Skip to main content

SafeNet Network HSM

The SafeNet Network HSM 7 (formerly known as Luna SA) is a network HSM which allows users to create a partition to store a key, such as the RA key required to strongly authenticate to the DigiCert® Trust Lifecycle Manager. It includes many features that increase security, connectivity, and ease of administration in dedicated and shared security applications.

To access the partition of SafeNet Network HSM 7, use the Luna HSM Client through Network Trust Link Service (NTLS).

image2.png

Install Luna HSM Client

Follow the steps below to install the Luna HSM Client software on the client machine:

  1. Run LunaHSMClient.exe as Administrator.

    image3.png
  2. Select Install options and features.

    Check the following Luna Devices (some options and features are optional, depending on your environment):

    • Network

    • (Optional) Remote PED 

    Check the following Features (optional features depending on your environment):

    • CSP(CAPI) / KSP(CNG)

    • (Optional) JCE / JCA Provider (JSP)

    • (Optional) PKCS #11 (JCProv)

    Check the Software License Agreement, and then select INSTALL.

    image4.png
  3. Wait for completion. The progress bar is displayed at the bottom of the window.

    image5.png
  4. Once the installation is complete, select OK. The UNINSTALL and MODIFY button is displayed. Select QUIT.

    image6.png

Configure Luna HSM Client

Before following the steps listed below, a partition must be created. This is referred to as <PARTITION-NAME> throughout this document.

Follow these steps to configure the Luna HSM Client:

  1. Open a Command Prompt window and run the following commands:

    > cd C:\Program Files\SafeNet\LunaClient
    > lunacm.exe
  2. Create a Network Trust Link (NTL) - this is a one-step setup. If you have already created an NTL, proceed to step 4.

    lunacm:> clientconfig deploy -server <SERVER-HOSTNAME> -client <CLIENT-HOSTNAME> -par <PARTITION-NAME>
    Please wait while we set up the connection to the HSM. This may take several minutes...
    Please enter appliance admin role user's password:
    Command Result : No Error
    lunacm.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
    Slot Id -> 1
    Label -> <PARTITION-NAME>
    Serial Number -> 1314971349473
    Model -> LunaSA 7.2.0
    Firmware Version -> 7.0.3
    Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
    Slot Description -> Net Token Slot
    FM H Status -> FM Ready
    Current Slot Id: 1
    lunacm:> clientconfig v
    The following Luna SA Slots/Partitions were found:
    Slot Serial # Label
    ==== ================ =====
    1 1314971349473 <PARTITION-NAME>
    Command Result : No Error
  3. If you do not want to follow the one step setup (Step 2 above), follow these steps:

    • Obtain the Server certificate.

      The Server certificate has been created on the HSM, so it needs to be copied from the server.

      > pscp -scp admin@<SERVER-HOSTNAME>:server.pem
    • Add a Server for the Client side.

      > vtl addServer -n <SERVER-HOSTNAME> -c server.pem
      New server <SERVER-HOSTNAME> successfully added to server list.
    • Create a Client certificate.

      > vtl createCert -n <CLIENT-HOSTNAME>
      Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\<CLIENT-HOSTNAME>Key.pem
      Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\<CLIENT-HOSTNAME>.pem
    • Upload the Client certificate to the Server.

      > pscp -scp cert\client\<CLIENT-HOSTNAME>.pem admin@<SERVER-HOSTNAME>:
      admin@<SERVER-HOSTNAME>'s password:
      <CLIENT-HOSTNAME>.pem         | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

    Next, at the Server:

    • Register the Client and connect to the HSM via SSH.

      lunash:> client register -client <CLIENT-HOSTNAME> -hostname <CLIENT-HOSTNAME>
      'client register' successful.
      Command Result : 0 (Success)
    • Assign a partition to a Client and connect to the HSM via SSH.

      lunash:> client assignPartition -client <CLIENT-HOSTNAME> -partition <PARTITION-NAME>
      'client assignPartition' successful.
      Command Result : 0 (Success)

    Now, at the Client:

  4. Confirm connection settings.

    The working directory is C:\Program Files\SafeNet\LunaClient

    > vtl listServers
    Server: <SERVER-HOSTNAME> HTL required: no
    > vtl verify
    vtl (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
    The following Luna SA Slots/Partitions were found:
    Slot    Serial #                Label
    ====    ================        =====
    1 1314971349473               <PARTITION-NAME>
  5. Configure logging (optional). The working directory is C:\Program Files\SafeNet\LunaClient. The name of the log folder is c:\temp in the following example and it can be changed.

