Configure Luna HSM Device and Luna Cloud HSM Service

Configure Luna HSM Device

To configure the Luna HSM device, follow the steps below:

For assistance, refer to the Thales product documentation for Luna Network HSM 7 and Luna HSM Client: https://thalesdocs.com/gphsm/luna/7/docs/network/Content/Home_Luna.htm

  1. Ensure the HSM is set up, initialized, provisioned, and ready for deployment.
  2. Create a partition to be used by Password Safe.
  3. Create an exchange certificate between the Luna Network HSM and client system.
  4. Register the client and assign the partition to create an NTLS connection.
  5. Initialize Crypto Officer and Crypto User roles for the registered partition.
  6. Ensure the partition is successfully registered and configured. The command to see the registered partitions is:
    C:\Program Files\SafeNet\LunaClient>lunacm.exe

    lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.

    Available HSMs:
       Slot Id ->             0
       Label ->               Password Safe
       Serial Number ->       1238696044904
       Model ->               LunaSA 7.4.0
       Firmware Version ->    7.4.0
       Configuration ->       Luna User Partition With SO (PW) Signing With Cloning Mode
       Slot Description ->    Net Token Slot
       FM HW Status ->        Non-FM
  7. For a PED-authenticated HSM, enable partition policies 22 and 23 to allow activation and auto-activation.

To configure Luna HSM High Availability (HA), refer to the Luna HSM documentation for HA. It describes how to configure and set up two or more HSM appliances on Windows and UNIX systems. You must enable the HAOnly setting in HA for failover to work: if the primary stops functioning, all calls are automatically routed to the secondary until the primary starts functioning again.

Configure Luna Cloud HSM Service

For assistance, refer to the Thales product documentation for Luna Cloud HSM: https://thalesdocs.com/dpod/services/luna_cloud_hsm/index.html

Standalone Cloud HSM Service Using Minimum Client Package

  1. Transfer the downloaded ZIP file to your client workstation using pscp, scp, or other secure means.
  2. Extract the ZIP file into a directory on your client workstation.
  3. Extract or untar the appropriate client package for your operating system in the client install directory. Do not extract to a new subdirectory.
    • Windows: cvclient-min.zip
    • Linux: cvclient-min.tar
      • # tar -xvf cvclient-min.tar
  4. Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
    • Windows: Right-click setenv.cmd and select Run as Administrator.
    • Linux: Source the setenv script.
      • # source ./setenv
  5. Run the LunaCM utility and verify the Cloud HSM service is listed.

Standalone Cloud HSM Service Using Full Client Package

  1. Transfer the downloaded ZIP file to your client workstation using pscp, scp, or other secure means.
  2. Extract the ZIP file into a directory on your client workstation.
  3. Extract or untar the appropriate client package for your operating system in the client install directory. Do not extract to a new subdirectory.
    • Windows: cvclient-min.zip
    • Linux: cvclient-min.tar
      • # tar -xvf cvclient-min.tar
  4. Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
    • Windows: Right-click setenv.cmd and select Run as Administrator.
    • Linux: Source the setenv script.
      • # source ./setenv
  5. Copy the server and partition certificates from the Cloud HSM service client directory to the Luna Client certificates directory:
    • Cloud HSM Certificates:
      • server-certificate.pem
      • partition-ca-certificate.pem
      • partition-certificate.pem
    • Luna Client Certificate Directory:
      • Windows default location for Luna Client: C:\Program Files\Safenet\Lunaclient\cert\
      • Linux default location for Luna Client: /usr/safenet/lunaclient/cert/

Skip this step for Luna Client v10.2 or later versions.

  6. Open the configuration file from the Cloud HSM service client directory and copy the XTC and REST sections.
    • Windows: crystoki.ini
    • Linux: crystoki.conf
  7. Edit the Luna Client configuration file and add the XTC and REST sections copied from the Cloud HSM service client configuration file.
  8. In the XTC and REST sections, change the server and partition certificate paths to the Luna Client certificate directory from step 5. Do not change any other entries provided in these sections.
    • XTC:

      PartitionCAPath=<LunaClient_cert_directory>\partition-ca-certificate.pem

      PartitionCertPath00=<LunaClient_cert_directory>\partition-certificate.pem

    • REST:

      SSLClientSideVerifyFile=<LunaClient_cert_directory>\server-certificate.pem

Skip this step for Luna Client v10.2 or later versions.

  9. Edit the following entry in the Misc section and set the correct path for the plugins directory:
    [Misc]
    PluginModuleDir=<LunaClient_plugins_directory>

    • Windows default: C:\Program Files\Safenet\Lunaclient\plugins\
    • Linux default: /usr/safenet/lunaclient/plugins/
    
  10. Save the configuration file. If you wish, you can now safely delete the extracted Cloud HSM service client directory.
  11. Reset the ChrystokiConfigurationPath environment variable to point back to the location of the Luna Client configuration file.
    • Windows:
      • In Control Panel, search for environment, and select Edit the system environment variables.
      • Click Environment Variables.
      • In both list boxes, for the current user and for system variables, edit ChrystokiConfigurationPath and point it to the crystoki.ini file in the Luna Client install directory.
    • Linux:
      • Either open a new shell session, or export the environment variable for the current session pointing to the location of the Chrystoki.conf file:

        # export ChrystokiConfigurationPath=/etc/

  12. Run the LunaCM utility and verify the Cloud HSM service is listed.

In hybrid mode, both Luna and Cloud HSM service are listed.
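The following Python script is an added example, not part of the Thales or Password Safe documentation: it carries out steps 6 to 8 for the Windows crystoki.ini format, copying the XTC and REST sections from the Cloud HSM service client configuration into the Luna Client configuration, rewriting only the three certificate paths to the Luna Client certificate directory from step 5, and listing the resulting paths so each certificate file can be checked before running LunaCM. The sample configuration text, the Enabled and RestClient entries and the C:\dpod-client path are constructed for the example; the Linux Chrystoki.conf uses a different syntax and is not handled here.

```python
import configparser
import io
from pathlib import PureWindowsPath

# XTC/REST keys that must be re-pointed at the Luna Client cert directory
# (step 5); every other key in those sections is copied unchanged (step 8).
CERT_KEYS = {"XTC": ("PartitionCAPath", "PartitionCertPath00"),
             "REST": ("SSLClientSideVerifyFile",)}

# Constructed sample configs: Cloud HSM client side and Luna Client side.
CLOUD_INI = """\
[XTC]
Enabled=1
PartitionCAPath=C:\\dpod-client\\partition-ca-certificate.pem
PartitionCertPath00=C:\\dpod-client\\partition-certificate.pem

[REST]
RestClient=1
SSLClientSideVerifyFile=C:\\dpod-client\\server-certificate.pem
"""
LUNA_INI = "[Misc]\nPluginModuleDir=C:\\Program Files\\Safenet\\Lunaclient\\plugins\\\n"
CERT_DIR = r"C:\Program Files\Safenet\Lunaclient\cert"

def load_ini(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # crystoki.ini keys are case-sensitive
    cfg.read_string(text)
    return cfg

def merge_cloud_sections(luna_ini, cloud_ini, cert_dir):
    """Return luna_ini text with the Cloud HSM XTC and REST sections added
    and their certificate paths rebased onto cert_dir (steps 6 to 8)."""
    luna, cloud = load_ini(luna_ini), load_ini(cloud_ini)
    for section, keys in CERT_KEYS.items():
        if not cloud.has_section(section):
            raise ValueError(f"Cloud HSM config has no [{section}] section")
        if not luna.has_section(section):
            luna.add_section(section)
        for key, value in cloud.items(section):
            if key in keys:  # keep the file name, swap in the Luna cert dir
                value = str(PureWindowsPath(cert_dir, PureWindowsPath(value).name))
            luna.set(section, key, value)
    out = io.StringIO()
    luna.write(out, space_around_delimiters=False)
    return out.getvalue()

def referenced_cert_paths(ini_text):
    """Certificate files XTC/REST point at: confirm each exists before LunaCM."""
    cfg = load_ini(ini_text)
    return [cfg[s][k] for s, keys in CERT_KEYS.items() for k in keys if cfg.has_option(s, k)]
```

Run `merge_cloud_sections(LUNA_INI, CLOUD_INI, CERT_DIR)` on the real files' contents and write the result back as the Luna Client crystoki.ini; `referenced_cert_paths` gives the three files that must exist in the cert directory.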