Configured and Registered Client Using an HSM Partition

Following the instructions in the previous sections, you have already registered and assigned a Client to a SafeNet Luna PCIe HSM partition.

All that is required for a Client application to begin using a SafeNet Luna PCIe HSM partition (to which the Client has been assigned) is the standard handshake sequence:

1. The Client establishes a Network Trust Link connection with the SafeNet Luna PCIe HSM (port 1792).

2. The Client requests a list of available partitions (if not already known).

3. SafeNet Luna PCIe HSM responds with a list of only those partitions assigned to the requesting Client.

4. The Client chooses a partition from the available, assigned partitions.

5. SafeNet Luna PCIe HSM demands the credential (password or PED key) for the selected partition.

6. The Client (which may also be called Crypto User if you are using the Crypto Officer/Crypto User authentication and access model) provides the appropriate credential.

7. SafeNet Luna PCIe HSM grants access, and the Client application begins using the partition.

Your application should be capable of performing the above actions.
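The following sketch is an added example, not code from the product documentation. It expresses steps 2 to 7 as PKCS#11 calls and reports which step failed, which is the first thing to establish when troubleshooting. It assumes the application reaches the partition through the client's PKCS#11 library via the third-party PyKCS11 package; `open_partition`, `PartitionAccessError`, `load_library` and the library path are hypothetical names chosen for illustration.

```python
# Added example: handshake steps 2-7 expressed as PKCS#11 calls.
# `lib` is any object with the PyKCS11.PyKCS11Lib interface.

CKF_RW_SESSION = 0x2       # PKCS#11 standard flag values
CKF_SERIAL_SESSION = 0x4


class PartitionAccessError(Exception):
    """Records the handshake step that failed, for troubleshooting."""

    def __init__(self, step, detail):
        super().__init__(f"step {step}: {detail}")
        self.step = step


def open_partition(lib, label, credential):
    """Return a logged-in session on the partition whose token label is `label`."""
    # Steps 2-3: the HSM lists only the partitions assigned to this Client.
    try:
        slots = lib.getSlotList(tokenPresent=True)
    except Exception as exc:
        raise PartitionAccessError(2, f"cannot list partitions: {exc}") from exc
    labels = {lib.getTokenInfo(s).label.strip(): s for s in slots}
    # Step 4: choose the partition; a missing label points at Client assignment.
    if label not in labels:
        raise PartitionAccessError(
            4, f"{label!r} not among assigned partitions {sorted(labels)}")
    session = lib.openSession(labels[label], CKF_SERIAL_SESSION | CKF_RW_SESSION)
    # Steps 5-7: present the credential; release the session if it is refused.
    try:
        session.login(credential)  # PyKCS11 defaults to user type CKU_USER
    except Exception as exc:
        session.closeSession()
        raise PartitionAccessError(6, f"credential refused: {exc}") from exc
    return session


def load_library(path):
    """Load the client's PKCS#11 library; `path` is site-specific (placeholder)."""
    import PyKCS11  # imported lazily so open_partition() can be tested offline
    lib = PyKCS11.PyKCS11Lib()
    lib.load(path)
    return lib
```

A failure at step 4 suggests the Client is not assigned to the partition, while a failure at step 6 points at the credential or the partition's authentication state.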

Simple Troubleshooting

If your Client application is having difficulty using SafeNet Luna PCIe HSM, and you have already verified the connection and the configuration (using multitoken and CMU utilities - see multitoken or About the CMU Functions in the Utilities Guide), then there may be a problem with the configuration of your Client application. Try the following suggestions before calling Thales Technical Support.

Password Authentication Model

If you have a password-authenticated SafeNet Luna PCIe HSM, look to your application setup for the source of the problem. It might require special configuration. If SafeNet Luna PCIe HSM has replaced another HSM product (including a SafeNet product), you may need to modify the application to recognize the new device.

NOTE: Refer to the SDK Reference Guide and to the application integration documents provided by Thales Technical Support for information on integrating many popular applications and services with SafeNet Luna PCIe HSM.

PED Authentication Model

If you have a PED-authenticated SafeNet Luna PCIe HSM, having the Client application present the partition password is not sufficient to access the partition. The partition must also be activated (see Activation and Auto-Activation on PED-Authenticated Partitions). To ensure that the HSM Partition is always in the desired state, we recommend that you enable AutoActivation on the partition, so that it can accept Client authentication and access at any time without presenting a PED key at the SafeNet Luna PCIe HSM appliance.

If you want minute-by-minute control of a client's ability to access the HSM, without the need to access the appliance at its location, use the Remote PED feature (see About Remote PED).