    > vtl logging configure c:\temp
    Success setting log path to c:\temp
    > vtl logging show
    Client logging written to: c:\temp\LunaCryptokiLog.htm

Configure High Availability (HA)

  1. Create an HA Group.

    Open a Command Prompt window and run the following client commands:

    > cd C:\Program Files\SafeNet\LunaClient
    > lunacm.exe
    lunacm:> slot set -s <SLOT-NUMBER>
    lunacm:> hagroup creategroup -se <SERIALNUMBER> -label <HA-LABEL>
    Enter the password: ************
    New group with label "HAGroup" created with group number <SERIALNUMBER>.
    Group configuration is:
    HA Group Label: <HA-LABEL>
    HA Group Number: 11336489553517
    HA Group Slot ID: Not Available
    Synchronization: enabled
    Group Members: 1336489553517
    Needs sync: no
    Standby Members: <none>
    Slot # Member S/N Member Label Status
    ====== ========== ============ ======
    1 1336489553517 <PARTITION-NAME>alive
    Command Result : No Error
    lunacm.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights
    reserved.
    Available HSMs:
    Slot Id -> 1
    Label -> <PARTITION-NAME>
    Serial Number -> 1336489553517
    Model -> LunaSA 7.2.0
    Firmware Version -> 7.0.3
    Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
    Slot Description -> Net Token Slot
    FM HW Status -> FM Ready
    Slot Id -> 5
    HSM Label -> <HA-LABEL>
    HSM Serial Number -> 11336489553517
    HSM Model -> LunaVirtual
    HSM Firmware Version -> 7.0.3
    HSM Configuration -> Luna Virtual HSM (PED) Signing With Cloning Mode
    HSM Status -> N/A - HA Group
    Current Slot Id: 1 

    注意

    Both Configure CSP and Configure KSP must be configured again if you run the steps above.

  2. Enable HA Only

    lunacm:> slot set -s <HA-SLOT-NO>
    Current Slot Id: <HA-SLOT-NO> (Virtual HSM 7.0.3 (PED) Signing
    With Cloning Mode)
    Command Result : No Error
    
    lunacm:> hagroup ho -e
    "HA Only" has been enabled.
    Command Result : No Error
    
    
    lunacm:> hagroup ho -s
    This system is configured to show only HA slots. (HA Only is
    enabled)
    Command Result : No Error

Configure CSP

注意

For the deployment of the Autoenrollment Server, you need to configure CSP.

For SafeNet CSP, the utility register.exe (64-bit version) takes care of the registry.  To configure CSP, open a Command Prompt window and run the following commands:  

  1. Register CSP Library

    C:\Program Files\SafeNet\LunaClient\CSP>register.exe /library
    
    register.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights
    reserved.
    
    Success registering SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Luna
    enhanced RSA and AES provider for Microsoft Windows.
    Success registering SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Luna
    Cryptographic Services for Microsoft Windows.
    Success registering SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Luna
    SChannel Cryptographic Services for Microsoft Windows.
  2. Register the partition

    C:\Program Files\SafeNet\LunaClient\CSP>register.exe
    register.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights
    reserved.
    
    ***************************************************************************
    *                                                                         *
    *  Safenet LunaCSP, Partition Registration                                *
    *                                                                         *
    *  Protect the HSM's challenge for the selected partitions.               *
    *                                                                         *
    *  NOTE:                                                                  *
    *  This is a WEAK protection of the challenge.                            *
    *  After you have configured all applications that will use               *
    *  the LunaCSP and ran them once, you MUST run:                           *
    *  register /partition /strongprotect                                     *
    *  to strongly protect the registered challenges.                         *
    *                                                                         *
    ***************************************************************************
    
    This is a destructive procedure and will overwrite any previous
    registrations.
    
