
How are clients verified in Safenet Luna SA HSM?

How are Safenet Luna SA HSM clients verified when the clients are registered using a hostname?

Buzz LIghtyear asked Sep 20 '25 16:09


1 Answers

Safenet Luna HSMs use certificate-based authentication for clients. The certificate must be copied to the HSM and have a filename that matches the hostname used in the client register command on the HSM.

A typical process for registration is:

  1. Copy the server certificate to the client installation.

    scp [email protected]:server.pem /usr/lunasa/cert/server

  2. Register the server locally:

    vtl addServer -n 10.10.10.10 -c /usr/lunasa/cert/server/server.pem

  3. Create the client certificate on the client:

    vtl createCert -n HOSTNAME

    This creates a certificate and private key in the cert/client directory named:

    HOSTNAME.pem (certificate)
    HOSTNAMEKey.pem (private key)

  4. Copy the client certificate to the Luna SA HSM using scp.

    scp /usr/lunasa/cert/client/HOSTNAME.pem [email protected]:

  5. On the HSM, register the client and assign it to a partition.

    client register -client HOSTNAME -hostname HOSTNAME
    client assignPartition -client HOSTNAME -partition PARTITIONNAME

  6. On the client, verify that the client is registered and operating properly:

    $ vtl verify

    The following Luna SA Slots/Partitions were found:

    Slot    Serial #     Label
    ====    ========     =====
    1       123456789    myPartition1

Keith Bucher answered Sep 23 '25 10:09
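
A client-side sanity check to run between steps 3 and 4 of the answer above, added here as an example and not part of the original answer or of SafeNet's tooling. It assumes `openssl` is installed, that the files created by `vtl createCert` are PEM files `openssl` can read, and that the certificate's subject CN is expected to equal the hostname used for registration; the script name `check_cert.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a Luna client cert before `client register`.
# Assumptions (not from the answer): openssl is installed, and the certificate
# subject CN is expected to equal the hostname passed to `vtl createCert -n`.

# check_client_cert HOSTNAME CERT_DIR
# Returns 0 when everything is consistent; 1-6 identify the failed check.
check_client_cert() {
    host=$1
    cert="$2/$host.pem"        # file naming from the answer: HOSTNAME.pem
    key="$2/${host}Key.pem"    # file naming from the answer: HOSTNAMEKey.pem

    # 1-2. Both files must exist under the hostname that will be registered.
    [ -f "$cert" ] || { echo "missing $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing $key" >&2; return 2; }

    # 3. Subject CN must equal the hostname (assumption noted above).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match '$host'" >&2; return 3; }

    # 4. The private key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; return 4; }

    # 5. The private key stays on the client: no group/other permission bits.
    perms=$(ls -lL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$key is too permissive" >&2; return 5; }

    # 6. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 6; }
    return 0
}

# Usage: sh check_cert.sh HOSTNAME /usr/lunasa/cert/client
if [ "$#" -eq 2 ]; then
    check_client_cert "$1" "$2"
fi
```

A non-zero exit status identifies which check failed, so the script can gate the `scp` in step 4.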