8/10/2019 Setting Up SafeNet LunaSA
24/10/2014 8.3. Setting up SafeNet LunaSA LinOTP 2.7 documentation
http://www.linotp.org/doc/2.6/part-installation/HSM/setting_up_lunasa.html
8.3. Setting up SafeNet LunaSA
Warning
This documentation does not replace the SafeNet LunaSA documentation. The HSM is a
sophisticated device - you should consult the manual and know what you are doing.
8.3.1. Requirements
You need to install the following software packages on the LinOTP server that were delivered
with your HSM:
ctp-4.5.0
libcryptoki-4.5.0
vtl-4.5.0
The components are installed to /usr/lunasa; the executables are located in /usr/lunasa/bin.
8.3.2. Network settings
Note
For the initial configuration, connect the Luna SA appliance to the client computer via a
null modem cable with the following settings: serial port baud rate 115200, N,8,1 (no
parity, 8 data bits, one stop bit), VT-100 terminal emulation. Hardware flow
Alternatively the HSM is reachable via the IP address 192.168.0.1. After the first login with
the username admin and the password chrysalis you are prompted to change the password.
Then set the time and configure the network:
# setting time zone
lunash:> sysconf timezone -set Europe/Berlin
# setting time
lunash:> sysconf -time 12:55 20071223
# setting hostname
lunash:> net hostname hsm1
# set domain name
lunash:> net domain example.com
# set multiple nameservers
lunash:> net dns -nameserver 172.16.16.6
lunash:> net dns -nameserver 172.16.16.7
# set multiple search domains
lunash:> net dns -search example.com
# set eth0. (eth1 may also be set)
lunash:> net interface -static -device eth0 \
-ip 172.16.16.102 -netmask 255.255.255.224 \
-gateway 172.16.1
# control the settings
lunash:> net show
Now the LunaSA can be reached via ssh. Once the network connection works, an NTP service
can be set up; here the domain controller in the forest root is used as NTP server:
lunash:> sysconf ntp -addserver 172.16.16.6
8.3.3. LunaSA server certificate
Note
The LunaSA generates a server certificate for its network connection. The certificate carries
the appliance's hostname, so hsm1 must be resolvable via the DNS servers or /etc/hosts
before the certificate is generated.
Once the DNS server resolves hsm1 correctly, the server certificate can be generated:
lunash:> sysconf regenCert
CAUTION: Current Server Certificate and Private Key will be
overwritten. All clients will have to add the server
again with new certificate.
Type proceed to generate cert or quit to cancel
> proceed
To be able to use the LunaSA via network, the trusted interface has to be defined:
lunash:> ntls bind eth0
8.3.4. Initialization of HSM
To initialize the HSM, the Luna PED must be connected to the LunaSA appliance and you need a
set of PED keys. The HSM is initialized with the hsm init command; most of the parameters
for this command are entered via the Luna PED:
lunash:> hsm init -label hsm1
Note
You should stick to the web based documentation closely, since this is a sensitive process.
Roughly, after issuing the hsm init command the process is as follows:
8.3.4.1. Create HSM Admin PED Key
Insert the blue PED key. This will be the HSM Admin PED Key.
As the fresh key is blank, a new PED PIN needs to be chosen.
When asked whether to copy this PED key, backup copies of the PED key can be generated. Then log in as HSM Admin (Security Officer, SO).
8.3.4.2. Create Domain PED Key
Insert a second PED key. This will be the Domain PED Key.
If this is a fresh key, a new PED PIN should also be set.
Backups can be generated.
The initialization of the HSM has finished now. Copies of the PED Keys can also be made later.
8.3.4.3. HSM security policies
Using the command
hsm showPol -c
you can display the policies:
Description Value Code Destructive
=========== ===== ==== ===========
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12 Yes
Allow MofN auto-activation On 13 No
SO can reset partition PIN On 15 Yes
Allow network replication On 16 No
Allow Remote Authentication On 20 Yes
Force user PIN change after set/reset Off 21 No
For performing backups the policy Allow cloning must be ON. For a redundant HA setup the
policies Allow cloning and Allow network replication must be ON. Note that Allow cloning is
marked Destructive: changing a destructive policy zeroizes the HSM, so make such changes right
after hsm init and before any partitions are created.
To switch a policy to ON use the command:
hsm changePol -p 7 -v 1
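The following is an added example, not code from the LinOTP documentation or the Luna tools. It parses the text printed by hsm showPol -c (the table above is used as constructed input) and plans the hsm changePol commands needed for a backup-only or an HA deployment, separating changes to policies marked Destructive (which zeroize the HSM and therefore belong before partition create) from harmless ones. The use-case names "backup" and "ha" and the second, constructed "fresh HSM" table are assumptions of this example.

```python
"""Check the Luna SA HSM policy table against what LinOTP needs and plan the changes.

Added example, not part of LinOTP or the Luna client software.
"""
import re
from dataclasses import dataclass

# The policy table exactly as the documentation above shows it (constructed input).
SAMPLE_SHOW_POLICIES = """\
Description Value Code Destructive
=========== ===== ==== ===========
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12 Yes
Allow MofN auto-activation On 13 No
SO can reset partition PIN On 15 Yes
Allow network replication On 16 No
Allow Remote Authentication On 20 Yes
Force user PIN change after set/reset Off 21 No
"""

# Constructed variant of a freshly initialised HSM where cloning and
# network replication are still switched off.
SAMPLE_FRESH_HSM = SAMPLE_SHOW_POLICIES.replace(
    "Allow cloning On 7 Yes", "Allow cloning Off 7 Yes"
).replace("Allow network replication On 16 No", "Allow network replication Off 16 No")

# Policy codes the text above requires to be ON, by use case (names are this example's).
REQUIRED = {
    "backup": {7},      # Allow cloning
    "ha": {7, 16},      # Allow cloning + Allow network replication
}

# One data row: free-text description, On/Off, numeric code, Yes/No destructive flag.
ROW_RE = re.compile(r"^(?P<desc>.+?)\s+(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)$")


@dataclass(frozen=True)
class Policy:
    code: int
    description: str
    on: bool
    destructive: bool


def parse_policies(text):
    """Return {code: Policy} for every data row; header and ruler lines are skipped."""
    policies = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m is None:
            continue
        code = int(m["code"])
        policies[code] = Policy(code, m["desc"], m["value"] == "On", m["destr"] == "Yes")
    return policies


def plan_changes(policies, use_case):
    """Commands needed to reach the required state, split by blast radius.

    'destructive' changes zeroize the HSM (run them before creating partitions),
    'safe' changes do not, 'unknown' lists required codes the table did not show.
    """
    plan = {"destructive": [], "safe": [], "unknown": []}
    for code in sorted(REQUIRED[use_case]):
        policy = policies.get(code)
        if policy is None:
            plan["unknown"].append(code)
        elif not policy.on:
            bucket = "destructive" if policy.destructive else "safe"
            plan[bucket].append(f"hsm changePol -p {code} -v 1")
    return plan


if __name__ == "__main__":
    for name, table in (("as documented", SAMPLE_SHOW_POLICIES), ("fresh HSM", SAMPLE_FRESH_HSM)):
        print(f"{name}: {plan_changes(parse_policies(table), 'ha')}")
```

Run the script on the saved output of hsm showPol -c before creating partitions; anything listed under "destructive" has to be done at that point, since running it later wipes every partition on the HSM.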
8.3.4.4. Create HSM Partitions
The LunaSA HSM can be partitioned so that each LinOTP server uses its own partition of the
HSM. To create a new partition you must connect the Luna PED and log on as HSM admin with
the command:
lunash:> hsm login
and inserting the blue HSM Admin PED Key.
A new partition is created issuing the command:
lunash:> partition create -name yourPartition
A black Partition Owner PED key is generated, and a PIN for the black PED key needs to be set.
When asked Are you duplicating this PED Key Y/N?, backup copies of the black PED key may be
generated.
The Luna PED will now display the Password that clients (the LinOTP server) will use to
authenticate to this partition. As this password will never show again anywhere else, it needs
to be recorded/remembered:
Login secret value
btqx-EFGH-3456-7/K9
Please write it down.
(Press ENTER)
After displaying the client password the creation of the partition has finished.
If you need more partitions, create each of them with a new black Partition Owner PED key.
A separate black PED key should be used for each partition; if an existing black key is reused,
the LunaSA turns it into a so-called Group PED key.
Note
When creating Group PED Keys the access rights to the HSM of the LinOTP servers can not
be separated! It is recommended to use a separate PED Key for each partition.
8.3.4.5. Partition policies
Partition policies can be viewed on the Luna SA using the command:
lunash:> partition showPolicies -partition yourPartition
8.3.4.6. Activate Partitions
For an application to access the partition without the black Partition Owner PED key plugged
in, the partition needs to be activated. Therefore the policy Allow activation needs to be set to 1:
lunash:> partition changePolicy -partition yourPartition -policy 22 -value 1
For setting the partition policy you need to have the blue SO PED key. Afterwards the partition
can be activated:
lunash:> partition activate -partition yourPartition
When activating the partition you need to enter the client password that was generated when
the partition was initialized. For activating the partition you need to have the Partition Owner
PED key.
If the HSM loses power and is started again, the partition must be activated again, which
requires the black PED key and the client password once more. To avoid this you can turn the
Autoactivation policy on, which lets the appliance restore the activation by itself after a
power loss (the Luna documentation states the maximum outage this covers):
lunash:> partition changePolicy -partition yourPartition -policy 23 -value 1
8.3.5. Setting up HSM clients and assigning clients to HSM partitions
A LinOTP server talking to the HSM is called an HSM client. The connection is encrypted and
authenticated via certificates on both sides. The certificate of the LunaSA was already
generated above; this server certificate needs to be transferred to each LinOTP server.
Copy the server certificate to each LinOTP by issuing the command:
./ctp admin@hsm1:server.pem .
You need to add the HSM server on the client side:
./vtl addServer -n hsm1 -c server.pem
Now the client needs to get a client certificate created:
./vtl createCert -n linotp
Copy the client certificate to the LunaSA:
./ctp cert/client/linotp.pem admin@hsm1:
Now the client needs to be registered on the LunaSA and be assigned to a partition. Therefore
on the LunaSA the admin must issue the following commands:
# register the client
lunash:> client register -client linotp -hostname linotp
# assign a client to partition
lunash:> client assignPartition -client linotp -partition yourPartition
Verify the working connection by:
./vtl verify
You should see a list of the available slots. You will also need the slot number later to configure LinOTP.
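Fetching server.pem with ctp and passing it straight to vtl addServer trusts whatever file arrived. The following is an added example, not code from the LinOTP documentation or the Luna client tools: it computes the certificate's fingerprint in the usual colon-separated form and compares it, in constant time and tolerant of case and separators, with a fingerprint obtained over a second channel (for example from the appliance administrator over the serial console). The certificate body in the block is a constructed placeholder, not a real certificate; the command-line usage and file name are assumptions of this example.

```python
"""Check a fetched Luna SA server certificate against an out-of-band fingerprint.

Added example, not part of LinOTP or the Luna client tools. Intended use:
    python check_server_cert.py server.pem AB:CD:...   (fingerprint from a second channel)
With no arguments it runs against the constructed sample below.
"""
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed stand-in for the DER bytes of server.pem (NOT a real certificate).
CONSTRUCTED_DER = b"placeholder bytes standing in for hsm1's DER-encoded server certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Extract and decode the first CERTIFICATE block; reject files without one."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m["body"].split()), validate=True)


def fingerprint(pem_text, algorithm="sha256"):
    """Digest of the DER certificate in the AA:BB:CC form openssl prints."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp):
    # Accept "aa:bb", "AA BB" or bare hex so a value typed from the console compares cleanly.
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_expected(pem_text, expected_fp, algorithm="sha256"):
    """True only if the fetched certificate's fingerprint equals the out-of-band value."""
    return hmac.compare_digest(_normalize(fingerprint(pem_text, algorithm)), _normalize(expected_fp))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            pem, expected = fh.read(), sys.argv[2]
    else:
        pem, expected = CONSTRUCTED_PEM, fingerprint(CONSTRUCTED_PEM)
    print("SHA256 fingerprint:", fingerprint(pem))
    if not matches_expected(pem, expected):
        sys.exit("server.pem does NOT match the expected fingerprint; do not run vtl addServer")
    print("fingerprint matches; safe to run: ./vtl addServer -n hsm1 -c server.pem")
```

Only after the check passes should ./vtl addServer -n hsm1 -c server.pem be run; a mismatch means the file you received is not the certificate the appliance generated with sysconf regenCert.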
8.3.6. Troubleshooting
Names must resolve successfully on both sides: the LinOTP server must resolve the HSM's hostname, and the LunaSA must resolve the client hostname used in client register. Try to ping the HSM from the LinOTP server by name.