Creating an STC Connection

To create a Secure Trusted Channel (STC) connection, a partition identity is created directly on the partition, and the client and partition exchange identities. This allows end-to-end encryption of all communications between partition and client. This section describes how to establish an STC connection between a client and a new partition. The procedure involves the HSM SO and the administrator of the client workstation.

NOTE   The Luna Network HSM can create STC and NTLS channels to different clients as required. The client can also support both STC and NTLS links. However, all links from a specific client to a specific Luna Network HSM appliance must be either STC or NTLS.

STC links are not supported over an IPv6 network. You must use NTLS to make partition-client connections via IPv6.

STC has been updated for the Luna 7.7.0 release. To use the updated STC connections, you require appliance software 7.7.0 or newer, Luna HSM firmware 7.7.0 or newer, and Luna HSM Client 10.3.0 or newer. See Version Dependencies by Feature.

To use Functionality Modules (FMs) with STC client connections, you require Luna HSM firmware 7.7.0 or newer. To use FMs with earlier firmware versions, you must use NTLS connections.

1. Preparing the HSM/Partition to Use STC

2. Preparing the Client to Use STC

3. Creating a Client-Partition STC Connection

Preparing the HSM/Partition to Use STC

To establish an STC connection between partition and client, you must first enable STC on the HSM (depending on your HSM firmware version), create one or more partitions and export their partition identities. These operations are performed by the HSM SO.

NOTE   When you enable HSM policy 39: Allow Secure Trusted Channel on Luna 7.4.x or earlier, the following LunaSH commands are blocked to protect the integrity of any STC links that are created:

>hsm stc identity create

>hsm stc identity initialize

>hsm stc identity delete

>hsm stc identity partition deregister

If you plan to use STC on the admin channel and want to recreate the HSM identity first, see Configuring STC Identities and Settings before continuing.

To prepare the HSM and partition(s) for STC connections

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin (see Logging In to LunaSH).

2. Log in as HSM SO (see Logging In as HSM Security Officer).

lunash:> hsm login

3. Enable HSM Policy 39: Allow Secure Trusted Channel. If you are using Luna version 7.7.0 or newer, this policy has been removed; skip this step.

lunash:> hsm changepolicy -policy 39 -value 1

4. Create one or more new partitions for the client (see Creating or Deleting an Application Partition).

lunash:> partition create -partition <partition_name> [-size <bytes>]

NOTE   Account for the following client identity storage overhead:

>When running appliance software 7.4.0 or lower, Luna HSM firmware 7.3.3 or lower, and Luna HSM Client 10.2.0 or lower (old STC partitions), each client identity registered to a partition uses 2392 bytes of storage on the partition.

>When running appliance software 7.7.0 or newer, Luna HSM firmware 7.7.0 or newer, and Luna HSM Client 10.3.0 or newer (updated STC partitions), each client identity registered to a partition uses 512 bytes of storage on the partition.

Ensure that you create partitions large enough to store the identity of every client that will access the partition, in addition to cryptographic objects.

When you create a partition, a partition identity key/key pair is automatically created.

5. For each partition, export the partition identity public key to the Luna Network HSM file system. The file will be named with the partition's serial number. The command syntax is different depending on the Luna software/firmware version:

Luna 7.7.0 or newer:

lunash:> partition stcidentity export -partition <partition_name>

lunash:>partition stcidentity export -partition app_par1
Successfully exported partition identity for partition app_par1 to file: 154438865304.pid

Luna 7.4.x or earlier:

lunash:> stc partition export -partition <partition_name>

lunash:>stc partition export -partition app_par1
Successfully exported partition identity for partition app_par1 to file: 154438865304.pid

6. [Optional] View the partition identity public key hash. If you are not the client administrator, it is recommended that you provide the hash to the client administrator via a separate channel, so that the client administrator can verify the key's integrity as described in Creating a Client-Partition STC Connection. The command syntax is different depending on the Luna software/firmware version:

Luna 7.7.0 or newer:

lunash:> partition stcidentity show -partition <partition_name>

Luna 7.4.x or earlier:

lunash:> stc partition show -partition <partition_name>

7. If the client administrator does not have admin access to the appliance, or a firewall prevents you from using pscp or scp, you must transfer these files from the HSM and provide them to the client administrator by other secure means:

The HSM Server Certificate (server.pem) from the Luna Network HSM.

The partition identity public key for each partition the client will access (154438865304.pid in the example above).

[Optional] The partition identity public key hash for each partition the client will access. This is recommended so that the client can verify the key's integrity before using the partition. Do not send the hash by the same means as the certificates.
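
The constraints stated in the notes above (no STC over IPv6, the two documented version combinations, FMs over STC, no mixing of STC and NTLS links to one appliance) and the per-identity storage overhead can be combined into a pre-flight check before any identity is exported. This is an added example, not Thales code; the function names, dictionary keys and sample inputs are assumptions made for illustration, and version strings are assumed to be dotted numbers.

```python
import ipaddress

# Version thresholds and per-identity storage taken from the notes on this page.
UPDATED_MIN = {"appliance": (7, 7, 0), "firmware": (7, 7, 0), "client": (10, 3, 0)}
LEGACY_MAX = {"appliance": (7, 4, 0), "firmware": (7, 3, 3), "client": (10, 2, 0)}
IDENTITY_BYTES = {"updated": 512, "legacy": 2392}

def parse_version(text):
    """'7.7' -> (7, 7, 0); pads so tuples compare component by component."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def stc_generation(versions):
    """Return 'updated', 'legacy', or None for a mix the page does not describe."""
    v = {k: parse_version(versions[k]) for k in UPDATED_MIN}
    if all(v[k] >= UPDATED_MIN[k] for k in v):
        return "updated"
    if all(v[k] <= LEGACY_MAX[k] for k in v):
        return "legacy"
    return None

def preflight(versions, hsm_address, existing_links, client_count, uses_fm=False):
    """Check a planned STC link; all parameter names are hypothetical."""
    problems = []
    generation = stc_generation(versions)
    if generation is None:
        problems.append("version mix matches neither documented STC combination")
    try:
        if ipaddress.ip_address(hsm_address).version == 6:
            problems.append("STC is not supported over IPv6; use NTLS")
    except ValueError:
        pass  # a host name: check what it resolves to separately
    if uses_fm and parse_version(versions["firmware"]) < (7, 7, 0):
        problems.append("FMs over STC need firmware 7.7.0 or newer; use NTLS")
    if "NTLS" in existing_links:
        problems.append("'stc enable' will terminate this client's NTLS links to the appliance")
    # Storage to reserve on the partition for client identities, in bytes.
    size = IDENTITY_BYTES[generation] * client_count if generation else None
    return {"generation": generation, "identity_bytes": size, "problems": problems}

if __name__ == "__main__":
    # Constructed sample: legacy stack, IPv6 appliance address, an NTLS link in place.
    legacy = {"appliance": "7.4.0", "firmware": "7.3.3", "client": "10.2.0"}
    print(preflight(legacy, "2001:db8::5", ["NTLS"], client_count=3, uses_fm=True))
```

The `identity_bytes` value is only the client identity overhead; the partition size passed to `partition create` must also leave room for cryptographic objects.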

Preparing the Client to Use STC

To access partitions on the HSM using STC, you must first create an STC token and identity on the client. These operations are performed by the client administrator.

CAUTION!   If you already have STC connections to partitions on other HSMs, skip this procedure and use the existing client token/identity. If you re-initialize an existing client token/identity, active STC connections to this client will be broken.

NOTE   If you have upgraded your Luna Network HSM to appliance software version 7.7.0 and newer, Luna Network HSM firmware 7.7.0 and newer, Luna HSM Client 10.3.0 and newer, and converted partitions to V1 partitions, the STC client soft token (token.db) that was previously initialized for STC connections cannot be reinitialized. You must delete the old token.db before completing the procedure below. For more information about the location of token.db, refer to the description of SoftTokenDir in Configuration File Summary.

To prepare the client for STC connections

1. Open a command prompt or terminal and navigate to the Luna HSM Client directory.

NOTE   On Windows, ensure that you open a command prompt with Administrator privileges.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

2. [Optional] Launch LunaCM and verify that the STC client token is uninitialized.

lunacm:> stc tokenlist

3. Initialize the STC client token, specifying a token label.

lunacm:> stc tokeninit -label <token_label>

4. Create a client identity on the token.

lunacm:> stc identitycreate -label <client_identity>

The STC client identity public key is automatically exported to:

<client_install_directory>/data/client_identities/

Creating a Client-Partition STC Connection

To access STC partitions on the Luna Network HSM appliance, you must first register the HSM Server Certificate. The STC connection is then created by registering one or more partition identity public keys to the client identity and enabling STC on the client. These operations are performed by the client administrator, with admin access to the Luna Network HSM appliance. If you do not have admin access, or a firewall blocks file transfer over the network, the appliance admin must provide these files by other secure means.

To create a Client-Partition STC Connection

1. On the client workstation, use pscp or scp to import the HSM Appliance Server Certificate (server.pem) from the appliance. You require the appliance's admin password to complete this step.

TIP   If you are importing certificates from multiple appliances to this client, rename each certificate during the pscp/scp transfer. This will prevent you from accidentally overwriting one server.pem certificate with another.

pscp admin@<host/IP>:server.pem <target_filename>

2. Register the HSM Server Certificate with the client, using the vtl utility from the command line or shell prompt. If using a host name, ensure the name is reachable over the network (ping <hostname>). Thales recommends specifying an IP address to avoid network issues.

> vtl addServer -n <Network_HSM_hostname/IP> -c <server_certificate>

3. [Optional] To check that you have successfully registered the appliance with the client, display the list of registered servers.

> vtl listServers

4. Use pscp or scp to import the partition identity public keys for all partitions you will access with STC. The files are named with the partition serial number (<partitionSN>.pid). You require the appliance's admin password to complete this step.

5. Register the partition identity public key to the client. Specify the path to the key file and, optionally, a label for the partition identity.

lunacm:> stc partitionregister -file <partition_identity> [-label <partition_label>]

lunacm:> stc partitionregister -file /usr/safenet/lunaclient/data/partition_identities/154438865304.pid -label app_par1

Partition identity 154438865305 successfully registered. 

Repeat this step for each partition identity public key you wish to register to this client.

6. [Optional] If the HSM SO provided the partition identity public key hash, verify that the hashes match.

lunacm:> stc identityshow

If the hashes do not match, deregister the partition and contact your HSM SO.

lunacm:> stc partitionderegister -serial <partitionSN>

7. Display the list of registered Luna Network HSM servers to find the server ID of the appliance that hosts the partition(s).

lunacm:> clientconfig listservers

8. Enable the STC connection.

CAUTION!   This forces the client to use STC for all links to the specified Luna Network HSM appliance. If the server has partitions assigned to this client using NTLS, those connections will be terminated. Ensure you have registered the partition identity for all applicable partitions on this HSM before continuing.

lunacm:> stc enable -id <server_ID>

LunaCM restarts. If successful, the partition appears in the list of available slots.

9. [Optional] Set the active slot to the new partition and verify the STC link.

lunacm:> slot set -slot <slot>

lunacm:> stc status

The Partition SO can now initialize the partition (see Initializing an Application Partition). When the partition is initialized, the following actions are performed automatically:

>The client identity public key is registered to the partition.

>Partition policy 37: Force Secure Trusted Channel is enabled on the partition.

Once the partition is initialized, you can allow additional clients to connect to it using STC (see Connecting an Initialized STC Partition to Multiple Clients).

STC provides several configurable options that define the network settings for an STC link and the security settings for the messages transmitted over the link. The default values provide the optimal balance between security and performance, but you can override them if desired. See Configuring STC Identities and Settings for more information.