|
Home > |
Appliance Administration Guide > Configuration without One-step NTLS > [Step 8] Enable the Client to Access a Partition > Creating an STC Link Between a Client and a Partition
|
|---|
If you require a higher level of security for your network links than is offered by NTLS, such as in cloud environments, or in situations where message integrity is paramount, you can use Secure Trusted Channel (STC) to provide very secure client-partition links. STC offers the following features to ensure the security and integrity of your client-partition communications:
•All data is transmitted using symmetric encryption; only the end-points can decrypt messages
•Message authentication codes prevent an attacker from intercepting and modifying any command or response
•Bi-directional authentication of both the HSM and the end-point ensure that only authorized entities can establish an STC connection
Note: This feature is not currently supported for use with IPv6 networks.
See Secure Trusted Channel (STC) in the Administration Guide for more information. You can configure your SafeNet Network HSM so that some partitions use STC and others use NTLS.
Note: The SafeNet Network HSM can create STC and NTLS channels to different clients as required. The client can also support both STC and NTLS links. However, all links from a specific client to a specific SafeNet Network HSM appliance must be either STC or NTLS.
This section describes how to establish an STC connection between a client and a new partition. The procedure consists of the following major steps:
•Step 1: Create the Client Token and Identity
•Step 2: Register the Partition Identity Public Key to the Client
•[Legacy Partitions] Register the Client Identity to the Appliance
•Step 3: Enable and Verify the STC Link
The following optional procedures are also described:
•Registering a Single STC Partition to Multiple Clients
•Converting an Initialized NTLS Partition-Client Connection to STC
Figure 1: Creating an STC Link Between a Client and a Partition
You must complete these procedures before establishing a partition-client STC connection. The instructions are divided into tasks performed by the HSM SO and the Client Administrator.
•Enabling STC on the Admin Channel (Optional)
•Client Administrator Prerequisites
To prepare the HSM to use STC, the HSM SO must complete the following prerequisites. If you have Administrator access to the client workstation, you can use scp or pscp to transfer the server and partition public keys directly from the SafeNet Network HSM. Otherwise, you must provide these keys to the client by other secure means.
Note: Use of older PuTTY versions, and related tools, can result in the appliance refusing to accept a connection. This can happen if a security update imposes restrictions on connections with older versions. To ensure compatibility, always use the versions of executable files included with the current client installer.
1.Enable HSM Policy 39: Allow Secure Trusted Channel on the appliance.
a.Log in as HSM SO using LunaSH.
hsm login
b.Use the following command to set Policy 39 to 1 (Enabled):
hsm changepolicy -policy 39 -value 1
c.Confirm that HSM Policy 39 is enabled:
hsm showpolicies
2.Use the following command to create one or more new partitions for the client:
Note: Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that you create partitions large enough to store the identity of every client workstation that will access the partition, in addition to cryptographic objects.
partition create -partition <partition_name> [-size <bytes>]
When you create a partition, a partition identity key pair is automatically created.
3.For each partition you created, export the partition identity public key to the SafeNet Network HSM file system. The file will be named with the partition's serial number. You can check the key's filename with my file list.
stc partition export -partition <partition_name>
my file list
For example:
lunash:>stc partition export -partition app_par1
Successfully exported partition identity for partition app_par1 to file: 154438865304.pid
lunash:>my file list
515 Mar 6 17:38 154438865304.pid
4409 Mar 6 10:44 firstboot.log
4.You can use the following command to display the partition identity public key hash. It is recommended that you provide it to the client along with the partition identity public key, so that the Partition SO can verify the key's integrity as described in Step 3: Enable and Verify the STC Link.
stc partition show -partition <partition_name>
For example:
lunash:>stc partition show -partition app_par1
Partition Serial Number: 154438865304
Partition Identity Public Key SHA1 Hash: 477ad2869ad892ebdd5007aa54fae3745fa175e2
5.[Legacy Partitions] If you are registering a legacy partition, you must now set partition policy 37: Force Secure Trusted Channel to 1 (On):
partition changepolicy -partition <partition_name> -policy 37 -value 1
6.The client will require the following files/information to establish the STC connection. The SafeNet Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP in the Utilities Guide for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must transfer these files from the HSM and provide them to the client by other secure means:
–The HSM Server Certificate (server.pem) from the SafeNet Network HSM. If you have already established an NTLS connection between the appliance and the client, as detailed in Creating an NTLS Link Between a Client and a Partition, you do not need to send this certificate.
