Configuration File Summary

[Chrystoki2]

Path to the Chrystoki2 library.

Path to the Chrystoki2 library on 32-bit Windows systems only.

[Luna]

Specifies the PED timeout time 1 - defines how long (in milliseconds) the HSM tries to detect if it can talk to the PED before starting the actual communication with it. If the PED is unreachable the HSM returns to the host a result code for the respective HSM command. The result code indicates that the PED is not connected. This timeout is intended to be small so that the user is informed quickly that the PED is not connected.

Specifies the PED timeout time 2 - defines how long (in milliseconds) the firmware waits for the local PED to respond to PED commands. PED commands should not be confused with PED-related HSM commands. An HSM sends PED commands to the PED when processing PED-related HSM commands, such as LOGIN or PED_CONNECT. One PED-related HSM command can involve many PED commands being sent by the HSM to the PED (for example, the MofN related commands). If a local PED does not respond to the PED commands within the span of PEDTimeout2 the HSM returns an appropriate result code (such as PED_TIMEOUT) for the respective PED-related HSM command.

Specifies the PED timeout time 3 - defines additional time (in milliseconds) the firmware must wait for the remote PED to respond to PED commands. That is, the actual time the firmware waits for a remote PED to respond is PEDTimeout2 + PEDTimeout3.

Sets the default timeout interval - defines how long (in milliseconds) the HSM driver in the host system waits for HSM commands to return a result code. If the result code is not returned in that time, the driver assumes that the HSM is stuck and halts it, with the DEVICE_ERROR returned to all applications that use the HSM. Most HSM commands use this timeout. Very few exceptions exist, when a command's timeout is hard-coded in the Cryptoki library, or separate timeouts are specified in the Chrystoki.conf for certain classes of HSM commands.

This is an exception to DefaultTimeout (above). It defines timeout (in milliseconds) for all PED-related HSM commands. This class of PED-related commands can take more time than the ordinary commands that subscribe to the DefaultTimeOut value. As a rule of thumb, CommandTimeOutPedSet = DefaultTimeOut + PEDTimeout1 + PEDTimeout2 + PEDTimeout3.  

The amount of time (in milliseconds) the library allows for a Keypair generate operation to return a value. Due to the random component, large key sizes can take an arbitrarily long time to generate, and this setting keeps the attempts within reasonable bounds.The default is calculated as the best balance between the inconvenience of occasional very long waits and the inconvenience of restarting a keygen operation. You can change it to suit your situation.

The amount of time (in milliseconds) the library allows for the HSM to respond to a cloning command.

Timeout for Domain Parameter Generation.

[CardReader]

This setting was used when debugging older SafeNet products. For modern products it is ignored.

Number of SafeNet Luna USB HSM slots reserved so that the library will check for connected devices.

>Can be set to zero if you have no SafeNet Luna USB HSMs and wish to get rid of the reserved spaces in your slot list.

>Can be set to any number, but is effectively limited by the number of external USB devices your host can support.

[RBS]

The hostname or IP address that the RBS server will listen on. Default is 0.0.0.0 (any IP on the local host).

The port number used by the RBS server.

The location of the RBS Client authentication file.

The location of the RBS Server certificate file.

The location of the RBS Server certificate private key file.

The location of the OpenSSL configuration file used by RBS Server or Client.

The location of the RBS library.

If true (default), RBS acts as a Server. If false, RBS acts as a Client.

[LunaSA Client]

Location of the OpenSSL configuration file.

Time in milliseconds before a receive timeout

TCPKeepAlive is a TCP stack option, available at the LunaClient, and at the SafeNet Luna Network HSM appliance. For SafeNet purposes, it is controlled via an entry in the Chrystoki.conf /crystoki.ini file on the LunaClient, and in an equivalent file on SafeNet Luna Network HSM. For SafeNet Luna HSM 6.1 and newer, a fresh client software installation includes an entry "TCPKeepAlive=1" in the "LunaSA Client" section of the configuration file Chrystoki.conf (Linux/UNIX) or crystoki.ini (Windows). Config files and certificates are normally preserved through an uninstall, unless you explicitly delete them.

As such, if you update (install) LunaClient software where you previously had an older LunaClient that did not have a TCPKeepAlive entry, one is added and set to "1" (enabled), by default. In the case of update, if TCPKeepAlive is already defined in the configuration file, then your existing setting (enabled or disabled) is preserved.

The settings at the appliance and the client are independent. This allows a level of assurance, in case (for example) a firewall setting blocks in one direction.

If true, library will search for network slots

Location, on the client, of the server certificate file (set by vtl or LunaCM command clientconfig deploy).

Location of the Client certificate file that is uploaded to SafeNet Luna Network HSM for NTLS (set by vtl or LunaCM command clientconfig deploy).

Location of the Client private key file (set by vtl or LunaCM command clientconfig deploy).

Entries embedded by vtl utility, or the LunaCM command clientconfig deploy. Identifies the NTLS-linked SafeNet Luna Network HSM servers, and determines the order in which they are polled to create a slot list.

NOTE   The [Presentation] section is not created automatically. To change any of the following values, you must first create this section in the configuration file.

