Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority
A trusted Certificate Authority (CA) can provide authentication for your NTLS connections. This can be a commercial third-party CA or your organization's own signing station. This type of connection is created in the following stages:
1. Registering the Appliance Certificate on the Client
2. Authenticating a Client Using a 3rd-Party CA
3. Registering the Client Certificate and CA Certificate Chain on the Appliance
NOTE This feature requires minimum Luna HSM Client version 10.1. See Version Dependencies by Feature for more information.
Registering the Appliance Certificate on the Client
Use the following procedure to transfer the appliance's self-signed certificate to the client and register it.
Prerequisites
>You must have admin- or operator-level access to LunaSH on the appliance, or access to a custom LunaSH account.
>You must have Administrator privileges on the client workstation.
To register the appliance certificate to the client
1. Use pscp (Windows) or scp (Linux/UNIX) to import the HSM Appliance Server Certificate (server.pem) from the appliance to the client workstation. You require admin- or operator-level account access to complete this step. If you do not have SSL access to the appliance, or a firewall blocks file transfer over the network, the appliance admin must provide this certificate by other secure means.
TIP If you are importing certificates from multiple appliances to this client, rename each incoming certificate during the pscp/scp transfer. This will prevent you from accidentally overwriting one server.pem certificate with another.
pscp <user>@<host/IP>:server.pem <target_filename>
NOTE When using pscp/scp over an IPv6 network, enclose addresses in square brackets.
You must accept the SSH certificate the first time you open a pscp/scp or SSH link. You can check the SSH fingerprint in LunaSH to confirm the secure connection.
lunash:> sysconf fingerprint ssh
If the HSM appliance IP or hostname is changed, SSH detects a mismatch in the HSM appliance's server certificate information and warns you of a potential security breach. To resolve this issue, delete the server's certificate information from the client's known hosts file at /<user home dir>/.ssh/known_hosts2, and re-import the server certificate.
2. Register the HSM Server Certificate with the client, using the vtl utility from the command line or shell prompt. If using a host name, ensure the name is reachable over the network (ping <hostname>). Thales Group recommends specifying an IP address to avoid network issues.
>vtl addServer -n <Network_HSM_hostname/IP> -c <server_certificate>
Authenticating a Client Using a 3rd-Party CA
Use the following procedure to authenticate the client by having its certificate signed by your trusted CA.
Prerequisites
>You must have Administrator privileges on the client workstation.
To authenticate a client using a certificate signed by a 3rd-party CA
1. On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.
NOTE On Windows, ensure that you open a command prompt with Administrator privileges.
• Windows: C:\Program Files\SafeNet\LunaClient
• Linux/AIX: /usr/safenet/lunaclient/bin
• Solaris: /opt/safenet/lunaclient/bin
2. Create a Certificate Signing Request (CSR) for the client—an unsigned certificate to be signed by a third-party Certificate Authority (CA). You must specify the client hostname or IP. You have the option to specify other information about the certificate.
CAUTION! Regenerating the client certificate will break any existing NTLS/STC connections.
> vtl createCSR -n <client_hostname/IP>
The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>CSR.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.
3. Submit the CSR file to be signed by your preferred or in-house Certificate Authority. You require the following artifacts from the CA:
• The signed base64(PEM)-encoded client certificate in x509 format
• The CA's base64(PEM)-encoded certificate chain in x509 format, including the root certificate
4. Copy the signed client certificate to the following location in the Luna HSM Client directory:
• Windows: C:\Program Files\SafeNet\LunaClient\cert\client\
• Linux/AIX: /usr/safenet/lunaclient/cert/client/
• Solaris: /opt/safenet/lunaclient/cert/client/
Registering the Client Certificate and CA Certificate Chain on the Appliance
Use the following procedure to register the client certificate on the appliance, and register the CA certificate chain so that the appliance can authenticate the client certificate.
Prerequisites
>You must have admin- or operator-level access to LunaSH on the Luna Network HSM appliance.
>You require the signed base64(PEM)-encoded client certificate and the CA's base64-encoded certificate chain, including the root certificate, in x509 format.
NOTE All certificate chain files must be named for the certificate Common Name, with a .pem extension.
To register the client certificate and CA certificate chain on the appliance
1. Transfer the client certificate and the CA certificate chain to the admin or operator user on the appliance (or the custom role that will perform the registration) using pscp or scp. The files arriving at the appliance are automatically placed in the appropriate directory. Do not specify a target directory.
2. Log in to LunaSH and register the client certificate with the appliance, selecting a client name that can be used to easily identify the client. Specify either the -hostname or -ip option, according to which one you used to create the certificate.
lunash:> client register -client <client_name> {-hostname <client_hostname> | -ip <client_IP>}
3. Register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension, using the -hostname option. Repeat this step until the entire certificate chain is registered.
lunash:> client register -client <cert_name> -hostname <cert_filename>
You can now assign partitions to the client (see Assigning or Revoking NTLS Client Access to a Partition).
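As an added example that is not part of the Thales documentation, the following POSIX shell script checks the artifacts the CA returns in the CSR procedure above before they are copied to cert/client and transferred to the appliance: it confirms that the signed client certificate's CN is exactly the hostname/IP given to vtl createCSR (so the -hostname or -ip value at registration will match) and that it chains to the CA bundle, and it splits the chain bundle into one <CN>.pem file per certificate, the naming the appliance requires. It assumes openssl is installed on the client workstation; the script and function names are my own.

```shell
#!/bin/sh
# Added example (not from the Thales documentation): sanity-check the CA's
# artifacts before they are copied to cert/client and sent to the appliance.
# Assumes openssl is on PATH and that the CA chain arrives as one PEM bundle.
set -e

# Print the Common Name (CN) of the PEM certificate in file $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Split bundle $1 into one file per certificate under directory $2, each
# named <CN>.pem as the appliance expects; print how many were written.
split_chain() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1") || { echo "no certificates in $1" >&2; return 1; }
  mkdir -p "$2"
  i=1
  while [ "$i" -le "$n" ]; do
    # extract the i-th PEM block, then rename it after its CN
    awk -v want="$i" '/BEGIN CERTIFICATE/{c++} c==want' "$1" > "$2/.tmp.pem"
    mv "$2/.tmp.pem" "$2/$(cert_cn "$2/.tmp.pem").pem"
    i=$((i + 1))
  done
  echo "$n"
}

# Succeed only if the client certificate ($2) carries the exact hostname/IP
# given to vtl createCSR ($1) as its CN and chains up to the CA bundle ($3);
# a mismatch or a missing intermediate is reported before the appliance is
# asked to trust the files.
check_client_cert() {
  cn=$(cert_cn "$2")
  [ "$cn" = "$1" ] || { echo "CN '$cn' does not match '$1'" >&2; return 1; }
  openssl verify -CAfile "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# Usage: sh check_ca_artifacts.sh <client_hostname_or_IP> <signed_client.pem> <ca_chain.pem> <out_dir>
if [ "$#" -eq 4 ]; then
  check_client_cert "$1" "$2" "$3"
  echo "$(split_chain "$3" "$4") chain file(s) written to $4"
fi
```

The files written to <out_dir> are the ones to transfer to the appliance with pscp/scp and register one by one with client register -hostname <cert_filename>.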