Solaris Luna HSM Client Installation
NOTE Solaris Client was not included for Luna HSM 7.7.0 or 7.7.1 releases, or Universal Client 10.2 or 10.3.
These instructions assume that you have already acquired the Luna HSM Client software, in the form of a downloaded .tar archive.
You must install the Luna HSM Client software on each client workstation you will use to access a Luna HSM. This section describes how to install the client on a workstation running Solaris, and contains the following topics:
>Installing the Client Software
>Solaris Luna HSM Client Installation
>Uninstalling the Luna HSM Client Software
>Java
>Scripted or Unattended Installation
>Interrupting the installation - [Ctrl] [C]
Applicability to specific versions of Solaris is summarized in the Customer Release Notes.
NOTE Before installing a Luna system, you should confirm that the product you have received is in factory condition and has not been tampered with in transit. Refer to the Startup Guide included with your product shipment. If you have any questions about the condition of the product that you have received, contact Thales Support.
Each computer that connects to the Luna Network HSM appliance as a client must have the cryptoki library, the vtl client shell and other utilities and supporting files installed.
Each computer that contains a Luna PCIe HSM, or is connected to a Luna USB HSM, must have the cryptoki library and other utilities and supporting files installed.
NOTE This example shows all the Luna HSM Client products and components. Some items are not supported on all operating systems and therefore do not appear as you proceed through the installation script.
Prerequisites
Before starting the installation, ensure that you have satisfied the following prerequisites:
Random Number Generator (RNG) or Entropy Gathering Daemon (EGD)
Ensure that you have a Random Number Generator (RNG) or Entropy Gathering Daemon (EGD) on your system in one of the following locations:
>/dev/egd-pool
> /etc/egd-pool,
> /etc/entropy
>/var/run/egd-pool
RNG/EGD
Cryptographic algorithms, including those that assure the security of communication – such as in OpenSSL and other protocols – depend upon random numbers for the creation of strong keys and certificates. A readily available source of random data is the entropy that exists in complex computer processes. Utilities exist for every operating system, to gather bits of system entropy into a pool, which can then be used by other processes.
Windows and Linux have these installed by default. Other systems might not. See your system administrator.
Entropy Pool
In the case of Luna Network HSM, the Luna HSM Client administration tool (vtl) expects to find a source of randomness at /dev/random. If one is not found, vtl fails, because the link cannot be secured from the Client end.
If your system does have an entropy pool, but the random number generator (RNG) is not in the expected place, then you can create a symbolic link between the actual location and one of the following:
>/dev/random
> /dev/egd-pool
> /etc/egd-pool
>/etc/entropy
>/var/run/egd-pool
If your system does not have an entropy-gathering daemon or random number generator, please direct your system administrator to install one, and point it to one of the named devices.
Installing the Client Software
TIP We recommend verifying the integrity of the Universal Client packages, by calculating their SHA256 hash values and comparing with the hash values posted on the Support Portal, before installing them on your client machines.
You can use the sha256sum tool on Linux machines to calculate the SHA256 hash values.
It is recommended that you refer to the Luna HSM Customer Release Notes for any installation-related issues or instructions before you begin the following software installation process.
CAUTION! You must be logged in as root when you run the installation script.
By default, the Client programs are installed in the /opt/safenet/lunaclient/bin directory.
To install the Luna HSM Client software on a Solaris workstation
1.Log on to the client system, open a console or terminal window, and use su to gain administrative permissions for the installation.
2.Access the Luna HSM Client software:
a.Copy or move the .tar archive to a suitable directory where you can untar the archive and launch the installation script.
b.Extract the contents from the archive:
tar xvf <filename>.tar
3.Go to the install directory for your architecture:
NOTE Luna HSM Client 10.1 and newer includes libraries for 64-bit operating systems only.
Architecture | Path |
---|---|
Solaris Sparc 32-bit | LunaClient_7.X.0_SolarisXXSparc/32 |
Solaris Sparc 64-bit | LunaClient_7.X.0_SolarisXXSparc/64 |
Solaris x86 32-bit | LunaClient_7.X.0_SolarisXXx86/32 |
Solaris x86 64-bit | LunaClient_7.X.0_SolarisXXx86/64 |
4.To see the help, or a list of available installer options, type:
sh install.sh -? or sh install.sh --help
To install all available products and optional components, type:
sh install.sh all
To selectively install individual products and optional components, type the command without arguments:
sh install.sh
5.Type y
if you agree to be bound by the license agreement.
