Linux SafeNet Luna HSM Client Software Installation

You must install the SafeNet Luna HSM client software on each client workstation you will use to access a SafeNet Luna HSM. This section describes how to install the client on a workstation running Linux, and contains the following topics:

>Prerequisites

>Installing the Client Software

>Installing the Minimal Client Software

>Controlling User Access to Your Attached HSMs and Partitions

>Uninstalling the Client Software or Removing Components

>Java Configuration

>Scripted or Unattended Installation

>Interrupting the Installation

Refer to the Customer Release Notes for a complete list of the supported Linux operating systems. These instructions assume that you have already acquired the SafeNet Luna Client software.

Prerequisites

Before starting the installation, ensure that you have satisfied the following prerequisites:

Components Required to Build the PCIe Driver and the Backup HSM Driver

On Linux, the PCIe driver module (and optionally the Backup HSM driver) is built by the client as part of the installation if you choose to install the Luna PCIe HSM component or the Backup HSM. To build the driver, the client requires the following items:

>Kernel headers for build

>kernel-devel package

>rpmbuild package

>C and C++ compilers

>make command

If any one of these items is missing, the driver build will fail and the client software will not be installed.

NOTE   The installed kernel and kernel-devel versions on the Client system must match, in order for the drivers to compile successfully. In general, if the versions do not match, or if you are not sure, use this command yum install kernel-devel-`uname -r` before installing Luna HSM Client. Note the required backticks, (the key to the left of the 1/! key on the keyboard) surrounding `uname –r` (or equivalent command yum install kernel-devel-$(uname -r)).

To check installed versions related to the currently running kernel: rpm -qa kernel * | grep $(uname -r).

Debian Requires alien

The SafeNet Luna HSM Client software is provided as RPM packages. If you are installing on a Debian system, you must have alien installed to allow the SafeNet Luna HSM Client installation script to convert the RPM packages to DEB packages. The installation script will stop with a message if you attempt to install on a Debian system without alien installed. This applies to any other supported Debian-based Linux distribution, such as Ubuntu.

SUSE Linux on IBM PPC

JCE un-restriction files must be downloaded from IBM, not from SUN, for this platform. Attempting to use SUN JCE un-restriction files on IBM PowerPC systems with SUSE Linux causes signing errors.

32-bit Client on 64-bit RedHat 6

Before installing the 32-bit Client on 64-bit OS, you must enter the following commands:

yum install glibc.i686
yum upgrade libstdc++
yum install libstdc++.i686
yum install libgcc.i686
yum install libcap.i686

Installing the Client Software

It is recommended that you refer to the SafeNet Luna HSM Customer Release Notes for any installation-related issues or instructions before installing the client software.

NOTE   You must install the client software using root-level privileges. For security reasons, we recommend that you do not log in as root (or use su root) to run the installation script, but instead use the sudo command to run the installation script, as detailed below.

The installation script

The installation script is install.sh and is usually launched with sh install.sh followed by any options or parameters.

>interactive: sh install.sh [-install_directory <prefix>]

>all: sh install.sh all [-install_directory <prefix>]

>scriptable: sh install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp] [-install_directory <prefix>]

The options on the script are:

>device(s)

"sa" is SafeNet Luna Network HSM (software only, no drivers)

"pci" is SafeNet Luna PCIe HSM (software plus driver for the PCI HSM)

"g5" is the SafeNet Luna Backup HSM (software plus driver for the backup HSM)

"rb" is software to enable Remote Backup

>components include the optional Software Development kit, Java providers, SNMP instance (not needed for Network HSM which has it built in)

By default, the Client programs are installed in the /usr/safenet/lunaclient directory.

Flexible Install paths

You can change the installation path for scriptable (non-interactive) installs by changing the prefix with the script option -install_directory <prefix>

The prefix, or major location is your choice, and replaces the /usr default portion.  

NOTE   Avoid the use of space characters in directory names.

The script option -install_directory <prefix> is available for scriptable installation, where either "all" or a list of products and components is specified on the command line. The script option -install_directory <prefix> is not used with interactive installation; instead, you are prompted.

The /safenet/lunaclient portion is appended by the install script, and provides a predictable structure for additional subdirectories to contain certificate files, and optionally STC files.

Regardless of -install_directory <prefix> provided, some files are not affected by that option (for example, the Chrystoki.conf configuration file goes under /etc, service files need to be in the service directory expected by Linux in order to run at boot time, and so on).

To install the SafeNet Luna HSM Client software on a Linux workstation:

1.Ensure that you have sudo privileges on the client workstation.

2.Access the installation software:

Copy or move the .tar archive to a suitable directory where you can untar the archive and extract the contents:

tar xvf <filename>.tar

3.Go to the directory for your architecture:

32-bit cd /<install_sw_root>/linux/32
64-bit cd /<install_sw_root>/linux/64

where <install_sw_root> is the location of the untarred installation download. For example, $HOME/safenet.

4.To install the software, run the install.sh installation script. You can run the script in interactive mode, or you can script the installation, as described in Scripted or Unattended Installation.

