edit the java.security file located in the jre/lib/security directory of your Java SDK/JRE 1.6.x or 1.7.x installation to read as follows:

security.provider.1=sun.security.provider.Sun

security.provider.2=com.sun.net.ssl.internal.ssl.Provider

security.provider.3=com.safenetinc.luna.provider.LunaProvider

security.provider.4=com.sun.rsajca.Provider

security.provider.5=com.sun.crypto.provider.SunJCE

security.provider.6=sun.security.jgss.SunProvider

You can set our provider in first position for efficiency if SafeNet HSM operations are your primary mode. However, if your application needs to perform operations not supported by the LunaProvider (secure random generation or random public key verification, for example) then it would receive error messages from the HSM and would need to handle those gracefully before resorting to providers further down the list. We have found that having our provider in third position works well for most applications.

The modifications in the "java.security" file are global, and they might result in the breaking of another application that uses the default KeyPairGenerator without logging into the SafeNet Network HSM first. This consideration might argue for using dynamic registration, instead.
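As an added example (not part of the SafeNet software or documentation), the following Python helper applies the static registration described above: it inserts the LunaProvider at a chosen position in java.security and renumbers the remaining security.provider.N entries so the list stays contiguous, which is the part that is easy to get wrong when editing by hand. It assumes the provider lines form one contiguous block, as in the listing above; the sample file contents are constructed for the demonstration.

```python
import re

# One `security.provider.N=<class>` line of java.security.
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(.+)$")
LUNA_PROVIDER = "com.safenetinc.luna.provider.LunaProvider"


def register_provider(text, provider=LUNA_PROVIDER, position=3):
    """Return java.security contents with `provider` at `position`.

    Other provider entries keep their relative order and are renumbered so
    the numbering stays contiguous. The call is idempotent: an existing
    entry for `provider` is dropped before the insertion. The provider lines
    are rewritten as one block where the first of them stood; every other
    line (comments, securerandom.source, ...) is kept as it was.
    """
    lines = text.splitlines()
    entries, first_idx = [], None
    for i, line in enumerate(lines):
        m = PROVIDER_RE.match(line.strip())
        if m:
            if first_idx is None:
                first_idx = i
            entries.append(m.group(2).strip())
    entries = [e for e in entries if e != provider]
    if not 1 <= position <= len(entries) + 1:
        raise ValueError("position must be between 1 and %d" % (len(entries) + 1))
    entries.insert(position - 1, provider)
    block = ["security.provider.%d=%s" % (n, e) for n, e in enumerate(entries, 1)]

    out = []
    for i, line in enumerate(lines):
        if PROVIDER_RE.match(line.strip()):
            if i == first_idx:
                out.extend(block)
            continue
        out.append(line)
    if first_idx is None:  # file had no provider lines at all
        out.extend(block)
    return "\n".join(out) + "\n"


def provider_order(text):
    """Provider class names in numeric order: a quick check after editing."""
    numbered = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            numbered[int(m.group(1))] = m.group(2).strip()
    return [numbered[n] for n in sorted(numbered)]


# Constructed sample of the provider section before the SafeNet provider
# is added; the other settings of a real file are omitted.
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of jre/lib/security/java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
securerandom.source=file:/dev/urandom
"""

if __name__ == "__main__":
    print(register_provider(SAMPLE_JAVA_SECURITY), end="")
```

Applied to the sample, the result is exactly the six-line ordering shown above. Because the edit is global to the JRE, keep a copy of the original file and run `provider_order()` on the result before restarting applications that depend on it.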

JSP Dynamic Registration

For your situation, you may prefer to employ dynamic registration of Providers, in order to avoid possible negative impacts on other applications running on the same machine. As well, the use of dynamic registration allows you to keep installation as straightforward as possible for your customers.

Compatibility

We formally test SafeNet HSMs and our Java provider with SUN JDK for all platforms except AIX, and with IBM JDK for the AIX platform. We have not had problems with OpenJDK, although it has not been part of our formal test suite. The SafeNet JCE provider is compliant with the JCE specification, and should work with any JVM that implements the Java language specification.

Occasional problems have been encountered with respect to IBM JSSE.

GNU JDK shipped with most Linux systems has historically been incomplete and not suitable.

Removing components

To uninstall the JSP component or the SDK component, you must uninstall SafeNet Client completely, then re-run the installation script without selecting the unwanted component(s).  

sh uninstall.sh

[Ctrl] [C] - If you interrupt the installation

Do not interrupt the installation script in progress, and ensure that your host computer is served by an uninterruptible power supply (UPS). If you press [Ctrl] [C], or otherwise interrupt the installation (OS problem, power outage, other), some components will not be installed. It is not possible to resume an interrupted install process. The result of an interruption depends on where, in the process, the interruption occurred (what remained to install before the process was stopped).

As long as the cryptoki RPM package is installed, any subsequent installation attempt results in refusal with the message "A version of SafeNet Client is already installed."

If components are missing or are not working properly after an interrupted installation, or if you wish to install any additional components at a later date (following an interrupted installation, as described), you would need to uninstall everything first. If ‘sh uninstall.sh’ is unable to do it, then you must uninstall all packages manually.

Because interrupting the install.sh script is not recommended, and a mitigation (uninstall everything, then install again) exists, this is considered a low-likelihood corner case that these notes fully address.

Scripted or Unattended Installation

If you prefer to run the installation from a script, rather than interactively, run the command with the options -p <list of SafeNet products> and -c <list of SafeNet components>. To see the syntax, run the command with --help like this:

[myhost]$ sh .../Luna Client_5.3.0-5x/linux/64/install.sh --help
Installing from .../Luna Client_5.3.0-x/linux/64

At least one product should be specified.

usage:
        install.sh      - Luna Client install through menu
        install.sh help - Display scriptable install options
        install.sh all  - Complete Luna Client install

        install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp]

        -p <list of Luna products>
        -c <list of Luna components>  - Optional. All components are installed if not provided

Luna products options
   sa     - SafeNet Network HSM
   pci    - SafeNet PCI-E HSM
   g5     - SafeNet USB HSM
   rb     - SafeNet Remote Backup HSM

Luna components options
   sdk    - Luna SDK
   jsp    - Luna JSP (Java)
   jcprov - Luna JCPROV (Java)
   snmp   - Luna SNMP subagent


[myhost]$
    

For scripted/automated installation, your script will need to capture and respond to the License Agreement prompt, and to the confirmation prompt. For example:   

[myhost]$ ./install.sh all 
Installing from /home/me/Downloads/Luna Client_5.3.0/linux/64  

IMPORTANT: The terms and conditions of use outlined in the software 
license agreement (Document #008-010005-001_053110)  shipped with the product 
("License") constitute a legal agreement between you and SafeNet Inc.
Please read the License contained in the packaging of this 
product in its entirety before installing this product.

Do you agree to the License contained in the product packaging?

If you select 'yes' or 'y' you agree to be bound by all the terms 
and conditions se out in the License.

If you select 'no' or 'n', this product will not be installed. 

(y/n) y

Complete Luna Client will be installed. This includes SafeNet Network HSM,
SafeNet PCI-E HSM, SafeNet USB HSM AND SafeNet Remote Backup HSM.

Select 'yes' or 'y' to proceed with the install.

Select 'no' or 'n', to cancel this install. 

Continue (y/n)?  y  

For example, to automate installation for our testing, we use:

# install_cmd is the path to install.sh; product is 'all' or a product code
if product == 'all':
    cmd = '/bin/bash %s %s' % (install_cmd, product)  # install.sh all
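The snippet above only builds the command string. As an added example (not SafeNet's own test tooling), the following Python module completes the picture for an unattended run: it validates the product and component codes against the --help text above, feeds the two "y" answers the license and confirmation prompts expect, and then scans the installer output for the messages this guide identifies as failures (the "already installed" refusal, the "bad ELF interpreter" lines, and a failed RPM scriptlet) so that a run which reaches the end with errors is not reported as a success. How install.sh separates several -p or -c codes is not shown on this page, so one code per argument is an assumption; the sample output is an excerpt of the failed 32-bit run shown later in this guide, and no installer is executed by the block itself.

```python
import subprocess

# Product and component codes as listed by `install.sh --help` on this page.
PRODUCTS = {"sa", "pci", "g5", "rb"}
COMPONENTS = {"sdk", "jsp", "jcprov", "ldpc", "snmp"}

# Output lines that mean the run is not usable even when install.sh reaches
# the end; the strings are taken from the messages quoted in this guide.
FAILURE_MARKERS = {
    "already-installed": "A version of SafeNet Client is already installed",
    "bad-elf-interpreter": "bad ELF interpreter",
    "scriptlet-failed": "scriptlet failed",
}


def build_install_command(install_sh, products, components=None):
    """Assemble argv for a scripted install, validating the codes first.

    products == ["all"] gives `install.sh all`; otherwise -p and an optional
    -c are used. One code per argument is an assumption (see lead-in).
    """
    products = list(products)
    if products == ["all"]:
        return ["/bin/bash", install_sh, "all"]
    unknown = set(products) - PRODUCTS
    if not products or unknown:
        raise ValueError("unknown or empty product list: %s" % sorted(unknown))
    argv = ["/bin/bash", install_sh, "-p"] + products
    if components:
        components = list(components)
        unknown = set(components) - COMPONENTS
        if unknown:
            raise ValueError("unknown component code(s): %s" % sorted(unknown))
        argv += ["-c"] + components
    return argv


def check_install_output(text):
    """Return the names of FAILURE_MARKERS found anywhere in installer output."""
    found = set()
    for line in text.splitlines():
        for name, marker in FAILURE_MARKERS.items():
            if marker in line:
                found.add(name)
    return found


def run_unattended(argv, answers=("y", "y"), timeout=1800):
    """Run the installer non-interactively.

    The answers are written to stdin for the license prompt and the
    "Continue (y/n)?" confirmation. Returns (exit_code, problems, output);
    a non-empty `problems` set means the install must be redone even if the
    exit code is 0.
    """
    proc = subprocess.run(
        argv,
        input="".join(a + "\n" for a in answers),
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    output = proc.stdout + proc.stderr
    return proc.returncode, check_install_output(output), output


# Excerpt of the failed 32-bit-on-64-bit run shown later in this guide,
# used here as sample input.
SAMPLE_OUTPUT = """\
Installing the Luna Client 5.3.0-5...
Adding new version of configurator
1:configurator ########################################### [100%]
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Starting htl_client:/etc/init.d/htlc_service: /usr/safenet/lunaclient/htl/htl_client: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
FAILED
warning: %post(htl_client-5.3.0-5.i386) scriptlet failed, exit status 1
1:ckSample ########################################### [100%]
"""

if __name__ == "__main__":
    print(build_install_command("install.sh", ["sa", "g5"], ["sdk", "jsp"]))
    print(sorted(check_install_output(SAMPLE_OUTPUT)))
```

In a deployment script, call `run_unattended(build_install_command(path, ["sa"], ["sdk"]))` as root and treat any non-empty `problems` set as a failed run that needs `sh uninstall.sh` before retrying.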

SUSE Linux on IBM PPC

JCE un-restriction files must be downloaded from IBM, not from SUN, for this platform. Attempting to use SUN JCE un-restriction files on IBM PowerPC systems with SUSE Linux causes signing errors with Java 5 and Java 6.   

32-bit Client on 64-bit RedHat 6

While no errors normally appear when installing the 64-bit client on 64-bit RedHat 6, some preparation is required to avoid installation errors when installing the 32-bit client on a 64-bit OS. Do the following:

yum install glibc.i686

yum upgrade libstdc++

yum install libstdc++.i686

yum install libgcc.i686

Then run the 32-bit installer:

./install.sh

Failure to perform those steps before launching the installer can result in output like the following:

Installing the Luna Client 5.3.0-5...
Adding new version of configurator
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:configurator ########################################### [100%]
Adding new version of libcryptoki
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:libcryptoki ########################################### [100%]
Checking for /etc/Chrystoki.conf.rpmsave
Using new /etc/Chrystoki.conf
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
/var/tmp/rpm-tmp.ndfBQQ: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Adding new version of libshim
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:libshim ########################################### [100%]
Adding new version of lunacm
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:lunacm ########################################### [100%]
Adding new version of lunacmu
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:lunacmu ########################################### [100%]
Adding new version of ckdemo
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:ckdemo ########################################### [100%]
Adding new version of multitoken
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:multitoken ########################################### [100%]
Adding new version of cklog
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:cklog ########################################### [100%]
Adding new version of salogin
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:salogin ########################################### [100%]
Adding new version of vtl
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:vtl ########################################### [100%]
Adding new version of htl_client
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:htl_client ########################################### [100%]
/var/tmp/rpm-tmp.bLgG1F: /usr/safenet/lunaclient/bin/configurator: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Starting htl_client:/etc/init.d/htlc_service: /usr/safenet/lunaclient/htl/htl_client: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
FAILED
warning: %post(htl_client-5.3.0-5.i386) scriptlet failed, exit status 1
Adding new version of javaSAMP
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:javaSAMP ########################################### [100%]
Adding new version of ckSample
/home/builds/Luna Client/CLT_SDK/5.3.0/Luna Client_5.3.0-5/Luna Client_5.3.0-5/linux/32
Preparing... ########################################### [100%]
1:ckSample ########################################### [100%] 
 

If the installation script proceeds to the end with the above errors, the installation appears successful, but you are unable to create certs. Perform the preparation steps above and re-do the installation.

After Installation

When you have installed the software onto a Client, the next task is to configure the SafeNet HSM, as described in the Configuration Guide.