Connect over the serial port first:
login as: admin
admin@<hostname>'s password: chrysalis
The password is changed at first login.
Date Settings
[CeyHSM] lunash:>status date
[CeyHSM] lunash:>sysconf -timezone -set Europe/Istanbul
Network Settings
[CeyHSM] lunash:>net show
[CeyHSM] lunash:>net hostname CeyHSM
[CeyHSM] lunash:>net -dns -nameserver 172.16.128.100
[CeyHSM] lunash:>net interface -static -device eth0 -ip 172.16.128.111 -netmask 255.255.255.0 -gateway 172.16.128.1
Firmware Update
[CeyHSM] lunash:>hsm show
[CeyHSM] lunash:>hsm u f
(hsm u f is the abbreviated form of hsm update firmware)
HSM init
[CeyHSM] lunash:>hsm init -label CeyHSM
[CeyHSM] lunash:>hsm ped vector init
To make the HSM FIPS-compliant:
hsm -changePolicy -policy 12 -value 0 (policy 12 is "Allow non-FIPS algorithms"; value 0 = No turns them off, which is what FIPS mode requires. This policy change is destructive on Luna, so apply it before partitions are created.)
Generate HSM Server certificate
[CeyHSM] lunash:>sysconf regenCert
[CeyHSM] lunash:>ntls bind eth0 -bind 172.16.128.111
Remote PED Connection
On the host computer where the remote PED is attached:
C:\HSM_SafeNetLunaSA>PedServer.exe -m start
[CeyHSM] lunash:>hsm ped connect -ip 172.16.128.116 -port 1503
Create Partition
[CeyHSM] lunash:>hsm login
[CeyHSM] lunash:>partition -create -name partitionceyhun
[CeyHSM] lunash:>partition -showpolicies -partition partitionceyhun
[CeyHSM] lunash:>partition changePolicy -partition partitionceyhun -policy 22 -value 1
[CeyHSM] lunash:>partition changePolicy -partition partitionceyhun -policy 23 -value 1
[CeyHSM] lunash:>partition activate -par partitionceyhun -pass AdHP-XYZ0-0XYZ/ZYX0
[CeyHSM] lunash:>partition autoActivate -p partitionceyhun -on
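The FIPS policy (hsm policy 12 set to 0) and the two partition policies (22 and 23 set to 1) above are easy to get wrong on one appliance among several, and nothing in LunaSH flags the drift. The script below is an added example, not part of these notes or of SafeNet's tooling: it parses a saved policy listing and reports every expected value that is absent or mis-set. The column layout of the sample listings is constructed, not captured from an appliance, and the names "Allow activation" / "Allow auto-activation" for partition policies 22 and 23 are assumed from Luna partition policy numbering; adjust the row pattern if your firmware prints the columns differently.

```python
import re

# Values this checklist expects (from the commands above):
#   HSM policy 12 "Allow non-FIPS algorithms" -> 0 (Off) for FIPS compliance
#   partition policy 22 -> 1 and policy 23 -> 1 (activation / auto-activation,
#   descriptions assumed from Luna partition policy numbering)
EXPECTED = {
    ("hsm", 12): 0,
    ("partition", 22): 1,
    ("partition", 23): 1,
}

# One policy row: description, On/Off (or numeric) value, numeric code.
# The column layout is a constructed approximation of LunaSH output;
# adjust the pattern if your appliance prints the columns differently.
ROW = re.compile(r"^\s*(?P<desc>\S.*?)\s{2,}(?P<value>On|Off|\d+)\s+(?P<code>\d+)\b")


def parse_policies(listing):
    """Map policy code -> (description, value as int) for every row found."""
    policies = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        raw = m.group("value")
        value = {"On": 1, "Off": 0}.get(raw)
        if value is None:
            value = int(raw)
        policies[int(m.group("code"))] = (m.group("desc").strip(), value)
    return policies


def audit(hsm_listing, partition_listing):
    """Return one finding per expected policy that is absent or mis-set."""
    parsed = {"hsm": parse_policies(hsm_listing),
              "partition": parse_policies(partition_listing)}
    findings = []
    for (scope, code), want in EXPECTED.items():
        entry = parsed[scope].get(code)
        if entry is None:
            findings.append(f"{scope} policy {code}: not present in listing")
            continue
        desc, have = entry
        if have != want:
            findings.append(f"{scope} policy {code} ({desc}): is {have}, expected {want}")
    return findings


# Constructed sample listings (not captured from a real appliance).
HSM_BEFORE = """\
HSM Policies
    Description                       Value  Code  Destructive
    ===========                       =====  ====  ===========
    Allow non-FIPS algorithms         On     12    Yes
    SO can reset partition PIN        Off    15    Yes
"""
PARTITION_BEFORE = """\
Partition Policies
    Description                       Value  Code  Destructive
    ===========                       =====  ====  ===========
    Allow activation                  On     22    No
    Allow auto-activation             Off    23    No
"""
# The same listings after the changePolicy commands have been applied.
HSM_AFTER = HSM_BEFORE.replace("On     12", "Off    12")
PARTITION_AFTER = PARTITION_BEFORE.replace("Off    23", "On     23")

if __name__ == "__main__":
    for finding in audit(HSM_BEFORE, PARTITION_BEFORE) or ["no findings"]:
        print(finding)
```

Run it against the output of hsm showPolicies and partition showPolicies saved from the appliance; an empty findings list is the state the commands above are meant to reach.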
Link host with HSM
c:\Program Files\LunaSA>ctp admin@172.16.128.111:server.pem .
c:\Program Files\LunaSA>dir
c:\Program Files\LunaSA>vtl addServer -n 172.16.128.111 -c server.pem
Generate Client cert
c:\Program Files\LunaSA>vtl createCert -n 172.16.128.116
c:\Program Files\LunaSA>ctp cert\client\172.16.128.116.pem admin@172.16.128.111:
Register client to HSM
[CeyHSM] lunash:>client -register -client ftClient2 -ip 172.16.128.116
[CeyHSM] lunash:>client assignPartition -client ftClient2 -partition ftPartition2
[CeyHSM] lunash:>sysconf rem di
[CeyHSM] lunash:>ntls bind eth0
c:\Program Files\LunaSA>vtl verify
Linux Client
cd /usr/lunasa/bin
./ctp admin@172.16.128.111:server.pem .
./vtl addServer -n 172.16.128.111 -c server.pem
./vtl createCert -n 172.16.128.116
./ctp ../cert/client/172.16.128.116.pem admin@172.16.128.111:
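On both the Windows and the Linux client the trust anchor for NTLS is whatever server.pem arrives via ctp; once vtl addServer registers it, the client will talk to anything presenting that certificate. The check below is an added example (not part of these notes or of SafeNet's client tools): it computes the SHA-256 fingerprint of server.pem and compares it, in constant time, against a fingerprint recorded out of band, for instance from the console session the serial connection at the top of these notes gives you. The PEM in the block is a constructed stand-in whose body is not a real X.509 certificate; only the DER bytes are hashed, so the code runs offline.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes of the first certificate."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in server.pem")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint of the DER certificate, in the
    format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_server_pem(pem, expected_fingerprint):
    """True only if the file's fingerprint equals the one obtained out of band."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(sha256_fingerprint(pem)),
                               norm(expected_fingerprint))


# Constructed stand-in for server.pem: the body is NOT a real X.509
# certificate, just bytes wrapped in PEM armour so the code runs offline.
SAMPLE_DER = b"CONSTRUCTED: not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
# One extra byte in the body, as a substituted file would produce.
TAMPERED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(SAMPLE_DER + b"x").decode()
                + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    # usage: python check_server_pem.py server.pem <fingerprint noted from the console>
    pem_text = open(sys.argv[1]).read()
    ok = verify_server_pem(pem_text, sys.argv[2])
    print("fingerprint:", sha256_fingerprint(pem_text))
    print("MATCH, safe to run vtl addServer" if ok
          else "MISMATCH, do not register this server.pem")
    sys.exit(0 if ok else 1)
```

Run the script between the ctp copy and vtl addServer; a non-zero exit means the file on disk is not the certificate the appliance is presenting, and registration should stop there.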
Generate Key Pair
c:\Program Files\LunaSA>cmu generateKeyPair -modulusBits=2048 -publicExp=65537 -sign=1 -verify=1 -labelPublic=PublicKey -labelPrivate=PrivateKey -modifiable=1
Generate Request Certificate
c:\Program Files\LunaSA>cmu requestCertificate -privateHandle=10 -publicHandle=9 -cn="test Certificate" -outputFile=cert01-company.req
Importing the certificate:
c:\Program Files\LunaSA>cmu import -inputFile=cert01-company.cer -label="Sample Certificate"
Note: an object imported with the ckdemo application must be copied, and the copy's private attribute set to false.
syslog tail entries 9999 logname hsm
Generate Key Pair Self Signed Certificate
c:\Program Files\LunaSA>cmu selfSignCertificate -publichandle=9 -privatehandle=10 -serialNumber=a1a1a1a1 -C=TR -keyusage=digitalsignature -label=cert01-company -CN=ceyhun
**********************************
**Generate Key Pair with Luna CSP**
**********************************
Registering the partition with the CSP:
C:\Program Files\LunaSA\CSP>register
Generating a certificate request:
C:\Users\Administrator\Desktop>Certreq -New policy.inf ceyhun-cert.req
Policy.inf:
[NewRequest]
Subject = "CN = Ceyhun Certificate Request,OU = Signature,O = SD,L = Izmir,S = Izmir,C = TR"
KeyLength=2048
ProviderName="Luna Cryptographic Services for Microsoft Windows"
Associating the generated certificate with the Luna CSP in the certificate store:
C:\Users\Administrator\Desktop>certutil.exe -f -csp "Luna Cryptographic Services for Microsoft Windows" -repairstore MY 2B0EDF1D71D84445ED7B28EFEEB3BC92
If the SSH service does not work:
sysconf setAdmin show
sysconf setAdmin device eth0
Partition01: AdHP-XYZ0-0XYZ/ZYX0
Partition02: JSSxXYZ0tPHEABCDd
When the HSM is closed (logged out) and applications cannot log in:
>hsm login
At this stage the blue PED key (HSM admin key) is presented to the PED.
>partition activate -partition Partition01 -password AdHP-XYZ0-0XYZ/ZYX0
Here the black PED key (partition admin key) is presented.