Creating an STC Link Between a Client and a Partition
If you require a higher level of security for your network links than is offered by NTLS, such as in cloud environments, or in situations where message integrity is paramount, you can use Secure Trusted Channel (STC) to provide very secure client-partition links. STC offers the following features to ensure the security and integrity of your client-partition communications:
>All data is transmitted using symmetric encryption; only the end-points can decrypt messages
>Message authentication codes prevent an attacker from intercepting and modifying any command or response
>Mutual authentication of the HSM and the end-point ensures that only authorized entities can establish an STC connection
See Secure Trusted Channel (STC) in the Administration Guide for more information. You can configure your SafeNet Luna Network HSM so that some partitions use STC and others use NTLS.
NOTE The SafeNet Luna Network HSM can create STC and NTLS channels to different clients as required. The client can also support both STC and NTLS links. However, all links from a specific client to a specific SafeNet Luna Network HSM appliance must be either STC or NTLS.
NOTE STC links are not supported over an IPv6 network. You must use NTLS to make partition-client connections via IPv6.
This section describes how to establish an STC connection between a client and a new partition. The procedure consists of the following major steps:
>Step 1: Create the Client Token and Identity
>Step 2: Register the Partition Identity Public Key to the Client
>Step 3: Enable and Verify the STC Link
The following optional procedures are also described:
>Registering a Single STC Partition to Multiple Clients
>Converting an Initialized NTLS Partition-Client Connection to STC
Figure 1: Creating an STC Link Between a Client and a Partition
Prerequisites
You must complete these procedures before establishing a partition-client STC connection. The instructions are divided into tasks performed by the HSM SO and the Client Administrator.
>Enabling STC on the Admin Channel (Optional)
>Client Administrator Prerequisites
HSM SO Prerequisites
To prepare the HSM to use STC, the HSM SO must complete the following prerequisites. If you have Administrator access to the client workstation, you can use scp or pscp to transfer the server and partition public keys directly from the SafeNet Luna Network HSM. Otherwise, you must provide these keys to the client by other secure means.
1.Enable HSM Policy 39: Allow Secure Trusted Channel on the appliance.
a.Log in as HSM SO using LunaSH.
lunash:>hsm login
b.Set Policy 39 to 1 (Enabled).
lunash:>hsm changepolicy -policy 39 -value 1
c.Confirm that HSM Policy 39 is enabled.
lunash:>hsm showpolicies
2.Create one or more new partitions for the client.
NOTE Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that you create partitions large enough to store the identity of every client workstation that will access the partition, in addition to cryptographic objects.
lunash:>partition create -partition <partition_name> [-size <bytes>]
When you create a partition, a partition identity key pair is automatically created.
3.For each partition you created, export the partition identity public key to the SafeNet Luna Network HSM file system. The file will be named with the partition's serial number. You can check the key's filename with my file list.
lunash:>stc partition export -partition <partition_name>
lunash:>my file list
lunash:>stc partition export -partition app_par1
Successfully exported partition identity for partition app_par1 to file: 154438865304.pid
lunash:>my file list
515 Mar 6 17:38 154438865304.pid
4409 Mar 6 10:44 firstboot.log
4.View the partition identity public key hash. It is recommended that you provide it (via separate channel) to the client receiving the partition identity public key, so that the Partition SO can verify the key's integrity as described in Step 3: Enable and Verify the STC Link.
lunash:>stc partition show -partition <partition_name>
lunash:>stc partition show -partition app_par1
Partition Serial Number: 154438865304
Partition Identity Public Key SHA1 Hash: 477ad2869ad892ebdd5007aa54fae3745fa175e2
5.The client will require the following files/information to establish the STC connection. The SafeNet Luna Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must transfer these files from the HSM and provide them to the client by other secure means:
•The HSM Server Certificate (server.pem) from the SafeNet Luna Network HSM. If you have already established an NTLS connection between the appliance and the client, as detailed in Create a Network Trust Link Between the Client and the Appliance, you do not need to send this certificate.
•The partition identity public key for each partition to be assigned to the client (154438865304.pid in the example above).
•The partition identity public key hash for each partition to be assigned to the client. This is recommended so that the client can verify the key's integrity before using the partition. Do not send the hash by the same means as the certificates.
Enabling STC on the Admin Channel (Optional)
For added security, you can use STC to secure communications between the SafeNet Luna Network HSM appliance and the HSM Admin partition. This procedure is performed by the HSM SO using LunaSH. You must be logged in as HSM SO to enable or disable this feature. You must restart the STC service after enabling STC on the Admin channel.
NOTE Enabling STC on the Admin channel is performance-affecting. For more information, see Establishing and Configuring the STC Admin Channel on a SafeNet Luna Network HSM Appliance.
To enable STC on the admin channel:
1.Enable STC.
lunash:>hsm stc enable
2.Restart the STC service on the HSM.
lunash:>service restart stc
Client Administrator Prerequisites
To prepare the client to access a partition on the SafeNet Luna Network HSM, you must first establish a Network Trust Link to the appliance using the HSM Server Certificate (server.pem) you received from the HSM SO. You must have Administrator privileges on the client workstation.
1.Open a command line (as Administrator) on the client and navigate to the Luna HSM Client install directory.
2.Register the SafeNet Luna Network HSM appliance with the client.
>vtl addserver -n <IP/hostname> -c <server_certificate_filename>
See Create a Network Trust Link Between the Client and the Appliance for more detailed instructions.
3.To check that you have successfully registered the appliance with the client, launch LunaCM and view the list of registered servers.
lunacm:>clientconfig listservers
Step 1: Create the Client Token and Identity
This procedure is completed by an Administrator on the client workstation, using LunaCM.
CAUTION! This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
To create the client token and identity:
1.Open a SafeNet Luna HSM client session.
a.Open a command prompt or terminal window.
b.Launch LunaCM.
Windows | C:\Program Files\SafeNet\LunaClient\lunacm
Linux | /usr/safenet/lunaclient/data/bin/lunacm
Solaris/HP-UX | /opt/safenet/lunaclient/data/bin/lunacm
2.Initialize the STC client software token, or insert the STC client hardware token (SafeNet eToken 7300) you have prepared for this client:
•If you are using an STC client software token, initialize the STC client token.
lunacm:>stc tokeninit -label <token_label>
lunacm:> stc tokeninit -label mySTCclientToken
Successfully initialized the client token.
•If you are using an STC client hardware token (SafeNet eToken 7300), insert the token into an available USB port. Before you can use a hardware token, initialize it using the SafeNet Authentication Client on a Windows workstation, as described in Using a Hard Token to Store the STC Client Identity in the Administration Guide.
You must also install the SafeNet Authentication Client software (8.3 or higher) on the client workstation and add the following line to the Secure Trusted Channel section of the crystoki.ini (Windows) or Chrystoki.conf (UNIX/Linux) file, to specify the path to the SafeNet Authentication Client eToken library:
Windows | ClientTokenLib=C:\Windows\System32\eToken.dll
Linux | ClientTokenLib=<path_to_libeToken.so> (for example, on CentOS the path is /usr/lib/libeToken.so)
3.Create a client identity on the token. The STC client identity public key is automatically exported to the <luna_client_root_dir>/data/client_identities directory.
lunacm:>stc identitycreate -label <client_identity>
lunacm:> stc identitycreate -label mySTCclientID
Client identity successfully created and exported to file /usr/safenet/lunaclient/data/client_identities/mySTCclientID
Step 2: Register the Partition Identity Public Key to the Client
This step requires the partition identity public key file created by the HSM SO in Prerequisites (154438865304.pid in the example).
To register the partition identity public key to the client:
1.Launch LunaCM and register the public key to the client.
lunacm:>stc partitionregister -file <partition_identity> [-label <partition_label>]
lunacm:> stc partitionregister -file /usr/safenet/lunaclient/partition_identities/154438865304.pid -label app_par1
Partition identity 154438865305 successfully registered.
Repeat this step for each partition identity public key you wish to register to this client.
2.If you were provided with the partition identity public key hash, verify that the hashes match.
lunacm:>stc identityshow
lunacm:> stc identityshow
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
List of Registered Partitions:
Partition Identity Partition Partition Public Key SHA1 Hash
Label Serial Number
________________________________________________________________________________
app_par1 154438865304 6916eca3751173f7cf903ab60b9bf1bf35088271
If the hashes do not match, deregister the partition identity public key, and contact your HSM SO.
lunacm:>stc partitionderegister -serial <partition_serial_number>
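The hash comparison in step 2 is the point at which a tampered or substituted .pid file would be caught, so it is worth doing against a written record rather than by eye. The following script is an added example and is not part of the SafeNet documentation: it assumes the stc identityshow output has been saved to a text file and that the hashes received out of band from the HSM SO are kept in a file with one "<serial> <sha1>" line each; the app_par2 row and the hash values in the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SafeNet documentation): compare the partition public
# key SHA1 hashes reported by "lunacm:> stc identityshow" with the hashes received
# out of band from the HSM SO, and flag anything that does not verify.
#
# Assumptions (constructed for this example):
#   - the identityshow output has been saved to a text file; each row of the
#     "List of Registered Partitions" table is "<label> <serial> <sha1>"
#   - expected hashes are in a file with one "<serial> <sha1>" per line

# verify_hashes <identityshow_output_file> <expected_hashes_file>
# Prints one OK / MISMATCH / MALFORMED / UNVERIFIED line per registered partition.
# Returns 1 if any hash mismatches or is malformed, 0 otherwise. A partition with
# no out-of-band hash on record is reported as UNVERIFIED rather than OK, so that
# a missing record is never mistaken for a successful check.
verify_hashes() {
    awk '
        FILENAME == ARGV[1] { expected[$1] = tolower($2); next }  # out-of-band hashes
        /^_+$/              { in_table = 1; next }                # rule under the header
        in_table && NF >= 2 {
            label = $1; key = $(NF - 1); hash = tolower($NF)
            if (length(hash) != 40) {
                printf "MALFORMED %s (%s): %s is not a SHA1 hash\n", label, key, hash
                bad++
            } else if (!(key in expected))
                printf "UNVERIFIED %s (%s): no out-of-band hash on record\n", label, key
            else if (expected[key] == hash)
                printf "OK %s (%s)\n", label, key
            else {
                printf "MISMATCH %s (%s): got %s, expected %s\n", label, key, hash, expected[key]
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$2" "$1"
}

# mismatched_serials <identityshow_output_file> <expected_hashes_file>
# Prints only the serial numbers that failed verification, one per line, ready
# to be passed to "stc partitionderegister -serial".
mismatched_serials() {
    verify_hashes "$1" "$2" | awk '$1 == "MISMATCH" { gsub(/[():]/, "", $3); print $3 }'
}

# Constructed sample input, modelled on the identityshow output shown above.
# app_par2 and the hashes in expected_hashes.txt are made up for the example.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/identityshow.txt" <<'EOF'
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
List of Registered Partitions:
Partition Identity   Partition         Partition Public Key SHA1 Hash
Label                Serial Number
________________________________________________________________________________
app_par1             154438865304      6916eca3751173f7cf903ab60b9bf1bf35088271
app_par2             154438865305      0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
EOF
cat > "$SAMPLE_DIR/expected_hashes.txt" <<'EOF'
154438865304 6916eca3751173f7cf903ab60b9bf1bf35088271
154438865305 1111111111111111111111111111111111111111
EOF

if verify_hashes "$SAMPLE_DIR/identityshow.txt" "$SAMPLE_DIR/expected_hashes.txt"; then
    echo "all registered partition hashes verified"
else
    echo "deregister each MISMATCH with 'stc partitionderegister -serial <serial>' and contact the HSM SO"
fi
```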
Step 3: Enable and Verify the STC Link
CAUTION! When you enable STC on the client, you must specify the SafeNet Luna Network HSM appliance that hosts the partition you want to link to. This forces the client to use STC for all links to the specified SafeNet Luna Network HSM appliance. Any existing NTLS connections to the specified SafeNet Luna Network HSM appliance will be terminated. Ensure you have registered the partition identity for each partition on this HSM before continuing.
To enable and verify the STC link:
1.Launch LunaCM and view the list of registered servers to find the server ID of the SafeNet Luna Network HSM appliance that hosts the partition.
lunacm:>clientconfig listservers
2.Enable the STC link.
lunacm:>stc enable -id <server_ID>
lunacm:> stc enable -id 0
You are about to enable STC to server 192.20.11.78.
This will initiate an automatic restart of this application. All sessions
logged in through the application will be closed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Successfully enabled STC to connect to server 192.20.11.78.
LunaCM restarts. If successful, the partition appears in the list of available HSMs. The slot for the partition is easily identified because it does not have a label, since it is not yet initialized. In the following example, the uninitialized SafeNet Luna Network HSM partition is in slot 1:
Available HSMs:
Slot Id -> 0
Label -> stc_legacy
Serial Number -> 359693009024
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label ->
Serial Number -> 154438865304
Model -> LunaSA
Firmware Version -> 7.0.1
Configuration -> Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
3.Set the active slot to the new partition.
lunacm:>slot set -slot <slot>
4.Verify the link.
lunacm:>stc status
lunacm:> stc status
Enabled: Yes
Status: Connected
Channel ID: 2
Cipher Name: AES 256 Bit with Cipher Block Chaining
HMAC Name: HMAC with SHA 512 Bit
The Partition SO can now initialize the partition on the client workstation. See Configure Application Partitions. When the partition is initialized, the following actions are performed automatically:
>The client identity public key is registered to the partition.
>Partition policy 37: Force Secure Trusted Channel is enabled on the partition.
Registering a Single STC Partition to Multiple Clients
After the client-partition STC connection is established, you may want other clients to have access to the same partition. This allows the Partition SO, Crypto Officer, and Crypto User to access the partition from their own client workstations.
In the following procedure, Client 2 will register the HSM Server Certificate and the partition identity public key(s), and Client 1 will register Client 2's identity public key.
This procedure is completed by the Partition SO (Client 1) and the Client 2 Administrator.
Figure 2: Registering Two Clients to a Single Initialized Partition
Partition SO (Client 1) Prerequisites:
You must provide the same files/information to the Client 2 Administrator that you received from the HSM SO. The SafeNet Luna Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must provide the following to the Client 2 Administrator by other secure means:
>The HSM Server Certificate (server.pem) from the SafeNet Luna Network HSM. Alternatively, the Client 2 Administrator can obtain it from the HSM SO.
>The partition identity public key for each partition you want to register to Client 2. You can use the original *.pid file supplied by the HSM SO, or export a copy to the client system using LunaCM:
lunacm:>role login -name po
lunacm:>stcconfig partitionidexport
lunacm:> stcconfig partitionidexport
Successfully exported partition identity for the current slot to /usr/safenet/lunaclient/partition_identities/154438865305.pid
>The partition identity public key hash for each partition to be registered to Client 2. This is recommended so that the Client 2 Administrator can verify the key's integrity before using the partition. You should not send the hash by the same means as the certificates. To view the hash in LunaCM:
lunacm:>stc identityshow
lunacm:> stc identityshow
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
List of Registered Partitions:
Partition Identity Partition Partition Public Key SHA1 Hash
Label Serial Number
________________________________________________________________________________
app_par1 154438865304 6916eca3751173f7cf903ab60b9bf1bf35088271
Client 2 Prerequisites:
1.Launch LunaCM and create the client token and identity.
NOTE This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
lunacm:>stc tokeninit -label <token_label>
lunacm:>stc identitycreate -label <client_identity>
For a more detailed description of this step, see Step 1: Create the Client Token and Identity.
2.Provide the following files/information to the Partition SO. The SafeNet Luna Network HSM client software package includes the scp (Linux) and pscp (Windows) tools for securely transferring files (see SCP and PSCP for syntax). If you do not have access to the client workstation, or a firewall prevents you from using scp or pscp, you must provide the client identity to the Partition SO by other secure means.
•The client 2 identity public key
•The client 2 identity public key hash. This is recommended so that the Partition SO can verify the key's integrity before allowing access to the partition. You should not send the hash by the same means as the client identity public key. To view the hash in LunaCM:
lunacm:>stc identityshow
lunacm:> stc identityshow
Client Identity Name: Client2
Public Key SHA1 Hash: cd5ca1c094acfe44803a9ef4b412fc4087a16c32
List of Registered Partitions: None
Client 2 Administrator:
1.Ensure that you have the required certificates/information from the Partition SO:
•HSM Server Certificate (*.pem)
•Partition identity public key (*.pid) for each partition to be registered
•Partition identity public key hash for each partition
2.Open a command prompt or terminal window and navigate to the SafeNet Luna Network HSM client installation directory.
3.Use the vtl utility to register the HSM Server Certificate (192.20.11.78Cert.pem in the example below) to the client.
>vtl addserver -n <HSM_hostname_or_IP> -c <server_certificate>
>vtl addserver -n 192.20.11.78 -c ./cert/server/192.20.11.78Cert.pem
New server 192.20.11.78 successfully added to server list.
4.Launch LunaCM, register the partition identity public key to Client 2, and view the partition hash.
lunacm:>stc partitionregister -file <partition_identity> [-label <partition_label>]
lunacm:>stc identityshow
Repeat for each partition you want to register. For a more detailed description of this step, see Step 2: Register the Partition Identity Public Key to the Client.
5.Find the correct server ID for the SafeNet Luna Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.
CAUTION! This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure you have registered the partition identity for each partition on this HSM before continuing.
lunacm:>clientconfig listservers
lunacm:>stc enable -id <server_ID>
If the partition is not visible as a slot when LunaCM restarts, wait until the Partition SO completes the final procedure and activates Partition Policy 37. For a more detailed version of this step, see Step 3: Enable and Verify the STC Link.
Partition SO (Client 1):
1.Ensure that you have received the required certificates/information from the Client 2 Administrator:
•Client 2 identity public key
•Client 2 identity public key hash
2.Launch LunaCM, change the active slot to the partition, and log in as Partition SO.
lunacm:>slot set -slot <slotnum>
lunacm:>role login -name po
3.Register the Client 2 identity public key (Client2 in the example below).
lunacm:>stcconfig clientregister -label <client_label> -file <client_identity>
lunacm:> stcconfig clientregister -l Client2 -f /usr/safenet/lunaclient/client_identities/Client2
Successfully registered the client Client2 to the current slot.
4.View the hash for the Client2 identity.
lunacm:>stcconfig clientlist
lunacm:> stcconfig clientlist
Client Name Client Public Key SHA1 Hash
___________________________________________________________________________
Client2 cd5ca1c094acfe44803a9ef4b412fc4087a16c32
Partition SO 1b8e783c5cc3bb6a79e5d4a4026258a0f34ef7f6
If the displayed hash does not match the hash you received from the Client 2 Administrator, deregister the client identity and contact the Client 2 Administrator:
lunacm:>stcconfig clientdelete -label <client_label>
5.You can now initialize the Crypto Officer role (or the CO can initialize the Crypto User role) and provide the password to the Client 2 Administrator by secure means. See Configure Application Partitions.
The Partition SO can register additional clients to the same partition by repeating the process above.
Figure 3: Registering Multiple Clients to a Single Partition
Converting an Initialized NTLS Partition-Client Connection to STC
If you have initialized partitions already assigned to a client using NTLS, you can use the following procedure to switch to a more secure STC connection. All of the client's assigned partitions on the specified SafeNet Luna Network HSM will be converted. It is not possible for a client to connect to multiple partitions on a single SafeNet Luna Network HSM using a combination of NTLS and STC.
NOTE The HSM SO must first enable HSM Policy 39: Allow Secure Trusted Channel on the SafeNet Luna Network HSM (see Prerequisites).
The Partition SO must complete this procedure.
To convert an NTLS partition-client connection to STC:
1.Launch LunaCM and create the client token and identity.
NOTE This step is not required if you have already created a client token and identity. Verify using stc identityshow. If you recreate the client identity, you will have to re-register any existing STC partitions.
lunacm:>stc tokeninit -label <token_label>
lunacm:>stc identitycreate -label <client_identity>
For a more detailed description of this step, see Step 1: Create the Client Token and Identity.
2.Log in as Partition SO and export the existing partition ID.
lunacm:>slot set -slot <slotnum>
lunacm:>role login -name po
lunacm:>stcconfig partitionidexport
lunacm:> stcconfig partitionidexport
Successfully exported partition identity for the current slot to /usr/safenet/lunaclient/partition_identities/1238700701520.pid
3.Register the partition's public key with the client identity.
lunacm:>stc partitionregister -file <partition_identity> [-label <partition_label>]
lunacm:> stc partitionregister -file /usr/safenet/lunaclient/partition_identities/1238700701520.pid
Partition identity 1238700701520 successfully registered.
4.Register the client identity to the partition.
NOTE Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that there is enough free space before registering a client identity.
lunacm:>stcconfig clientregister -label <client_label> -file <client_identity>
lunacm:> stcconfig clientregister -label mySTCclientID -file /usr/safenet/lunaclient/client_identities/mySTCclientID
Successfully registered the client mySTCclientID to the current slot.
5.Enable partition policy 37: Force Secure Trusted Channel.
lunacm:>partition changepolicy -slot <slotnum> -policy 37 -value 1
NOTE If this command returns an error, ensure that the HSM SO has enabled HSM Policy 39.
Repeat steps 2-5 for each NTLS partition on the same SafeNet Luna Network HSM you want to register to this client.
6.Find the correct server ID for the SafeNet Luna Network HSM hosting the partition and enable its STC connection. You will be prompted to restart LunaCM and all current sessions will be closed.
CAUTION! This forces the client to use STC for all links to the specified appliance. Any remaining NTLS links from this client to the appliance will be terminated. Ensure that you have completed steps 2-5 for each of this client's partitions before continuing.
lunacm:>clientconfig listservers
lunacm:>stc enable -id <server_ID>
If a partition is not visible as a slot when LunaCM restarts, disable STC for the server using lunacm:>stc disable -id <server_ID>, and ensure that you have activated Partition Policy 37. For a more detailed version of this step, see Step 3: Enable and Verify the STC Link.