3.2 Configuring the client connection
This section contains information on setting up the connection to the HSM. The procedure you need to follow depends on whether you are using a cloud-based DPoD HSM or an on-premises HSM.
3.2.1 Configuring the connection for DPoD
To configure a client connection for DPoD, follow the instructions provided by Thales:
DPoD Documentation > Services > Luna Cloud HSM Services > Add and Configure Client
3.2.2 Configuring the connection using the Universal Client
To configure a client connection for HSMs using the Universal Client or the Luna Client software, you must use the lunacm utility to create the connection.
To create the trust link between the client and the HSM using lunacm:
- On the MyID application server, open a Windows command prompt as an Administrator.
- Navigate to the Universal Client utilities folder. By default, this is:
  C:\Program Files\SafeNet\LunaClient\
- At the command prompt, type:
  lunacm
  This launches the command line environment that you will use to configure your connection to the HSM.
- Establish the connection between the MyID application server and the HSM using the following command:
  clientconfig deploy -server <server> -client <client> -partition <partition> [-password <password>] [-user <user>] [-hsmPassword <hsmpassword>] [-regen] [-force] [-verbose]
  where:
  - -server or -n – Server hostname or IP address (mandatory).
  - -client or -c – Client hostname or IP address (mandatory).
  - -partition or -par – Partition name to assign to the client (mandatory).
  - -password or -pw – Appliance admin role user's password.
  - -user or -ur – Appliance admin role user's name; the default is admin.
  - -hsmPassword or -hsmPw – HSM SO role password; only needed if HSM SO login enforcement is enabled.
  - -regen or -rg – Regenerate a new client certificate and replace the existing one.
  - -force or -f – Force the action.
  - -verbose or -v – Show verbose logs.
  For example:
  clientconfig deploy -n myserver.example.com -c myclient -par mypartition
  Press ENTER and wait for the command to complete.
- When prompted, type the HSM admin password.
  Press ENTER and wait for the command to complete.
  If you see an error at this stage, possible causes are:
  - You provided the wrong application server IP address.
  - The application server IP address is already registered on the HSM.
- Close down lunacm: type exit and press ENTER.
- At the Windows command prompt, start lunacm again.
  The lunacm utility displays the details of the HSM to which you are connected.
- If you want to change to a different slot from the one listed, use the following command:
  slot set -slot <slot_id>
  where:
  - <slot_id> – the number of the slot you want to use.
  If the command completes successfully, lunacm displays:
  Command Result : No Error
- To initialize the partition, use the following command:
  partition init -label <label>
  where:
  - <label> – the label of the partition you want to initialize.
  Follow the on-screen instructions. If the partition has already been initialized, you must provide the existing SO password. If the partition has not been initialized, you must provide the partition domain.
  Note: Make sure you take a note of the Partition SO password that you create.
  If the command completes successfully, lunacm displays:
  Command Result : No Error
- Log on to the initialized partition as the partition security officer using the following command:
  role login -name po
- Type the password you entered when you initialized the partition.
- Initialize the crypto officer using the following command:
  role init -name co
- You are prompted to provide a new password.
  Note: You are required to change this password before you can use the HSM with MyID; provide a temporary password.
- Change the crypto officer password.
  You will be unable to use the HSM with MyID until you have changed the password. To confirm whether the crypto officer password needs to be changed:
  - Log on to the HSM using PuTTY.
    See section 3.2.3, Connecting to the HSM using PuTTY, for information on logging on to the HSM using PuTTY.
  - Run the following command:
    partition show -p <partition>
    where:
    - <partition> – the name of the partition you are using.
    If the crypto officer password needs to be changed, the following text appears in the report:
    Crypto Officer PIN To Be Changed: yes
  - If the report indicates that the crypto officer password needs to be changed:
    - Open lunacm.
    - Log on as the crypto officer:
      role login -name co
    - Change the password:
      role changepw -name co
    - Follow the on-screen prompts.
    - Use PuTTY again to connect to the HSM and run partition show -p <partition> again to confirm that the password no longer needs to be changed; the report now shows:
      Crypto Officer PIN To Be Changed: no
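A scripted form of the check described in the steps above, as an added example that is not part of this document or of the Thales or MyID tooling: it parses the text of a partition show -p <partition> report captured from lunash over SSH and reports whether the Crypto Officer PIN still needs to be changed, so that a provisioning script can refuse to hand the partition to MyID until the flag reads "no". The only report line taken from this document is the "Crypto Officer PIN To Be Changed" line; the other sample lines and the function names are constructed assumptions.

```python
"""
Parse a captured `partition show -p <partition>` report from lunash and decide
whether the Crypto Officer (CO) PIN must still be changed before MyID can use
the partition. Added example; the sample reports are constructed, not output
captured from a real appliance.
"""
import re
from typing import Optional

# Constructed sample: the "Crypto Officer PIN To Be Changed" line is the one
# this document describes; the surrounding field names are assumptions.
SAMPLE_REPORT_NEEDS_CHANGE = """\
   Partition Name:                         mypartition
   Partition Owner Locked Out:             no
   Crypto Officer PIN To Be Changed:       yes
   Crypto Officer Locked Out:              no
"""

SAMPLE_REPORT_OK = """\
   Partition Name:                         mypartition
   Partition Owner Locked Out:             no
   Crypto Officer PIN To Be Changed:       no
   Crypto Officer Locked Out:              no
"""

# Anchored to the whole line so a similarly named field cannot match by accident.
_CO_PIN_RE = re.compile(
    r"^\s*Crypto Officer PIN To Be Changed:\s*(yes|no)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def co_pin_change_required(report: str) -> Optional[bool]:
    """Return True if the report says the CO PIN must be changed, False if it
    says it need not be, and None if the line is absent altogether (wrong
    partition name, truncated capture, command error). Keeping "absent"
    distinct from "no" stops a failed query from being read as "all clear"."""
    match = _CO_PIN_RE.search(report)
    if match is None:
        return None
    return match.group(1).lower() == "yes"


def partition_ready_for_myid(report: str) -> bool:
    """MyID can use the partition only once the flag is explicitly 'no'."""
    return co_pin_change_required(report) is False


if __name__ == "__main__":
    for name, report in (("needs-change", SAMPLE_REPORT_NEEDS_CHANGE),
                         ("ok", SAMPLE_REPORT_OK)):
        print(f"{name}: change required = {co_pin_change_required(report)}, "
              f"ready for MyID = {partition_ready_for_myid(report)}")
```

Feed the function the text captured from the PuTTY or SSH session (for example, saved to a file from the session log) rather than retyping it; the parser tolerates the column alignment and case of the report but insists on the exact field name.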
3.2.3 Connecting to the HSM using PuTTY
You can connect to your on-premises HSM using PuTTY; this allows you to carry out procedures such as checking whether the crypto officer password needs to be changed.
- Connect to the HSM using SSH.
  The putty.exe program supplied with the HSM client is located in the following folder:
  C:\Program Files\SafeNet\LunaClient
  The first time you use this program to connect to your HSM, you must:
  - Specify the connection, as shown above, using appropriate information.
  - Record an appropriate name in the Saved Sessions box and click Save.
  To connect to the HSM:
  - Highlight the connection information in the Saved Sessions list.
  - Click Load.
  - Click Open. A terminal window opens.
- In the terminal window, log in to the session using the HSM admin account.
  Note: If your HSM is being hosted externally, you will need to obtain the details for this from the host organization.
- Log in as the HSM administrator.
  At the lunash:> prompt, type:
  hsm login
  Then type the HSM administrator password.