    Do you wish to continue?: [y/n]y
    Do you want to register the partition named '<PARTITION-NAME>'?[y/n]: y
    
    Enter challenge for partition '<PARTITION-NAME>' : <Only hit "Enter" then the
    PED Authentication will be requested>
    Success registering the ENCRYPTED challenge for partition '<PARTITIONNAME>:1'.
    Only the LunaCSP will be able to use this data.
    Registered 1 partition(s) for use by the LunaCSP.
  3. Register the HA partition

    Run the following commands if HA is configured.

    c:\Program Files\SafeNet\LunaClient\CSP>register.exe /h
    register.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights
    reserved.
    ***************************************************************************
    *                                                                         *
    * Safenet LunaCSP, Partition Registration                                 *
    *                                                                         *
    * Protect the HSM's challenge for the selected partitions.                *
    *                                                                         *
    * NOTE:                                                                   *
    * This is a WEAK protection of the challenge.                             *
    * After you have configured all applications that will use                *
    * the LunaCSP and ran them once, you MUST run:                            *
    * register /partition /strongprotect                                      *
    * to strongly protect the registered challenges.                          *
    *                                                                         *
    ***************************************************************************
    This is a destructive procedure and will overwrite any previous
    registrations.
    Do you wish to continue?: [y/n]y
    Do you want to register the partition named ''?[y/n]: y
    Enter challenge for partition '' :************
    Success registering the ENCRYPTED challenge for partition ':1'.
    Only the LunaCSP will be able to use this data.
    Registered 1 partition(s) for use by the LunaCSP.

Configure KSP

To configure KSP (CNG), run KspConfig.exe (the default location is C:\Program Files\SafeNet\LunaClient\KSP\). 

Follow instructions for the use of the graphical KspConfig.exe as described in KSP for CNG in the SDK Reference Guide.

The following window will appear:

image7.png
  1. Double-click Register Or View Security Library, then confirm the value C:\Program Files\SafeNet\LunaClient\cryptoki.dll.

    image8.png
  2. Double-click Register HSM Slots for Administrator/<Domain Name>

    • Select Administrator

    • Select <Domain Name>

    • Select HA Group for Available Slots 

    • Enter Slot Password

  3. Select Register Slot.

    image9.png
  4. Double-click Register HSM Slots for SYSTEM/NT AUTHORITY.

    • Select SYSTEM

    • Select NT AUTHORITY

    • Select HA Group for Available Slots 

    • Enter Slot Password

  5. Select Register Slot.

    image10.png

    注意

    When you click Register Slot, there is no change on Registered Slot, but this step is necessary.

When registering the Luna KSP (with the Luna KSPConfig utility), use the following user and domain combinations:

  • The user and domain performing these procedures.

  • The user and domain running the web application and using the private key.

  • The local user and NT Authority domain user.

  • The LocalSystem and NTAuthority of the system.

注意

If you implement the Autoenrollment server, you must also install and register the Luna CSP. Refer to the SafeNet product documentation for details.

Generate CSR

  1. Create the information file for the CSR. To generate the CSR using certreq.exe through CSP, the ProviderName must be Luna Cryptographic Services for Microsoft Windows. The .inf file looks as follows:

    [NewRequest]
    KeyUsageProperty = "NCRYPT_ALLOW_ALL_USAGES"
    RequestType = PKCS10
    ProviderName = "Luna Cryptographic Services for Microsoft Windows"
    ProviderType = 1
    Subject = "CN=Registration Authority"
    KeyContainer = "CSPRA20220725"
    MachineKeySet = TRUE
    HashAlgorithm = SHA256
    KeyAlgorithm = RSA
    KeyLength = 2048
  2. Generate the CSR through HSM.

    注意

    <inf-file> is the file created in step 1, <csr-file> is an output file.

    • Open command prompt and run the following command:

      > certreq -new <inf-file> <csr-file>
    • The CSR file will be generated as follows;

      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIIDjzCCAncCAQAwITEfMB0GA1UEAwwWUmVnaXN0cmF0aW9uIEF1dGhvcml0eTCC
      ....
      C610uaqncn6FvLu5pygZYFEVtOanCXNQRRUWiDGWKjHF+10GMh+V5YUur55T4W80
      0uwK
      -----END NEW CERTIFICATE REQUEST-----
  3. Get a client authentication certificate.

    Refer to section Get a client authentication certificate

  4. Install RA certificate.

    Refer to the section Install RA certificate