Initializing the HSM client service

Initializing the HSM service requires two running SafeNet Luna Network HSMs with reachable IP addresses or hostnames, and the Luna client on the Secure Factory Service nodes. Secure Factory Service uses the hsm-service:luna730 Docker image, which already contains the Luna client.

Note that you perform some of the initialization steps on the HSM servers and others on the Luna client, inside the running hsm-service:luna730 container, using the hsm command of the Secure Factory Node (sfn) CLI tool.

Development note: If you are using an HSM emulator for development purposes, skip these steps.
To create a network trust link between the HSM client and the HSM server:

- Configure the HSM server details on the Secure Factory node:
  - Set the HSM_HOST1 and HSM_HOST2 environment variables:
    $ export HSM_HOST1=<new-hsm-hostname-1.domain.com>
    $ export HSM_HOST2=<new-hsm-hostname-2.domain.com>
  - Start the Luna client container:
    $ ./sfn hsm start
- Copy the server certificate of each HSM server, create a client certificate and export the client certificate to each of the HSM servers. When prompted, enter the HSM server admin password you set when connecting to the HSM server using SSH:
  - For the first HSM server:
    $ ./sfn hsm scp admin@${HSM_HOST1}:server.pem ./server1.pem
    $ ./sfn hsm vtl addServer -n ${HSM_HOST1} -c server1.pem
    $ ./sfn hsm vtl createCert -n hsm-service-fts
    $ ./sfn hsm scp /usr/safenet/lunaclient/cert/client/hsm-service-fts.pem admin@${HSM_HOST1}:
  - For the second HSM server (the client certificate already exists, so only the server is added and the certificate is copied):
    $ ./sfn hsm scp admin@${HSM_HOST2}:server.pem ./server2.pem
    $ ./sfn hsm vtl addServer -n ${HSM_HOST2} -c server2.pem
    $ ./sfn hsm scp /usr/safenet/lunaclient/cert/client/hsm-service-fts.pem admin@${HSM_HOST2}:
  For more information about the vtl command, see the "vtl createCert" and "vtl addServer" sections in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.
- Verify that the client certificate created on the Luna client has been copied to each HSM server:
  - Connect to each of the HSM servers:
    $ ssh admin@${HSM_HOST1}
    lunash:>
  - Check that the client certificate is present:
    lunash:> my file list
    Example printout:
    lunash:> my file list
    515 Jan 8 07:55 1428271376056.pid
    205358 Jan 7 16:51 hsm-service-fts.pem
    Command Result : 0 (Success)
    lunash:>
- On the HSM server, assign the Luna client to the SECURE_FACTORY partition you created as part of the HSM setup steps:
  - Log in to the HSM server:
    lunash:> hsm login
    Example printout:
    lunash:> hsm login
    Please enter the HSM Administrators' password:
    > *************
    'hsm login' successful.
  - Register the Luna client and assign it to the partition:
    lunash:> client register -client hsm-service-fts-client -h hsm-service-fts
    lunash:> client assignPartition -client hsm-service-fts-client -partition SECURE_FACTORY
    lunash:> exit
    $
  For more information, see the "client register", "client assignpartition", "ntls ipcheck" and "service restart" sections in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.
  - On the Secure Factory node, open the lunacm terminal and verify that the Available HSMs section is not empty:
    $ ./sfn hsm lunacm
    Example printout:
    $ ./sfn hsm lunacm
    lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.

    Available HSMs:

    Slot Id ->              0
    Label ->
    Serial Number ->        1428271376067
    Model ->                LunaSA 7.3.0
    Firmware Version ->     7.0.3
    Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
    Slot Description ->     Net Token Slot

    lunacm:>
    The Serial Number must match the Partition SN value of the SECURE_FACTORY partition created on the HSM server. For more information about the lunacm terminal, see the "LunaCM Commands" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.
- Configure the SECURE_FACTORY partition on the Luna client:
  - Initialize the partition, enter proceed to continue, and configure the Security Officer role password (the password for Partition SO):
    lunacm:> slot set -s 0
    lunacm:> par init -label SECURE_FACTORY -d <your-domain> -a
    Example printout:
    lunacm:> par init -label SECURE_FACTORY -d <your-domain> -a
    You are about to initialize the partition.
    All contents of the partition will be destroyed.
    Are you sure you wish to continue?
    Type 'proceed' to continue, or 'quit' to quit now ->proceed
    Enter password for Partition SO: ********
    Re-enter password for Partition SO: ********
    Command Result : No Error
    lunacm:>
  - Initialize the Crypto Officer role and configure the Crypto Officer password (partition password):
    lunacm:> role init -name co
    Example printout:
    lunacm:> role init -name co
    enter new password: ********
    re-enter new password: ********
    Command Result : No Error
    lunacm:>
    Note: You must set the same Crypto Officer password on both HSMs. Be sure to note your Crypto Officer password, as it is required for later steps.
  - Log in as the Crypto Officer and reset the role password to the same value:
    lunacm:> role logout
    lunacm:> role login -name co -password <CRYPTO-OFFICER-PASSWORD>
    lunacm:> role changepw -name co -old <CRYPTO-OFFICER-PASSWORD> -new <CRYPTO-OFFICER-PASSWORD>
    lunacm:> role logout
    lunacm:>
  - Get the partition serial numbers of both HSM servers in order to create a high availability group (ha-group):
    lunacm:> slot list
    When prompted, enter the Crypto Officer password.
    Example printout:
    lunacm:> slot list
    Slot Id ->              0
    Label ->                SECURE_FACTORY
    Serial Number ->        1428271376067
    Model ->                LunaSA 7.3.0
    Firmware Version ->     7.0.3
    Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
    Slot Description ->     Net Token Slot

    Slot Id ->              1
    Label ->                SECURE_FACTORY
    Serial Number ->        1428271376069
    Model ->                LunaSA 7.3.0
    Firmware Version ->     7.0.3
    Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
    Slot Description ->     Net Token Slot

    Current Slot Id: 0
    Command Result : No Error
    lunacm:>
    For more information about high availability groups, see the "High Availability (HA) group" section in the Gemalto SafeNet Luna Network HSM 7.3 product documentation.
  - Create an HA group named fts-ha-group with the partition of the first HSM server:
    lunacm:> hagroup creategroup -label fts-ha-group -serialNumber <HSM-SERVER-1-PARTITION-SERIAL-NUMBER>
    Enter the password: ********
    Enter the Crypto Officer password and type proceed to continue.
  - Add the partition of the second HSM server to the fts-ha-group HA group:
    lunacm:> hagroup addMember -group fts-ha-group -serialNumber <HSM-SERVER-2-PARTITION-SERIAL-NUMBER>
    Example printout:
    lunacm:> hagroup addMember -group fts-ha-group -serialNumber 1428271376069
    Enter the password: ***********
    Member 1428271376069 successfully added to group fts-ha-group.
    New group configuration is:
    HA Group Label: fts-ha-group
    HA Group Number: 11428271376066
    HA Group Slot ID: 5
    Synchronization: enabled
    Group Members: 1428271376067, 1428271376069
    Needs sync: yes
    Standby Members: <none>

    Slot #   Member S/N      Member Label     Status
    ======   ==========      ============     ======
    0        1428271376067   SECURE_FACTORY   alive
    1        1428271376069   SECURE_FACTORY   alive

    Please use the command "ha synchronize" when you are ready to replicate data between all members of the HA group. (If you have additional members to add, you may wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations.)
    Command Result : No Error
    lunacm:>
  - Exit lunacm:
    lunacm:> exit
    $
- Use the init sub-command of the hsm command to copy all configuration and credentials files from the hsm-init Docker container into the secure-factory keystore directory:
    $ ./sfn hsm init
  - When prompted, enter the Crypto Officer password (partition password) as configured earlier.
    Example printout:
    $ ./sfn hsm init
    Please enter HSM CO partition password: ********
    please re-type HSM CO partition password: ********
    $
- Verify that all files exist:
    $ ./sfn hsm verify
- Stop the Luna client container:
    $ ./sfn hsm stop
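As an added example that is not part of the Secure Factory documentation or the Luna client tooling: a POSIX shell check over a captured hagroup addMember printout (the sample below is constructed from the example printout above) that confirms the HA group label, the two partition serial numbers and that every member is alive before you continue with sfn hsm init. The function names and the idea of capturing the lunacm output to a variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Secure Factory docs or the Luna client:
# sanity-check a captured "hagroup addMember" printout before running
# "./sfn hsm init". Function names are assumptions for this example.

# Constructed sample, copied in shape from the example printout above.
SAMPLE_HA_OUTPUT='HA Group Label: fts-ha-group
HA Group Number: 11428271376066
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 1428271376067, 1428271376069
Needs sync: yes
Standby Members: <none>
Slot #   Member S/N      Member Label     Status
======   ==========      ============     ======
0        1428271376067   SECURE_FACTORY   alive
1        1428271376069   SECURE_FACTORY   alive
Command Result : No Error'

# count_alive_members OUTPUT LABEL
# Prints how many member rows carry the expected partition label and status "alive".
# Member rows are the ones whose second field is a serial number.
count_alive_members() {
    printf '%s\n' "$1" | awk -v label="$2" '
        $2 ~ /^[0-9]+$/ && $3 == label && $4 == "alive" { n++ }
        END { print n + 0 }'
}

# group_needs_sync OUTPUT
# Succeeds when the printout still reports "Needs sync: yes", i.e. the members
# do not yet hold the same key material and "ha synchronize" is still pending.
group_needs_sync() {
    printf '%s\n' "$1" | grep -q '^Needs sync: yes$'
}

# check_ha_group OUTPUT GROUP_LABEL PARTITION_LABEL SERIAL1 SERIAL2
# Returns 0 only when the group label matches, the member list is exactly the
# two expected partition serial numbers, and both members are alive.
check_ha_group() {
    out=$1; group=$2; label=$3; s1=$4; s2=$5
    printf '%s\n' "$out" | grep -q "^HA Group Label: $group\$" || return 1
    printf '%s\n' "$out" | grep -q "^Group Members: $s1, $s2\$" || return 2
    [ "$(count_alive_members "$out" "$label")" -eq 2 ] || return 3
    return 0
}

# Example run against the constructed sample.
check_ha_group "$SAMPLE_HA_OUTPUT" fts-ha-group SECURE_FACTORY 1428271376067 1428271376069 \
    && echo "HA group OK ($(count_alive_members "$SAMPLE_HA_OUTPUT" SECURE_FACTORY) members alive)"
```

A non-zero return code from check_ha_group (1: wrong group label, 2: unexpected member list, 3: a member missing or not alive) is a reason to stop before sfn hsm init, and group_needs_sync succeeding means the partitions have not been synchronized yet.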