Adding a Luna Cloud HSM Service
Luna HSM Client allows you to use both Luna partitions and Thales Data Protection on Demand (DPoD) Luna Cloud HSM services. Using a single client workstation, you can back up or migrate your keys between Luna and the Luna Cloud HSM service, or combine partitions and services into an HA group.
NOTE Refer to the Luna HSM Client Releases for supported client versions. Thales recommends keeping your Luna HSM Client software updated to the latest version, especially if your deployment includes Luna Cloud HSM.
Prerequisites
>If Luna HSM Client is not installed at the default location, the ChrystokiConfigurationPath must be set for the Luna Cloud HSM service to use the correct location.
>DPoD Luna Cloud HSM services support Windows and Linux operating systems only. This procedure presumes that you have already set up Luna HSM Client on your Windows or Linux workstation:
•Windows Luna HSM Client Installation
•Windows Interactive Luna HSM Client Installation
•Linux Luna HSM Client Installation
>For more information on Luna/Luna Cloud HSM service compatibility, refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum.
To add a DPoD Luna Cloud HSM service to an existing Luna HSM Client
1.After purchasing a Luna Cloud HSM service, refer to the DPoD Luna Cloud HSM documentation for instructions on downloading the Luna Cloud HSM service client. Transfer the zip file to your workstation using
2.Extract the zip file into a directory on your client workstation.
3.Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the Luna Cloud HSM service client install directory. The other client package can be safely deleted.
•[Windows] cvclient-min.zip
•[Linux] cvclient-min.tar
# tar -xvf cvclient-min.tar
Run the provided setenv script to automatically copy the necessary Luna Cloud HSM service configuration entries to the existing Luna HSM Client configuration file. The existing Luna HSM Client configuration file must be writable to execute setenv.
CAUTION! Running setenv will overwrite any existing Luna Cloud HSM service configurations in the Luna HSM Client configuration file.
NOTE If Luna HSM Client is not installed in the default directory, or if setenv was run previously, you must clear the ChrystokiConfigurationPath environment variable or update it to point to the location of the correct configuration file:
>[Windows] In the Control Panel, search for "environment" and select Edit the system environment variables. Click Environment Variables. In both the list boxes for the current user and system variables, edit ChrystokiConfigurationPath to point to the crystoki.ini file in the correct client install directory.
>[Linux] Either open a new shell session, or reset the environment variable for the current session to the location of the correct Chrystoki.conf file:
# export ChrystokiConfigurationPath=/etc/
•[Windows cmd prompt] Open a command prompt as Administrator and run the script with the -addcloudhsm option.
> .\setenv.cmd -addcloudhsm
•[Linux] Source the setenv script with the --addcloudhsm option.
# source ./setenv --addcloudhsm
4.Launch or relaunch LunaCM to verify that both your Luna partitions and Luna Cloud HSM service are available. Once the Luna Cloud HSM service has been added to the Luna HSM Client, you can delete the client package downloaded from Thales DPoD.
Initializing a Luna Cloud HSM Service
You must now initialize the Luna Cloud HSM service for use with your existing Luna partitions. If your Luna HSMs are password-authenticated, the cloning domain you set on the Luna Cloud HSM service must match the partition(s) with which it will share keys.
>Initializing an Application Partition
>Initializing Crypto Officer and Crypto User Roles for an Application Partition
If you will be using the Luna Cloud HSM service with multifactor quorum-authenticated Luna partitions, LunaCM provides the option to import the credential from a red domain PED key to Luna Cloud HSM, as described below.
NOTE This feature requires minimum Luna HSM Client 10.4.1, and is available for Luna Cloud HSM only.
Prerequisites
>The uninitialized Luna Cloud HSM service must be available in LunaCM on a client computer with Luna HSM Client 10.4.1 or newer installed.
>The client computer must have the Luna PED driver installed:
Windows: Modifying the Installed Windows Luna HSM Client Software (Remote PED package)
Linux: About Installing the Luna HSM Client Software ([5] Luna Remote PED package or -p ped in scripted installation)
>Connect a Luna PED to the client computer and set it to Local PED-USB mode
>If you were previously using this client computer as a Remote PED server, you must stop PEDserver before continuing:
>If your Luna partition domain uses an M of N PED key scheme, ensure that you have enough keys on hand to provide the M of N quorum.
To initialize a Luna Cloud HSM service using an imported domain secret
1.Launch LunaCM on the client computer.
2.Set the active slot to the uninitialized Luna Cloud HSM service.
lunacm:> slot set -slot <slot#>
3.Initialize the Luna Cloud HSM service, specifying an identifying label and including the -importpeddomain option.
lunacm:> partition init -label <label> -importpeddomain
Follow the prompts in LunaCM and on the Luna PED to import the domain secret and complete the initialization process.
Refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum for guidelines on using Luna Cloud HSM with Luna 7 HSMs. You can back up your partitions to Luna Cloud HSM using slot-to-slot cloning or by setting up an HA group to synchronize your partition contents with Luna Cloud HSM.
CAUTION! HA failover from multifactor quorum-authenticated Luna partitions to Luna Cloud HSM requires minimum Luna HSM Client 10.5.0. Refer to known issue LUNA-23945.