Cluster-Client Connections

Thales provides a client-side script, LNHClientRegistration, to connect Luna HSM Client to a cluster. You must run the script on any Luna HSM Client computers that will create or use keyrings on the cluster. The client requires a specified member Luna Network HSM 7 to use as an entry point to the cluster. All traffic from the client will be directed to this member appliance, although the operations may be performed by other cluster members.

NOTE    

>The LNHClientRegistration script included with Luna HSM Client 10.7.2 and newer is larger than in previous versions; it has been signed by Thales, like all other client binaries released for Windows platforms.

>Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

If this client will be used by a customer with monitor privileges in a service provider deployment, you can specify a LunaSH username to associate with the client. This can be the default monitor role, or a custom user with the monitor role assigned (see Creating Custom Appliance User Accounts). The specified user must already exist on the appliance.

Connecting Luna HSM Client to a Cluster

The following procedure will allow you to connect a Luna HSM Client computer to a Luna Network HSM 7 cluster. Each cluster is assigned an index number from 00 to 09 on the client. In this release, the configuration can be viewed only in the crystoki.ini / Chrystoki.conf configuration file; the following entries for each cluster are added to the LunaSA Client section (see Configuration File Summary):

LNHServer##
LNHServerClientCert##
LNHServerClientKey##
LNHServerCAFile##
LNHServerCN##

Prerequisites

>Ensure that you have a supported Luna HSM Client version installed. Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

CAUTION!   Using Luna HSM Client 10.7.2, running the script while specifying the same common name (usually an IP address) that was used to create an existing NTLS certificate causes the existing NTLS private key to be deleted. To preserve this key, located in <install directory>/data/client_identities/, save a copy in another location and restore it after running the registration script. Refer to known issue LUNA-32033.

Refer to Updating the Luna HSM Client Software.

>Ensure that you have the following information about each cluster you want to access using this client:

the Cluster ID

the IP address for an authorized member appliance that will accept this client's traffic

>If you customize the port numbers for admin and/or crypto traffic to the appliance, you must edit the LNHClientRegistration script to account for these port numbers, or client registration will fail. To update the script, replace all instances of the default admin port 50070 with your configured admin port, and instances of the default crypto port 50052 with your configured crypto port.

CAUTION!   In this release, changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members. Refer to known issue LUNA-26485.

>On AIX, the LNHClientRegistration script requires GNU sed 4.8.

Run dnf install sed to install it before using the script.

To connect Luna HSM Client to a cluster member

1.Run the LNHClientRegistration script to connect the client to the cluster, specifying the Cluster ID (-c), the IP address of the member the client will connect to (-i), a Common Name for the client certificate (-n), an optional label for the client (-l), and an optional LunaSH username with a monitor role to associate with this client (-u). This assigns the cluster to the 00 index position on the client.

Linux/AIX:

# ./LNHClientRegistration.sh -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>]

Windows PowerShell:

./LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>]

Windows command prompt:

powershell.exe -command "LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>]"

2.Run the script again for each additional cluster you wish to add, including the -m option to indicate that you are adding multiple clusters. Each new cluster added will be assigned to the next incremental index position (01, 02, 03... 09). If all the positions are filled, an error message is returned.

CAUTION!    

>Running the script again without the -m option will overwrite the cluster configuration at the 00 index position. However, do not replace a cluster configuration this way; stop your client applications and delete the existing cluster configuration before running the script again. See Removing a Cluster From the Luna HSM Client.

>Each cluster can only be added once; do not attempt to add the same cluster multiple times using different LunaSH roles.

Linux/AIX:

# ./LNHClientRegistration.sh -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>] -m

Windows PowerShell:

LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>] -m

Windows command prompt:

powershell.exe -command "LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>] -m"

Removing a Cluster From the Luna HSM Client

In this release, to remove a cluster from the client, you must manually delete it from the index by editing the LunaSA Client section of the crystoki.ini / Chrystoki.conf configuration file. First, stop all applications on this client that are using the cluster you will remove. Delete the entries for that cluster and save the configuration file.

LunaSA Client = {
   ReceiveTimeout = 20000;
   SSLConfigFile = /usr/safenet/lunaclient/bin/openssl.cnf;
   ClientPrivKeyFile = /usr/safenet/lunaclient/cert/client/ClientNameKey.pem;
   ClientCertFile = /usr/safenet/lunaclient/cert/client/ClientNameCert.pem;
   ServerCAFile = /usr/safenet/lunaclient/cert/server/CAFile.pem;
   NetClient = 1;
   TCPKeepAlive = 1;

   LNHServer00 = 1.2.3.4:50052;
   LNHServerClientCert00 = /usr/safenet/lunaclient/cert/client/c2c94c40-6491-409e-bd3d-16e236544b7f/2.3.4.5.pem;
   LNHServerClientKey00 = /usr/safenet/lunaclient/cert/client/c2c94c40-6491-409e-bd3d-16e236544b7f/2.3.4.5Key.pem;
   LNHServerCAFile00 = /usr/safenet/lunaclient/cert/server/c2c94c40-6491-409e-bd3d-16e236544b7f/lnh_ca.pem;
   LNHServerCN00 = lnh.thalesgroup.com;
   LNHServer01 = 5.6.7.8:50052;
   LNHServerClientCert01 = /usr/safenet/lunaclient/cert/client/3fed78e8-58ad-4aec-be5f-4a12a04ff073/2.3.4.5.pem;
   LNHServerClientKey01 = /usr/safenet/lunaclient/cert/client/3fed78e8-58ad-4aec-be5f-4a12a04ff073/2.3.4.5Key.pem;
   LNHServerCAFile01 = /usr/safenet/lunaclient/cert/server/3fed78e8-58ad-4aec-be5f-4a12a04ff073/lnh_ca.pem;
   LNHServerCN01 = lnh.thalesgroup.com;
}