Connecting an Initialized STC Partition to Multiple Clients

Once an STC connection has been established between the partition and Client1, and the partition initialized, the Partition SO can allow other clients to access the partition. Since the Partition SO has control of the partition via Client1, they must provide the partition ID key to the Client2 administrator, and register Client2's ID key to the partition.

This procedure is completed by the Partition SO (using Client1) and the Client2 administrator in the following phases:

1.Preparing the Additional Client to Use STC

2.Connecting an Additional Client to the Initialized STC Partition

Preparing the Additional Client to Use STC

To access partitions on the HSM using STC, you must first create an STC token and identity on the client. These operations are performed by the client administrator.

CAUTION!   If you already have STC connections to partitions on other HSMs, skip this procedure and use the existing client token/identity. If you re-initialize an existing client token/identity, active STC connections to this client will be broken.

NOTE   If you have upgraded your Luna Network HSM to appliance software version 7.7.0 and newer, Luna Network HSM firmware 7.7.0 and newer, Luna HSM Client 10.3.0 and newer, and converted partitions to V1 partitions, the STC client soft token (token.db) that was previously initialized for STC connections cannot be reinitialized. You must delete the old token.db before completing the procedure below. For more information about the location of token.db, refer to the description of SoftTokenDir in Configuration File Summary.

To prepare the client for STC connections

1.Open a command prompt or terminal and navigate to the Luna HSM Client directory.

NOTE   On Windows, ensure that you open a command prompt with Administrator privileges.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

2.[Optional] Launch LunaCM and verify that the STC client token is uninitialized.

lunacm:> stc tokenlist

3.Initialize the STC client token, specifying a token label.

lunacm:> stc tokeninit -label <token_label>

4.Create a client identity on the token.

lunacm:> stc identitycreate -label <client_identity>

The STC client identity public key is automatically exported to:

<client_install_directory>/data/client_identities/

5.[Optional] Display the client ID key hash. You can provide this hash to the Partition SO to verify the key's integrity.

lunacm:> stc identityshow

6.Provide the following certificate/information to the Partition SO (Client1) via pscp, scp, or other secure means:

Client2 identity public key

[Optional] Client2 identity public key hash (do not provide the hash by the same means as the key)

Connecting an Additional Client to the Initialized STC Partition

This procedure will allow an additional client (Client2 in the examples below) to access an initialized STC partition. The Partition SO (using Client1) and the Client2 administrator must complete the procedure.

Partition SO (Client1): To allow an additional client access to the STC partition

1.Ensure that you have received the following certificates/information from the Client2 administrator:

Client2 identity public key

[Optional] Client2 identity public key hash

2.On Client1, launch LunaCM and log in as Partition SO.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -role po

3.Register the Client2 ID key to the partition. Specify a label for Client2 and the path to the key file.

lunacm:> stcconfig clientregister -label <client_label> -file <path/client_ID>

4.[Optional] Display the hash for the Client2 identity.

lunacm:> stcconfig clientlist

If the displayed hash does not match the hash you received from the Client2 administrator, deregister the client identity and contact the Client2 administrator:

lunacm:>stcconfig clientderegister -label <client_label>

NOTE   If the Client2 administrator has admin access to the Luna Network HSM appliance, and the partition identity public key is still available in the admin user's files on the appliance (lunash:> my file list), steps 5-7 are unnecessary.

5.Export a copy of the partition identity public key to the Client1 filesystem.

lunacm:> stcconfig partitionidexport

The partition ID key is named for the partition serial number (<serialnum>.pid) and automatically exported to:

<Lunaclient_install_directory>/data/partition_identities/

6.[Optional] Display the partition ID key hash. You can provide this hash to the Client2 administrator to verify the key's integrity. Do not send the hash by the same means as the key.

lunacm:> stc identityshow

7.Provide the following certificates/information to the Client2 administrator via scp, pscp, or other secure means (see pscp):

Partition identity public key

[Optional] Partition identity public key hash (do not provide the hash by the same means as the key)

HSM Server Certificate, located in:

<Lunaclient_install_directory>/cert/server/<hostname/IP>Cert.pem

Client2 administrator: To create the client-partition STC connection

1.Ensure that you have received the following certificates/information from the Partition SO:

HSM Server Certificate (*.pem)

Partition identity public key (*.pid)

[Optional] Partition identity public key hash

NOTE   If the Client2 administrator has admin access to the Luna Network HSM appliance, and the partition identity public key is still available in the admin user's files on the appliance (lunash:> my file list), you can retrieve the HSM Server Certificate (server.pem) and the partition ID key (<partition_serialnum>.pid) directly from the appliance using pscp or scp.

2.Open a command prompt or terminal window and navigate to the Luna Network HSM client installation directory.

3.Register the HSM Server Certificate to the client.

> vtl addServer -n <HSM_hostname/IP> -c <server_certificate>

4.Launch LunaCM and register the partition ID key to the client. Specify the path to the key file and an optional label for the partition.

lunacm:> stc partitionregister -file <path/IDfile>.pid [-label <partition_label>]

5.[Optional] Display the hash for the partition ID key.

lunacm:> stc identityshow

If the displayed hash does not match the hash you received from the Partition SO, deregister the partition and contact the Partition SO:

lunacm:> stc partitionderegister -serial <partition_serialnum>

6.Display the list of registered Luna Network HSM servers to find the server ID of the appliance that hosts the partition(s).

lunacm:> clientconfig listservers

7.Enable the STC connection.

CAUTION!   This forces the client to use STC for all links to the specified Luna Network HSM appliance. If the server has partitions assigned to this client using NTLS, those connections will be terminated. Ensure you have registered the partition identity for all applicable partitions on this HSM before continuing.

lunacm:> stc enable -id <server_ID>

LunaCM restarts. If successful, the partition appears in the list of available slots.

8.[Optional] Set the active slot to the new partition and verify the STC link.

lunacm:> slot set -slot <slot>

lunacm:> stc status

Client2 can now access the partition via an STC connection. You can repeat the procedure to allow more clients to access the partition.

NOTE   Each client identity registered to a partition uses 2392 bytes of storage on the partition. Ensure that the partition is large enough to store the identity of every client that will access the partition, in addition to cryptographic objects. If necessary, the HSM SO can re-size an existing partition (see Customizing Partition Sizes).

STC provides several configurable options that define the network settings for an STC link, and the security settings for the messages transmitted over the link. Although default values are provided that provide the optimal balance between security and performance, you can override the defaults, if desired. See Configuring STC Identities and Settings for more information.