Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority
A trusted Certificate Authority (CA) can provide authentication for your NTLS connections. This can be a commercial third-party CA or your organization's own signing station. This type of connection is created in the following stages:
1. Registering the Appliance Certificate on the Client
2. Authenticating a Client Using a Trusted CA
3. Registering the Client on the Appliance with -nocert [Appliance 7.8.3 onward]
NOTE This feature requires minimum Luna HSM Client 10.1.0.
Registering the Appliance Certificate on the Client
Use the following procedure to transfer the appliance's self-signed certificate to the client and register it.
Prerequisites
>You must have admin- or operator-level access to LunaSH on the appliance, or access to a custom LunaSH account.
>You must have Administrator privileges on the client workstation.
To register the appliance certificate to the client
1. Use pscp (Windows) or scp (Linux/UNIX) to import the HSM Appliance Server Certificate (server.pem) from the appliance to the client workstation. You require admin- or operator-level account access to complete this step. If you do not have SSL access to the appliance, or a firewall blocks file transfer over the network, the appliance admin must provide this certificate by other secure means.
TIP If you are importing certificates from multiple appliances to this client, rename each incoming certificate during the pscp/scp transfer. This will prevent you from accidentally overwriting one server.pem certificate with another.
pscp <user>@<host/IP>:server.pem <target_filename>
NOTE When using pscp/scp over an IPv6 network, enclose addresses in square brackets.
You must accept the SSH certificate the first time you open a pscp/scp or SSH link. You can check the SSH fingerprint in LunaSH to confirm the secure connection.
lunash:> sysconf fingerprint ssh
If the HSM appliance IP or hostname is changed, SSH detects a mismatch in the HSM appliance's server certification information and warns you of a potential security breach. To resolve this issue, delete the server's certificate information from the client’s known host file at: /<user home dir>/.ssh/known_hosts2, and re-import the server certificate.
2. Register the HSM Server Certificate with the client, using the vtl utility from the command line or shell prompt. If using a host name, ensure the name is reachable over the network (ping <hostname>). Thales Group recommends specifying an IP address to avoid network issues.
>vtl addServer -n <Network_HSM_hostname/IP> -c <server_certificate>
Authenticating a Client Using a Trusted CA
Use the following procedure to authenticate the client by having its certificate signed by your trusted CA.
Prerequisites
>You must have Administrator privileges on the client workstation.
To authenticate a client using a certificate signed by a trusted CA
1. On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.
NOTE On Windows, ensure that you open a command prompt with Administrator privileges.
•Windows: C:\Program Files\SafeNet\LunaClient
•Linux/AIX: /usr/safenet/lunaclient/bin
•Solaris: /opt/safenet/lunaclient/bin
2. Create a Certificate Signing Request (CSR) for the client, an unsigned certificate to be signed by a third-party Certificate Authority (CA). You must specify the client hostname or IP; other information about the certificate is optional.
CAUTION! Regenerating the server certificate will break any existing NTLS/STC connections once the service is subsequently restarted.
> vtl createCSR -n <client_hostname/IP>
The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>CSR.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.
3. Submit the CSR file to be signed by your preferred or in-house Certificate Authority. You require the following artifacts from the CA:
•Signed base64 (PEM)-encoded client certificate in X.509 format
•The CA's base64 (PEM)-encoded certificate chain in X.509 format, including the root certificate
4. Copy the signed client certificate to the following location in the Luna HSM Client directory:
•Windows: C:\Program Files\SafeNet\LunaClient\cert\client\
•Linux/AIX: /usr/safenet/lunaclient/cert/client/
•Solaris: /opt/safenet/lunaclient/cert/client/
Registering the Client on the Appliance with -nocert [Appliance 7.8.3 onward]
Use the following procedure to register the client on the appliance, and register the CA certificate chain so that the appliance can authenticate the client certificate.
NOTE The client's certificate file can be used to perform the registration, but as of appliance software version 7.8.3 it is not required (see the -nocert option below); certificates can be exchanged later. If -nocert is not used, a certificate named for the client hostname or IP is expected.
NTLS always uses bilateral authentication, so the client certificate is still used. -nocert means that the client certificate is not self-signed, so only the CA certificates need to be in the Luna Network HSM 7 appliance trust store.
Prerequisites
>You must have admin- or operator-level access to LunaSH on the Luna Network HSM 7 appliance.
>You require the signed, base64-encoded, PEM-formatted client certificate and the CA's base64-encoded, PEM-formatted certificate chain, including the root certificate.
To register the client certificate and CA certificate chain on the appliance
1. Log in to LunaSH and register the client with the appliance, selecting a client name that can be used to easily identify the client. Specify either the -hostname or -ip option.
lunash:> client register -client <client_name> {-hostname <client_hostname> | -ip <client_IP>} -nocert
2. Register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension, using the -hostname option. Repeat this step until the entire certificate chain is registered.
lunash:> client register -client <cert_name> -hostname <cert_filename>
You can now assign partitions to the client (see Assigning or Revoking NTLS Client Access to a Partition).
Registering the Client Certificate and CA Certificate Chain on the Appliance [pre-7.8.3]
Use the following procedure to register the client certificate on the appliance, and register the CA certificate chain so that the appliance can authenticate the client certificate.
Prerequisites
>You must have admin- or operator-level access to LunaSH on the Luna Network HSM 7 appliance.
>You require the signed, base64-encoded, PEM-formatted client certificate and the CA's base64-encoded, PEM-formatted certificate chain, including the root certificate.
NOTE
>All certificate chain files must be named for the certificate Common Name.
>The following procedure assumes that you are configuring an NTLS client-partition connection for the first time. If a connection is already established and the client certificate is replaced periodically (for example, on certificate renewal or when deploying on multiple virtual machines), the new client certificate must be transferred to and registered with the appliance only if the CA issued it under a new host name or IP. If the CA issued the new certificate under a previously used client host name or IP, the appliance continues to trust it on the basis of the registered certificate chain and maintains the NTLS client-partition connection. In such cases, where client certificates must be replaced periodically while maintaining the connection, Thales recommends replacing the client certificate on the client and leaving the expired client certificate on the appliance, to avoid application downtime.
To register the client certificate and CA certificate chain on the appliance
1. Transfer the client certificate and the CA certificate chain to the admin or operator user on the appliance (or the custom role that will perform the registration) using pscp or scp. The files arriving at the appliance are automatically placed in the appropriate directory. Do not specify a target directory.
2. Log in to LunaSH and register the client certificate with the appliance, selecting a client name that can be used to easily identify the client. Specify either the -hostname or -ip option, according to which one you used to create the certificate.
lunash:> client register -client <client_name> {-hostname <client_hostname> | -ip <client_IP>}
3. Register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension, using the -hostname option. Repeat this step until the entire certificate chain is registered.
lunash:> client register -client <cert_name> -hostname <cert_filename>
You can now assign partitions to the client (see Assigning or Revoking NTLS Client Access to a Partition).
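As an added example (not part of the Thales documentation or the Luna HSM Client), the following Python script applies the two naming rules above: it splits a CA chain bundle into one file per certificate named for its Common Name, and reads the subject CN of the signed client certificate so it can be compared with the hostname or IP given to createCSR and to -hostname/-ip at registration. It parses the DER with the standard library only; the fake_cert_pem helper builds constructed, unsigned certificate skeletons for testing, not real certificates.

```python
import base64, re

OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):   # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):   # every TLV nested directly inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def subject_cn(der):
    """Subject commonName of a DER X.509 certificate; ValueError if it has none."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # skip optional [0] version
        fields = fields[1:]
    for _, rdn in _children(fields[4][1]):              # serial, sigAlg, issuer, validity, subject
        for _, atv in _children(rdn):                   # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            if oid == OID_CN:
                return val.decode("utf-8")
    raise ValueError("certificate has no subject commonName")
def pem_subject_cn(pem_cert):
    """CN of one PEM certificate: must equal the name given to createCSR / register."""
    return subject_cn(base64.b64decode(PEM_RE.search(pem_cert).group(1)))
def chain_files(pem_bundle):
    """Split a PEM bundle into {"<CN>.pem": single PEM}, the naming the appliance expects."""
    return {pem_subject_cn(m.group(0)) + ".pem": m.group(0) + "\n"
            for m in PEM_RE.finditer(pem_bundle)}

# Constructed test data only: certificate skeletons with no real key or signature.
def _enc(tag, payload):   # minimal DER TLV encoder
    n, nb = len(payload), (len(payload).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload
def _name(cn):   # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue)
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, OID_CN) + _enc(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _name(issuer) + _enc(0x30, b"") + _name(subject))
    der = _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Write each entry of chain_files() to disk under its key before transferring with pscp/scp, and register each with -hostname set to the key minus .pem; a client certificate whose pem_subject_cn() differs from the registered hostname/IP will not be matched by the appliance.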
Updating, Rotating, or Refreshing a Certificate from a Registered Client
If the client certificate is expiring, or your security policy requires you to rotate certificates on a schedule, you might prefer to perform the update without closing connections that are currently working. With Luna Appliance Software 7.8.3 and newer, the client update command allows you to update the certificate so that it takes effect for all new connections, while currently open connections remain open with the pre-update certificate. The CA issuing certificate for clients should be registered on the Luna Network HSM 7 appliance, and the CA issuing certificate for the appliance should be registered on the client.