sysconf hwregencert

This command generates or re-generates the SafeNet appliance server certificate used by NTLS (the Network Trust Link Service), with the NTLS private key kept in HSM hardware.

If your setup uses DNS, do not specify an IP address. If your setup does not use DNS, specify the IP address of eth0 so that the certificate is generated for the address that clients will use to reach the appliance.

It is very important that the certificate is generated correctly, or NTLS will not work: clients register this certificate and use it to authenticate the appliance when they set up the trust link.

This command stores the resulting private and public keys in the HSM, and the certificate generated from them on the file system (hard disk) inside the SafeNet appliance. If you prefer the additional speed of keys that are stored in the file system, use the command 'sysconf regenCert' instead.

Trade-off

If you use 'sysconf hwRegenCert', the private key exists only on the HSM, so the parts of the NTLS handshake that need the private key are performed by the HSM and take slightly longer to complete. For applications that set up an NTLS link once, keep it open for an extended period and perform many crypto operations over it, the additional overhead is negligible.

For applications that set up a link, perform one operation, tear the link down, then set up another link for the next operation, the overhead of keeping the private key on the HSM is paid on every connection and can become noticeable.

Additional Commands Required

To use keys in hardware, the following sequence is necessary:

1. At the SafeNet Network HSM, run sysconf hwRegenCert.

2. Run ntls bind, as required; this also restarts NTLS.

3. Run ntls activateKeys, to ensure that the keys in the special partition remain available.

4. Transfer the new server certificate to the clients.

5. At each client, register the new server certificate.

Also, if the SafeNet appliance is rebooted or restarted for any reason (secure package update, power failure, and so on) while the NTLS keys are in the HSM, you must run ntls activateKeys and then service restart ntls before clients can connect again.
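Steps 4 and 5 above are where a certificate generated for the wrong identity, or a file substituted in transit, would be caught. The following is an added example, not part of the Luna documentation or of the SafeNet client tools: a set of POSIX shell checks to run on the client against the transferred certificate before registering it. It assumes the file was copied to the client as server.pem, that the client has the openssl command-line tool (1.1.1 or later, for -ext and -addext), and it uses the hypothetical hostname mylunaSA and eth0 address 10.0.0.5; the self-signed certificate it builds for the demo is a constructed stand-in for the appliance's real server.pem. It does not perform the registration itself, because which client tool does that is not covered on this page.

```shell
#!/bin/sh
# Added example (not part of the Luna documentation): client-side checks on the
# transferred NTLS server certificate before it is registered with the client.
# Assumes openssl 1.1.1+ on the client; names and addresses are hypothetical.

# Print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the certificate names $2 (hostname or IP) in its subject CN or in
# a subjectAltName entry, 1 otherwise. This must be the identity clients will
# use for the server entry: a DNS name, or, without DNS, the eth0 address that
# was passed to sysconf hwRegenCert.
cert_matches() {
  cert="$1"; want="$2"
  [ "$(cert_cn "$cert")" = "$want" ] && return 0
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx -e "DNS:$want" -e "IP Address:$want"
}

# Print the SHA-256 fingerprint. Compare it with the value obtained from the
# appliance administrator over a trusted channel before trusting the file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if the certificate has not expired (notAfter is in the future).
# A -startdate in the future is not detected by -checkend; inspect -dates for that.
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage: check_server_cert server.pem <hostname-or-ip clients will use>
check_server_cert() {
  cert="$1"; name="$2"
  cert_valid_now "$cert" || { echo "certificate is expired"; return 1; }
  cert_matches "$cert" "$name" || { echo "certificate does not name $name"; return 1; }
  echo "OK: $cert names $name; SHA-256 fingerprint $(cert_fingerprint "$cert")"
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# appliance's server.pem, with a DNS SAN and an IP SAN like a cert generated
# for a non-DNS setup would need.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=mylunaSA" -addext "subjectAltName=DNS:mylunaSA,IP:10.0.0.5" \
    -keyout "$dir/key.pem" -out "$dir/server.pem" >/dev/null 2>&1
  echo "$dir/server.pem"
}

# Demo: ./check_cert.sh demo
if [ "${1:-}" = "demo" ]; then
  sample=$(make_sample_cert)
  check_server_cert "$sample" mylunaSA
  check_server_cert "$sample" 10.0.0.5
  check_server_cert "$sample" 10.0.0.6 || true   # fails: not an identity in the cert
fi
```

Run check_server_cert with the exact hostname or IP address that will be used in the client's server entry; if it reports a mismatch, the certificate was generated for the wrong identity (typically a missing eth0 address on a non-DNS setup) and should be regenerated on the appliance rather than registered.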

This command generates a new key pair. If you wish to use existing keys that you have already created in the file system (not yet stored on the HSM), you can move them into the HSM with sysconf secureKeys instead.

You must be logged in to use this command.

The keys-in-hardware feature requires a special partition, "Cryptoki User", to hold the RSA key pair for NTLS. Even though it shows in the partition list, this partition is not meant to be managed by customers directly. Once it is created, you should never need to touch it.

Syntax

sysconf hwRegenCert [<eth0_ip_address>] [-days <days>] [-startdate <yyyymmdd>] [-force]

Parameter            Shortcut   Description
<eth0_ip_address>               IP address of eth0. Provide it if the rest of your setup was done without DNS, so that the certificate is generated for the address clients will use.
-days                           Certificate validity period, in days. Range: 1 to 3653.
-force                          Force the action without prompting.
-startdate                      Certificate validity start date, in numeric year, month, day format with a four-digit year (yyyymmdd).

Example

[mylunaSA]lunash:>par create -par "Cryptoki User"


On completion, you will have this number of partitions: 1

-label:  Not provided; using name for label.


          Note: This partition is only to be used for NTLS Keys in Hardware.

          Type 'proceed' to create the initialized partition, or
          'quit' to quit now.
          > proceed
Please ensure that you copy the password from the Luna PED and
that you keep it in a safe place.

Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.

Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.

'partition create' successful.


Command Result : 0 (Success)
[mylunaSA] lunash:>sysconf hwRegenCert


WARNING !!  This command will overwrite the current server certificate and private key.
            All clients will have to add this server again with this new certificate.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...

NTLS certificate generated. Migrate NTLS private key into HSM hardware..

Enter User Password:

Proceeding to create/migrate keys to "Cryptoki User" with handle 9
Please attend to the PED to activate partition on HSM - use User or Partition Owner (black) PED key.


Success:  NTLS keys are in hardware.

'sysconf hwRegenCert' successful. NTLS and/or STC must be (re)started before clients can connect.

Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.


Command Result : 0 (Success)
[mylunaSA] lunash:>ntls activateKeys

Enter User Password:
Please attend to the PED to activate partition on HSM - use User or Partition Owner (black) PED key.
Stopping ntls:OK
Starting ntls:OK
Stopping htl:OK
Starting htl:OK

Command Result : 0 (Success)
[mylunaSA] lunash:>