Adding a Luna Cloud HSM Service

Luna HSM Client allows you to use both Luna partitions and Thales Data Protection on Demand (DPoD) Luna Cloud HSM services. Using a single client workstation, you can back up or migrate your keys between Luna and the Luna Cloud HSM service, or combine partitions and services into an HA group.

Adding a Luna Cloud HSM service requires some manual edits to the standard Luna HSM Client configuration file. This procedure describes how to add a Luna Cloud HSM service to your existing Luna HSM Client.

NOTE   This feature requires minimum Luna HSM Client version 10.2. See Version Dependencies by Feature for more information.

Prerequisites

>You must be using Luna HSM Client software version 10.2 or higher (see Updating the Luna HSM Client Software).

>DPoD Luna Cloud HSM services support Windows and Linux operating systems only. This procedure presumes that you have already set up Luna HSM Client on your Windows or Linux workstation:

Windows Luna HSM Client Installation

Linux Luna HSM Client Installation

>Luna Cloud HSM services are only compatible with password-authenticated Luna PCIe HSM partitions. For more information on Luna/Luna Cloud HSM service compatibility, refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM. You can still use Luna Cloud HSM and PED-authenticated Luna partitions from the same client workstation, but they cannot clone cryptographic objects between them.

>You must create a Luna Cloud HSM service using Thales DPoD:

https://cpl.thalesgroup.com/encryption/cloud-hsm-services-on-demand

To add a DPoD Luna Cloud HSM service to an existing Luna HSM Client

1.After purchasing a Luna Cloud HSM service, refer to the DPoD Luna Cloud HSM documentation for instructions on downloading the Luna Cloud HSM service client. Transfer the .zip file to your Luna HSM Client workstation using pscp, scp, or other secure means.

2.Extract the .zip file into a directory on your client workstation.

3.Extract (Windows) or untar (Linux) the client package for your operating system. Do not extract it into a new subdirectory; place the files directly in the Luna Cloud HSM service client install directory. The package for the other operating system can be safely deleted.

[Windows] cvclient-min.zip

[Linux] cvclient-min.tar

# tar -xvf cvclient-min.tar

4.Run the provided script to create a new configuration file containing information required by the Luna Cloud HSM service.

[Windows] Right-click setenv.cmd and select Run as Administrator.

[Linux] Source the setenv script.

# source ./setenv

5.Open the configuration file in the Luna Cloud HSM service client directory.

[Windows] crystoki.ini

[Linux] Chrystoki.conf

6.Copy the following sections from the Luna Cloud HSM service client configuration file to the existing configuration file in the Luna HSM Client install directory. The <...> values shown below are placeholders; the file generated for your service contains the actual credentials and server name, and those are the values you must copy.

[XTC]
Enabled=1
TimeoutSec=600

[REST]
AuthTokenClientId=<AuthTokenClientId>
AuthTokenClientSecret=<AuthTokenClientSecret>
AuthTokenConfigURI=<AuthTokenConfigURI>
ClientConnectIntervalMs=1000
ClientConnectRetryCount=900
ClientEofRetryCount=15
ClientPoolSize=32
ClientTimeoutSec=120
RestClient=1
ServerName=<ServerName>
ServerPort=443

Also, add the path to the plugins directory to the [Misc] section in your configuration file:

[Misc]
PluginModuleDir=<client_plugins_directory>

[Windows default] C:\Program Files\Safenet\Lunaclient\plugins\

[Linux default] /usr/safenet/lunaclient/plugins/

NOTE   The above example is taken from a Windows crystoki.ini file; for a Linux client platform, the Chrystoki.conf file uses the same entries in Linux syntax (Misc = { instead of [Misc], each entry terminated with a semicolon, and the section closed with }).

Save the configuration file. Because it now contains the service credentials (AuthTokenClientId and AuthTokenClientSecret), make sure it is readable only by the accounts that run HSM client applications on this workstation. If you wish, you can now safely delete the extracted Luna Cloud HSM service client directory.

7.Manually reset the ChrystokiConfigurationPath environment variable back to the location of the original configuration file. The setenv script in step 4 pointed this variable at the extracted Luna Cloud HSM service client directory; until it is reset, Luna HSM Client tools and applications will read the service's configuration file instead of the one you just edited.

[Windows] In the Control Panel, search for "environment" and select Edit the system environment variables. Click Environment Variables. In both the list boxes for the current user and system variables, edit ChrystokiConfigurationPath to point to the crystoki.ini file in the original client install directory.

[Linux] Either open a new shell session, or reset the environment variable for the current session to the location of the original Chrystoki.conf file:

# export ChrystokiConfigurationPath=/etc/

8.Launch or relaunch LunaCM and verify that both your Luna partitions and the Luna Cloud HSM service are listed as available slots.
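The following POSIX shell functions are an added example of steps 5 to 7 on Linux; they are not part of this page or of the Thales/DPoD client. They copy the XTC and REST sections from the service's Chrystoki.conf into the existing one, add PluginModuleDir to the Misc section, and check that the REST credentials are real values rather than the <...> placeholders shown above. The section names and the default plugins path come from this page; the Name = { Key = Value; } syntax is the Linux Chrystoki.conf format, and the file contents used for testing are constructed.

```shell
#!/bin/sh
# Added example (not Thales/DPoD code): merge the Luna Cloud HSM client's
# XTC and REST sections into an existing Linux Chrystoki.conf and set
# Misc.PluginModuleDir, as in steps 5-7. Section names and the default
# plugins path are taken from the page; everything else is assumed.

# Print one "Name = { ... }" section of a Chrystoki.conf-style file.
extract_section() {   # $1 = config file, $2 = section name
    awk -v name="$2" '
        $0 ~ ("^[ \t]*" name "[ \t]*=[ \t]*[{]") { inside = 1 }
        inside { print }
        inside && /^[ \t]*[}]/ { inside = 0 }
    ' "$1"
}

# Succeed if the file already contains a section of the given name.
has_section() {       # $1 = config file, $2 = section name
    [ -n "$(extract_section "$1" "$2")" ]
}

# Append XTC and REST from the DPoD client config to the existing config
# (skipping sections already present) and set Misc.PluginModuleDir.
merge_cloud_config() { # $1 = DPoD Chrystoki.conf, $2 = existing Chrystoki.conf, [$3 = plugins dir]
    dpod="$1"; existing="$2"; plugins="${3:-/usr/safenet/lunaclient/plugins/}"
    for sec in XTC REST; do
        if has_section "$existing" "$sec"; then
            echo "skip: $sec section already present in $existing" >&2
        elif has_section "$dpod" "$sec"; then
            extract_section "$dpod" "$sec" >> "$existing"
        else
            echo "error: $sec section missing from $dpod" >&2; return 1
        fi
    done
    if grep -q 'PluginModuleDir' "$existing"; then
        echo "skip: PluginModuleDir already set in $existing" >&2
    elif has_section "$existing" Misc; then
        # Insert the entry directly after the "Misc = {" line.
        tmp="$existing.tmp"
        awk -v dir="$plugins" '
            { print }
            /^[ \t]*Misc[ \t]*=[ \t]*[{]/ { print "   PluginModuleDir = " dir ";" }
        ' "$existing" > "$tmp" && mv "$tmp" "$existing"
    else
        # No Misc section at all: create one holding only the plugins path.
        printf 'Misc = {\n   PluginModuleDir = %s;\n}\n' "$plugins" >> "$existing"
    fi
}

# Print the value of one key inside one section (empty if absent).
section_value() {     # $1 = config file, $2 = section, $3 = key
    extract_section "$1" "$2" | awk -v k="$3" '
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
          if (key != k) next
          val = substr($0, i + 1); sub(/^[ \t]+/, "", val); sub(/;[ \t]*$/, "", val)
          print val; exit }'
}

# Fail if any REST credential is absent or still a <placeholder> from the docs.
check_rest_keys() {   # $1 = merged Chrystoki.conf
    rc=0
    for key in AuthTokenClientId AuthTokenClientSecret AuthTokenConfigURI ServerName; do
        val=$(section_value "$1" REST "$key")
        case "$val" in
            ''|'<'*) echo "REST.$key is missing or still a placeholder" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use after sourcing the DPoD setenv script (step 4), which points
# ChrystokiConfigurationPath at the extracted service client directory:
#   merge_cloud_config "$ChrystokiConfigurationPath/Chrystoki.conf" /etc/Chrystoki.conf
#   check_rest_keys /etc/Chrystoki.conf
#   export ChrystokiConfigurationPath=/etc/   # step 7: back to the original file
```

The merge is idempotent, so rerunning it after a partial edit will not duplicate sections. After the env variable is reset, launch LunaCM and run slot list to confirm the Luna partitions and the Luna Cloud HSM service both appear (step 8). Because the merged file now holds AuthTokenClientSecret, restrict its permissions to the accounts that run HSM client applications.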

You can now initialize the Luna Cloud HSM service just as you would a password-authenticated Luna application partition. The cloning domain you set on the Luna Cloud HSM service must match the partition(s) from which you will migrate keys. Refer to the Thales DPoD documentation for instructions and information on the capabilities of your Luna Cloud HSM service.

>Initializing an Application Partition

>Initializing the Crypto Officer and Crypto User Roles

Refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM before migrating keys or using the Luna Cloud HSM service in an HA group. You can migrate keys to your new Luna Cloud HSM service using direct slot-to-slot cloning, a Luna Backup HSM, or by setting up an HA group.

>Cloning Objects to Another Application Partition

>Backup and Restore Using a Luna Backup HSM (G5)

>Backup and Restore Using a Luna Backup HSM (G7)

>Setting Up an HA Group