Version: v43

Thales Luna

This document provides instructions for setting up Thales Luna Network HSM as an HSM provider for PrivX. This integration allows PrivX to store and/or encrypt its cryptographic keys in the HSM.

These instructions are only applicable to fresh deployments: existing PrivX deployments cannot be integrated with HSM.

These instructions are to be used together with the PrivX-setup instructions provided in the PrivX Administrator Manual.

Disclaimers

This document includes instructions regarding third-party products by Thales. These instructions are provided for general guidance only.

Documentation involving third-party products includes setting up partitions in Luna Network HSM. The instructions in this manual were verified against SafeNet Luna SA 5 (5.4.7-1) and Thales Luna Cloud HSM Services. These instructions will need to be adapted when using other versions of Luna Network HSM.

SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, nor guarantee that the content related to third-party products is up to date.

SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as Luna Network HSM, nor provide any support or other services for third-party products.

For instructions about setting up and operating Thales products, we always recommend that you consult the official vendor documentation intended for the specific version(s) of Thales products in your use and/or directly contact Thales representatives or support.

It is always your responsibility to define the final production setup for the Thales products that you use.

Setup for Luna Network HSM

Follow the Luna Network HSM vendor documentation to install and configure the HSM.

You will need to:

  • Create a partition for use with PrivX and take note of the partition password.
  • Install Luna Network HSM clients with the following components on PrivX Servers:
    • Luna SDK
    • Luna JSP
    • Luna JCProv
  • Configure Client-Partition Connection on PrivX Servers.
  • Register your PrivX Servers as Luna clients and assign them to the partition.

Once you've completed the previous steps, you can verify the partition with:

sudo /usr/safenet/lunaclient/bin/vtl verify

Verify that the output looks similar to this:

Slot Serial #         Label
==== ================ ==============
0    153524008        privxpartition

Note the slot ID, which will be required later during PrivX-Server setup.

Setup for Luna Cloud HSM

Follow the Luna Cloud HSM vendor documentation to provision a service, then a partition, and finally install the client on the PrivX Servers.

Initialize the crypto officer using lunacm according to the vendor instructions. The crypto officer password is used as the PKCS#11 pin during PrivX installation.

When launching lunacm, the tool should print information about the partition. Take note of the partition's slot ID, as this will be used as the PKCS#11 slot during PrivX installation.

Info: If your Luna Cloud HSM runs under a trial license, the number of keys it can hold is capped. That is enough for a basic evaluation of PrivX, but you are likely to reach the cap soon after creating a few Access Groups or Role Principal Keys, each of which stores keys in the HSM.

Setting Up PrivX-Server Software on PrivX Machines

Info: If you installed the Luna SDK in a non-default location, export ChrystokiConfigurationPath=</custom/install/path> before running the PrivX installation, and append the same line to /opt/privx/scripts/local-env so that the PrivX services find the client configuration as well. The variable must point to the directory that contains Chrystoki.conf, not to the file itself. Also adjust the provider library file path accordingly when prompted.

Set up PrivX-Server software according to Deployment instructions, while paying attention to the following points.

You will be prompted for HSM settings during postinstall. Provide them as follows:

  • Enable pkcs11 keyvault support? [y/N]
    Enter y to enable.
  • Select pkcs11 provider:
    Select the option for Thales Luna Network HSM.
  • Enter pkcs11 provider library file path:
    Enter the path of the Luna PKCS#11 library, by default /usr/safenet/lunaclient/lib/libCryptoki2_64.so (adjust the path if the Luna client is installed elsewhere).
  • Enter pkcs11 slot:
    Enter the slot number of the PrivX partition that you noted earlier. In this example: 0
  • Enter pkcs11 pin: and Enter pkcs11 pin again:
    Enter and verify the password of the PrivX partition (Luna Network HSM) or of the crypto officer (Luna Cloud HSM).
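Before typing the answers above into postinstall, it is worth confirming that the slot, library path and pin actually work, because postinstall has no way to recover from a wrong slot or an unreachable partition. The script below is an added example and not part of PrivX or the Luna client; it assumes the Luna client is installed under /usr/safenet/lunaclient, that the output layout of vtl verify is the one shown on this page, and that OpenSC's pkcs11-tool is available for the login test. The embedded vtl verify output is a constructed sample used only for the offline self-check.

```shell
#!/bin/sh
# Added example (not PrivX's or Thales's own code): pre-flight checks for the
# values answered at the PrivX postinstall HSM prompts. Assumes the Luna client
# lives under /usr/safenet/lunaclient and that OpenSC's pkcs11-tool is installed.
set -eu

LUNA_BIN=/usr/safenet/lunaclient/bin
DEFAULT_LIB=/usr/safenet/lunaclient/lib/libCryptoki2_64.so

# Constructed sample of "vtl verify" output, used only for the offline self-check.
SAMPLE_VTL_OUTPUT='The following Luna SA Slots/Partitions were found:

Slot Serial #         Label
==== ================ ==============
0    153524008        privxpartition
1    153524009        otherpartition'

# slot_for_label LABEL -- read "vtl verify" output on stdin and print the slot
# ID of the partition whose label matches exactly; exit 1 if there is none.
# Only rows whose first field is numeric are slot rows; the header line and the
# "====" rule are skipped.
slot_for_label() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $3 == want { print $1; found = 1 }
        END { exit !found }
    '
}

# check_library PATH -- the path answered at "Enter pkcs11 provider library file
# path" must be readable and must not have unresolved shared-object dependencies.
check_library() {
    lib=$1
    [ -r "$lib" ] || { echo "provider library not readable: $lib" >&2; return 1; }
    if ldd "$lib" 2>/dev/null | grep -q 'not found'; then
        echo "provider library has unresolved dependencies:" >&2
        ldd "$lib" | grep 'not found' >&2
        return 1
    fi
}

# hsm_preflight LABEL [LIB] -- live checks against the HSM client:
#  1. vtl verify sees the partition and yields its slot ID,
#  2. the provider library loads,
#  3. a PKCS#11 login to that slot succeeds. pkcs11-tool prompts for the PIN,
#     so the partition/crypto-officer password never appears in the process list.
hsm_preflight() {
    label=$1
    lib=${2:-$DEFAULT_LIB}

    # If the client config was relocated, the variable must name the directory
    # holding Chrystoki.conf (see the note on ChrystokiConfigurationPath above).
    if [ -n "${ChrystokiConfigurationPath:-}" ] && \
       [ ! -r "$ChrystokiConfigurationPath/Chrystoki.conf" ]; then
        echo "ChrystokiConfigurationPath is set but Chrystoki.conf is not readable there" >&2
        return 1
    fi

    slot=$(sudo "$LUNA_BIN/vtl" verify | slot_for_label "$label") || {
        echo "no partition labelled '$label' is visible to this client" >&2
        return 1
    }
    check_library "$lib"

    # --slot takes the PKCS#11 slot ID, which is the number vtl verify prints.
    pkcs11-tool --module "$lib" --slot "$slot" --login --list-objects >/dev/null
    echo "OK: slot=$slot library=$lib (use these at the postinstall prompts)"
}

# Offline self-check on the constructed sample. The live checks run only when
# invoked as:  sh hsm-preflight.sh run privxpartition [/path/to/libCryptoki2_64.so]
printf '%s\n' "$SAMPLE_VTL_OUTPUT" | slot_for_label privxpartition
if [ "${1:-}" = run ]; then
    shift
    hsm_preflight "$@"
fi
```

Run it on each PrivX server with the label of the PrivX partition; the printed slot is the value for the "Enter pkcs11 slot" prompt, and a successful login confirms that the pin you are about to enter is the right one for that slot. Taking the PIN interactively rather than on the command line is deliberate: arguments are visible to every local user through ps.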

Info: To automate postinstall, provide the HSM settings (and other settings) in /opt/privx/scripts/postinstall_env, and source the file before running postinstall. Because this file then contains the PKCS#11 pin, make it readable by root only (for example with chmod 600) and do not leave the pin in it longer than necessary.

After this, proceed with setup as normal. You should have access to the PrivX GUI after postinstall completes.

If you need to set up additional PrivX servers, duplicate the PrivX-server setup to other PrivX machines as described in High-Availability Deployment.

Info: The provided backup.sh and restore.sh utilities only duplicate the PrivX-server setup. They do not duplicate the Luna HSM client setup: install the Luna client on each additional PrivX server, register it as a Luna client and assign it to the PrivX partition, as described under Setup for Luna Network HSM, before restoring.