–The partition identity public key for each partition to be assigned to the client (154438865304.pid in the example above).
–The partition identity public key hash for each partition to be assigned to the client. This is recommended so that the client can verify the key's integrity before using the partition. Do not send the hash by the same means as the certificates.
7.[Legacy Partitions] You must manually register any client identities with the HSM once they are created. See [Legacy Partitions] Register the Client Identity to the Appliance. This step is unnecessary for PPSO partitions.
For added security, you can use STC to secure communications between the SafeNet Network HSM appliance and the HSM Admin partition. This procedure is performed by the HSM SO using LunaSH. You must be logged in as HSM SO to enable or disable this feature. You must restart the STC service after enabling STC on the Admin channel.
Note: Enabling STC on the Admin channel is performance-affecting. For more information, see Establishing and Configuring the STC Admin Channel on a SafeNet Network HSM Appliance.
1.Enable STC by entering the following command in LunaSH:
hsm stc enable
2.Restart the STC service on the HSM.
service restart stc
To prepare the client to access a partition on the SafeNet Network HSM, you must first establish a Network Trust Link to the appliance using the HSM Server Certificate (server.pem) you received from the HSM SO. You must have Administrator privileges on the client.
1.Open a command line (as Administrator) on the client and navigate to the LunaClient install directory.
2.Register the SafeNet Network HSM appliance with the client by entering the following command:
vtl addserver -n <server_IP_or_hostname> -c <server_certificate_filename>
See Creating an NTLS Link Between a Client and a Partition for more detailed instructions.
3.To check that you have successfully registered the appliance with the client, run LunaCM and enter the following command to see a list of registered servers:
clientconfig listservers
This procedure is completed by an Administrator on the client workstation, using LunaCM.
CAUTION: This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
1.Open a SafeNet HSM client session:
a.Open a command prompt or terminal window.
b.Launch LunaCM:
| Windows |
C:\Program Files\SafeNet\LunaClient\lunacm |
| Linux/AIX | /usr/safenet/lunaclient/data/bin/lunacm |
| Solaris/HP-UX | /opt/safenet/lunaclient/data/bin/lunacm |
2.Initialize the STC client software token, or insert the STC client hardware token (SafeNet eToken 7300) you have prepared for this client:
–If you are using an STC client software token, enter the following command to initialize the STC client token.
stc tokeninit -label <token_label>
For example:
lunacm:> stc tokeninit -label mySTCclientToken
Successfully initialized the client token.
–If you are using an STC client hardware token (SafeNet eToken 7300), insert the token into an available USB port. Before you can use a hardware token, the token must be initialized using the SafeNet Authentication Client on a Windows workstation, as described in Using a Hard Token to Store the STC Client Identity in the Administration Guide.
You must also install the SafeNet Authentication Client software (8.3 or higher) on the client workstation and add the following line to the Secure Trusted Channel section of the crystoki.ini (Windows) or Chrystoki.conf (UNIX/Linux) file, to specify the path to the SafeNet Authentication Client eToken library:
| Windows | ClientTokenLib=C:\Windows\System32\eToken.dll |
| Linux/UNIX | ClientTokenLib=<path_to_libeToken.so>
For example, on CentOS, the path is /usr/lib/libeToken.so |
3.Enter the following command to create a client identity on the token. The STC client identity public key is automatically exported to the <luna_client_root_dir>/data/client_identities directory:
stc identitycreate -label <client_identity>
For example:
lunacm:> stc identitycreate -label mySTCclientID
Client identity successfully created and exported to file /usr/safenet/lunaclient/data/client_identities/mySTCclientID
This step requires the partition identity public key file created by the HSM SO in Prerequisites (154438865304.pid in the example).
1.Enter the following command in LunaCM:
stc partitionregister -file <partition_identity> [-label <partition_label>]
For example:
lunacm:> stc partitionregister -file /usr/safenet/lunaclient/partition_identities/154438865304.pid -label app_par1
Partition identity 154438865305 successfully registered.
Repeat this step for each partition identity public key you wish to register to this client.
