AIX Luna HSM Client Installation
NOTE AIX Client was not included in Luna HSM Client 10.3.0 to Luna HSM Client 10.5.0. To use Luna HSM with this operating system, use a different Client release version.
These instructions assume that you have already acquired the Luna HSM Client software, usually in the form of a downloaded .tar archive.
You must install the Luna HSM Client software on each client workstation you will use to access a Luna HSM. This section describes how to install the client on a workstation running AIX, and contains the following topics:
>Installing the Client Software
>Uninstalling the Luna HSM Client Software
>Scripted or Unattended Installation
>Interrupting the Installation
Applicability to specific versions of AIX is summarized in the Customer Release Notes for the current release.
NOTE Before installing a Luna HSM, you should confirm that the product you have received is in factory condition and has not been tampered with in transit. Refer to the Content Sheet included with your product shipment. If you have any questions about the condition of the product that you have received, please contact Thales Technical Support.
Prerequisites
Each computer that connects to the Luna Network HSM 7 appliance as a Client must have the cryptoki library, the vtl client shell and other utilities and supporting files installed. Each computer that is connected to a Luna Remote Backup HSM must have the cryptoki library and other utilities and supporting files installed - in this case, that would be a Windows or Linux computer with the "Backup" option chosen when Luna HSM Client software is installed.
TIP Thales recommends verifying the integrity of the Luna HSM Client packages, by calculating their SHA256 hash values and comparing with the hash values posted on the Support Portal, before installing them on your client machines.
You can use the sha256sum tool on Linux machines to calculate the SHA256 hash values.
Installing the Client Software
Check the Customer Release Notes for any installation-related issues or instructions before you begin the following software installation process.
To install the Luna HSM Client software on AIX
1.Log on to the client system, open a console or terminal window, and use su or sudo to gain administrative permissions for the installation.
2.If you downloaded the software, copy or move the .tar archive (which usually has a name like "LunaClient_7.x.y-nn_AIX.tar") to a suitable directory where you can untar the archive and launch the installation script.
3.Enter the following command to extract the contents from the archive:
tar xvf <filename>.tar
4.Change directory to the software version suitable for your system.
5.Install the client software as follows:
•To see the 'help', or a list of available installer options, type:
sh install.sh -? or ./sh install.sh --help
•To install all available products and optional components, type:
sh install.sh all
•To selectively install individual products and optional components, type the command without arguments:
sh install.sh
NOTE Do not interrupt the installation script in progress. An uninterruptible power supply (UPS) is recommended. See Interrupting the Installation for more information.
6.Type y if you agree to be bound by the license agreement:
[mylunaclient-1 32]$ sh install.sh
IMPORTANT: The terms and conditions of use outlined in the software
license agreement (Document #008-010005-001_EULA_HSM_SW_revN) shipped with the product
("License") constitute a legal agreement between you and SafeNet. Please read the License contained in the packaging of this product in its entirety before installing this product. Do you agree to the License contained in the product packaging? If you select 'yes' or 'y' you agree to be bound by all the terms and conditions set out in the License.
If you select 'no' or 'n', this product will not be installed.
(y/n)
7.A list of installable Luna products appears (might be different, depending on your platform). Select as many as you require, by typing the number of each (in any order) and pressing Enter. As each item is selected, the list updates, with a "*" in front of any item that has been selected. This example shows item 1 has been selected.
Products Choose Luna Products to be installed *[1]: Luna Network HSM [N|n]: Next [Q|q]: Quit Enter selection: 1
NOTE Although the AIX and Solaris installers display the options, Luna PCIe HSM 7 and Luna USB HSM 7 are not supported in this release. Select only Luna Network HSM 7 during installation.
8.When selection is complete, type N or n for "Next", and press Enter. If you wish to make a change, simply type a number again and press Enter to de-select a single item.
9.The next list is called "Advanced" and includes additional items to install. Some items might be pre-selected to provide the optimum Luna HSM experience for the majority of customers, but you can change any selection in the list.
Products Choose Luna Products to be installed [1]: Luna Network HSM [N|n]: Next [Q|q]: Quit Enter selection: 1 Advanced Choose Luna Components to be installed [1]: Luna SDK *[2]: Luna JSP (Java) *[3]: Luna JCProv (Java) [B|b]: Back to Products selection [I|i]: Install [Q|q]: Quit Enter selection:
If you wish to make a change, simply type a number again and press Enter to select or de-select a single item.
