4

How are SafeNet Luna SA HSM clients verified when the clients are registered using a hostname?

Buzz LIghtyear
  • Is the FQDN of the client verified? Or is it only the certificate authentication? – Buzz LIghtyear Aug 21 '15 at 06:31
  • Note that these are PKCS#11 based clients. PKCS#11 is a standardized C interface for secure tokens. So I guess that makes it on topic, although the security site is probably a better fit. Or Safenet of course. – Maarten Bodewes Aug 21 '15 at 08:08
  • I would *expect* only certificate authentication as the PKI should be restricted to specific devices within the organization (the cert. is generally not obtained from a commercial CA I presume, more care is required during certificate generation); it would be pretty easy to try this of course, just connect from a device without a domain name. – Maarten Bodewes Aug 21 '15 at 08:15

3 Answers

3

SafeNet Luna HSMs use certificate-based authentication for clients. The certificate must be copied to the HSM and have a filename that matches the hostname used in the client register command on the HSM.

A typical process for registration is:

  1. Copy the server certificate to the client installation.

    scp admin@10.10.10.10:server.pem /usr/lunasa/cert/server/

  2. Register the server locally

    vtl addServer -n 10.10.10.10 -c /usr/lunasa/cert/server/server.pem

  3. Create the client certificate on the client:

    vtl createCert -n HOSTNAME

    This creates a certificate and private key in the cert/client directory named:

    HOSTNAME.pem (certificate)
    HOSTNAMEKey.pem (private key)

  4. Copy the client certificate to the Luna SA HSM using scp.

    scp /usr/lunasa/cert/client/HOSTNAME.pem admin@10.10.10.10:

  5. On the HSM, register the client and assign it to a partition.

    client register -client HOSTNAME -hostname HOSTNAME
    client assignPartition -client HOSTNAME -partition PARTITIONNAME

  6. On the client, verify that the client is registered and operating properly:

    $ vtl verify

    The following Luna SA Slots/Partitions were found:

    Slot    Serial #     Label
    ====    ========     =====
    1       123456789    myPartition1

Keith Bucher
  • I know the process of creating a hostname-based cert. But, if I do not configure a DNS in the HSM, or at least I should do a host IP for the HSM to allow a connection from an IP with this certificate. – Buzz LIghtyear Aug 27 '15 at 02:56
  • The reason why I asked this question is because now we have a client which connects from 2 different IPs. But physically there is only one machine from which the client connects. – Buzz LIghtyear Aug 27 '15 at 02:57
  • We are restricted from configuring a DNS in the HSM due to security reasons. So hostname verification cannot be done from the HSM. – Buzz LIghtyear Aug 27 '15 at 02:58
  • I'm not sure I understand your situation entirely, but it sounds like you cannot register clients via DNS in your HSM. You can register clients on the HSM via IP address as well as hostname. I would try creating certificates for both of the IPs on the client and registering both those IPs as clients on the HSM. – Keith Bucher Aug 27 '15 at 16:22
2

Looking at your comments after Keith helped with the process of trust/cert exchange, below is the command that you might need:

    ntls ipcheck disable

Karthik tv
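The script below is an added example, not code from either answer or from SafeNet. It covers the registration procedure in Keith Bucher's answer and the ipcheck setting in Karthik tv's answer: it checks, on the client, that the certificate file name and its subject CN both equal the name that will be passed to `client register -client NAME` (the answer only states that the file name must match; that `vtl createCert -n` also puts the name in the CN is an assumption here), that the private key actually belongs to the certificate, and it models the appliance-side IP check that `ntls ipcheck disable` turns off, as understood here: with ipcheck enabled, the NTLS connection is accepted only if its source IP is one the registered hostname resolves to, so a single machine appearing from two IPs fails for the second one; with it disabled, the certificate alone identifies the client, and the HOSTNAMEKey.pem file becomes the whole credential. The `make_client_cert` function stands in for `vtl createCert -n NAME` using the openssl CLI; client names, IPs and the partition name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes the openssl CLI is
# installed. All names, addresses and partition names are placeholders.
set -u

# Stand-in for "vtl createCert -n NAME": writes NAME.pem and NAMEKey.pem into
# DIR, a self-signed certificate whose subject CN is NAME. (Assumption: the
# real vtl createCert puts the name in the CN; the answer only states that the
# file name must match the registered client name.)
make_client_cert() { # DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/$2Key.pem" -out "$1/$2.pem" >/dev/null 2>&1
}

# Print the subject CN of a PEM certificate.
cert_cn() { # CERT
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if both the file name stem and the CN equal NAME, the value that will be
# given to "client register -client NAME" on the appliance.
cert_matches_client() { # CERT NAME
    stem=$(basename "$1" .pem)
    [ "$stem" = "$2" ] || return 1
    [ "$(cert_cn "$1")" = "$2" ]
}

# 0 if the private key belongs to the certificate (compares the public keys);
# a mismatched pair registers fine on the HSM but never completes an NTLS
# handshake.
key_matches_cert() { # CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Model of the appliance's "ntls ipcheck" (assumed semantics): with it enabled
# the connection is accepted only if its source IP is one the registered
# hostname resolves to. Pure string comparison so it runs offline: pass the
# connecting IP, then the IP(s) the HSM resolves the registered name to.
# "ntls ipcheck disable" skips this test, leaving only the certificate.
ipcheck_would_pass() { # SOURCE_IP RESOLVED_IP...
    src=$1; shift
    for ip in "$@"; do
        [ "$ip" = "$src" ] && return 0
    done
    return 1
}

# The two lunash commands of step 5, for "ssh admin@HSM" or a console session.
lunash_register_cmds() { # NAME HOSTNAME_OR_IP PARTITION
    printf 'client register -client %s -hostname %s\n' "$1" "$2"
    printf 'client assignPartition -client %s -partition %s\n' "$1" "$3"
}

# Usage: generate a client certificate, run the checks, print the lunash lines.
demo() {
    dir=$(mktemp -d)
    name=myclient.example.com        # placeholder client name / hostname
    make_client_cert "$dir" "$name"
    if cert_matches_client "$dir/$name.pem" "$name" \
       && key_matches_cert "$dir/$name.pem" "$dir/${name}Key.pem"; then
        echo "certificate checks passed; run on the appliance:"
        lunash_register_cmds "$name" "$name" myPartition1
    else
        echo "certificate checks failed; do not register this certificate" >&2
    fi
    # Same machine seen from two IPs, as in the question: with ipcheck enabled
    # the second address is rejected unless it is registered separately.
    ipcheck_would_pass 10.10.10.21 10.10.10.20 \
        || echo "10.10.10.21 would be rejected while ntls ipcheck is enabled"
    rm -rf "$dir"
}
demo
```

If the checks fail, regenerate the pair with `vtl createCert -n NAME` using exactly the name you will register, rather than disabling ipcheck to make a mismatch go away; ipcheck and the certificate check are independent, and disabling the former only helps the multi-IP case described in the comments.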
0

The HSM verifies clients based on the NTL (Network Trust Link) connection. Establishing an NTL connection is mandatory before a client makes a call to the HSM via Cryptoki. The procedure to establish an NTL connection is explained by @Keith Bucher.