Creating a One-Step NTLS Registration Role

Creating NTLS links between a client and partition using the one-step method (see Create a Network Trust Link - One-Step Setup in the Configuration Guide) usually requires administrative access to the SafeNet Luna Network HSM appliance. You can set up a custom role that allows a third party to use only the commands necessary for one-step NTLS.

To create a one-step NTLS registration role

1.Create a role definition .txt file on your local workstation, listing the following commands:

scp
partition list
client list
client register
client assignPartition

NOTE   All lines must end with a UNIX-style linefeed (lf) character. If you create your file in Windows, be sure to convert it to use UNIX line endings before transferring it to an HSM appliance.

These are the commands necessary for creating one-step NTLS links. You can include any other commands for your registration purposes. See client in the LunaSH Command Reference Guide for the complete set of client commands.

2.Transfer the role definition file (registerclient.txt in the example below) to the appliance using pscp (Windows) or scp (Linux/UNIX).

Windows

pscp registerclient.txt admin@<server_host/IP>:

pscp registerclient.txt admin@192.168.0.123: 
admin@192.168.0.123's password: ********  
registerclient.txt | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
Linux/UNIX

scp registerclient.txt admin@<server_host/IP>:

scp registerclient.txt admin@192.168.0.123: 
admin@192.168.0.123's password: ********  
registerclient.txt | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%

3.Log in to the appliance by SSH as the admin user.

4.Import the role definition file to create the registerclient role (see user role import).

lunash:> user role import -file registerclient.txt -role registerclient

5.Create the register user account (seeuser add

lunash:> user add -username register

6.Assign the role to the register user (see user role add).

lunash:> user role add -username register -role registerclient

7.Open a new SSH connection to the appliance and log in as register with the default password "PASSWORD".

login as: register
register@192.168.0.123's password:

You will be prompted to set a new password for the register user. This will be the password you provide to the third-party client. Ensure it is both secure and distinct from the admin user password.

8.Provide the register password and the partition name to the client operator. The client can now establish a one-step NTLS connection by specifying the register user and password in LunaCM (see clientconfig deploy).

lunacm:> clientconfig deploy -server <server_host/IP> -client <client_host/IP> -partition <name> -user register