
Setting up the HSM service

Development note: If you are using an HSM emulator for development purposes, skip these steps.

  1. Configure the HSM server details on the Secure Factory node:

    1. Set the HSM_HOST1 and HSM_HOST2 environment variables:

      $ export HSM_HOST1=<new-hsm-hostname-1.domain.com>
      $ export HSM_HOST2=<new-hsm-hostname-2.domain.com>
      $
      
    2. Start the Luna client container by running the hsm start command in the service-deployment/rof directory:

      $ ./rof hsm start
      $
      
    3. Copy the server certificate of each HSM server, create a client certificate and export the client certificate to each of the HSM servers. When prompted, enter the HSM server admin password you set when connecting to the HSM server using SSH:

      1. For the first HSM server:

        $ ./rof hsm scp admin@${HSM_HOST1}:server.pem ./server1.pem
        $ ./rof hsm vtl addServer -n ${HSM_HOST1} -c server1.pem
        $ ./rof hsm vtl createCert -n hsm-service-rof
        $ ./rof hsm scp /usr/safenet/lunaclient/cert/client/hsm-service-rof.pem admin@${HSM_HOST1}:
        $
        
      2. For the second HSM server:

        $ ./rof hsm scp admin@${HSM_HOST2}:server.pem ./server2.pem
        $ ./rof hsm vtl addServer -n ${HSM_HOST2} -c server2.pem
        $ ./rof hsm scp /usr/safenet/lunaclient/cert/client/hsm-service-rof.pem admin@${HSM_HOST2}:
        $
        

      For more information about the vtl command, see the "vtl createCert" and "vtl addServer" sections in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.

    4. Verify that the client certificate created on the Luna client is copied to the HSM server:

      1. Connect to each of the HSM servers:

        $ ssh admin@${HSM_HOST1}
        lunash:>
        
      2. Check that the client certificate is present:

        lunash:> my file list
        

        Example printout:

        lunash:> my file list
           515 Jan  8 07:55 1428271376056.pid
        205358 Jan  7 16:51 hsm-service-rof.pem
        Command Result : 0 (Success)
        lunash:>
        
  2. Create a partition on the HSM server and assign the Luna client to the partition:

    1. Log in to the HSM server and create a ROOT_OF_FACTORIES partition:

      lunash:> hsm login
      lunash:> partition create -p ROOT_OF_FACTORIES
      

      Example printout:

      lunash:>hsm login
        Please enter the HSM Administrators' password:
        > *************
      'hsm login' successful.
      Command Result : 0 (Success)
      lunash:>par create -p ROOT_OF_FACTORIES
                Type 'proceed' to create the partition, or
                'quit' to quit now.
                > proceed
      'partition create' successful.
      lunash:>
      

      Enter the HSM administrators' password defined when you ran the hsm init command as part of the HSM setup steps.

    2. Check the partition details:

      lunash:> par show
      

      Example printout:

      lunash:> par show  
      Partition Name:                            ROOT_OF_FACTORIES
      Partition SN:                              1428271376068
      Partition Label:
      Partition SO     is not initialized.
      Crypto Officer   is not initialized.
      Crypto User      is not initialized.
      Legacy Domain Has Been Set:                no
      Partition Storage Information (Bytes):     Total=409782, Used=0, Free=409782
      Partition Object Count:                    0
      lunash:>
      

      Make note of the Partition SN, which you need later to verify the partition in the Luna client.

      For more information about the Partition Security Officer (SO) and Crypto Officer (CO) roles, see the "Partition Roles and Procedures" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.

    3. Register and assign the Luna client to the partition:

      lunash:> client register -client hsm-service-rof-client -h hsm-service-rof
      lunash:> client assignPartition -client hsm-service-rof-client -partition ROOT_OF_FACTORIES
      lunash:> ntls ipcheck disable
      lunash:> service restart ntls
      lunash:>
      

      For more information, see the "client register", "client assignpartition", "ntls ipcheck" and "service restart" sections in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.

    4. Open the lunacm terminal and verify that the Available HSMs section is not empty:

      $ ./rof hsm lunacm
      

      Example printout:

      $ ./rof hsm lunacm
      lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
      
           Available HSMs:
      
           Slot Id ->              0
           Label ->                
           Serial Number ->        1428271376067
           Model ->                LunaSA 7.3.0
           Firmware Version ->     7.0.3
           Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
           Slot Description ->     Net Token Slot
      lunacm:>
      

      The Serial Number must match the Partition SN value of the ROOT_OF_FACTORIES partition created on the HSM server.

      For more information about the lunacm terminal, see the "LunaCM Commands" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.

  3. Configure the created partition on the Luna client:

    1. Initialize the partition, enter proceed when prompted, and set the Partition Security Officer (SO) role password:

      lunacm:> slot set -s 0
      lunacm:> par init -label ROOT_OF_FACTORIES -d <your-domain> -a
      

      Example printout:

      lunacm:> par init -label ROOT_OF_FACTORIES -d <your-domain> -a
              You are about to initialize the partition.
              All contents of the partition will be destroyed.
              Are you sure you wish to continue?
              Type 'proceed' to continue, or 'quit' to quit now ->proceed
              Enter password for Partition SO: ********
              Re-enter password for Partition SO: ********
      Command Result : No Error
      lunacm:>
      
    2. Initialize the Crypto Officer role and configure the Crypto Officer password (partition password):

      lunacm:> role init -name co
      

      Example printout:

      lunacm:> role init -name co
              enter new password: ********
              re-enter new password: ********
      Command Result : No Error
      lunacm:>
      

    Note: You must set the same Crypto Officer password on both HSMs. Be sure to note your Crypto Officer password, as it is required in later steps.

    1. Get the partition serial numbers of both HSM servers, which you need to create a high availability (HA) group:

      lunacm:> slot list
      

      When prompted, enter the Crypto Officer password.

      Example printout:

      lunacm:> slot list
              Slot Id ->              0
              Label ->                ROOT_OF_FACTORIES
              Serial Number ->        1428271376067
              Model ->                LunaSA 7.3.0
              Firmware Version ->     7.0.3
              Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
              Slot Description ->     Net Token Slot
      
              Slot Id ->              4
              Label ->                ROOT_OF_FACTORIES
              Serial Number ->        1428271376069
              Model ->                LunaSA 7.3.0
              Firmware Version ->     7.0.3
              Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
              Slot Description ->     Net Token Slot
              Current Slot Id: 0
      Command Result : No Error   
      lunacm:>   
      

      For more information about high availability groups, see the "High Availability (HA) group" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.

    2. Create an HA Group named rof-ha-group with the partition of the first HSM server:

      lunacm:> hagroup creategroup -label rof-ha-group -serialNumber <HSM-SERVER-1-PARTITION-SN>
              Enter the password: ********
      

      Enter the Crypto Officer password.

    3. Add the partition of the second HSM server to the rof-ha-group HA group:

      lunacm:> hagroup addMember -group rof-ha-group -serialNumber <HSM-SERVER-2-PARTITION-SN>
      
      

      Example printout:

      lunacm:>hagroup addMember -group rof-ha-group -serialNumber 1428271376069
      
      
         Enter the password: ***********
      
         Member 1428271376069 successfully added to group rof-ha-group. New group
         configuration is:
      
         HA Group Label:  rof-ha-group
         HA Group Number:  11428271376066
         HA Group Slot ID:  5
         Synchronization: enabled
           Group Members:  1428271376067, 1428271376069
              Needs sync:  yes
         Standby Members:  <none>
      
      
        Slot #    Member S/N                      Member Label    Status
        ======    ==========                      ============    ======
             0  1428271376067                    SECURE_FACTORY     alive
             1  1428271376069                    SECURE_FACTORY     alive
      
      
         Please use the command "ha synchronize" when you are ready
         to replicate data between all members of the HA group.
         (If you have additional members to add, you may wish to wait
         until you have added them before synchronizing to save time by
         avoiding multiple synchronizations.)
      
      Command Result : No Error
      lunacm:>
      
    4. Exit lunacm:

      lunacm:> exit
      $
      
    5. Use the init sub-command of the hsm command to copy all configuration and credential files from the hsm-init Docker container into the secure-factory keystore directory:

      $ ./rof hsm init
      
    6. When prompted, enter the Crypto Officer password (partition password) as configured earlier.

      Example printout:

      $ ./rof hsm init
      Please enter HSM CO partition password:
      ********
      please re-type HSM CO partition password:
      ********
      $
      
    7. Verify that all files exist:

      $ ./rof hsm verify
      $
      
    8. Stop the Luna client container:

      $ ./rof hsm stop
      $
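
As an added verification example that is not part of the Luna product documentation or the rof tool, the following POSIX shell script assumes you have captured the lunash par show output of both servers, the lunacm slot list output and the hagroup addMember printout into variables (replaced here by constructed samples), and checks that every Partition SN appears both as a slot on the Luna client and as a member of rof-ha-group:

```shell
#!/bin/sh
# Added example (not from the Luna documentation or the rof tool): parse the serial
# numbers out of captured lunash "par show", lunacm "slot list" and "hagroup addMember"
# output and check that every partition is a client slot and an HA group member.
# The three outputs below are constructed samples in the format shown on this page.
PAR_SHOW_OUTPUT='Partition Name:                            ROOT_OF_FACTORIES
Partition SN:                              1428271376067
Partition Label:
Partition SN:                              1428271376069'
SLOT_LIST_OUTPUT='        Slot Id ->              0
        Serial Number ->        1428271376067
        Slot Id ->              4
        Serial Number ->        1428271376069
        Current Slot Id: 0'
HAGROUP_OUTPUT='   HA Group Label:  rof-ha-group
     Group Members:  1428271376067, 1428271376069
        Needs sync:  yes'

# "Partition SN: <n>" values (par show output of both servers concatenated), one per line.
partition_sns() {
    printf '%s\n' "$1" | awk -F': *' '/^Partition SN:/ { gsub(/[ \t]+$/, "", $2); print $2 }'
}

# "Serial Number -> <n>" values from lunacm slot list output, one per line.
slot_serials() {
    printf '%s\n' "$1" | awk -F'-> *' '/Serial Number ->/ { gsub(/[ \t]+$/, "", $2); print $2 }'
}

# Member serial numbers from the "Group Members:" line of hagroup output, one per line.
ha_members() {
    printf '%s\n' "$1" | awk -F': *' '/Group Members:/ {
        gsub(/,/, " ", $2); n = split($2, m, " "); for (i = 1; i <= n; i++) print m[i] }'
}

# Return 0 when every partition SN is both a client slot and an HA member, else 1.
check_hsm_setup() {
    par_out=$1; slot_out=$2; ha_out=$3; bad=0
    for sn in $(partition_sns "$par_out"); do
        slot_serials "$slot_out" | grep -qx "$sn" || { echo "SN $sn has no client slot" >&2; bad=1; }
        ha_members "$ha_out" | grep -qx "$sn" || { echo "SN $sn is not in the HA group" >&2; bad=1; }
    done
    return $bad
}

check_hsm_setup "$PAR_SHOW_OUTPUT" "$SLOT_LIST_OUTPUT" "$HAGROUP_OUTPUT" \
    && echo "all partitions are visible on the Luna client and in the HA group"
```

A non-zero exit with a message naming the missing serial number points at either a partition that was not registered to the client (step 2) or one that was never added to the HA group (step 3).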