If the script detects an existing cryptoki library, it stops and suggests that you uninstall your previous Luna software before starting the Luna HSM Client installation again.
10.The system installs all packages related to the products and any optional components that you selected. By default, the Client programs are installed in the /usr/safenet/lunaclient directory.
NOTE When installing, ensure that the full path of a package does not contain any space characters. (The IBM examples do not show any spaces, implying that this might be a system requirement.)
11.Although FMs are supported on Linux and Windows clients only in this release, the FM architecture requires a configuration file setting to allow partition login on an FM-enabled HSM. If the HSM you will be using with this client is FM-enabled (see Preparing the Luna Network HSM 7 to Use FMs for more information), you must add the following entry to the [Misc] section of the Chrystoki.conf file:
[Misc]
LoginAllowedOnFMEnabledHSMs=1
NOTE As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by Thales Technical Support. If you do modify the file, never insert TAB characters - use individual space characters. Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.
Uninstalling the Luna HSM Client Software
You may need to uninstall the Luna HSM Client software prior to upgrading to a new release, or if the software is no longer required.
To uninstall the Luna HSM Client software:
1.Log in as root. (use sudo instead)
2.Go to the client installation directory:
cd /usr/safenet/lunaclient/bin
3.Run the uninstall script:
sudo sh uninstall.sh
Installing Java
If you install the Luna Java Security Provider (JSP), refer to Luna JSP Overview and Installation for additional setup procedures for your operating system.
Scripted or Unattended Installation
If you prefer to run the installation from a script, rather than interactively, run the command with the options -p <list of Luna products> and -c <list of Luna components>. To see the syntax, run the command with help like this:
[myhost]$ sudo sh install.sh help [sudo] password for fred At least one product should be specified. usage: install.sh - Luna Client install through menu install.sh help - Display scriptable install options install.sh all - Complete Luna Client install install.sh -p [sa|pci|g5|rb] [-c sdk|jsp|jcprov|ldpc|snmp] -p <list of Luna products> -c <list of Luna components> - Optional. All components are installed if not provided Luna products options sa - Luna Network HSM pci - Luna PCIe HSM g5 - Luna USB HSM rb - Luna Backup HSM Luna components options sdk - Luna SDK jsp - Luna JSP (Java) jcprov - Luna JCPROV (Java) snmp - Luna SNMP subagent [myhost]$
For scripted/automated installation, your script will need to capture and respond to the License Agreement prompt, and to the confirmation prompt. For example:
[myhost]$ sudo sh install.sh all
IMPORTANT: The terms and conditions of use outlined in the software
license agreement (Document #008-010005-001_053110) shipped with the product
("License") constitute a legal agreement between you and SafeNet Inc.
Please read the License contained in the packaging of this
product in its entirety before installing this product.
Do you agree to the License contained in the product packaging?
If you select 'yes' or 'y' you agree to be bound by all the terms
and conditions se out in the License.
If you select 'no' or 'n', this product will not be installed.
(y/n) y
Complete Luna HSM Client will be installed. This includes Luna Network HSM,
Luna PCIe HSM, Luna USB HSM AND Luna Backup HSM.
Select 'yes' or 'y' to proceed with the install.
Select 'no' or 'n', to cancel this install.
Continue (y/n)? y
Interrupting the Installation
Do not interrupt the installation script in progress, and ensure that your host computer is served by an uninterruptible power supply (UPS). If you press [Ctrl] [C], or otherwise interrupt the installation (OS problem, power outage, other), some components will not be installed. It is not possible to resume an interrupted install process. The result of an interruption depends on where, in the process, the interruption occurred (what remained to install before the process was stopped).
As long as the cryptoki RPM package is installed, any subsequent installation attempt results in refusal with the message "A version of Luna HSM Client is already installed."
If components are missing or are not working properly after an interrupted installation, or if you wish to install any additional components at a later date (following an interrupted installation, as described), you would need to uninstall everything first. If sh uninstall.sh is unable to do it, then you must uninstall all packages manually.
Because interruption of the install.sh script is not recommended, and mitigation is possible, this is considered a low-likelihood corner case, fully addressed by these comments.