SafeNet Luna SA as an HSM Provider
This document provides instructions for setting up SafeNet Luna SA (Luna SA) as an HSM provider for PrivX. This integration allows PrivX to store and/or encrypt its cryptographic keys with the HSM.
These instructions are only applicable to fresh deployments: existing PrivX deployments cannot be integrated with HSM.
These instructions are to be used together with the PrivX-setup instructions provided in the PrivX Administrator Manual.
Disclaimers
This document includes instructions regarding third-party products by Thales. These instructions are provided for general guidance only.
Documentation involving third-party products includes setting up partitions in Luna SA. The instructions in this manual were verified against SafeNet Luna SA 5 (5.4.7-1). These instructions will need to be adapted when using other versions of Luna SA.
SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, nor guarantee that the content related to third-party products is up to date.
SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as Luna SA, nor provide any support or other services for third-party products.
For instructions about setting up and operating Thales products, we always recommend that you consult the official vendor documentation intended for the specific version(s) of Thales products in your use and/or directly contact Thales representatives or support.
It is always your responsibility to define the final production setup for the Thales products that you use.
Prerequisites
Check and ensure the following before performing the procedures in this document:
- Your Luna SA has a partition for PrivX use (PrivX partition). You also know the password for the PrivX partition.
- You have admin access to your Luna SA.
- You have familiarized yourself with the PrivX-deployment prerequisites and setup instructions. Note that these differ between single-server and HA deployments.
- On the host(s) where PrivX shall be installed (PrivX machines), you have installed Luna SA clients with the following components:
- Luna SDK
- Luna JSP
- Luna JCProv
Integration Steps
The high-level workflow for Luna-SA integration involves:
- Connecting PrivX machines to Luna-SA partition.
- Setting up PrivX-server software on PrivX machines.
These steps are described in more detail in the following sections.
Connecting PrivX Machines to Luna-SA Partition
Set up a Network Trust Link between Luna SA and your PrivX machine(s). Unless otherwise specified, the following steps are to be performed on all PrivX machines:
Obtain the Luna-SA-server certificate and register the Luna-SA server with it. This can be done as follows (replace admin and lunasa.example.com with your Luna-SA administrator name and your Luna-SA-server address respectively):
# scp admin@lunasa.example.com:server.pem .
# /usr/safenet/lunaclient/bin/vtl addServer -n lunasa.example.com -c server.pem
Create a client certificate and register it with your Luna SA (replace privx.example.com with the FQDN or the IP address of your PrivX machine):
# /usr/safenet/lunaclient/bin/vtl createCert -n privx.example.com
# scp /usr/safenet/lunaclient/cert/client/privx.example.com.pem admin@lunasa.example.com:
The provided PrivX-machine address must be resolvable on your Luna SA: if your environment lacks DNS, use IP addresses instead.
On your Luna SA, register the PrivX machine as a Luna-SA client, and assign the client to the PrivX partition (replace privxclient with an arbitrary client name, replace privxpartition with the name of the Luna-SA partition reserved for PrivX):
lunash:> client register -client privxclient -hostname privx.example.com
lunash:> client assignPartition -client privxclient -partition privxpartition
Back on the PrivX machine, verify that the Network Trust Link is configured correctly:
# /usr/safenet/lunaclient/bin/vtl verify
On successful configuration, the PrivX partition is listed in the output, similar to the following:
Slot    Serial #            Label
====    ================    ==============
0       153524008           privxpartition
Note the slot number of the PrivX partition, required later for setting up PrivX.
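As an added example (not from the PrivX manual or from Thales), the following shell snippet parses the slot table printed by vtl verify to find the slot number of the PrivX partition, which is the value answered at the "Enter pkcs11 slot:" prompt during postinstall. It assumes the vtl path and the column layout shown above, a single-word partition label, and uses a constructed sample of the verify output.

```shell
#!/bin/sh
# Added example: derive the pkcs11 slot number for a partition label from
# `vtl verify` output instead of reading it by eye. Run on each PrivX machine,
# since the Network Trust Link is set up per machine.
# Assumption: vtl lives at the path shown on this page.
VTL=/usr/safenet/lunaclient/bin/vtl

# slot_for_partition LABEL  (reads vtl verify output on stdin)
# Prints the slot number whose Label column equals LABEL; exits 1 if absent.
slot_for_partition() {
    awk -v want="$1" '
        # The data rows start after the "==== ==== ====" rule under the header.
        /^=+[ \t]+=+[ \t]+=+/ { intable = 1; next }
        # Columns: Slot, Serial #, Label (label assumed to be a single word).
        intable && NF >= 3 && $3 == want { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample in the format shown on this page (not real output).
SAMPLE_VERIFY='The following Luna SA Slots/Partitions were found:

Slot    Serial #            Label
====    ================    ==============
0       153524008           privxpartition
1       153524009           otherpartition
'

# privx_slot LABEL: query the installed client when present, else the sample.
privx_slot() {
    if [ -x "$VTL" ]; then
        "$VTL" verify | slot_for_partition "$1"
    else
        printf '%s' "$SAMPLE_VERIFY" | slot_for_partition "$1"
    fi
}
```

A non-zero exit from slot_for_partition means the partition is not assigned to this client, so the Network Trust Link steps above should be rechecked before running postinstall.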
Setting Up PrivX-Server Software on PrivX Machines
Set up PrivX-server software on a PrivX machine according to the PrivX Administrator Manual, while paying attention to the following points.
You will be prompted for HSM settings during postinstall. Provide them as follows:
Enable pkcs11 keyvault support? [y/N]
To enable, enter y
Select pkcs11 provider [1-3]:
To select SafeNet Network HSM, enter 1
Enter pkcs11 provider library file path:
Enter /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Enter pkcs11 slot:
Enter the slot number of the PrivX partition. In this example: 0
Enter pkcs11 pin: and Enter pkcs11 pin again:
Enter the password of the PrivX partition, then enter it again to verify it.
To automate postinstall, provide the HSM settings (and other settings) in /opt/privx/scripts/postinstall_env, and source the file before running postinstall.
After this, proceed with setup as normal. You should have access to the PrivX GUI after postinstall completes.
If you need to set up additional PrivX servers, duplicate the PrivX-server setup to other PrivX machines as described in High-Availability Deployment.
The provided backup.sh and restore.sh utilities only duplicate the PrivX-server setup. They do not duplicate Luna-SA-client setups: the Network Trust Link steps above must be performed separately on each PrivX machine.