[Presentation]

Sets the starting slot for the identified partition. If one partition slot on an HSM is specified, then any that are not listed from that HSM are not displayed.

Admin partitions of local SafeNet Luna PCIe HSMs are not visible/(visible) in a slot listing

When the number of partitions on an HSM is not at the limit, unused slots are shown/(not shown).

Causes basic slot list to start at slot number 1 instead of (0).

[HAConfiguration]

When set to 1, shows only the HA virtual slot to the client, and hides the physical partitions/slots that are members of the virtual slot. Setting HAOnly helps prevent synchronization problems among member partitions, by forcing all client actions to be directed against the virtual slot, and dealing with synch transparently. HAOnly also prevents the shifting of slot numbers in the slot list that could occur if a visible physical partition were to drop out, which could disrupt an application that identifies its client partitions by slot numbers.

Specifies how many reconnection attempts will be made, when a member drops from the group. A value of "-1" is infinite retries.

Specifies the interval (in seconds) at which the library will attempt to reconnect with a missing member, until "reconnAtt" is reached, and attempts cease. The default value of 60 seconds is the lowest that is accepted.

[Misc]

The location of the LunaClient tools.

Controls what happens on newer firmware, when calls are made to specific older mechanisms that are now discouraged due to weakness.

When this item is set to 0, no re-mapping is performed.
When the value is set to 1, the following re-mapping occurs if the HSM firmware permits:

>PKCS Key Gen -> 186-3 Prime key gen

>X9.31 Key Gen -> 186-3 Aux Prime key gen (see Mechanism Remap for FIPS Compliance)

Controls what happens on older firmware, when specific newer mechanisms are called, that are not supported on the older firmware.
When this item is set to 0, no re-mapping is performed.

When the value is set to 1, the following re-mapping occurs if the HSM firmware permits:

>186-3 Prime key gen -> PKCS Key Gen

>186-3 Aux Prime key gen -> X9.31 Key Gen

Intended for evaluation purposes, such as with existing integrations that require newer mechanisms, before you update to firmware that actually supports the more secure mechanisms. Be careful with this setting, which makes it appear you are getting a new, secure mechanism, when really you are getting an outdated, insecure mechanism (see Mechanism Remap for FIPS Compliance).

This flag specifies which role to check for challenge request status. Possible values include:

>0 (default): no challenge request

>1: check for Crypto Officer challenge request

>2: check for Crypto User challenge request

Controls whether the public exponent of an RSA key can be copied from the private key template, if the public key template does not already have a public exponent attribute set.

Possible values include:

>0: if no public exponent is provided in the public template, then an error is returned (expected behavior).

>1(default): if no public exponent is provided in the public template, then the private exponent is copied from the private template to populate the public template.

For PKCS#11 compliance, this should be set to "0".

This flag determines what action to take if a function binding fails during a CryptokiConnect() operation.

Possible values include:

>0: fail if not all functions can be resolved (default)

>1: do not fail but issue warning for each function not resolved

>2: do not fail and do not issue warning (silent mode)

This flag determines whether the client can log in to a partition on an HSM that uses Functionality Modules (FMs). FMs consist of custom-designed code that introduces new functionality, which can be more or less secure than standard HSM functions.

Possible values include:

>0: the client does not allow login to an FM-enabled partition

>1: the client allows login to an FM-enabled partition

The default setting for this flag depends on whether you chose to install the FM Tools with the Luna HSM Client.

[Secure Trusted Channel]

Specifies the location of the token library on 64-bit Windows systems. This value must be correct in order to use a client token.

For 32-bit systems, see the ClientTokenLib32 entry below.

By default, ClientTokenLib points to the location of the soft token library. If you are using a hard token, you must manually change this value to point to the hard token library for your operating system. The exact location of the hard token library may vary depending on your installer. The location provided here is the most common location used.

Specifies the location of the token library on 32-bit Windows systems. This entry appears on Windows only. For 64-bit systems, see the ClientTokenLib entry above.

By default, ClientTokenLib32 points to the location of the soft token library. If you are using a hard token, you must manually change this value to point to the hard token library for your operating system. The exact location of the hard token library may vary depending on your installer. The location provided here is the most common location used.

NOTE   The [Session] section is not created automatically. To change any of the following values, you must first create this section in the configuration file.

[Session]

This flag determines whether AutoCleanUp runs, to close orphan sessions, on behalf of an application that neglects to close sessions. It is useful for SafeNet Luna PCIe HSMs (in the host that also runs the client application). AutoCleanUp runs during C_Finalize on the client. By contrast, the SafeNet Luna Network HSM has the active NTLS service that tracks and closes dangling sessions.

Possible values include:

>0: Run AutoCleanUp if your application leaks sessions and you cannot rewrite the application.

>1: Disable AutoCleanUp if you have a SafeNet Luna PCIe HSM and your client application does proper housekeeping, or if your application is connecting via NTLS to a SafeNet Luna Network HSM.

NOTE   The [Toggles] section is not created automatically. To change any of the following values, you must first create this section in the configuration file.

[Toggles]