Optional Configuration Tasks

After completing the base configuration, you can also perform any of the following optional configuration tasks:

Configure the SafeNet Luna Network HSM appliance to use a Network Time Protocol (NTP) server

You can synchronize a SafeNet Luna Network HSM appliance with a network time protocol (NTP) server. NTP provides a reliable, consistent, and accurate timing mechanism for the appliance using Coordinated Universal Time (UTC), and is the recommended option for providing an accurate date and time for the appliance. SafeNet Luna Network HSM also provides secure NTP. See Timestamping – NTP and Clock Drift in the SafeNet Luna Network HSM Appliance Administration Guide.

Configure multiple HSMs to operate in high-availability (HA) mode

High Availability (HA) mode allows you to automatically replicate the data on a HSM/partition over two or more physical HSMs to provide redundancy and load balancing. Applications using an HA HSM/partition do not access it directly. Instead, the HA software creates a virtual slot for the partition and manages which physical HSM is actually used when responding to an application request. See High-Availability Groups in the Administration Guide.

Configure SNMP

You can use the SafeNet SNMP MIB to monitor the performance of your HSMs. See SNMP Monitoring in the Administration Guide.

Configure a remote PED

If you are configuring a PED-authenticated HSM, you can configure it to use a remote PED, which allows you to authenticate to the HSM from a remote location. See About Remote PED in the Administration Guide.

Configure for RADIUS Authentication

RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol providing authentication, authorization, and accounting service to configured clients. The client passes user information to configured, designated RADIUS servers, and acts on the returned response. A RADIUS server receives user connection requests, authenticates the user if that user's profile exists on the server, and then returns the configuration information according to which the client can deliver service to the user.

While a proposal is being considered (by the custodians of the RADIUS standard) to switch to TLS communication protocol, RADIUS interaction currently takes place over UDP (User Datagram Protocol).

RADIUS Configuration Summary

Configuration and identification must take place at both ends of the RADIUS transaction. These actions include:

On the RADIUS Server Side

- Identify the client systems from which this server will accept requests and return service (this is recorded in the RADIUS server's configuration file).

- Identify the users who will be covered by the service.

On the RADIUS Client Side (Your SafeNet Luna Network HSM)

- Enable RADIUS.

- Add a RADIUS server, specifying its IP address, and providing the access secret for that server.

- Check the status of SafeNet Luna Network HSM appliance users.

- Add desired SafeNet Luna Network HSM appliance users to the RADIUS list, enabling RADIUS authentication for those users.

- Verify that RADIUS is enabled for any user on your SafeNet Luna Network HSM that needs to use RADIUS.

Configuring RADIUS with Your SafeNet Appliance

You can use any standards-compliant RADIUS server, either a commercial server or one of the free/open-source servers, like freeRADIUS or openRADIUS.

To configure the RADIUS Server:

1. Add the client to the RADIUS server's configuration file, specifying:

The address of the SafeNet Luna Network HSM appliance.

The secret or password that the client will use when connecting.

A short, user-friendly or business-relevant name for the client.

For some RADIUS implementations you can edit the file directly; for others, use the interface the server provides.

/etc/raddb/clients.conf:

client 192.20.17.174 {
        ipaddr          = 192.20.17.174
        secret          = testing123
        nas             = other
        shortname       = sa174
}
client 192.20.22.106 {
        ipaddr          = 192.20.22.106
        secret          = testing321
        nas             = other
        shortname       = sa22106
}

2. For each client, add the user name and the password for that user to the "users" file of the RADIUS server.

/etc/raddb/users:

sauser162       Cleartext-Password := "userpw654"
sauser171       Cleartext-Password := "userpw987"
sauser172       Cleartext-Password := "userpw789"
sauser173       Cleartext-Password := "userpw456"
sauser174       Cleartext-Password := "userpw321"
nagios          Cleartext-Password := "nagiospw"
audit           Cleartext-Password := "userpin"
someguy         Cleartext-Password := "userpw"
sauser106       Cleartext-Password := "userpw123"

A user can use RADIUS for a SafeNet Luna Network HSM only if that SafeNet Luna Network HSM is registered as a client, and that user is registered as a user, in the appropriate files on the RADIUS server.

Follow these steps on the SafeNet Luna Network HSM appliance:

NOTE   Without RADIUS, use the command user add user somename to add an appliance administrative user on SafeNet Luna Network HSM.
With RADIUS, use the command user radiusAdd -u somename to both create the user on the appliance and add that user to the RADIUS list. You cannot use user radiusAdd to convert an existing user from non-RADIUS to RADIUS.

1. On the SafeNet Luna Network HSM appliance, enable RADIUS.

lunash:>sysconf radius enable

2. Add the server (by hostname or IP address), specifying the port to use, and the timeout value in seconds.

lunash:>sysconf radius addserver -server <hostname/IP> -port <port> -timeout <seconds>

[1722022106] lunash:>sysconf radius add -s 192.20.15.182 -p 1812 -t 60

Enter the server secret:
Re-enter the server secret:
Command Result : 0 (Success)

3. Verify that the desired server has been added.

lunash:>sysconf radius show

[1722022106] lunash:>sysconf radius show

RADIUS for SSH is enabled with the following deployed servers:

                                                     server:port     timeout
                                                   -------------  ----------
                                              192.20.15.182:1812          60

Command Result : 0 (Success)

4. Check the user list to see which users exist, which are enabled on the SafeNet appliance, and which are RADIUS enabled.

lunash:>user list

[1722022106] lunash:>user list

                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 monitor     monitor    disabled          no
                operator    operator    disabled          no

Command Result : 0 (Success)

5. Add a user, by name, as a RADIUS user.

lunash:>user radiusAdd -username <name>

[1722022106] lunash:>user radiusAdd -u someguy

Creating mailbox file: File exists
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Command Result : 0 (Success)

6. Add the user's appliance role (in this example, the user is given admin-level access).

lunash:>user role add -username <name> -role <role>

[1722022106] lunash:>user role add -u someguy -r admin

User someguy was successfully modified.

Command Result : 0 (Success)

7. Verify that the user exists, has the correct role on the SafeNet appliance, and is a RADIUS user for this appliance.

lunash:>user list

[1722022106] lunash:>user list

                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 someguy       admin     enabled         yes
                 monitor     monitor    disabled          no
                operator    operator    disabled          no

Command Result : 0 (Success)
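The two requirements stated earlier (the appliance must be registered as a client on the RADIUS server, and every RADIUS-enabled appliance user must have an entry in the server's users file) are easy to get out of step when both ends are edited by hand. The following Python script is an added example, not part of the SafeNet documentation or of any Thales or freeRADIUS tool: it parses a freeRADIUS-style clients.conf, the users file and lunash user list output, then reports any RADIUS-enabled appliance user who cannot actually authenticate. The sample inputs are constructed from the excerpts above plus a hypothetical user alice; the check for the secret testing123 reflects the sample secret shipped in freeRADIUS's default clients.conf.

```python
import re

# Constructed sample inputs, modelled on the excerpts above (not captured from a real server).
CLIENTS_CONF = """
client 192.20.17.174 {
        ipaddr          = 192.20.17.174
        secret          = testing123
        nas             = other
        shortname       = sa174
}
client 192.20.22.106 {
        ipaddr          = 192.20.22.106
        secret          = testing321
        nas             = other
        shortname       = sa22106
}
"""

USERS_FILE = """
sauser174       Cleartext-Password := "userpw321"
someguy         Cleartext-Password := "userpw"
"""

# lunash 'user list' output; 'alice' is a hypothetical user added for the example.
USER_LIST_OUTPUT = """
                   Users       Roles      Status      RADIUS
    --------------------    --------    --------    --------
                   admin       admin     enabled          no
                   audit       audit     enabled          no
                 someguy       admin     enabled         yes
                   alice       admin     enabled         yes
                 monitor     monitor    disabled          no

Command Result : 0 (Success)
"""

# Secrets that ship as samples and should never survive into production.
PLACEHOLDER_SECRETS = {"testing123"}


def parse_clients(text):
    """Return {ipaddr: attributes} for every 'client <id> { ... }' block."""
    clients = {}
    for match in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = dict(re.findall(r"(\w+)\s*=\s*(\S+)", match.group(2)))
        clients[attrs.get("ipaddr", match.group(1))] = attrs
    return clients


def parse_users(text):
    """Return the set of user names defined in a freeRADIUS users file."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line.split()[0])
    return users


def parse_user_list(text):
    """Parse lunash 'user list' into {user: {'role', 'status', 'radius'}}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns and 'yes'/'no' in the RADIUS column.
        if len(parts) != 4 or parts[3] not in ("yes", "no"):
            continue
        user, role, status, radius = parts
        rows[user] = {"role": role, "status": status, "radius": radius == "yes"}
    return rows


def check_radius_setup(appliance_ip, clients_conf, users_file, user_list_output):
    """Return a list of findings; an empty list means both ends agree."""
    clients = parse_clients(clients_conf)
    radius_users = parse_users(users_file)
    appliance_users = parse_user_list(user_list_output)
    findings = []
    if appliance_ip not in clients:
        findings.append(f"appliance {appliance_ip} is not registered as a client on the RADIUS server")
    elif clients[appliance_ip].get("secret") in PLACEHOLDER_SECRETS:
        findings.append(f"client {appliance_ip} uses a sample secret; replace it before production use")
    for name, info in appliance_users.items():
        if info["radius"] and name not in radius_users:
            findings.append(f"user {name} is RADIUS-enabled on the appliance but missing from the RADIUS users file")
    return findings


if __name__ == "__main__":
    for finding in check_radius_setup("192.20.17.174", CLIENTS_CONF, USERS_FILE, USER_LIST_OUTPUT):
        print(finding)
```

Run it against the real files on the RADIUS server and a pasted copy of the appliance's user list after step 7; each finding names the side (server or appliance) that still needs a change.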