Optional Configuration Tasks
After completing the base configuration, you can also perform any of the following optional configuration tasks:
Configure the SafeNet Luna PCIe HSM appliance to use a Network Time Protocol (NTP) server
You can synchronize a SafeNet Luna PCIe HSM appliance with a network time protocol (NTP) server. NTP provides a reliable, consistent, and accurate timing mechanism for the appliance using Coordinated Universal Time (UTC), and is the recommended option for providing an accurate date and time for the appliance. Accurate time also matters for the appliance's audit logs and for any certificate validity checks it performs. SafeNet Luna PCIe HSM also provides secure NTP. See "Timestamping – NTP and Clock Drift" in the SafeNet Luna PCIe HSM Appliance Administration Guide.
Configure multiple HSMs to operate in high-availability (HA) mode
High Availability (HA) mode allows you to automatically replicate the data on an HSM/partition over two or more physical HSMs to provide redundancy and load balancing. Applications using an HA HSM/partition do not access it directly. Instead, the HA software creates a virtual slot for the partition and manages which physical HSM is actually used when responding to an application request. See High-Availability (HA) Configuration and Operation in the Administration Guide.
Configure SNMP
You can use the SafeNet SNMP MIB to monitor the performance of your HSMs. See SNMP Monitoring in the Administration Guide.
Configure a remote PED
If you are configuring a PED-authenticated HSM, you can configure it to use a remote PED, which allows you to authenticate to the HSM from a remote location. See About Remote PED in the Administration Guide.
Configure for RADIUS Authentication
RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol providing authentication, authorization, and accounting service to configured clients. The client passes user information to configured, designated RADIUS servers, and acts on the returned response. A RADIUS server receives user connection requests, authenticates the user if that user's profile exists on the server, and then returns the configuration information according to which the client can deliver service to the user.
A proposal to carry RADIUS over TLS is under consideration by the custodians of the RADIUS standard, but RADIUS interaction currently takes place over UDP (User Datagram Protocol). The only protection for the exchange is the shared secret configured on both sides: it hides the user password in the request and authenticates the server's reply, so use a strong, unique secret for each client and keep the path between the appliance and the RADIUS server on a trusted management network.
RADIUS Configuration Summary
Configuration and identification must take place at both ends of the RADIUS transaction. These actions include:
On the RADIUS Server Side
>Identify the client systems from which this server will accept requests and return service (this is recorded in the RADIUS server's configuration file).
>Identify the users who will be covered by the service.
On the RADIUS Client Side (Your SafeNet Luna PCIe HSM)
>Enable RADIUS.
>Add a RADIUS server, specifying its IP address, and providing the access secret for that server.
>Check the status of SafeNet Luna PCIe HSM appliance users.
>Add desired SafeNet Luna PCIe HSM appliance users to the RADIUS list, enabling RADIUS authentication for those users.
>Verify that RADIUS is enabled for any user on your SafeNet Luna PCIe HSM that needs to use RADIUS.
Configuring RADIUS with Your SafeNet Appliance
Follow these steps on the RADIUS Server:
You can use any standards-compliant RADIUS server, either a commercial server or one of the free/open-source servers, like freeRADIUS or openRADIUS.
1. Add the client to the RADIUS server's configuration file, specifying:
•The address of the SafeNet Luna PCIe HSM appliance.
•The secret or password that the client will use when connecting.
•A short, user-friendly or business-relevant name for the client.
For some RADIUS implementations you edit the file directly; others provide an administrative interface. The following FreeRADIUS example registers two appliances:

    /etc/raddb/clients.conf:

    client 192.20.17.174 {
        ipaddr    = 192.20.17.174
        secret    = testing123
        nastype   = other
        shortname = sa174
    }

    client 192.20.22.106 {
        ipaddr    = 192.20.22.106
        secret    = testing321
        nastype   = other
        shortname = sa22106
    }

The secrets shown are placeholders (testing123 is the well-known FreeRADIUS sample secret): use a long, random, unique secret for each appliance, and enter exactly the same value when you add the server on the appliance in the next section.
2. Add the user name and password of each appliance user who will authenticate through RADIUS to the "users" file of the RADIUS server. The users file is shared by all clients; the entries below cover users on several appliances:

    /etc/raddb/users:

    sauser162   Cleartext-Password := "userpw654"
    sauser171   Cleartext-Password := "userpw987"
    sauser172   Cleartext-Password := "userpw789"
    sauser173   Cleartext-Password := "userpw456"
    sauser174   Cleartext-Password := "userpw321"
    nagios      Cleartext-Password := "nagiospw"
    audit       Cleartext-Password := "userpin"
    someguy     Cleartext-Password := "userpw"
    sauser106   Cleartext-Password := "userpw123"

Because this file holds passwords in cleartext, restrict it (and clients.conf, which holds the shared secrets) so that only the RADIUS daemon's account can read it.
A user can use RADIUS for a SafeNet Luna PCIe HSM, only if that SafeNet Luna PCIe HSM is registered as a client, and if that user is registered as a user in the appropriate files on the RADIUS server.
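The following is an added example, not code from the vendor or from FreeRADIUS: the RADIUS exchange described above, built on the RFC 2865 packet format with the appliance as the client and a server that holds a clients table and a users table mirroring clients.conf and users. The addresses, secret and user passwords are constructed sample values taken from the two file excerpts. The run function exercises the four outcomes a practitioner meets in practice: accept, reject for a wrong password, a silent drop when the appliance is not a registered client, and an unverifiable reply when the two sides hold different secrets.

```python
"""RFC 2865 Access-Request / Access-Accept exchange (added example, not vendor code).
Client side = the appliance, server side = the RADIUS server. All addresses,
secrets and passwords below are constructed sample data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Constructed registrations, mirroring clients.conf (NAS address -> secret)
# and the users file (user -> Cleartext-Password).
CLIENTS = {"192.20.17.174": b"testing123"}
USERS = {"sauser174": "userpw321", "someguy": "userpw"}


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(secret, req_auth, password):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], key))
        out += block
        prev = block          # chaining uses the cipher block, not the plaintext
    return out


def reveal_password(secret, req_auth, hidden):
    """Server-side inverse of hide_password; garbage if the secret differs."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, user, password, nas_ip):
    """Client side: fresh 16-byte Request Authenticator, hidden password, NAS-IP-Address."""
    req_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return req_auth, _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(packet, src_ip):
    """Server side. src_ip stands in for the UDP source address: requests from
    unregistered clients are dropped silently (RFC 2865 s4.1), never answered."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
    code = ACCESS_ACCEPT if USERS.get(user) == password else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + req_auth + secret).digest()
    return _packet(code, ident, resp_auth, b"")


def client_verify(secret, req_auth, ident, response):
    """Client side: accept only replies whose Response Authenticator matches our secret."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident:
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return code if response[4:20] == expected else None


def run(secret, user, password, nas_ip="192.20.17.174"):
    """Whole exchange; returns 'accept', 'reject', 'dropped' or 'bad-response-auth'."""
    ident = 7
    req_auth, request = build_access_request(secret, ident, user, password, nas_ip)
    response = server_handle(request, nas_ip)
    if response is None:
        return "dropped"
    code = client_verify(secret, req_auth, ident, response)
    if code is None:
        return "bad-response-auth"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[code]
```

The "dropped" and "bad-response-auth" outcomes are the two symptoms you see when one side of the registration is missing or mismatched: an appliance that is not in clients.conf gets no reply at all and times out after the configured timeout, while a wrong secret on either side produces replies the appliance cannot verify, and the user password the server recovers is garbage, so the login fails even though both the client and the user are registered.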
Follow these steps on the SafeNet Luna PCIe HSM appliance:
NOTE Without RADIUS, use the command user add user somename to add an appliance administrative user on SafeNet Luna PCIe HSM.
With RADIUS, use the command user radiusAdd -u somename to both create the user on the appliance and add that user to the RADIUS list. You cannot use user radiusAdd to convert an existing user from non-RADIUS to RADIUS.
1. On the SafeNet Luna PCIe HSM appliance, enable RADIUS with the command sysconf radius enable.
2. Add the server (by hostname or IP address), specifying the port to use and the timeout value in seconds. Enter the same secret that you configured for this appliance in the server's clients.conf.

    [1722022106] lunash:>sysconf radius add -s 192.20.15.182 -p 1812 -t 60

    Enter the server secret:
    Re-enter the server secret:

    Command Result : 0 (Success)
3. Verify that the desired server has been added. Note that the output states what RADIUS governs on the appliance: SSH logins.

    [1722022106] lunash:>sysconf radius show

    RADIUS for SSH is enabled with the following deployed servers:
        server:port                 timeout
        -------------               ----------
        192.20.15.182:1812          60

    Command Result : 0 (Success)
4. Check the user list to see which users exist, are enabled on the SafeNet appliance, and are RADIUS enabled.

    [1722022106] lunash:>user list

        Users                 Roles     Status    RADIUS
        --------------------  --------  --------  --------
        admin                 admin     enabled   no
        audit                 audit     enabled   no
        monitor               monitor   disabled  no
        operator              operator  disabled  no

    Command Result : 0 (Success)
5. Add a user, by name, as a RADIUS user. As the output shows, the command restarts sshd on the appliance so that the new login path takes effect.

    [1722022106] lunash:>user radiusAdd -u someguy

    Creating mailbox file: File exists
    Stopping sshd:                                             [  OK  ]
    Starting sshd:                                             [  OK  ]

    Command Result : 0 (Success)
6. Add the user's appliance role. In this example the user is given admin-level access; in practice, assign the least privileged role (for example, monitor or operator) that the user's duties require.

    [1722022106] lunash:>user role add -u someguy -r admin

    User someguy was successfully modified.

    Command Result : 0 (Success)
7. Verify that the user exists, has the correct role on the SafeNet appliance, and is a RADIUS user for this appliance.

    [1722022106] lunash:>user list

        Users                 Roles     Status    RADIUS
        --------------------  --------  --------  --------
        admin                 admin     enabled   no
        audit                 audit     enabled   no
        someguy               admin     enabled   yes
        monitor               monitor   disabled  no
        operator              operator  disabled  no

    Command Result : 0 (Success)