Connect to and Set Up the HSM
This section assumes that the Thales / Thales TCT client software has been installed in your specific environment (for example: on a Windows, Linux®, or Solaris™ platform). To verify, check the contents on the Client Software installation package delivered with the HSM. It will have specific instructions about installing the vendor software.
Before you attempt to set up the HSM for the first time, establish a serial connection between the workstation and the HSM. A Terminal Emulation tool (for example, TeraTermPro) must be used for setting up the serial communication using the following settings:
- Serial port baud rate: 115200
- N, 8, 1 (no parity, 8 data bits, one stop bit)
- VT-100 terminal emulation
During the first login attempt, you will be required to set up a new password for the HSM. Remember that both username and password are case-sensitive. The following operations are the responsibility of the HSM administrator:
- Set up,
- Record and assign partitions, and
- Exchange the certificates.
The set of commands listed in Procedure 1: Set Date, Time, and Timezone provides an example of the code required to perform the operation. These values change for each HSM being set up and reflect the settings in which the network HSM will operate.

This section illustrates how to set the date, time, and timezone. The same command is used for setting the date (sysconf -date ...) and the time (sysconf -time ...). The current date, time, and timezone are read with status -date, status -time, and status -zone, respectively. Set the date, time, and timezone using the following sample as a guide:
[cmslunasa] lunash:> sysconf -timezone -set US/Eastern
Timezone set to US/Eastern
Command Result : 0 (Success)

If the network uses the Domain Name System (DNS), the hostname for the HSM must be entered into the DNS record of the network to which the HSM connects. If DNS is not used in the network, then you can enter an arbitrary hostname. Set the hostname using the following sample as a guide:
[cmslunasa] lunash:>net hostname ade_luna_sa
Success: Hostname ade_luna_sa set.
Command Result : 0 (Success)

This operation sets the domain name in which the HSM operates. Set the domain name using the following sample as a guide:
[ade_luna_sa] lunash:>net domain luna_sa.test.com
Success: DomainName luna_sa.test.com set.
Command Result : 0 (Success)

This operation sets a new IP address for the DNS name server (this operation is optional if there is no DNS involved). Change the IP address of the DNS name server using the following sample as a guide:
[ade_luna_sa] lunash:>net -dns -nameserver 192.168.5.78
Success: Nameserver 192.168.5.78 added
Command Result : 0 (Success)

This operation sets up the IP address for the Ethernet device for the HSM port (eth0 or eth1). Set up the IP address for an Ethernet device using the following sample as a guide:
[ade_luna_sa] lunash:>net interface -static -device eth0 -ip 192.168.5.200 -netmask 255.255.255.0 -gateway 192.168.5.1
If you are sure that you want to restart the network, then type 'proceed'; otherwise, type 'quit':
> proceed
Proceeding...
Restarting network service...
Shutting down loopback interface: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Command Result: 0 (Success)
To verify your settings, ping the server name (or its IP address) from the HSM environment using the following sample as a guide. The syntax is:
net ping <servername or IP address>
[ade_luna_sa] lunash:>net ping supreme.testLunadomain.testval.activcard.com
PING supreme.testLunadomain.testval.activcard.com (192.168.5.24) from
192.168.5.200 : 56(84) bytes of data.
64 bytes from supreme.testLunadomain.testval.activcard.com (192.168.5.24): icmp_seq=0 ttl=128 time=492 usec
--- supreme.testLunadomain.testval.activcard.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.492/0.492/0.492/0.000 ms
Command Result: 0 (Success)

This operation adds a Network Time Protocol (NTP) server to the HSM server list. Add a server to the HSM server list using the following sample as a guide:
[ade_luna_sa] lunash:>sysconf ntp -addserver 192.168.5.200
Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
NTP server 192.168.5.200 added
Command Result: 0 (Success)

The client’s network application and the HSM securely exchange data through a Network Trust Link (NTL). This operation changes the default certificate that is recorded in the HSM for NTLS (Network Trust Link Service) protected communications. Generate a new HSM server certificate using the following sample as a guide:
[ade_luna_sa] lunash:>sysconf regencert 192.168.5.200
WARNING!! This command will overwrite the current server certificate and private key.
All clients will have to add this server again with this new certificate.
If you are sure that you wish to proceed, then type 'proceed'; otherwise type 'quit':
> proceed
Proceeding...
'sysconf regenCert' successful. NTLS must be (re)started before clients can connect.
Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.
Command Result: 0 (Success)
NTLs (Network Trust Links) are secure, authenticated network connections between the HSM and the client's network application. NTLS uses two-way digital certificate authentication and SSL data encryption to protect sensitive data as it is transmitted between the HSM partitions and the client's application. NTLS resides on the HSM, NTLA resides on the client, and the NTL is the secure connection between NTLS and NTLA. To create an NTL, the client and the HSM must first exchange certificates. Those certificates identify each party and are shared before the NTL is considered to be up and running.
The ntls show command is used in cases where there is no DNS involved. Whenever DNS is involved, the following command is called:
[ade_luna_sa] lunash:>sysconf regencert

This command restarts NTLS on the HSM. Restart NTLS using the following sample as a guide:
[ade_luna_sa] lunash:>service r ntls
Checking for connected clients before stopping NTLS service:
There are no connected clients. Proceeding...
Stopping ntls: [ OK ]
Starting ntls: [ OK ]
Command Result: 0 (Success)

The following command must be sent to bind NTLS (in the HSM) to the physical Ethernet port (eth0 or eth1). Bind NTLS using the following sample as a guide:
[ade_luna_sa] lunash:>ntls bind none -bind 192.168.5.200
Success: NTLS binding hostname or IP Address 192.168.5.200 set.
NOTICE: The NTLS service must be restarted for new settings to take effect.
If you are sure that you wish to restart NTLS, then type 'proceed'; otherwise type 'quit':
> proceed
Proceeding...
Restarting NTLS service...
Stopping ntls: [ OK ]
Starting ntls: [ OK ]
Command Result: 0 (Success)
[ade_luna_sa] lunash:>ntls bind eth0
To check the correct execution of the binding, use the following command:
[ade_luna_sa] lunash:>ntls show
NTLS bound to network device: none IP Address: "192.168.5.200" (eth0)
Command Result: 0 (Success)
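As an added example (not part of the vendor documentation or of the Luna software), the following Python script does two things an administrator would want around the network and NTLS steps above: it sanity-checks the planned values before the net interface command restarts networking (gateway inside the configured subnet, and the address given to sysconf regencert and ntls bind matching the interface IP, since clients connect to the bound address and validate it against the regenerated server certificate), and it parses a saved lunash transcript to confirm that every step returned Command Result: 0 (Success) and that ntls show reports the bound address the plan expected. The plan values, the transcript text and the helper names (check_plan, verify_session) are constructed here from the sample session; the script does not talk to the HSM.

```python
"""Pre-flight and post-flight checks for the Luna SA network/NTLS setup.
Hypothetical helper written for this page; it is not vendor software."""
import ipaddress
import re

# Constructed plan mirroring the values used in the sample lunash session.
PLAN = {
    "hostname": "ade_luna_sa",
    "domain": "luna_sa.test.com",
    "device": "eth0",
    "ip": "192.168.5.200",
    "netmask": "255.255.255.0",
    "gateway": "192.168.5.1",
    "nameserver": "192.168.5.78",
    "ntp_server": "192.168.5.200",
    "regencert_addr": "192.168.5.200",  # argument given to 'sysconf regencert'
    "ntls_bind": "192.168.5.200",       # argument given to 'ntls bind none -bind'
}

# Constructed transcript of the last two steps, saved from the serial console.
SAMPLE_TRANSCRIPT = """\
[ade_luna_sa] lunash:>ntls bind none -bind 192.168.5.200
Success: NTLS binding hostname or IP Address 192.168.5.200 set.
Command Result: 0 (Success)
[ade_luna_sa] lunash:>ntls show
NTLS bound to network device: none IP Address: "192.168.5.200" (eth0)
Command Result: 0 (Success)
"""

# lunash prints the status line as 'Command Result : 0' or 'Command Result: 0'.
RESULT_RE = re.compile(r"^Command Result\s*:\s*(\d+)\s*\((\w+)\)", re.M)
BIND_RE = re.compile(r'NTLS bound to network device:\s*(\S+)\s+IP Address:\s*"([^"]*)"')


def check_plan(plan):
    """Return a list of problems in the plan; an empty list means it is consistent."""
    problems = []
    iface = ipaddress.IPv4Interface(f"{plan['ip']}/{plan['netmask']}")
    net = iface.network
    gw = ipaddress.IPv4Address(plan["gateway"])
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        problems.append("gateway equals the HSM's own address")
    for key in ("nameserver", "ntp_server"):
        ipaddress.IPv4Address(plan[key])  # raises ValueError on a malformed address
    # Clients reach NTLS at the bound address and check it against the server
    # certificate, so both must name the interface address configured above.
    if plan["regencert_addr"] != plan["ip"]:
        problems.append("regencert address differs from the interface IP")
    if plan["ntls_bind"] != plan["ip"]:
        problems.append("NTLS bind address differs from the interface IP")
    return problems


def parse_results(transcript):
    """Return the numeric codes of all 'Command Result' lines, in order."""
    return [int(m.group(1)) for m in RESULT_RE.finditer(transcript)]


def parse_ntls_binding(transcript):
    """Return (device, ip) from 'ntls show' output, or None if the line is absent."""
    m = BIND_RE.search(transcript)
    return (m.group(1), m.group(2)) if m else None


def verify_session(plan, transcript):
    """Return problems found in a transcript: non-zero results or a binding mismatch."""
    problems = []
    codes = parse_results(transcript)
    if not codes:
        problems.append("no 'Command Result' lines found")
    problems += [f"command {i + 1} returned code {c}"
                 for i, c in enumerate(codes) if c != 0]
    binding = parse_ntls_binding(transcript)
    if binding is None:
        problems.append("'ntls show' output not found")
    elif binding[1] != plan["ntls_bind"]:
        problems.append(f"NTLS bound to {binding[1]}, plan says {plan['ntls_bind']}")
    return problems


if __name__ == "__main__":
    print("plan problems:", check_plan(PLAN) or "none")
    print("session problems:", verify_session(PLAN, SAMPLE_TRANSCRIPT) or "none")
```

Run check_plan before typing the net interface command; run verify_session on the captured console log after the ntls show step. Both functions return a list of findings rather than raising, so the same script can be folded into a larger build checklist.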