To display the help, or a list of available installer options, type:

sudo sh install.sh -? or sudo sh install.sh help

To install all available products and optional components, type:

sudo sh install.sh all

To selectively install individual products and optional components, type the command without arguments:

sudo sh install.sh

NOTE   Do not interrupt the installation script in progress. An uninterruptible power supply (UPS) is recommended. See Interrupting the Installation for more information.

5.Type y if you agree to be bound by the license agreement. You must accept the license agreement before you can install the software.

6.A list of installable SafeNet products is displayed. Select as many as you require, by typing the number of each (in any order) and pressing Enter. As each item is selected, the list updates, with a * in front of any item that has been selected.

This example shows items 1 and 3 have been selected, and item 4 is about to be selected. The selections work as a toggle - if you wish to make a change, simply type a number again and press Enter to de-select it.

Products
Choose Luna Products to be installed
    *[1]: Luna Network HSM       [2]: Luna PCIe HSM   
*[3]: Luna USB HSM  
[4]: Luna Backup HSM   
     [N|n]: Next
     [Q|q]: Quit
Enter selection: 4

When selection is complete, type N or n for "Next", and press Enter. The "Advanced" menu is displayed.

7.Select or de-select any additional items you want to install. Selected items are indicated with a *. Some items might be pre-selected to provide the optimum experience for the majority of customers, but you can change any selection in the list. When the Components list is adjusted to your satisfaction, press Enter.

NOTE    The installer includes the Luna SNMP Subagent as an option. If you select this option, you will need to move the SafeNet MIB files to the appropriate directory for your SNMP application after installation is complete, and you will need to start the SafeNet subagent and configure it for use with your agent. See the Administration Guide for more information. 

8.If the script detects an existing cryptoki library, it stops and suggests that you uninstall your previous SafeNet software before starting the SafeNet Luna Client installation again.

9.The system installs all packages related to the products and any optional components that you selected.

Installing the Minimal Client Software

The minimal client package contains the minimum run-time libraries required for a cryptography application to connect to SafeNet Network HSM using PKCS#11 or Java APIs. It does not include tools such as LunaCM or VTL.Minimal client install is intended for container instances to interact with SafeNet Luna HSM partitions. Installing is as simple as copying the tarball and untarring it where you want it. A copy of a configured Chrystoki.conf file, along with client and server certificate files (and optionally, STC configuration files) must be available to any instance of Luna Minimal Client at run time.

See Linux Minimal Luna Client Install - Overview for a general example using Docker.

Controlling User Access to Your Attached HSMs and Partitions

By default, only the root user has access to your attached HSMs and partitions. You can specify a set of non-root users that are permitted to access your attached HSMs and partitions, by adding them to the hsmusers group.

NOTE   The client software installation automatically creates the hsmusers group if one does not already exist on your system. The hsmusers group is retained when you uninstall the client software, allowing you to upgrade your client software while retaining your hsmusers group configuration.

Adding users to hsmusers group

To allow non-root users or applications access your attached HSMs and partitions, assign the users to the hsmusers group. The users you assign to the hsmusers group must exist on the client workstation. Users you add to the hsmusers group are able to access your attached HSMs and partitions. Users who are not part of the hsmusers group are not able to access your attached HSMs and partitions.

To add a user to hsmusers group

1.Ensure that you have sudo privileges on the client workstation.

2.Add a user to the hsmusers group:

sudo gpasswd --add <username> hsmusers

where <username> is the name of the user you want to add to the hsmusers group.

Removing users from hsmusers group

Should you wish to rescind a user's access to your attached HSMs and partitions, you can remove them from the hsmusers group.

NOTE   The user you delete will continue to have access to the HSM until you reboot the client workstation.

To remove a user from hsmusers group

1.Ensure that you have sudo privileges on the client workstation.

2.Remove a user from the hsmusers group:

sudo gpasswd -d <username> hsmusers

where <username> is the name of the user you want to remove from the hsmusers group. You must log in again to see the change.

Uninstalling the Client Software or Removing Components

You may need to uninstall the client software before upgrading to a new version, or if it is no longer required.

To uninstall the client software

1.Ensure that you have sudo privileges on the client workstation.

2.Go to the client installation directory:

cd /usr/safenet/lunaclient/bin

3.Run the uninstall script:

sudo sh uninstall.sh

CAUTION!   The hsmusers group is not removed when the client software is uninstalled. Should you install the client again on the same system, all users previously in the group will have access to your attached HSMs and partitions by default. You must remove users from the group if you want to restrict their access. See Removing users from hsmusers group.

To remove individual components

To uninstall the JSP component or the SDK component, you must uninstall SafeNet Luna HSM Client completely, then re-run the installation script without selecting the unwanted component(s).

Java Configuration

During the installation, the script provides the opportunity to install SafeNet Java components. If you select Java components, the SafeNet Java files are installed in the /usr/safenet/lunaclient/jsp/ directory. In order to use Java, you must have separately installed Java (JDK or run-time environment from the vendor of your choice) onto your system. Refer to the Customer Release Notes for supported JDKs.