2.If you were provided with the partition identity public key hash, enter the following command to verify that the hashes match:
stc identityshow
For example:
lunacm:> stc identityshow
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
List of Registered Partitions:
Partition Identity Partition Partition Public Key SHA1 Hash
Label Serial Number
________________________________________________________________________________
app_par1 154438865304 6916eca3751173f7cf903ab60b9bf1bf35088271
If the hashes do not match, enter the following command to deregister the partition identity public key, and contact your HSM SO.
stc partitionderegister -serial <partition_serial_number>
If you are registering legacy partitions, you must complete this additional step. This is carried out by an Administrator on the client workstation and the HSM SO.
The HSM SO requires the client identity you created in Step 1: Create the Client Token and Identity. Use scp, pscp, or other secure means to provide this file from the <luna_client_root_dir>/data/client_identities directory.
1.Use scp or pscp to transfer the client identity to the appliance's "admin" user. Use my file list to confirm that it is available:
lunash:>my file list
484 Mar 6 17:45 mySTCclientID
515 Mar 6 17:38 154438865304.pid
2.Register the client identity to the partition:
stc client register -label <client_name> -file <client_ID> -partition <partition_name>
lunash:>stc client register -partition app_par1 -label Luna_client -file mySTCclientID
Successfully registered client identity mySTCclientIDto partition app_par1.
Repeat this step for each partition you wish to register to this client.
CAUTION: When you enable STC on the client, you must specify the SafeNet Network HSM appliance that hosts the partition you want to link to. This forces the client to use STC for all links to the specified SafeNet Network HSM appliance. Any existing NTLS connections to the specified SafeNet Network HSM appliance will be terminated. Ensure you have registered the partition identity for each partition on this HSM before continuing.
1.Enter the following command in LunaCM to determine the server ID of the SafeNet Network HSM appliance that hosts the partition:
clientconfig listservers
2.Enter the following command to enable the STC link:
stc enable -id <server_id>
For example:
lunacm:> stc enable -id 0
You are about to enable STC to server 192.20.11.78.
This will initiate an automatic restart of this application. All sessions
logged in through the application will be closed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Successfully enabled STC to connect to server 192.20.11.78.
At this point, LunaCM restarts. If successful, the partition appears in the list of available HSMs. The slot for the partition is easily identified because it does not have a label, since it is not yet initialized. In the following example, the uninitialized SafeNet Network HSM partition is in slot 1:
Available HSMs:
Slot Id -> 0
Label -> stc_legacy
Serial Number -> 359693009024
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label ->
Serial Number -> 154438865304
Model -> K6 Base
Firmware Version -> 6.3.0
Configuration -> Luna User Partition with SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
3.Enter the following command to set the current slot to the slot containing the new partition:
slot set -slot <slot>
For example:
lunacm:> slot set -slot 1
4.Enter the following command to verify the link:
stc status
For example:
lunacm:> stc status
Enabled: Yes
Status: Connected
Channel ID: 2
Cipher Name: AES 256 Bit with Cipher Block Chaining
HMAC Name: HMAC with SHA 512 Bit
The Partition SO can now initialize the partition on the client workstation. See [Step 9] Configure PPSO Application Partitions. When a PPSO partition is initialized, the following actions are performed automatically:
•The client identity public key is registered to the partition.
•Partition policy 37: Force Secure Trusted Channel is enabled on the partition.
After the client-partition STC connection is established, you may want other clients to have access to the same partition. This procedure is different for legacy and PPSO partitions. Refer to the appropriate section below.
To register a legacy STC partition to multiple clients, repeat the procedure described above on each additional client workstation:
•Step 1: Create the Client Token and Identity
•Step 2: Register the Partition Identity Public Key to the Client
•[Legacy Partitions] Register the Client Identity to the Appliance
•Step 3: Enable and Verify the STC Link
This procedure allows the Partition SO, Crypto Officer, and Crypto User to access the partition from their own client workstations.
In the following procedure, Client 2 will register the HSM Server Certificate and the partition identity public key(s), and Client 1 will register Client 2's identity public key.
This procedure is completed by the Partition SO (Client 1) and the Client 2 Administrator.
