Network Configuration

The SafeNet Luna Network HSM is a network device that is intended to be installed in a data center and accessed remotely over a network. Network access to the SafeNet Luna Network HSM is provided by four 1 Gb/s Ethernet LAN ports. The SafeNet Luna Network HSM is also equipped with an RJ-45 serial port, used to provide serial access to the appliance for initial network configuration.

NOTE   Always employ network security best practices. Place the SafeNet Luna Network HSM behind a firewall.

The network device interfaces (eth0, eth1, eth2, and eth3) and serial port are located on the rear of the appliance, as illustrated below:

Serial port

Use the serial port to connect a serial device to the SafeNet Luna Network HSM for access to LunaSH to perform initial network configuration. You will need to use the serial port to configure at least one of the network interfaces. Once you have configured an interface, you can connect the appliance to the network and access LunaSH to complete the network configuration.

Appliance network configuration

The following network parameters are configured at the appliance level:

>Appliance hostname. A hostname is optional, unless you are using DNS.

Ethernet LAN device configuration

The SafeNet Luna Network HSM is equipped with four individually-configurable 1 Gb/s auto-sensing Ethernet LAN network devices. You can configure the following network settings for each device:

>IPv4 or IPv6 address. You can configure the addresses using static or DHCP addressing. If you are using IPv6 addressing, you can also use Stateless Address Autoconfiguration (SLAAC) to have a SLAAC-enabled router in your network automatically configure an IPv6 address on a device.

>Network gateway. IPv4 devices must use an IPv4 gateway. IPv6 devices must use an IPv6 gateway.

>Network mask. IPv4 devices must use dotted-quad format (for example, 255.255.255.0). IPv6 devices can use full or shorthand syntax.

>Static network route.

>DNS configuration. Although you configure DNS at the device level, the settings you configure for a device are available to all devices on the appliance if the configured device is connected to the network. To ensure DNS access, it is recommended that you configure each device. You can configure the following settings:

  >DNS nameservers. You can add up to three DNS nameservers.

  >DNS search domains.

These settings apply to static network configurations only. If you are using DHCP, the DNS search domains and DNS nameservers configured on the DHCP server are used.

Port bonding: Bond two ports into a single virtual redundant interface

The SafeNet Luna Network HSM supports port bonding. Port bonding allows you to create a bond between two interfaces (eth0 and eth1, or eth2 and eth3) into a single bonded interface (bond0 or bond1). In a bonded interface, both ports are bound to a virtual interface with a single IP address, with one port active and one port standby. See SafeNet Luna Network HSM Appliance Port Bonding for more information.

NTLS binding: Bind NTLS traffic to a specific device

You can bind the NTLS traffic (used to securely transport cryptographic messages exchanged between a client and the HSM across the network) to a specific Ethernet device (eth0, eth1, eth2, eth3, bond0, bond1, all) on the appliance. This allows you to divide the traffic going to the appliance into cryptographic (destined for the HSM) and administrative (LunaSH) streams, for enhanced security and performance. See Binding Your NTLS or SSH Traffic to a Device for more information.

SSH binding: Bind SSH traffic to a specific device, hostname, or IP address

You can optionally bind/restrict the SSH traffic (used to securely transport administrative messages across the network) to a specific Ethernet device (eth0, eth1, eth2, eth3, bond0, bond1, all) on the appliance, to the appliance hostname, or to a specific IP address. This allows you to divide the traffic going to the appliance into cryptographic (destined for the HSM) and administrative (LunaSH) streams, for enhanced security and performance. By default, SSH traffic is unrestricted. See Binding Your NTLS or SSH Traffic to a Device for more information.

Gathering Appliance Network Information

Before you begin, obtain the following information (see your network administrator for most of these items):

HSM Appliance Network Parameters

>IP address and subnet mask for each LAN port you want to use (if you are using static IP addressing)

>Hostname for the HSM appliance (registered with network DNS)

>Domain name (per port)

>Default gateway IP address (per port)

>DNS Name Server IP address(es) (per port)

>Search Domain name(s) (per port)

>Device subnet mask (per port)

DNS Entries

>Ensure that you have configured your DNS Server(s) with the correct entries for the appliance and the client. The Network HSM appliance expects fully qualified hostnames.

>If you are using DHCP, then all references to the Client and the HSM appliance (as in Certificates) should use hostnames.

Other Considerations

Clients need to be able to route directly to each HSM appliance they need to talk to, with no load balancing in place. The SafeNet Luna Network HSM does not work with off-the-shelf load balancers and service discovery techniques. You can NAT or forward the traffic so long as it always goes to the same place so the TLS tunnel isn’t terminated by outside forces.

Configuring the Network Parameters

You can use the serial connection to configure all of your network parameters now, or you can perform a minimal configuration now, where you only configure a single port, and then use the configured port to access the appliance over the network and complete the configuration.

NOTE   Use a locally connected serial terminal when changing the appliance IP address, to avoid SSH admin console disconnection due to the change.

To configure the appliance and port network parameters:

You can configure all of the ports now, using the serial connection, or you can configure only one port now, and then use a network connection to that port to configure the remaining ports. It is recommended that you configure and test each device. You need to know the IP address of at least one network interface to establish an SSH connection to the appliance.

Once configured, you can find the interface IP addresses on the appliance's front-panel LCD screen. If there is no IP address shown on the LCD, you must use a serial port connection to connect to the appliance.

1. Configure the IP address, network mask, and gateway (optional) on at least one of the Ethernet LAN ports, using the network interface command. You can configure the ports to use an IPv4 or IPv6 address. A mix of IPv4 and IPv6 ports is supported.

CAUTION!   Clients connecting to the appliance must use the same IP version that is configured on the port they are connecting to, so that certificates resolve. That is, all clients connecting to an IPv4 port must have an IPv4 address, and all clients connecting to an IPv6 port must have an IPv6 address.

If you are configuring an IPv4 address, you can configure a static address, or use DHCP.

Static:   lunash:> network interface static -device <netdevice> -ip <IP_address> -netmask <netmask> [-gateway <IP_address>]
DHCP:     lunash:> network interface dhcp -device <netdevice>

If you are configuring an IPv6 address, you can configure a static address, configure the port to obtain an IPv6 address using the Stateless Address Autoconfiguration (SLAAC) protocol, or use DHCP. To use SLAAC, you must have a SLAAC-enabled router in your network.

Static:   lunash:> network interface static -device <netdevice> -ip <IP_address> -netmask <netmask> [-gateway <IP_address>] -ipv6
SLAAC:    lunash:> network interface slaac -device <netdevice>
DHCP:     lunash:> network interface dhcp -device <netdevice> -ipv6

You are prompted to confirm the action. If no network cable is attached to the port you configured, the following message is displayed:

Warning. Unable to activate interface <netdevice> Ensure that the network cable is connected.

This message is informational. The interface will automatically activate when you connect a network cable to the port.

2. Optional: If you wish to use the Port Bonding feature described above to configure the bond0 and/or bond1 interface, use the network interface bonding config and network interface bonding enable commands. See SafeNet Luna Network HSM Appliance Port Bonding for more information.

3. Optional: If desired, set the appliance hostname and domain name using the network hostname command. You can specify a simple hostname or a Fully Qualified Domain Name (FQDN) using the format <hostname.domainname>. If you supply a hostname that includes a space, all text after the space is ignored. For example, if you typed network hostname my hsm the system would assign a hostname of "my". Therefore, if you want "my hsm", use "my_hsm", "my-hsm", or similar.

lunash:> network hostname <hostname>

You must configure your DNS server to resolve the hostname to the IP address configured on the Ethernet port of the appliance. Do this for each Ethernet port you are configuring. See your network administrator for assistance.

4. Optional: If you wish to use the NTLS or SSH binding features described above to restrict NTLS or SSH messages to an interface (eth0, eth1, eth2, eth3, bond0, bond1, all), use the ntls bind or sysconf ssh commands. See Binding Your NTLS or SSH Traffic to a Device for more information.

5. Optional: If desired, add a domain name server to the network configuration for the appliance using the network dns add nameserver command. The name server is added to the appliance DNS table. You can add up to three different DNS name servers to the appliance DNS table. There is one DNS table that applies to all network devices (ports) on the appliance.

NOTE    The domain name settings apply to static network configurations only. If you are using DHCP, the DNS name servers configured on the DHCP server are used.

When you add a DNS server, you add it to a specific network device on the appliance (eth0, eth1, eth2, eth3, bond0, bond1). When you add a DNS server to a device, it is added to the DNS table for the appliance and becomes available to all devices on the appliance, provided the device you added it to is connected to the network. For example, if you add a DNS server to eth0, all devices will be able to access the DNS server if eth0 is connected to the network. If eth0 is disconnected from the network, access to the DNS server is lost for any devices to which you did not add the DNS server. To ensure that any DNS server you add is available in the event of a network or port failure, it is recommended that you add it to all devices you will use to connect the appliance to the network.

lunash:> network dns add nameserver <ip_address> -device <net_device>

6. Optional: If desired, add a search domain to the network configuration for the appliance using the network dns add searchdomain command. Search domains allow you to avoid typing the complete address of frequently used Internet domains by automatically appending the search domain to an internet address you specify in LunaSH. For example, if you add the search domain mycompany.com, entering the command network ping hsm1 would search for the domain hsm1.mycompany.com. If the domain resolves, it would ping the device with that hostname.

The search domain is added to the appliance DNS table. You can add a maximum of six search domains totaling no more than 256 characters.

NOTE    The search domain settings apply to static network configurations only. If you are using DHCP, the DNS search domains configured on the DHCP server are used.

When you add a DNS search domain, you add it to a specific network device on the appliance (eth0, eth1, eth2, eth3, bond0, bond1). When you add a search domain to a device, it is added to the DNS table for the appliance and becomes available to all devices on the appliance, provided the device you added it to is connected to the network. For example, if you add a search domain to eth0, all devices will use the search domain if eth0 is connected to the network. If eth0 is disconnected from the network, the search domain is not used by any devices to which you did not add the search domain. To ensure that any search domain you add is available in the event of a network or port failure, it is recommended that you add it to all devices you will use to connect the appliance to the network.

lunash:> network dns add searchdomain <domain> -device <net_device>

If you have chosen to perform setup via SSH, rather than via the direct (serial) administrative connection, then you will likely lose your network connection at this point, as you confirm the change of IP address from the default setting.

7. View the new network settings with network show.

The network show command displays the current settings, so you can verify that they are now correct for your environment before attempting to use them.
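The rules in this procedure (IPv4 ports need IPv4 gateways and dotted-quad masks, hostnames must not contain spaces, only eth0/eth1 or eth2/eth3 may be bonded, NTLS and SSH bind only to a configured device, at most three nameservers and six search domains of 256 characters in total, DNS entries added on every port in use, clients matching the port's IP version) are easy to get wrong when typing them over a serial console. The following Python pre-flight check is an added example, not part of this guide or of the Luna product; the plan dictionary layout, the function names and the documentation-range addresses are assumptions, and it validates a plan offline before any LunaSH command is entered.

```python
import ipaddress

# Limits and device names as stated in the procedure above (assumed to apply as written).
MAX_NAMESERVERS, MAX_SEARCH_DOMAINS, MAX_SEARCH_CHARS = 3, 6, 256
BOND_PAIRS = {"bond0": {"eth0", "eth1"}, "bond1": {"eth2", "eth3"}}
VALID_IPV4_MASKS = {str(ipaddress.IPv4Network(f"0.0.0.0/{n}").netmask) for n in range(33)}

def check_plan(plan):
    """Return the list of rule violations in a planned appliance network configuration."""
    errs, versions = [], {}
    if " " in plan.get("hostname", ""):  # LunaSH ignores everything after a space
        errs.append("hostname contains a space; text after it would be ignored")
    for dev in plan["interfaces"]:
        name, ip = dev["name"], ipaddress.ip_address(dev["ip"])
        versions[name] = ip.version
        gw = dev.get("gateway")
        if gw and ipaddress.ip_address(gw).version != ip.version:
            errs.append(f"{name}: gateway must be IPv{ip.version}")
        if ip.version == 4 and dev["netmask"] not in VALID_IPV4_MASKS:
            errs.append(f"{name}: IPv4 netmask must be dotted-quad (e.g. 255.255.255.0)")
    for bond, members in plan.get("bonds", {}).items():
        if BOND_PAIRS.get(bond) != set(members):
            errs.append(f"{bond}: may only bond {sorted(BOND_PAIRS.get(bond, []))}")
    for svc in ("ntls_bind", "ssh_bind"):  # bind only to a configured port, a bond, or all
        if plan.get(svc, "all") not in {*versions, *plan.get("bonds", {}), "all"}:
            errs.append(f"{svc}: {plan[svc]} is not a configured device")
    ns, sd = plan.get("nameservers", {}), plan.get("search_domains", {})
    if len(ns) > MAX_NAMESERVERS:
        errs.append(f"more than {MAX_NAMESERVERS} nameservers")
    if len(sd) > MAX_SEARCH_DOMAINS or sum(map(len, sd)) > MAX_SEARCH_CHARS:
        errs.append("search domains exceed six entries or 256 characters in total")
    for entry, devs in [*ns.items(), *sd.items()]:  # add each entry on every port in use
        if missing := set(versions) - set(devs):
            errs.append(f"DNS entry {entry} not added on {sorted(missing)}")
    for c in plan.get("clients", []):  # a client must use the IP version of its port
        cv = ipaddress.ip_address(c["ip"]).version
        if versions.get(c["port"]) != cv:
            errs.append(f"client {c['ip']} is IPv{cv} but {c['port']} is not")
    return errs

# Constructed sample plan using documentation address ranges, not a real deployment.
SAMPLE_PLAN = {
    "hostname": "hsm1.example.com", "ntls_bind": "eth0", "ssh_bind": "eth1",
    "interfaces": [
        {"name": "eth0", "ip": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1"},
        {"name": "eth1", "ip": "2001:db8::10", "netmask": "64", "gateway": "2001:db8::1"}],
    "nameservers": {"192.0.2.53": ["eth0", "eth1"]},
    "search_domains": {"example.com": ["eth0", "eth1"]},
    "clients": [{"ip": "192.0.2.50", "port": "eth0"}],
}
```

Running check_plan(SAMPLE_PLAN) returns an empty list; each violation in a plan is reported as one line so it can be corrected before the corresponding lunash command is issued.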