Create a Network Trust Link Between the Client and the Appliance

The first step in preparing your clients to use the cryptographic resources provided by the HSM appliance is to create a secure Network Trust Link (NTL) between the client and the appliance. After you create the NTL between the client and the appliance, you can configure links to individual partitions on the appliance using NTL or Secure Trusted Channel (STC), as described in Enable the Client to Access a Partition.

About Network Trust Links

Network Trust Links (NTL) are secure, authenticated network connections between the SafeNet Luna Network HSM and Clients. NTLs use two-way digital certificate authentication and TLS data encryption (version 1.2 is supported in SafeNet Luna Network HSM 6.1) to protect sensitive data as it is transmitted between HSM Partitions on the SafeNet Luna Network HSM and Clients. NTLs consist of the following parts:

>Network Trust Link Service (NTLS): the NTL server daemon runs on the SafeNet Luna Network HSM appliance and manages the NTL connections to the appliance. NTLS listens on port 1792 on the SafeNet Luna Network HSM appliance.

>Network Trust Link Agent (NTLA): the NTL agent runs on a SafeNet Luna HSM client workstation and manages the NTL connections from the workstation. The NTL agent is included in the SafeNet Luna HSM client software.

>Network Trust Link itself: an encrypted, secure communications channel between the Client’s NTLA and the HSM appliance's NTLS.

Network Trust Links use digital certificates to verify the identities of connecting clients. During the initial HSM appliance configuration (see Generating the HSM Server Certificate), the appliance administrator generated a unique certificate that identifies the HSM appliance. Similarly, each Client must generate its own certificate that identifies it uniquely. Both the Client and the HSM appliance use these certificates to verify the other’s identity before an NTL is created between them.
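Because the client has no trust anchor for the appliance until it has the appliance certificate, a practitioner will want to confirm that the certificate the appliance actually presents on port 1792 is the same one copied to the client before registering the client against it. The following Python script is an added example and is not code from the Luna documentation or the Luna client software. It assumes (the page does not say) that the appliance certificate is available on the client as a PEM file, and that the appliance completes a TLS 1.2 handshake with a client that has not yet registered; because NTL uses two-way certificate authentication, an appliance may instead abort such a handshake, in which case the client's own certificate and key must be supplied so the handshake can complete. The sample certificate bytes at the end of the script are a constructed placeholder for offline use, not a real X.509 certificate.

```python
"""Compare the certificate an appliance presents on the NTLS port with a
local copy of that certificate.

Added example for this page; it is not part of the Luna documentation or
client software. Assumptions not stated on the page: the appliance
certificate has been copied to the client as a PEM file, and the appliance
completes a TLS handshake with a client that has not yet registered (if it
does not, pass the client's own certificate and key so the two-way
authentication can complete).
"""
import base64
import hashlib
import socket
import ssl
from typing import Optional, Tuple

NTLS_PORT = 1792  # the NTLS port on the appliance, as stated on the page


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    lines = [line.strip() for line in pem_text.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----") + 1
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError as exc:
        raise ValueError("no CERTIFICATE block found in PEM input") from exc
    return base64.b64decode("".join(lines[start:end]), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring separators and letter case."""
    def clean(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return clean(a) == clean(b)


def fetch_ntls_certificate(host: str, port: int = NTLS_PORT,
                           client_cert: Optional[str] = None,
                           client_key: Optional[str] = None,
                           timeout: float = 5.0) -> bytes:
    """Open a TLS 1.2+ connection to the NTLS port and return the peer's DER certificate.

    Chain verification is deliberately disabled: the client has no trust anchor
    yet, and the caller compares the returned certificate with the out-of-band copy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    if client_cert:  # needed if the appliance insists on two-way authentication
        ctx.load_cert_chain(client_cert, client_key)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_appliance(pem_path: str, host: str, **kwargs) -> Tuple[bool, str, str]:
    """Return (match, expected_fingerprint, presented_fingerprint)."""
    with open(pem_path, encoding="ascii") as f:
        expected = fingerprint(pem_to_der(f.read()))
    presented = fingerprint(fetch_ntls_certificate(host, **kwargs))
    return fingerprints_match(expected, presented), expected, presented


# Constructed placeholder for offline use; NOT a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER-encoded certificate"
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: verify_ntls_cert.py <appliance-cert.pem> <appliance-host>")
    ok, want, got = verify_appliance(sys.argv[1], sys.argv[2])
    print(f"expected  {want}\npresented {got}")
    sys.exit(0 if ok else 1)
```

Run it with the PEM copied from the appliance and the appliance's hostname or IP; a non-zero exit means the certificate on the wire is not the one you were given, and the client should not be registered until that is explained. The script only compares the leaf certificate; it does not check the certificate's validity period or who signed it, because for an appliance self-signed certificate the out-of-band copy is the only anchor.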

NOTE   Secure Trusted Channel (STC) offers enhanced HSM-client message integrity, and an additional layer of protection for client-to-HSM communications, even over unsecured networks. To take advantage of this feature, see Creating an STC Link Between a Client and a Partition in the Configuration Guide. For more on the differences between NTLS and STC connections, see STC Overview in the Administration Guide.

In this chapter, we set up a Network Trust Link between a Luna HSM Client and an application partition on a SafeNet Luna Network HSM. You can use either of the following methods:

Create a Network Trust Link - Multi-step setup

Create a Network Trust Link - One-Step Setup