Figure 2: Registering Two Clients to a Single Initialized Partition
You must provide the same files/information to the Client 2 Administrator that you received from the HSM SO. The SafeNet Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must provide the following to the Client 2 Administrator by other secure means:
•The HSM Server Certificate (originally server.pem) from the SafeNet Network HSM. Alternatively, the Client 2 Administrator can obtain it from the HSM SO.
•The partition identity public key for each partition you want to register to Client 2. You can use the original *.pid file supplied by the HSM SO, or export a copy to the client system using the following LunaCM commands:
role login -name po
stcconfig partitionidexport
For example:
lunacm:> stcconfig partitionidexport
Successfully exported partition identity for the current slot to /usr/safenet/lunaclient/partition_identities/154438865305.pid
•The partition identity public key hash for each partition to be registered to Client 2. This is recommended so that the Client 2 Administrator can verify the key's integrity before using the partition. You should not send the hash by the same means as the certificates. Enter the following command in LunaCM to view the hash:
stc identityshow
For example:
lunacm:> stc identityshow
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
List of Registered Partitions:
Partition Identity Partition Partition Public Key SHA1 Hash
Label Serial Number
________________________________________________________________________________
app_par1 154438865304 6916eca3751173f7cf903ab60b9bf1bf35088271
1.This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
Run LunaCM and execute the following commands to create the client token and identity:
stc tokeninit -label <token_label>
stc identitycreate -label <client_identity>
For a more detailed description of this step, see Step 1: Create the Client Token and Identity.
2.Provide the following files/information to the Partition SO. The SafeNet Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must provide the client identity to the Partition SO by other secure means.
–The client 2 identity public key
–The client 2 identity public key hash. This is recommended so that the Partition SO can verify the key's integrity before allowing access to the partition. You should not send the hash by the same means as the client identity public key. Enter the following command in LunaCM to view the hash:
stc identityshow
For example:
lunacm:> stc identityshow
Client Identity Name: Client2
Public Key SHA1 Hash: cd5ca1c094acfe44803a9ef4b412fc4087a16c32
List of Registered Partitions: None
1.Ensure that you have received the necessary certificates/information from the Partition SO:
–HSM Server Certificate (*.pem)
–Partition identity public key (*.pid) for each partition to be registered
–Partition identity public key hash for each partition
2.Open a command prompt or terminal window and navigate to the SafeNet Network HSM client installation directory.
3.Use the vtl utility to register the HSM Server Certificate (192.20.11.78Cert.pem in the example below) to the client:
vtl addserver -n <HSM_hostname_or_IP> -c <server_certificate>
For example:
>vtl addserver -n 192.20.11.78 -c ./cert/server/192.20.11.78Cert.pem
New server 192.20.11.78 successfully added to server list.
4.Launch LunaCM and use the following commands to register the partition identity public key to Client 2 and view the partition hash:
stc partitionregister -file <partition_identity> [-label <partition_label>]
stc identityshow
Repeat for each partition you want to register. For a more detailed description of this step, see Step 2: Register the Partition Identity Public Key to the Client.
5.Find the correct server ID for the SafeNet Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.
CAUTION: This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure you have registered the partition identity for each partition on this HSM before continuing.
clientconfig listservers
stc enable -id <server_ID>
If the partition is not visible as a slot when LunaCM restarts, wait until the Partition SO completes the final procedure and activates Partition Policy 37. For a more detailed version of this step, see Step 3: Enable and Verify the STC Link.
1.Ensure that you have received the necessary certificates/information from the Client 2 Administrator:
–Client 2 identity public key
–Client 2 identity public key hash
2.Launch LunaCM, change the active slot to the partition, and login as Partition SO:
slot set -slot <slotnum>
role login -name po
3.Use the following command to register the Client 2 identity public key (Client2 in the example below):
stcconfig clientregister -label <client_label> -file <client_identity>
For example:
lunacm:> stcconfig clientregister -l Client2 -f /usr/safenet/lunaclient/client_identities/Client2
Successfully registered the client Client2 to the current slot.
4.Enter the following command to view the hash for the Client2 identity:
stcconfig clientlist
For example:
lunacm:> stcconfig clientlist
Client Name Client Public Key SHA1 Hash
___________________________________________________________________________
Client2 cd5ca1c094acfe44803a9ef4b412fc4087a16c32
Partition SO 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
If the displayed hash does not match the hash you received from the Client 2 Administrator, enter the following command to deregister the client identity, and contact the Client 2 Administrator:
stcconfig clientdelete -label <client_label>
5.You can now initialize the Crypto Officer role (or the CO can initialize the Crypto User role) and provide the password to the Client 2 Administrator by secure means. See [Step 9] Configure PPSO Application Partitions.