To install JSP for Java 7/8

Copy the SafeNet Java library and .jar files from their default location under /usr/safenet/lunaclient/jsp/lib to the Java environment directory.

For example: /usr/jre/lib/ext

The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.

To install JSP for Java 9+

Add LunaProvider to the Java classpath and the native bridge to the java.library.path environment variable.

For example:

> java -cp /<path to Gemalto provider>/LunaProvider.jar -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ <class name>

The exact directory might differ depending on where you obtained your Java system, the version, and any choices that you made while installing and configuring it.

To install JCPROV

Copy the SafeNet JCPROV files from their default location under /usr/safenet/lunaclient/jcprov/lib to the Java environment directory.

For additional Java-related information, see Java Interfaces in the SDK Reference Guide.

JSP Static Registration

NOTE   This section applies to JSP, not to JCPROV.  

You would choose static registration of providers if you want all applications to default to the SafeNet provider.

Once your client has externally logged in using salogin or your own HSM-aware utility, any application would be able to use SafeNet product without being designed to log in to the HSM Partition.

Edit the java.security file located in the /jre/lib/security directory of your Java SDK/JRE installation to read as follows:

security.provider.1=sun.security.provider.Sun

security.provider.2=com.sun.net.ssl.internal.ssl.Provider

security.provider.3=com.safenetinc.luna.provider.LunaProvider

security.provider.4=com.sun.rsajca.Provider

security.provider.5=com.sun.crypto.provider.SunJCE

security.provider.6=sun.security.jgss.SunProvider

You can set our provider in first position for efficiency if SafeNet Luna HSM operations are your primary mode. However, if your application needs to perform operations not supported by the LunaProvider (secure random generation or random publickey verification, for example) then it would receive error messages from the HSM and would need to handle those gracefully before resorting to providers further down the list. We have found that having our provider in third position works well for most applications.

The modifications in the java.security file are global, and they might result in the breaking of another application that uses the default KeyPairGenerator without logging into the SafeNet Luna Network HSM first. This consideration might argue for using dynamic registration, instead.

JSP Dynamic Registration

For your situation, you may prefer to employ dynamic registration of Providers, in order to avoid possible negative impacts on other applications running on the same machine. As well, the use of dynamic registration allows you to keep installation as straightforward as possible for your customers.

Scripted or Unattended Installation

If you prefer to run the installation from a script, rather than interactively, run the command with the options -p <list of SafeNet products> and -c <list of SafeNet components>. To see the syntax, run the command with help like this:

[myhost]$ sudo sh install.sh help
[sudo] password for fred

At least one product should be specified.

usage:
        install.sh      - Luna Client install through menu
        install.sh help - Display scriptable install options
        install.sh all  - Complete Luna Client install

        install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp]

        -p <list of Luna products>
        -c <list of Luna components>  - Optional. All components are installed if not provided

Luna products options
   sa     - SafeNet Luna Network HSM
   pci    - SafeNet Luna PCIe HSM
   g5     - SafeNet Luna USB HSM
   rb     - SafeNet Luna Backup HSM

Luna components options
   sdk    - Luna SDK
   jsp    - Luna JSP (Java)
   jcprov - Luna JCPROV (Java)
   snmp   - Luna SNMP subagent


[myhost]$
    

For scripted/automated installation, your script will need to capture and respond to the License Agreement prompt, and to the confirmation prompt. For example:   

[myhost]$ sudo sh install.sh all 

IMPORTANT: The terms and conditions of use outlined in the software 
license agreement (Document #008-010005-001_053110) shipped with the product 
("License") constitute a legal agreement between you and SafeNet Inc.
Please read the License contained in the packaging of this 
product in its entirety before installing this product.

Do you agree to the License contained in the product packaging?

If you select 'yes' or 'y' you agree to be bound by all the terms 
and conditions se out in the License.

If you select 'no' or 'n', this product will not be installed. 

(y/n) y

Complete Luna Client will be installed. This includes SafeNet Luna Network HSM,
SafeNet Luna PCIe HSM, SafeNet Luna USB HSM AND SafeNet Luna Backup HSM.

Select 'yes' or 'y' to proceed with the install.

Select 'no' or 'n', to cancel this install. 

Continue (y/n)?  y  

Interrupting the Installation

Do not interrupt the installation script in progress, and ensure that your host computer is served by an uninterruptible power supply (UPS). If you press [CTRL] [C], or otherwise interrupt the installation (OS problem, power outage, other), some components will not be installed. It is not possible to resume an interrupted install process. The result of an interruption depends on where, in the process, the interruption occurred (what remained to install before the process was stopped).

As long as the cryptoki RPM package is installed, any subsequent installation attempt results in refusal with the message "A version of SafeNet Luna Client is already installed."

If components are missing or are not working properly after an interrupted installation, or if you wish to install any additional components at a later date (following an interrupted installation, as described), you would need to uninstall everything first. If sh uninstall.sh is unable to do it, then you must uninstall all packages manually.