Home > |
---|
You invoke HTL by specifying it as required, when creating a Network Trust Link (NTL) between a client and an application partition. HTL then runs as a service/daemon.
The config file (Chrystoki.conf for Linux/UNIX, or crystoki.ini for Windows) specifies a directory that would be used by HTL, and in general that should not be changed by you.
The HTL service uses port 1867, so be sure to avoid assigning that to any other function or service.
This section outlines the general boundaries of HTL.
•Only one HTL connection is allowed per hostname/IP. If multiple clients are using one IP in a NAT scenario, each client must be registered with a hostname instead of an IP. The hostname is then mapped to the NAT IP from the SafeNet Network HSM admin interface.
•The One-Time Token (OTT) that is part of HTL uses random data from the HSM. The PKCS standard does not require a login, in order to retrieve random data from the HSM, merely a read-only session. Therefore the user creating the OTT does not need to log into the HSM.
•Incoming NTLS connections for an HTL client are rejected if the client does not have an established HTL link. This includes/affects HA. If a member of an HA group has HTL enabled, then the HTL link must be established before that member can establish NTLS links and join the group.
•If an HTL link for a client goes down, no polling interval is involved before all existing NTLS sessions are killed - termination takes place immediately. When the HTL client detects that the link is down, it automatically attempts to re-use the last OTT to re-establish the link under the assumption that the server allows a grace period. The HTL link status changes to reflect this [ “Attempting to connect” ].If the re-establishment attempt is rejected (no grace period configured on the server, grace period exceeded, invalid OTT, or other reason) then the HTL client stops and the link status changes to “down”.
If the re-establishment simply fails (network outage, etc) then the HTL client will keep trying until it recognizes a definite success or failure.
•When attempting NTLS connections, if one of the intended participants (Client or SafeNet appliance) specifies HTL, but for some reason the other does not, then possible outcomes of such are mismatch are as follows:
–Client specifies HTL but the server does not: If you give the client an OTT it will try to connect and then be rejected. This sequence will loop indefinitely.
–Server specifies HTL but the client does not: The client will never try to establish an HTL connection. The server will reject all NTLS connection attempts from the client because it expects an HTL connection to be present.
•client register -ottExpiry : if set, overrides the system default
•client register -generateOtt : create an OTT immediately after registering the user. That is equivalent to running client register without the option followed by htl generateOtt.
Host Trust Links are created as an option when you create a Network Trust Link (NTL) between a client and an application partition. See [Step 7] Create a Network Trust Link Between the Client and the Appliance in the Configuration Guide for a detailed procedure.