The Partition SO can register additional clients to the same partition by repeating the process above.
Figure 3: Registering Multiple Clients to a Single Partition
If you have initialized partitions already assigned to a client using NTLS, you can use the following procedure to switch to a more secure STC connection. All of the client's assigned partitions on the specified SafeNet Network HSM will be converted. It is not possible for a client to connect to multiple partitions on a single SafeNet Network HSM using a combination of NTLS and STC.
The procedure for legacy partitions is essentially the same as the procedure above, except that the partition already exists and the NTLS connection has already been established. The steps below are simplified. The HSM SO and Client Administrator must each complete part of this procedure.
The partition and the client must first exchange certificates.
1.Using LunaSH, the HSM SO exports the partition ID and transfers it to the client workstation by secure means:
stc partition export -partition <partition_name>
2.Using LunaCM, the Client Administrator creates the STC token and identity. This is unnecessary and transfers the ID file to the HSM SO by secure means:
stc tokeninit -label <token_label>
stc identitycreate -label <client_identity>
1.Use scp or pscp to transfer the Client ID to the SafeNet Network HSM.
2.Enable HSM Policy 39: Allow Secure Trusted Channel on the SafeNet Network HSM:
hsm changepolicy -policy 39 -value 1
3.Register the Client ID with the partition:
stc client register -partition <partition_name> -label <client_label> -file <client_ID>
4.Enable partition policy 37: Force Secure Trusted Channel for the partition:
partition changepolicy -slot <slotnum> -policy 37 -value 1
1.Open LunaCM and register the partition ID file with the client:
stc partitionregister -file <partition_identity> [-label <partition_label>]
2.Find the correct server ID for the SafeNet Network HSM hosting the partition and enable its STC connection.
lunacm:>clientconfig listservers
lunacm:>stc enable -id <server_ID>
The Partition SO must complete this procedure.
Note: The HSM SO must first enable HSM Policy 39: Allow Secure Trusted Channel on the SafeNet Network HSM (see Prerequisites).
1.This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
Run LunaCM and execute the following commands to create the client token and identity:
stc tokeninit -label <token_label>
stc identitycreate -label <client_identity>
For a more detailed description of this step, see Step 1: Create the Client Token and Identity.
2.Login to the partition as Partition SO and use the following command to export the existing partition ID:
slot set -slot <slotnum>
role login -name po
stcconfig partitionidexport
For example:
lunacm:> stcconfig partitionidexport
Successfully exported partition identity for the current slot to /usr/safenet/lunaclient/partition_identities/1238700701520.pid
3.Enter the following command to register the partition's public key with the client identity:
stc partitionregister -file <partition_identity> [-label <partition_label>]
For example:
lunacm:> stc partitionregister -file /usr/safenet/lunaclient/partition_identities/1238700701520.pid
Partition identity 1238700701520 successfully registered.
4.Enter the following command to register the client identity to the partition:
Note: Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that there is enough free space before registering a client identity.
stcconfig clientregister -label <client_label> -file <client_identity>
For example:
lunacm:> stcconfig clientregister -label mySTCclientID -file /usr/safenet/lunaclient/client_identities/mySTCclientID
Successfully registered the client mySTCclientID to the current slot.
5.Enter the following command to enable partition policy 37: Force STM Connection.
partition changepolicy -slot <slotnum> -policy 37 -value 1
Repeat steps 2-5 for each NTLS partition on the same SafeNet Network HSM you want to register to this client.
Note: If this command returns an error, ensure that the HSM SO has enabled HSM Policy 39 on the appliance.
6.Find the correct server ID for the SafeNet Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.
CAUTION: This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure that you have completed steps 2-5 for each of this client's partitions before continuing.
clientconfig listservers
stc enable -id <server_ID>
If a partition is not visible as a slot when LunaCM restarts, disable STC for the server using stc disable -id <server_ID>, and ensure that you have activated Partition Policy 37. For a more detailed version of this step, see Step 3: Enable and Verify the STC Link.