6.A list of installable Luna products is displayed (might be different, depending on your platform). Select as many as you require, by typing the number of each (in any order) and pressing Enter. As each item is selected, the list updates, with a "*" in front of any item that has been selected. The following example shows that items 1 and 3 have been selected, and item 4 is about to be selected.
Products Choose Luna Products to be installed
*[1]: Luna Network HSM [2]: Luna PCIe HSM
*[3]: Luna USB HSM
[4]: Luna Backup HSM [N|n]: Next [Q|q]: Quit
Enter selection: 4
7.When the selection is complete, type N or n for "Next", and press Enter. If you wish to make a change, simply type a number again and press Enter to de-select a single item.
8.The next list is titled "Advanced" and includes additional items to install. Some items might be pre-selected to provide the optimum Luna HSM experience for the majority of customers, but you can change any selection in the list. When the Components list is adjusted to your satisfaction, press Enter.
NOTE The installer includes the Luna SNMP Subagent as an option. If you select this option, you will need to move the SafeNet MIB files to the appropriate directory for your SNMP application after installation is complete, and you will need to start the SafeNet subagent and configure for use with your agent.
9.If the script detects an existing cryptoki library, it stops and suggests that you uninstall your previous Luna software before starting the Luna HSM Client installation again.
10.The system installs all packages related to the products and any optional components that you selected.
11.Although FMs are supported on Linux and Windows clients only in this release, the FM architecture requires a configuration file setting to allow partition login on an FM-enabled HSM. If the HSM you will be using with this client is FM-enabled (see Preparing the Luna PCIe HSM to Use FMs for more information), you must add the following entry to the [Misc] section of the Chrystoki.conf file:
[Misc]
LoginAllowedOnFMEnabledHSMs=1
NOTE As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by Thales Technical Support. If you do modify the file, never insert TAB characters - use individual space characters. Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.
Uninstalling the Luna HSM Client Software
1.cd /opt/safenet/lunaclient/bin
2.sh uninstall.sh
Java
If you install the Luna Java Security Provider (JSP), refer to Luna JSP Overview and Installation for additional setup procedures for your operating system.
Scripted or Unattended Installation
If you prefer to run the installation from a script, rather than interactively, run the command with the options -p <list of Luna products> and -c <list of Luna components>. To see the syntax, run the command with help like this:
[myhost]$ sudo sh install.sh help
[sudo] password for fred
At least one product should be specified. usage: install.sh - Luna Client install through menu install.sh help - Display scriptable install options install.sh all - Complete Luna Client install install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp] -p <list of Luna products> -c <list of Luna components> - Optional. All components are installed if not provided Luna products options sa - Luna Network HSM pci - Luna PCIe HSM g5 - Luna USB HSM rb - Luna Backup HSM Luna components options sdk - Luna SDK jsp - Luna JSP (Java) jcprov - Luna JCPROV (Java) snmp - Luna SNMP subagent [myhost]$
For scripted/automated installation, your script will need to capture and respond to the License Agreement prompt, and to the confirmation prompt. For example:
[myhost]$ sudo sh install.sh all IMPORTANT: The terms and conditions of use outlined in the software license agreement (Document #008-010005-001_053110) shipped with the product ("License") constitute a legal agreement between you and SafeNet Inc. Please read the License contained in the packaging of this product in its entirety before installing this product. Do you agree to the License contained in the product packaging? If you select 'yes' or 'y' you agree to be bound by all the terms and conditions se out in the License. If you select 'no' or 'n', this product will not be installed. (y/n) y Complete Luna Client will be installed. This includes Luna Network HSM, Luna PCIe HSM, Luna USB HSM AND Luna Backup HSM. Select 'yes' or 'y' to proceed with the install. Select 'no' or 'n', to cancel this install. Continue (y/n)? y
Interrupting the installation - [Ctrl] [C]
Do not interrupt the installation script in progress, and ensure that your host computer is served by an uninterruptible power supply (UPS). If you press [Ctrl] [C], or otherwise interrupt the installation (OS problem, power outage, other), some components will not be installed. It is not possible to resume an interrupted install process. The result of an interruption depends on where, in the process, the interruption occurred (what remained to install before the process was stopped).
As long as the cryptoki package is installed, any subsequent installation attempt results in refusal with the message "A version of Luna Client is already installed." Removing the library allows the script to clean up remaining components, so that you can install again.
What to do if installation is incomplete or damaged
1.If SNFTlibcryptoki has been installed, uninstall it manually.
2.Run the Client install script again. Now that SNFTlibcryptoki is removed, the install script removes any stray packages and files.
3.Install again, to perform a clean installation.