
Creating an NTLS Link Between a Client and a Partition

After you establish a network trust link between the client and the appliance, you can assign the Client to a specific Partition on the appliance to grant the client access to the partition. After you assign a client to a partition, the client can establish NTLS links to the partition, allowing you to do the following:

see the partition as a slot in LunaCM,

use the partition with your cryptographic applications.

Note:  You must be connected to the HSM Server and logged in as “admin”.

Assigning a Client to a Partition

Use the LunaSH client assignPartition command to assign a registered client to an HSM Partition. If you registered your client using an IP address, you might need to use the client IP address as the client name.

If you are configuring a PPSO partition, this is the final task you need to complete before handing off the partition to the partition owner.

To assign a client to a partition

1. Connect to the appliance via SSH as "admin" or as "operator".

2. Enter the following command to assign a client to a partition:

client assignPartition -client <clientname> -partition <partition name>

For example:

lunash:> client assignPartition -client ntl_client -partition ntl_partition
 'client assignPartition' successful.
Command Result : 0 (Success)
 

3. Enter the following command to verify that the HSM Partition is assigned to the client:

client show -client <clientname>

For example:

lunash:> client show -client ntl_client
ClientID:     ntl_client
Hostname:     Luna_Client
HTL Required: no
OTT Expiry:   n/a
Partitions:   ntl_partition
 

4. If you registered your client by host name, the appliance will need to use a DNS server to look up the device IP address. To ensure that the client is reachable in the event of a DNS failure, you can use the following command to map the client host name to its IP address, and save the mapping locally on the appliance.

client hostip map -client <client_name> -ip <client_IP_address>

For example:

lunash:> client hostip map -client ntl_client -ip 192.20.11.21 
Command Result : 0 (Success)
 
lunash:> client hostip show
 
Client Name         Host Name                     Host IP
----------------------------------------------------------------------
ntl_client          ntl_client                    192.20.11.21
Command Result : 0 (Success)
 

5. If you are configuring a PPSO partition, hand off possession of the partition to its new owner by providing the contact information (IP address and partition name) and any necessary instructions. The receiving person will become the partition SO and begin configuring the partition for its application.
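
The output of the verification commands in steps 3 and 4 can be checked against the intended assignment, so that a client holding a partition it should not have, or a host-name client with no local IP mapping, is noticed. The following Python code is an added example, not part of the SafeNet documentation or tooling; it parses the sample output shown above (embedded as constructed input). The function names and the handling of several comma-separated partitions are assumptions.

```python
import ipaddress

# Constructed sample input: the LunaSH output shown in steps 3 and 4 above.
CLIENT_SHOW = """\
ClientID:     ntl_client
Hostname:     Luna_Client
HTL Required: no
OTT Expiry:   n/a
Partitions:   ntl_partition
"""
HOSTIP_SHOW = """\
Client Name         Host Name                     Host IP
----------------------------------------------------------------------
ntl_client          ntl_client                    192.20.11.21
Command Result : 0 (Success)
"""

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_client_show(text):
    """Return the 'Key: value' lines of 'client show' output as a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def mapped_clients(text):
    """Return {client name: IP} from the 'client hostip show' table rows."""
    rows = (line.split() for line in text.splitlines())
    return {r[0]: r[2] for r in rows if len(r) == 3 and is_ip(r[2])}

def audit(client_show, hostip_show, expected):
    """Return a list of findings; an empty list means the output matches."""
    fields = parse_client_show(client_show)
    client = fields.get("ClientID", "<unknown>")
    # Assumption: several partitions would be comma-separated, possibly quoted.
    names = (p.strip(' "') for p in fields.get("Partitions", "").split(","))
    assigned = {p for p in names if p}
    findings = [f"{client}: missing partition {p}" for p in sorted(set(expected) - assigned)]
    findings += [f"{client}: unexpected partition {p}" for p in sorted(assigned - set(expected))]
    # A client registered by host name relies on DNS unless it is mapped locally.
    if not is_ip(fields.get("Hostname", "")) and client not in mapped_clients(hostip_show):
        findings.append(f"{client}: no local host-IP mapping")
    return findings
```

Calling audit(CLIENT_SHOW, HOSTIP_SHOW, ["ntl_partition"]) returns an empty list for the output shown on this page.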

Verifying Your Setup

Before beginning to use a Client application with your newly configured partition, you can verify that the foregoing setup has been properly performed.

This task is performed by the partition owner, from the SafeNet HSM client workstation used to deploy the partition.

1. On your Client computer, open a command-line console.

2. Go to the software directory (c:\Program Files\SafeNet\LunaClient for Windows, or /usr/safenet/lunaclient for Linux, Solaris or AIX, or /opt/safenet/lunaclient for HP-UX), and type vtl verify.

3. The response should be similar to:
Slot    Serial #     Label
====    ========     =====
1       2279315      Partition1

If you get an error message, then some part of the configuration has not been properly completed. Retrace the procedure.

At this point, the client and HSM are configured and registered with each other. You can now begin to use the SafeNet Network HSM with your application. You can use the “partition list” command for a list of HSM Partitions on the HSM, and the “client list” command for a list of the clients assigned to an HSM Partition.

4. Setup is complete. We suggest that you browse the Administration Guide to develop a deeper understanding of the options and capabilities of your SafeNet Network HSM partition, and of the housekeeping tasks and utilities that you might need.

Client Connection Limits

See Connections to the Appliance - Limits, for a discussion of the limits for client connections to a SafeNet Network HSM appliance and HSM.

Applications and Integrations

If you use any of dozens of third-party applications, we might already have performed system integration with it and published an Integration Guide for the application or API that you wish to use. Contact SafeNet Customer Support for the latest list of current integrations, or to request that one be developed.